diff --git a/argocd/manifests/navidrome/deployment.yaml b/argocd/manifests/navidrome/deployment.yaml
index 157fe91..09ee82c 100644
--- a/argocd/manifests/navidrome/deployment.yaml
+++ b/argocd/manifests/navidrome/deployment.yaml
@@ -14,9 +14,16 @@ spec:
       labels:
         app: navidrome
     spec:
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
       containers:
         - name: navidrome
-          image: registry.ops.eblu.me/blumeops/navidrome:v1.0.2
+          image: registry.ops.eblu.me/blumeops/navidrome:v1.0.3
+          securityContext:
+            runAsNonRoot: true
+            allowPrivilegeEscalation: false
           ports:
             - containerPort: 4533
               name: http
diff --git a/containers/navidrome/Dockerfile b/containers/navidrome/Dockerfile
index 4bf5231..3267b95 100644
--- a/containers/navidrome/Dockerfile
+++ b/containers/navidrome/Dockerfile
@@ -42,10 +42,13 @@ LABEL org.opencontainers.image.description="Navidrome is a self-hosted music ser
 # Points to upstream canonical source, not the forge mirror used for builds
 LABEL org.opencontainers.image.source=https://github.com/navidrome/navidrome
-RUN apk add --no-cache ca-certificates tzdata taglib ffmpeg
+RUN apk add --no-cache ca-certificates tzdata taglib ffmpeg \
+    && addgroup -g 1000 navidrome \
+    && adduser -u 1000 -G navidrome -D navidrome
 COPY --from=build /navidrome /usr/bin/navidrome
 EXPOSE 4533
+USER 1000
 CMD ["/usr/bin/navidrome"]
diff --git a/docs/changelog.d/fix-navidrome-container-v1.0.2.bugfix.md b/docs/changelog.d/fix-navidrome-container-v1.0.2.bugfix.md
index 077e4a9..4c9c687 100644
--- a/docs/changelog.d/fix-navidrome-container-v1.0.2.bugfix.md
+++ b/docs/changelog.d/fix-navidrome-container-v1.0.2.bugfix.md
@@ -1 +1 @@
-Fix navidrome custom container image (removed non-root user that prevented SQLite writes)
+Switch navidrome to custom container image with dedicated non-root user and fsGroup security context
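Review bot: The container-level securityContext added under `- name: navidrome` stops at runAsNonRoot and allowPrivilegeEscalation, so the process still keeps the runtime's default Linux capability set and no seccomp profile is requested even though it now runs as UID 1000; the restricted Pod Security Standard also expects `capabilities.drop: ["ALL"]` and `seccompProfile.type: RuntimeDefault`, and `readOnlyRootFilesystem: true` is worth testing if navidrome only writes under its data volume. fsGroup only takes effect on volume types that support ownership changes, and the volume mounts are outside this hunk, so whether the SQLite data directory is actually covered cannot be confirmed here. The image remains pinned by the mutable tag v1.0.3 rather than a digest; a digest pin is the stronger supply-chain control if the intent is a reproducible rollout.

```yaml
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
```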
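Review bot: The new `addgroup`/`adduser` lines and `USER 1000` create the non-root account, but nothing in the image prepares a writable data directory owned by that UID, so outside the Kubernetes manifest (plain `docker run` with a bind mount, or a volume type where fsGroup cannot change ownership) the SQLite write failure the changelog entry describes will recur. Consider adding, before `USER 1000`, `RUN mkdir -p <DATA_DIR> && chown 1000:1000 <DATA_DIR>` (placeholder for whatever data path the runtime configuration points at), or at minimum a comment above `USER 1000` such as `# Numeric UID on purpose (matches runAsUser in the k8s manifest); data-dir ownership is delegated to fsGroup`. Because the account's primary group is navidrome (GID 1000) via `-G`, `USER 1000` resolves the group correctly, but `USER 1000:1000` makes that explicit and independent of /etc/passwd. The `adduser -D` call also creates a home directory under /home; adding `-H` avoids an unneeded writable directory in the image.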