diff --git a/bitwarden_license/src/Scim/Dockerfile b/bitwarden_license/src/Scim/Dockerfile index 6970dfa7bb..d1bb11cf60 100644 --- a/bitwarden_license/src/Scim/Dockerfile +++ b/bitwarden_license/src/Scim/Dockerfile @@ -1,7 +1,21 @@ +FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build +ARG TARGETPLATFORM +ARG BUILDPLATFORM +ENV PROJECT_NAME=Scim + +WORKDIR /build +COPY ../../ ./ + +WORKDIR /build/bitwarden_license/src/${PROJECT_NAME} + +RUN dotnet publish --self-contained /p:PublishSingleFile=true -o out + FROM mcr.microsoft.com/dotnet/aspnet:8.0 LABEL com.bitwarden.product="bitwarden" +ENV PROJECT_NAME=Scim + RUN apt-get update \ && apt-get install -y --no-install-recommends \ gosu \ @@ -9,11 +23,12 @@ RUN apt-get update \ krb5-user \ && rm -rf /var/lib/apt/lists/* -ENV ASPNETCORE_URLS http://+:5000 -WORKDIR /app +ENV ASPNETCORE_URLS=http://+:5000 + EXPOSE 5000 -COPY obj/build-output/publish . -COPY entrypoint.sh / +WORKDIR /app +COPY --from=build /build/bitwarden_license/src/${PROJECT_NAME}/out /app +COPY ./bitwarden_license/src/${PROJECT_NAME}/entrypoint.sh /entrypoint.sh RUN chmod +x /entrypoint.sh HEALTHCHECK CMD curl -f http://localhost:5000/alive || exit 1 diff --git a/bitwarden_license/src/Scim/entrypoint.sh b/bitwarden_license/src/Scim/entrypoint.sh index a1fa82d02a..e21b4f3bbd 100644 --- a/bitwarden_license/src/Scim/entrypoint.sh +++ b/bitwarden_license/src/Scim/entrypoint.sh @@ -1,4 +1,6 @@ -#!/bin/bash +#!/usr/bin/env bash + +PROJECT_NAME="Scim" # Setup 
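Review bot: The final stage still starts from `mcr.microsoft.com/dotnet/aspnet:8.0` although the new build stage publishes with `--self-contained /p:PublishSingleFile=true`, so the image ships a shared ASP.NET runtime that the binary should not need. `FROM mcr.microsoft.com/dotnet/runtime-deps:8.0` would likely be enough and leaves less to patch, provided nothing else in the image depends on the shared framework. The later `COPY ./bitwarden_license/src/...` shows the build context is the repository root, so `COPY ../../ ./` can only resolve to that root and pulls the whole context into the build stage. A `.dockerignore` that excludes `.git` and local environment or secret files keeps them out of build layers and cache. The same points apply to the Sso, EventsProcessor and Notifications Dockerfiles in this diff.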
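Review bot: The entrypoint script is copied and then made executable by the separate `RUN chmod +x /entrypoint.sh` that follows, which adds a layer only to flip a mode bit. If the build already requires BuildKit, `COPY --chmod=0755 ./bitwarden_license/src/${PROJECT_NAME}/entrypoint.sh /entrypoint.sh` sets the mode in the same step and the `RUN` can go. `ENV PROJECT_NAME=Scim` also persists into the runtime environment, while `entrypoint.sh` assigns `PROJECT_NAME` itself; an `ARG` would be enough for the two `COPY` lines if nothing reads it at runtime.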
@@ -19,31 +21,41 @@ then LGID=65534 fi -# Create user and group +if [ "$(id -u)" = "0" ] +then + # Create user and group -groupadd -o -g $LGID $GROUPNAME >/dev/null 2>&1 || -groupmod -o -g $LGID $GROUPNAME >/dev/null 2>&1 -useradd -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 || -usermod -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 -mkhomedir_helper $USERNAME + groupadd -o -g $LGID $GROUPNAME >/dev/null 2>&1 || + groupmod -o -g $LGID $GROUPNAME >/dev/null 2>&1 + useradd -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 || + usermod -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 + mkhomedir_helper $USERNAME -# The rest... + # The rest... -chown -R $USERNAME:$GROUPNAME /app -mkdir -p /etc/bitwarden/core -mkdir -p /etc/bitwarden/logs -mkdir -p /etc/bitwarden/ca-certificates -chown -R $USERNAME:$GROUPNAME /etc/bitwarden + chown -R $USERNAME:$GROUPNAME /app + mkdir -p /etc/bitwarden/core + mkdir -p /etc/bitwarden/logs + mkdir -p /etc/bitwarden/ca-certificates + chown -R $USERNAME:$GROUPNAME /etc/bitwarden -# if [[ $globalSettings__selfHosted == "true" ]]; then -# cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \ -# && update-ca-certificates -# fi + if [[ $globalSettings__selfHosted == "true" ]]; then + cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \ + && update-ca-certificates + fi -if [[ -f "/etc/bitwarden/kerberos/bitwarden.keytab" && -f "/etc/bitwarden/kerberos/krb5.conf" ]]; then - chown -R $USERNAME:$GROUPNAME /etc/bitwarden/kerberos - cp -f /etc/bitwarden/kerberos/krb5.conf /etc/krb5.conf - gosu $USERNAME:$GROUPNAME kinit $globalSettings__kerberosUser -k -t /etc/bitwarden/kerberos/bitwarden.keytab + if [[ -f "/etc/bitwarden/kerberos/bitwarden.keytab" && -f "/etc/bitwarden/kerberos/krb5.conf" ]]; then + chown -R $USERNAME:$GROUPNAME /etc/bitwarden/kerberos + fi + + gosu_cmd="gosu $USERNAME:$GROUPNAME" 
+else + gosu_cmd="" fi -exec gosu $USERNAME:$GROUPNAME dotnet /app/Scim.dll +if [[ -f "/etc/bitwarden/kerberos/bitwarden.keytab" && -f "/etc/bitwarden/kerberos/krb5.conf" ]]; then + cp -f /etc/bitwarden/kerberos/krb5.conf /etc/krb5.conf + $gosu_cmd kinit $globalSettings__kerberosUser -k -t /etc/bitwarden/kerberos/bitwarden.keytab +fi + +exec $gosu_cmd /app/"${PROJECT_NAME}" diff --git a/bitwarden_license/src/Sso/Dockerfile b/bitwarden_license/src/Sso/Dockerfile index 6970dfa7bb..39647d8b23 100644 --- a/bitwarden_license/src/Sso/Dockerfile +++ b/bitwarden_license/src/Sso/Dockerfile @@ -1,7 +1,21 @@ +FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build +ARG TARGETPLATFORM +ARG BUILDPLATFORM +ENV PROJECT_NAME=Sso + +WORKDIR /build +COPY ../../ ./ + +WORKDIR /build/bitwarden_license/src/${PROJECT_NAME} + +RUN dotnet publish --self-contained /p:PublishSingleFile=true -o out + FROM mcr.microsoft.com/dotnet/aspnet:8.0 LABEL com.bitwarden.product="bitwarden" +ENV PROJECT_NAME=Sso + RUN apt-get update \ && apt-get install -y --no-install-recommends \ gosu \ @@ -9,11 +23,12 @@ RUN apt-get update \ krb5-user \ && rm -rf /var/lib/apt/lists/* -ENV ASPNETCORE_URLS http://+:5000 -WORKDIR /app +ENV ASPNETCORE_URLS=http://+:5000 + EXPOSE 5000 -COPY obj/build-output/publish . -COPY entrypoint.sh / +WORKDIR /app +COPY --from=build /build/bitwarden_license/src/${PROJECT_NAME}/out /app +COPY ./bitwarden_license/src/${PROJECT_NAME}/entrypoint.sh /entrypoint.sh RUN chmod +x /entrypoint.sh HEALTHCHECK CMD curl -f http://localhost:5000/alive || exit 1 diff --git a/bitwarden_license/src/Sso/entrypoint.sh b/bitwarden_license/src/Sso/entrypoint.sh index 9a188d8054..1c21e54d68 100644 --- a/bitwarden_license/src/Sso/entrypoint.sh +++ b/bitwarden_license/src/Sso/entrypoint.sh @@ -1,4 +1,6 @@ -#!/bin/bash +#!/usr/bin/env bash + +PROJECT_NAME="Sso" # Setup 
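Review bot: The Kerberos block now sits outside the `id -u` check, so when the container starts as a non-root user `cp -f /etc/bitwarden/kerberos/krb5.conf /etc/krb5.conf` will normally fail on a root-owned `/etc`, and `kinit` then runs against whatever default configuration is present. Pointing the tools at the mounted file avoids the write, for example `export KRB5_CONFIG=/etc/bitwarden/kerberos/krb5.conf` in place of the `cp`. The result of `kinit` is not checked either, so a failed ticket request goes unnoticed until the service tries to authenticate. `$gosu_cmd`, `$USERNAME`, `$GROUPNAME` and `$globalSettings__kerberosUser` are expanded unquoted; an array such as `gosu_cmd=(gosu "$USERNAME:$GROUPNAME")` with `exec "${gosu_cmd[@]}" /app/"${PROJECT_NAME}"` handles the empty case without relying on word splitting. The same block appears in the Sso, Admin, Api, Events, Icons and Identity entrypoints in this diff.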
@@ -19,37 +21,48 @@ then LGID=65534 fi -# Create user and group +if [ "$(id -u)" = "0" ] +then + # Create user and group -groupadd -o -g $LGID $GROUPNAME >/dev/null 2>&1 || -groupmod -o -g $LGID $GROUPNAME >/dev/null 2>&1 -useradd -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 || -usermod -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 -mkhomedir_helper $USERNAME + groupadd -o -g $LGID $GROUPNAME >/dev/null 2>&1 || + groupmod -o -g $LGID $GROUPNAME >/dev/null 2>&1 + useradd -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 || + usermod -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 + mkhomedir_helper $USERNAME -# The rest... + # The rest... -mkdir -p /etc/bitwarden/identity -mkdir -p /etc/bitwarden/core -mkdir -p /etc/bitwarden/logs -mkdir -p /etc/bitwarden/ca-certificates -chown -R $USERNAME:$GROUPNAME /etc/bitwarden + chown -R $USERNAME:$GROUPNAME /app + mkdir -p /etc/bitwarden/core + mkdir -p /etc/bitwarden/logs + mkdir -p /etc/bitwarden/ca-certificates + chown -R $USERNAME:$GROUPNAME /etc/bitwarden -# if [[ $globalSettings__selfHosted == "true" ]]; then -# cp /etc/bitwarden/identity/identity.pfx /app/identity.pfx -# fi + if [[ $globalSettings__selfHosted == "true" ]]; then + cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \ + && update-ca-certificates + fi -chown -R $USERNAME:$GROUPNAME /app + if [[ -f "/etc/bitwarden/kerberos/bitwarden.keytab" && -f "/etc/bitwarden/kerberos/krb5.conf" ]]; then + chown -R $USERNAME:$GROUPNAME /etc/bitwarden/kerberos + fi -# if [[ $globalSettings__selfHosted == "true" ]]; then -# cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \ -# && update-ca-certificates -# fi - -if [[ -f "/etc/bitwarden/kerberos/bitwarden.keytab" && -f "/etc/bitwarden/kerberos/krb5.conf" ]]; then - chown -R $USERNAME:$GROUPNAME /etc/bitwarden/kerberos - cp -f /etc/bitwarden/kerberos/krb5.conf 
/etc/krb5.conf - gosu $USERNAME:$GROUPNAME kinit $globalSettings__kerberosUser -k -t /etc/bitwarden/kerberos/bitwarden.keytab + gosu_cmd="gosu $USERNAME:$GROUPNAME" +else + gosu_cmd="" fi -exec gosu $USERNAME:$GROUPNAME dotnet /app/Sso.dll +if [[ -f "/etc/bitwarden/kerberos/bitwarden.keytab" && -f "/etc/bitwarden/kerberos/krb5.conf" ]]; then + cp -f /etc/bitwarden/kerberos/krb5.conf /etc/krb5.conf + $gosu_cmd kinit $globalSettings__kerberosUser -k -t /etc/bitwarden/kerberos/bitwarden.keytab +fi + +if [[ $globalSettings__selfHosted == "true" ]]; then + cp /etc/bitwarden/identity/identity.pfx /app/identity.pfx || \ + if [[ -z $globalSettings__identityServer__certificateLocation ]]; then + export globalSettings__identityServer__certificateLocation=/home/app/config/identity.pfx + fi +fi + +exec $gosu_cmd /app/"${PROJECT_NAME}" diff --git a/src/Admin/Dockerfile b/src/Admin/Dockerfile index ad8a4565fc..b54ca67435 100644 --- a/src/Admin/Dockerfile +++ b/src/Admin/Dockerfile 
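Review bot: `cp /etc/bitwarden/identity/identity.pfx /app/identity.pfx` now runs after `chown -R $USERNAME:$GROUPNAME /app` and, in the root case, still as root, so the copied key file is root-owned; if the source is not world-readable, the service started through gosu probably cannot open it. Running the copy as the service user keeps ownership consistent: `$gosu_cmd cp /etc/bitwarden/identity/identity.pfx /app/identity.pfx`. The `||` fallback exports `globalSettings__identityServer__certificateLocation=/home/app/config/identity.pfx` without checking that the file exists, so a missing certificate surfaces only when the application tries to load it; a `[[ -f ... ]]` test with a clear error message would fail earlier. The new side also no longer creates `/etc/bitwarden/identity`. The Identity entrypoint later in this diff has the same block.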
@@ -1,77 +1,35 @@ FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build ARG TARGETPLATFORM ARG BUILDPLATFORM -ARG PROJECT_NAME=Admin +ENV PROJECT_NAME=Admin WORKDIR /build COPY ../../ ./ WORKDIR /build/src/${PROJECT_NAME} -RUN </dev/null 2>&1 || -groupmod -o -g $LGID $GROUPNAME >/dev/null 2>&1 -useradd -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 || -usermod -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 -mkhomedir_helper $USERNAME + groupadd -o -g $LGID $GROUPNAME >/dev/null 2>&1 || + groupmod -o -g $LGID $GROUPNAME >/dev/null 2>&1 + useradd -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 || + usermod -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 + mkhomedir_helper $USERNAME -# The rest... + # The rest... -chown -R $USERNAME:$GROUPNAME /app -mkdir -p /etc/bitwarden/core -mkdir -p /etc/bitwarden/logs -mkdir -p /etc/bitwarden/ca-certificates -chown -R $USERNAME:$GROUPNAME /etc/bitwarden + chown -R $USERNAME:$GROUPNAME /app + mkdir -p /etc/bitwarden/core + mkdir -p /etc/bitwarden/logs + mkdir -p /etc/bitwarden/ca-certificates + chown -R $USERNAME:$GROUPNAME /etc/bitwarden -# if [[ $globalSettings__selfHosted == "true" ]]; then -# cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \ -# && update-ca-certificates -# fi + if [[ $globalSettings__selfHosted == "true" ]]; then + cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \ + && update-ca-certificates + fi -if [[ -f "/etc/bitwarden/kerberos/bitwarden.keytab" && -f "/etc/bitwarden/kerberos/krb5.conf" ]]; then - chown -R $USERNAME:$GROUPNAME /etc/bitwarden/kerberos - cp -f /etc/bitwarden/kerberos/krb5.conf /etc/krb5.conf - gosu $USERNAME:$GROUPNAME kinit $globalSettings__kerberosUser -k -t /etc/bitwarden/kerberos/bitwarden.keytab + if [[ -f "/etc/bitwarden/kerberos/bitwarden.keytab" && -f "/etc/bitwarden/kerberos/krb5.conf" ]]; then + chown -R $USERNAME:$GROUPNAME 
/etc/bitwarden/kerberos + fi + + gosu_cmd="gosu $USERNAME:$GROUPNAME" +else + gosu_cmd="" fi -exec gosu $USERNAME:$GROUPNAME dotnet /app/Admin.dll +if [[ -f "/etc/bitwarden/kerberos/bitwarden.keytab" && -f "/etc/bitwarden/kerberos/krb5.conf" ]]; then + cp -f /etc/bitwarden/kerberos/krb5.conf /etc/krb5.conf + $gosu_cmd kinit $globalSettings__kerberosUser -k -t /etc/bitwarden/kerberos/bitwarden.keytab +fi + +exec $gosu_cmd /app/"${PROJECT_NAME}" diff --git a/src/Api/Dockerfile b/src/Api/Dockerfile index 642f072e61..947302bf0e 100644 --- a/src/Api/Dockerfile +++ b/src/Api/Dockerfile 
@@ -1,82 +1,36 @@ FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build ARG TARGETPLATFORM ARG BUILDPLATFORM -ARG PROJECT_NAME=Api +ENV PROJECT_NAME=Api WORKDIR /build COPY ../../ ./ WORKDIR /build/src/${PROJECT_NAME} -RUN </dev/null 2>&1 || -groupmod -o -g $LGID $GROUPNAME >/dev/null 2>&1 -useradd -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 || -usermod -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 -mkhomedir_helper $USERNAME + groupadd -o -g $LGID $GROUPNAME >/dev/null 2>&1 || + groupmod -o -g $LGID $GROUPNAME >/dev/null 2>&1 + useradd -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 || + usermod -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 + mkhomedir_helper $USERNAME -# The rest... + # The rest... -chown -R $USERNAME:$GROUPNAME /app -mkdir -p /etc/bitwarden/core -mkdir -p /etc/bitwarden/logs -mkdir -p /etc/bitwarden/ca-certificates -chown -R $USERNAME:$GROUPNAME /etc/bitwarden + chown -R $USERNAME:$GROUPNAME /app + mkdir -p /etc/bitwarden/core + mkdir -p /etc/bitwarden/logs + mkdir -p /etc/bitwarden/ca-certificates + chown -R $USERNAME:$GROUPNAME /etc/bitwarden -# if [[ $globalSettings__selfHosted == "true" ]]; then -# cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \ -# && update-ca-certificates -# fi + if [[ $globalSettings__selfHosted == "true" ]]; then + cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \ + && update-ca-certificates + fi -if [[ -f "/etc/bitwarden/kerberos/bitwarden.keytab" && -f "/etc/bitwarden/kerberos/krb5.conf" ]]; then - chown -R $USERNAME:$GROUPNAME /etc/bitwarden/kerberos - cp -f /etc/bitwarden/kerberos/krb5.conf /etc/krb5.conf - gosu $USERNAME:$GROUPNAME kinit $globalSettings__kerberosUser -k -t /etc/bitwarden/kerberos/bitwarden.keytab + if [[ -f "/etc/bitwarden/kerberos/bitwarden.keytab" && -f "/etc/bitwarden/kerberos/krb5.conf" ]]; then + chown -R $USERNAME:$GROUPNAME 
/etc/bitwarden/kerberos + fi + + gosu_cmd="gosu $USERNAME:$GROUPNAME" +else + gosu_cmd="" fi -exec gosu $USERNAME:$GROUPNAME dotnet /app/Api.dll +if [[ -f "/etc/bitwarden/kerberos/bitwarden.keytab" && -f "/etc/bitwarden/kerberos/krb5.conf" ]]; then + cp -f /etc/bitwarden/kerberos/krb5.conf /etc/krb5.conf + $gosu_cmd kinit $globalSettings__kerberosUser -k -t /etc/bitwarden/kerberos/bitwarden.keytab +fi + +exec $gosu_cmd /app/"${PROJECT_NAME}" diff --git a/src/Billing/Dockerfile b/src/Billing/Dockerfile index 256a7fdde6..49feeba672 100644 --- a/src/Billing/Dockerfile +++ b/src/Billing/Dockerfile 
@@ -1,50 +1,33 @@ FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build ARG TARGETPLATFORM ARG BUILDPLATFORM -ARG PROJECT_NAME=Identity +ENV PROJECT_NAME=Billing WORKDIR /build COPY ../../ ./ WORKDIR /build/src/${PROJECT_NAME} -RUN </dev/null 2>&1 || -groupmod -o -g $LGID $GROUPNAME >/dev/null 2>&1 -useradd -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 || -usermod -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 -mkhomedir_helper $USERNAME + groupadd -o -g $LGID $GROUPNAME >/dev/null 2>&1 || + groupmod -o -g $LGID $GROUPNAME >/dev/null 2>&1 + useradd -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 || + usermod -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 + mkhomedir_helper $USERNAME -# The rest... + # The rest... -chown -R $USERNAME:$GROUPNAME /app -mkdir -p /etc/bitwarden/core -mkdir -p /etc/bitwarden/logs -mkdir -p /etc/bitwarden/ca-certificates -chown -R $USERNAME:$GROUPNAME /etc/bitwarden + chown -R $USERNAME:$GROUPNAME /app + mkdir -p /etc/bitwarden/core + mkdir -p /etc/bitwarden/logs + mkdir -p /etc/bitwarden/ca-certificates + chown -R $USERNAME:$GROUPNAME /etc/bitwarden -# if [[ $globalSettings__selfHosted == "true" ]]; then -# cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \ -# && update-ca-certificates -# fi + if [[ $globalSettings__selfHosted == "true" ]]; then + cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \ + && update-ca-certificates + fi -exec gosu $USERNAME:$GROUPNAME dotnet /app/Billing.dll + gosu_cmd="gosu $USERNAME:$GROUPNAME" +else + gosu_cmd="" +fi + +exec $gosu_cmd /app/"${PROJECT_NAME}" diff --git a/src/Events/Dockerfile b/src/Events/Dockerfile index c25af886c8..b9e2922d72 100644 --- a/src/Events/Dockerfile +++ b/src/Events/Dockerfile 
@@ -1,76 +1,35 @@ FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build ARG TARGETPLATFORM ARG BUILDPLATFORM -ARG PROJECT_NAME=Events +ENV PROJECT_NAME=Events WORKDIR /build COPY ../../ ./ WORKDIR /build/src/${PROJECT_NAME} -RUN </dev/null 2>&1 || -groupmod -o -g $LGID $GROUPNAME >/dev/null 2>&1 -useradd -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 || -usermod -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 -mkhomedir_helper $USERNAME + groupadd -o -g $LGID $GROUPNAME >/dev/null 2>&1 || + groupmod -o -g $LGID $GROUPNAME >/dev/null 2>&1 + useradd -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 || + usermod -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 + mkhomedir_helper $USERNAME -# The rest... + # The rest... -chown -R $USERNAME:$GROUPNAME /app -mkdir -p /etc/bitwarden/core -mkdir -p /etc/bitwarden/logs -mkdir -p /etc/bitwarden/ca-certificates -chown -R $USERNAME:$GROUPNAME /etc/bitwarden + chown -R $USERNAME:$GROUPNAME /app + mkdir -p /etc/bitwarden/core + mkdir -p /etc/bitwarden/logs + mkdir -p /etc/bitwarden/ca-certificates + chown -R $USERNAME:$GROUPNAME /etc/bitwarden -# if [[ $globalSettings__selfHosted == "true" ]]; then -# cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \ -# && update-ca-certificates -# fi + if [[ $globalSettings__selfHosted == "true" ]]; then + cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \ + && update-ca-certificates + fi -if [[ -f "/etc/bitwarden/kerberos/bitwarden.keytab" && -f "/etc/bitwarden/kerberos/krb5.conf" ]]; then - chown -R $USERNAME:$GROUPNAME /etc/bitwarden/kerberos - cp -f /etc/bitwarden/kerberos/krb5.conf /etc/krb5.conf - gosu $USERNAME:$GROUPNAME kinit $globalSettings__kerberosUser -k -t /etc/bitwarden/kerberos/bitwarden.keytab + if [[ -f "/etc/bitwarden/kerberos/bitwarden.keytab" && -f "/etc/bitwarden/kerberos/krb5.conf" ]]; then + chown -R $USERNAME:$GROUPNAME 
/etc/bitwarden/kerberos + fi + + gosu_cmd="gosu $USERNAME:$GROUPNAME" +else + gosu_cmd="" fi -exec gosu $USERNAME:$GROUPNAME dotnet /app/Events.dll +if [[ -f "/etc/bitwarden/kerberos/bitwarden.keytab" && -f "/etc/bitwarden/kerberos/krb5.conf" ]]; then + cp -f /etc/bitwarden/kerberos/krb5.conf /etc/krb5.conf + $gosu_cmd kinit $globalSettings__kerberosUser -k -t /etc/bitwarden/kerberos/bitwarden.keytab +fi + +exec $gosu_cmd /app/"${PROJECT_NAME}" diff --git a/src/EventsProcessor/Dockerfile b/src/EventsProcessor/Dockerfile index 4344452f65..3a80d3c2f0 100644 --- a/src/EventsProcessor/Dockerfile +++ b/src/EventsProcessor/Dockerfile @@ -1,20 +1,35 @@ +FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build +ARG TARGETPLATFORM +ARG BUILDPLATFORM +ENV PROJECT_NAME=EventsProcessor + +WORKDIR /build +COPY ../../ ./ + +WORKDIR /build/src/${PROJECT_NAME} + +RUN dotnet publish --self-contained /p:PublishSingleFile=true -o out + FROM mcr.microsoft.com/dotnet/aspnet:8.0 LABEL com.bitwarden.product="bitwarden" +ENV PROJECT_NAME=EventsProcessor + RUN apt-get update \ && apt-get install -y --no-install-recommends \ gosu \ curl \ && rm -rf /var/lib/apt/lists/* +ENV HOME=/home/app ENV ASPNETCORE_URLS http://+:5000 -WORKDIR /app -EXPOSE 5000 -COPY obj/build-output/publish . -COPY entrypoint.sh / -RUN chmod +x /entrypoint.sh +EXPOSE 5000 +WORKDIR /app +COPY --from=build /build/src/${PROJECT_NAME}/out /app +COPY ./src/${PROJECT_NAME}/entrypoint.sh /entrypoint.sh +RUN chmod +x /entrypoint.sh HEALTHCHECK CMD curl -f http://localhost:5000/alive || exit 1 -CMD ["./../entrypoint.sh"] +ENTRYPOINT ["/entrypoint.sh"] diff --git a/src/EventsProcessor/entrypoint.sh b/src/EventsProcessor/entrypoint.sh index 1119e19efc..e5e9432145 100644 --- a/src/EventsProcessor/entrypoint.sh +++ b/src/EventsProcessor/entrypoint.sh @@ -1,4 +1,6 @@ -#!/bin/bash +#!/usr/bin/env bash + +PROJECT_NAME="EventsProcessor" # Setup 
@@ -19,24 +21,31 @@ then LGID=65534 fi -# Create user and group +if [ "$(id -u)" = "0" ] +then + # Create user and group -groupadd -o -g $LGID $GROUPNAME >/dev/null 2>&1 || -groupmod -o -g $LGID $GROUPNAME >/dev/null 2>&1 -useradd -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 || -usermod -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 -mkhomedir_helper $USERNAME + groupadd -o -g $LGID $GROUPNAME >/dev/null 2>&1 || + groupmod -o -g $LGID $GROUPNAME >/dev/null 2>&1 + useradd -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 || + usermod -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 + mkhomedir_helper $USERNAME -# The rest... + # The rest... -chown -R $USERNAME:$GROUPNAME /app -mkdir -p /etc/bitwarden/logs -#mkdir -p /etc/bitwarden/ca-certificates -chown -R $USERNAME:$GROUPNAME /etc/bitwarden + chown -R $USERNAME:$GROUPNAME /app + mkdir -p /etc/bitwarden/logs + mkdir -p /etc/bitwarden/ca-certificates + chown -R $USERNAME:$GROUPNAME /etc/bitwarden -# if [[ $globalSettings__selfHosted == "true" ]]; then -# cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \ -# && update-ca-certificates -# fi + if [[ $globalSettings__selfHosted == "true" ]]; then + cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \ + && update-ca-certificates + fi -exec gosu $USERNAME:$GROUPNAME dotnet /app/EventsProcessor.dll + gosu_cmd="gosu $USERNAME:$GROUPNAME" +else + gosu_cmd="" +fi + +exec $gosu_cmd /app/"${PROJECT_NAME}" diff --git a/src/Icons/Dockerfile b/src/Icons/Dockerfile index 7c2f738289..bd4ebdd3dd 100644 --- a/src/Icons/Dockerfile +++ b/src/Icons/Dockerfile 
@@ -1,76 +1,35 @@ FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build ARG TARGETPLATFORM ARG BUILDPLATFORM -ARG PROJECT_NAME=Icons +ENV PROJECT_NAME=Icons WORKDIR /build COPY ../../ ./ WORKDIR /build/src/${PROJECT_NAME} -RUN </dev/null 2>&1 || -groupmod -o -g $LGID $GROUPNAME >/dev/null 2>&1 -useradd -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 || -usermod -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 -mkhomedir_helper $USERNAME + groupadd -o -g $LGID $GROUPNAME >/dev/null 2>&1 || + groupmod -o -g $LGID $GROUPNAME >/dev/null 2>&1 + useradd -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 || + usermod -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 + mkhomedir_helper $USERNAME -# The rest... + # The rest... -chown -R $USERNAME:$GROUPNAME /app -mkdir -p /etc/bitwarden/logs -mkdir -p /etc/bitwarden/ca-certificates -chown -R $USERNAME:$GROUPNAME /etc/bitwarden + chown -R $USERNAME:$GROUPNAME /app + mkdir -p /etc/bitwarden/core + mkdir -p /etc/bitwarden/logs + mkdir -p /etc/bitwarden/ca-certificates + chown -R $USERNAME:$GROUPNAME /etc/bitwarden -# if [[ $globalSettings__selfHosted == "true" ]]; then -# cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \ -# && update-ca-certificates -# fi + if [[ $globalSettings__selfHosted == "true" ]]; then + cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \ + && update-ca-certificates + fi -exec gosu $USERNAME:$GROUPNAME dotnet /app/Icons.dll + if [[ -f "/etc/bitwarden/kerberos/bitwarden.keytab" && -f "/etc/bitwarden/kerberos/krb5.conf" ]]; then + chown -R $USERNAME:$GROUPNAME /etc/bitwarden/kerberos + fi + + gosu_cmd="gosu $USERNAME:$GROUPNAME" +else + gosu_cmd="" +fi + +if [[ -f "/etc/bitwarden/kerberos/bitwarden.keytab" && -f "/etc/bitwarden/kerberos/krb5.conf" ]]; then + cp -f /etc/bitwarden/kerberos/krb5.conf /etc/krb5.conf + $gosu_cmd kinit $globalSettings__kerberosUser -k -t 
/etc/bitwarden/kerberos/bitwarden.keytab +fi + +exec $gosu_cmd /app/"${PROJECT_NAME}" diff --git a/src/Identity/Dockerfile b/src/Identity/Dockerfile index 3f6144bea7..c60d5b9dcd 100644 --- a/src/Identity/Dockerfile +++ b/src/Identity/Dockerfile 
@@ -1,53 +1,35 @@ FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build ARG TARGETPLATFORM ARG BUILDPLATFORM -ARG PROJECT_NAME=Identity +ENV PROJECT_NAME=Identity WORKDIR /build COPY ../../ ./ WORKDIR /build/src/${PROJECT_NAME} -RUN </dev/null 2>&1 || -groupmod -o -g $LGID $GROUPNAME >/dev/null 2>&1 -useradd -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 || -usermod -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 -mkhomedir_helper $USERNAME + groupadd -o -g $LGID $GROUPNAME >/dev/null 2>&1 || + groupmod -o -g $LGID $GROUPNAME >/dev/null 2>&1 + useradd -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 || + usermod -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 + mkhomedir_helper $USERNAME -# The rest... + # The rest... -mkdir -p /etc/bitwarden/identity -mkdir -p /etc/bitwarden/core -mkdir -p /etc/bitwarden/logs -mkdir -p /etc/bitwarden/ca-certificates -chown -R $USERNAME:$GROUPNAME /etc/bitwarden + chown -R $USERNAME:$GROUPNAME /app + mkdir -p /etc/bitwarden/core + mkdir -p /etc/bitwarden/logs + mkdir -p /etc/bitwarden/ca-certificates + chown -R $USERNAME:$GROUPNAME /etc/bitwarden -if [[ $globalSettings__selfHosted == "true" ]]; then - cp /etc/bitwarden/identity/identity.pfx /app/identity.pfx + if [[ $globalSettings__selfHosted == "true" ]]; then + cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \ + && update-ca-certificates + fi + + if [[ -f "/etc/bitwarden/kerberos/bitwarden.keytab" && -f "/etc/bitwarden/kerberos/krb5.conf" ]]; then + chown -R $USERNAME:$GROUPNAME /etc/bitwarden/kerberos + fi + + gosu_cmd="gosu $USERNAME:$GROUPNAME" +else + gosu_cmd="" fi -chown -R $USERNAME:$GROUPNAME /app - -# if [[ $globalSettings__selfHosted == "true" ]]; then -# cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \ -# && update-ca-certificates -# fi - if [[ -f "/etc/bitwarden/kerberos/bitwarden.keytab" && -f 
"/etc/bitwarden/kerberos/krb5.conf" ]]; then - chown -R $USERNAME:$GROUPNAME /etc/bitwarden/kerberos - cp -f /etc/bitwarden/kerberos/krb5.conf /etc/krb5.conf - gosu $USERNAME:$GROUPNAME kinit $globalSettings__kerberosUser -k -t /etc/bitwarden/kerberos/bitwarden.keytab + cp -f /etc/bitwarden/kerberos/krb5.conf /etc/krb5.conf + $gosu_cmd kinit $globalSettings__kerberosUser -k -t /etc/bitwarden/kerberos/bitwarden.keytab fi -exec gosu $USERNAME:$GROUPNAME dotnet /app/Identity.dll +if [[ $globalSettings__selfHosted == "true" ]]; then + cp /etc/bitwarden/identity/identity.pfx /app/identity.pfx || \ + if [[ -z $globalSettings__identityServer__certificateLocation ]]; then + export globalSettings__identityServer__certificateLocation=/home/app/config/identity.pfx + fi +fi + +exec $gosu_cmd /app/"${PROJECT_NAME}" diff --git a/src/Notifications/Dockerfile b/src/Notifications/Dockerfile index ae9e693c2a..6adff83230 100644 --- a/src/Notifications/Dockerfile +++ b/src/Notifications/Dockerfile @@ -1,20 +1,35 @@ +FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build +ARG TARGETPLATFORM +ARG BUILDPLATFORM +ENV PROJECT_NAME=Notifications + +WORKDIR /build +COPY ../../ ./ + +WORKDIR /build/src/${PROJECT_NAME} + +RUN dotnet publish --self-contained /p:PublishSingleFile=true -o out + FROM mcr.microsoft.com/dotnet/aspnet:8.0 LABEL com.bitwarden.product="bitwarden" +ENV PROJECT_NAME=Notifications + RUN apt-get update \ && apt-get install -y --no-install-recommends \ gosu \ curl \ + krb5-user \ && rm -rf /var/lib/apt/lists/* -ENV ASPNETCORE_URLS http://+:5000 -WORKDIR /app -EXPOSE 5000 -COPY obj/build-output/publish . -COPY entrypoint.sh / -RUN chmod +x /entrypoint.sh +ENV ASPNETCORE_URLS=http://+:5000 +EXPOSE 5000 +WORKDIR /app +COPY --from=build /build/src/${PROJECT_NAME}/out /app +COPY ./src/${PROJECT_NAME}/entrypoint.sh /entrypoint.sh +RUN chmod +x /entrypoint.sh HEALTHCHECK CMD curl -f http://localhost:5000/alive || exit 1 ENTRYPOINT ["/entrypoint.sh"] 
diff --git a/src/Notifications/entrypoint.sh b/src/Notifications/entrypoint.sh index 87f7bb9466..09f6e3b6af 100644 --- a/src/Notifications/entrypoint.sh +++ b/src/Notifications/entrypoint.sh @@ -1,4 +1,6 @@ -#!/bin/bash +#!/usr/bin/env bash + +PROJECT_NAME="Notifications" # Setup @@ -19,24 +21,32 @@ then LGID=65534 fi -# Create user and group +if [ "$(id -u)" = "0" ] +then + # Create user and group -groupadd -o -g $LGID $GROUPNAME >/dev/null 2>&1 || -groupmod -o -g $LGID $GROUPNAME >/dev/null 2>&1 -useradd -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 || -usermod -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 -mkhomedir_helper $USERNAME + groupadd -o -g $LGID $GROUPNAME >/dev/null 2>&1 || + groupmod -o -g $LGID $GROUPNAME >/dev/null 2>&1 + useradd -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 || + usermod -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 + mkhomedir_helper $USERNAME -# The rest... + # The rest... -chown -R $USERNAME:$GROUPNAME /app -mkdir -p /etc/bitwarden/logs -mkdir -p /etc/bitwarden/ca-certificates -chown -R $USERNAME:$GROUPNAME /etc/bitwarden + chown -R $USERNAME:$GROUPNAME /app + mkdir -p /etc/bitwarden/core + mkdir -p /etc/bitwarden/logs + mkdir -p /etc/bitwarden/ca-certificates + chown -R $USERNAME:$GROUPNAME /etc/bitwarden -# if [[ $globalSettings__selfHosted == "true" ]]; then -# cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \ -# && update-ca-certificates -# fi + if [[ $globalSettings__selfHosted == "true" ]]; then + cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \ + && update-ca-certificates + fi -exec gosu $USERNAME:$GROUPNAME dotnet /app/Notifications.dll + gosu_cmd="gosu $USERNAME:$GROUPNAME" +else + gosu_cmd="" +fi + +exec $gosu_cmd /app/"${PROJECT_NAME}" diff --git a/util/Attachments/Dockerfile b/util/Attachments/Dockerfile index d434ea8817..aef188e050 100644 
--- a/util/Attachments/Dockerfile +++ b/util/Attachments/Dockerfile @@ -1,13 +1,9 @@ -FROM bitwarden/server:latest as build +FROM bitwarden/server:latest AS build ARG TARGETPLATFORM ARG BUILDPLATFORM -ARG PROJECT_NAME=Attachments - -RUN mkdir -p {/storage/attachments,/bitwarden_server,/config} \ - && chown -R app:app {/storage/attachments,/bitwarden_server,/config} +ENV PROJECT_NAME=Attachments EXPOSE 5000 HEALTHCHECK CMD curl -f http://localhost:5000/alive || exit 1 -USER app -ENTRYPOINT ["/bitwarden_server/Server", "/contentRoot=/config/core/attachments", "/webRoot=.", "/serveUnknown=true"] +ENTRYPOINT ["/bitwarden_server/Server", "/contentRoot=/etc/bitwarden/core/attachments", "/webRoot=.", "/serveUnknown=true"] diff --git a/util/Attachments/entrypoint.sh b/util/Attachments/entrypoint.sh index 3b50472930..5a076a4076 100644 --- a/util/Attachments/entrypoint.sh +++ b/util/Attachments/entrypoint.sh @@ -1,4 +1,6 @@ -#!/bin/bash +#!/usr/bin/env bash + +PROJECT_NAME="Attachments" # Setup 
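Review bot: Removing `USER app` while keeping `ENTRYPOINT ["/bitwarden_server/Server", ...]` means the server runs as whatever user `bitwarden/server:latest` leaves active, which is root unless that base image sets a `USER`. The `entrypoint.sh` with its gosu privilege drop is not referenced by this Dockerfile, and the removed `RUN mkdir -p ... && chown -R app:app ...` was the only step here that prepared writable directories for an unprivileged user. Either keep `USER app` or make the script the entrypoint after copying it in, `ENTRYPOINT ["/entrypoint.sh"]`. The base is also pulled by the floating `:latest` tag, so the result depends on whichever server image was pushed last; a version tag or digest would make the build reproducible.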
@@ -19,19 +21,27 @@ then LGID=65534 fi -# Create user and group +if [ "$(id -u)" = "0" ] +then + # Create user and group -groupadd -o -g $LGID $GROUPNAME >/dev/null 2>&1 || -groupmod -o -g $LGID $GROUPNAME >/dev/null 2>&1 -useradd -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 || -usermod -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 -mkhomedir_helper $USERNAME + groupadd -o -g $LGID $GROUPNAME >/dev/null 2>&1 || + groupmod -o -g $LGID $GROUPNAME >/dev/null 2>&1 + useradd -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 || + usermod -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 + mkhomedir_helper $USERNAME -# The rest... + # The rest... -chown -R $USERNAME:$GROUPNAME /bitwarden_server -mkdir -p /etc/bitwarden/core/attachments -chown -R $USERNAME:$GROUPNAME /etc/bitwarden + chown -R $USERNAME:$GROUPNAME /bitwarden_server + mkdir -p /etc/bitwarden/core/attachments + chown -R $USERNAME:$GROUPNAME /etc/bitwarden + gosu_cmd="gosu $USERNAME:$GROUPNAME" +else + gosu_cmd="" +fi -exec gosu $USERNAME:$GROUPNAME dotnet /bitwarden_server/Server.dll \ - /contentRoot=/etc/bitwarden/core/attachments /webRoot=. /serveUnknown=true +exec $gosu_cmd /bitwarden_server/Server \ + /contentRoot=/etc/bitwarden/core/attachments \ + /webRoot=. \ + /serveUnknown=true diff --git a/util/Server/Dockerfile b/util/Server/Dockerfile index cc2037a685..c9b938642a 100644 --- a/util/Server/Dockerfile +++ b/util/Server/Dockerfile @@ -1,48 +1,29 @@ FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build ARG TARGETPLATFORM ARG BUILDPLATFORM -ARG PROJECT_NAME=Server +ENV PROJECT_NAME=Server WORKDIR /build COPY ../../ ./ WORKDIR /build/util/${PROJECT_NAME} -RUN <