diff --git a/README.md b/README.md index c345ed3..59ef26c 100644 --- a/README.md +++ b/README.md @@ -1,19 +1,23 @@ # NOVNC-BASE -A desktop environment with sound in docker +A desktop environment with sound in docker. Can be used as a base file for application specific containers. +- `thomasloven/novnc-ubuntu` +- `thomasloven/novnc-debuan` +- `thomasloven/novnc-alpine` + To just get a desktop environment at `http://localhost:8080`: ```bash -docker run --rm thomasloven/novnc-base -p 8080:8080 +docker run --rm -p 8080:8080 thomasloven/novnc-ubuntu ``` Or used as a base for specific applications: ```dockerfile -FROM thomasloven/novnc-base +FROM thomasloven/novnc-ubuntu RUN sudo apt-get update \ && DEBIAN_FRONTEND=noninteractive \ @@ -24,6 +28,10 @@ CMD ["blender"] See more examples in `apps/`. + +The container will run as user `$USERNAME` (default `novnc`) with uid `${UUID}` (default `1000`) and group id `${GUID}` (default `1000`). +The user has sudo privileges with no password(!). + ### Bonus functionality - dotfiles installation. If the environment variable `DOTFILES_REPO` is set, the container will `git clone` that into `~/dotfiles` and then run `~/dotfiles/install.sh` if it diff --git a/alpine.Dockerfile b/alpine.Dockerfile index 2a6aaf7..449f29a 100644 --- a/alpine.Dockerfile +++ b/alpine.Dockerfile 
@@ -50,17 +50,12 @@ COPY entrypoint.sh /opt/noVNC/entrypoint.sh ENTRYPOINT ["/opt/noVNC/entrypoint.sh"] EXPOSE 8080 -RUN adduser --home /home/novnc --shell /bin/bash --system --disabled-password novnc \ - && echo "novnc ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers - # Add a custom version of vncserver which discards all arguments but the display RUN mv /usr/bin/vncserver /usr/bin/vncserver-orig \ && echo -e "#!/bin/bash \n \ /usr/bin/vncserver-orig \$1" > /usr/bin/vncserver \ && chmod +x /usr/bin/vncserver -USER novnc -RUN mkdir -p /home/novnc/.vnc/ \ - && echo -e "-Securitytypes=none" > /home/novnc/.vnc/config \ - && touch /home/novnc/.vnc/passwd && chmod 0600 /home/novnc/.vnc/passwd -WORKDIR /home/novnc +RUN mkdir -p /etc/skel/.vnc/ \ + && echo -e "-Securitytypes=none" > /etc/skel/.vnc/config \ + && touch /etc/skel/.vnc/passwd && chmod 0600 /etc/skel/.vnc/passwd diff --git a/debian.Dockerfile b/debian.Dockerfile index b0e213b..3500d10 100644 --- a/debian.Dockerfile +++ b/debian.Dockerfile @@ -57,8 +57,3 @@ COPY entrypoint.sh /opt/noVNC/entrypoint.sh ENTRYPOINT ["/opt/noVNC/entrypoint.sh"] EXPOSE 8080 - -RUN adduser --home /home/novnc --shell /bin/bash --system --disabled-password novnc \ - && echo "novnc ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers -USER novnc -WORKDIR /home/novnc diff --git a/entrypoint.sh b/entrypoint.sh index eb26a32..71b8318 100755 --- a/entrypoint.sh +++ b/entrypoint.sh 
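Review bot: The `.vnc/config` and `.vnc/passwd` files now land in `/etc/skel`, so they reach the session user only if the runtime `adduser` call in entrypoint.sh copies the skeleton directory. That call passes `--system`, and some adduser implementations do not copy `/etc/skel` for system accounts; the whole creation branch is also skipped when the user already exists. It would be safer to copy explicitly in the creation branch of entrypoint.sh, for example `cp -a /etc/skel/. "/home/${uname}/"` followed by `chown -R "${uname}:${uname}" "/home/${uname}"`. Since the config still sets `-Securitytypes=none`, a comment above the `RUN mkdir -p /etc/skel/.vnc/` step such as `# VNC runs without authentication; publish port 8080 on trusted interfaces only` would make that explicit. The rest of the Dockerfile is outside this hunk.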
@@ -18,43 +18,63 @@ kill_pid ~/.tcp-pid kill_pid ~/.ws-pid -# Clone and install dotfiles if DOTFILES_REPO is defined -if [ -n "$DOTFILES_REPO" ]; then - if [ ! -d ~/dotfiles ]; then - git clone $DOTFILES_REPO ~/dotfiles - if [ -f ~/dotfiles/install.sh ]; then - /bin/bash ~/dotfiles/install.sh +user_entrypoint() { + cd ~ + + # Clone and install dotfiles if DOTFILES_REPO is defined + if [ -n "$DOTFILES_REPO" ]; then + if [ ! -d ~/dotfiles ]; then + git clone --depth 1 --recurse-submodules --shallow-submodules $DOTFILES_REPO ~/dotfiles + if [ -f ~/dotfiles/install.sh ]; then + /bin/bash ~/dotfiles/install.sh + fi fi fi + + # Launch VNC server - view :1 defaults to port 5901 + vncserver :1 -SecurityTypes None -localhost no --I-KNOW-THIS-IS-INSECURE & + # vncserver :1 & + echo "$!" > ~/.vnc-pid + + # Launch pulseaudio server + # /etc/pulse/client.conf and /etc/pulse/default.pa are setup to make a default + # audio sink which outputs to a socket at /tmp/pulseaudio.socket + DISPLAY=:0.0 pulseaudio --disallow-module-loading --disallow-exit --exit-idle-time=-1& + echo "$!" > ~/.pa-pid + + # Use gstreamer to stream the pulseaudio source /tmp/pulseaudio.socket to stdout (fd=1) + # the tcpserver from ucspi-tcp pipes this to tcp port 6901 + tcpserver localhost 6901 gst-launch-1.0 -q pulsesrc server=/tmp/pulseaudio.socket ! audio/x-raw, channels=2, rate=12000 ! cutter ! opusenc ! webmmux ! fdsink fd=1 & + echo "$!" > ~/.tcp-pid + + # Websockify does three things: + # - publishes /opt/noVNC to http port 8080 + # - proxies vnc port 5901 to 8080/websockify?token=vnc + # - proxies pulseaudio port 6901 to 8080/websockify?token=pulse + # The latter two are defined through the tokenfile + /opt/noVNC/utils/websockify/websockify.py --web /opt/noVNC 8080 --token-plugin=TokenFile --token-source=/opt/noVNC/tokenfile & + echo "$!" > ~/.ws-pid + + if [ -n "$@" ]; then + DISPLAY=:1.0 exec "$@" & + fi + + wait +} + +uname=${USERNAME:-novnc} +uid=${UUID:-1000} +gid=${GUID:-1000} + +if ! 
id -u ${uname} > /dev/null 2>&1; then + addgroup --gid ${gid} ${uname} + adduser --home /home/${uname} --shell /bin/bash --system --disabled-password --uid ${uid} --ingroup ${uname} ${uname} + echo "${uname} ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers + mkdir -p /home/${uname} + chown ${uname}:${uname} /home/${uname} fi -# Launch VNC server - view :1 defaults to port 5901 -vncserver :1 -SecurityTypes None -localhost no --I-KNOW-THIS-IS-INSECURE & -# vncserver :1 & -echo "$!" > ~/.vnc-pid - -# Launch pulseaudio server -# /etc/pulse/client.conf and /etc/pulse/default.pa are setup to make a default -# audio sink which outputs to a socket at /tmp/pulseaudio.socket -DISPLAY=:0.0 pulseaudio --disallow-module-loading --disallow-exit --exit-idle-time=-1& -echo "$!" > ~/.pa-pid - -# Use gstreamer to stream the pulseaudio source /tmp/pulseaudio.socket to stdout (fd=1) -# the tcpserver from ucspi-tcp pipes this to tcp port 6901 -tcpserver localhost 6901 gst-launch-1.0 -q pulsesrc server=/tmp/pulseaudio.socket ! audio/x-raw, channels=2, rate=12000 ! cutter ! opusenc ! webmmux ! fdsink fd=1 & -echo "$!" > ~/.tcp-pid - -# Websockify does three things: -# - publishes /opt/noVNC to http port 8080 -# - proxies vnc port 5901 to 8080/websockify?token=vnc -# - proxies pulseaudio port 6901 to 8080/websockify?token=pulse -# The latter two are defined through the tokenfile -/opt/noVNC/utils/websockify/websockify.py --web /opt/noVNC 8080 --token-plugin=TokenFile --token-source=/opt/noVNC/tokenfile & -echo "$!" > ~/.ws-pid - -if [ -n "$@" ]; then - DISPLAY=:1.0 exec "$@" & -fi +export -f user_entrypoint +su ${uname} -c "bash -c user_entrypoint ${@}" & wait - diff --git a/ubuntu.Dockerfile b/ubuntu.Dockerfile index b358d61..953aac1 100644 --- a/ubuntu.Dockerfile +++ b/ubuntu.Dockerfile 
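Review bot: The CMD arguments do not appear to reach `user_entrypoint` through the final `su ${uname} -c "bash -c user_entrypoint ${@}"` line. They are spliced unquoted into a string that two shells re-parse, and `bash -c user_entrypoint a b` binds `a` and `b` to `$0` and `$1` of the inner shell while the function itself is called with no arguments. Any argument containing spaces or shell metacharacters is also re-split and re-interpreted on the way. Building the command with `printf -v cmd '%q ' user_entrypoint "$@"` and running `su "${uname}" -c "${cmd}"` keeps each argument intact, and inside the function `[ -n "$@" ]` should become `[ "$#" -gt 0 ]`. The `${uname}`, `${uid}` and `${gid}` values come straight from the environment and are used unquoted, including in the line appended to `/etc/sudoers`, so validating `USERNAME` (for example against `^[a-z_][a-z0-9_-]*$`) before the `adduser` block would be worth adding; the `kill_pid` helper and the start of the script are outside the hunk.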
@@ -57,8 +57,3 @@ COPY entrypoint.sh /opt/noVNC/entrypoint.sh ENTRYPOINT ["/opt/noVNC/entrypoint.sh"] EXPOSE 8080 - -RUN adduser --home /home/novnc --shell /bin/bash --system --disabled-password novnc \ - && echo "novnc ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers -USER novnc -WORKDIR /home/novnc