diff --git a/.gitignore b/.gitignore
index c417acb09..d294bc091 100644
--- a/.gitignore
+++ b/.gitignore
@@ -71,3 +71,6 @@ tsconfig.tsbuildinfo
# Config Cache Directory
config/cache
+
+# Docker compose
+compose.override.yaml
diff --git a/charts/seerr-chart/README.md b/charts/seerr-chart/README.md
index 99ba534db..5f3824dbb 100644
--- a/charts/seerr-chart/README.md
+++ b/charts/seerr-chart/README.md
@@ -28,7 +28,7 @@ Refer to [https://docs.seerr.dev/getting-started/kubernetes](Seerr kubernetes do
### Updating to 3.0.0
-Nothing has changed; we just rebranded the `jellyseerr` Helm chart to `seerr` 🥳.
+Nothing has changed; we just rebranded the `jellyseerr` Helm chart to `seerr` 🥳 refer to our [Migration guide](https://docs.seerr.dev/migration-guide).
### Updating to 2.7.0
@@ -70,12 +70,20 @@ If `replicaCount` value was used - remove it. Helm update should work fine after
| nodeSelector | object | `{}` | |
| podAnnotations | object | `{}` | |
| podLabels | object | `{}` | |
-| podSecurityContext | object | `{}` | |
+| podSecurityContext.fsGroup | int | `1000` | |
+| podSecurityContext.fsGroupChangePolicy | string | `"OnRootMismatch"` | |
| probes.livenessProbe | object | `{}` | Configure liveness probe |
| probes.readinessProbe | object | `{}` | Configure readiness probe |
| probes.startupProbe | string | `nil` | Configure startup probe |
| resources | object | `{}` | |
-| securityContext | object | `{}` | |
+| securityContext.allowPrivilegeEscalation | bool | `false` | |
+| securityContext.capabilities.drop[0] | string | `"ALL"` | |
+| securityContext.privileged | bool | `false` | |
+| securityContext.readOnlyRootFilesystem | bool | `false` | |
+| securityContext.runAsGroup | int | `1000` | |
+| securityContext.runAsNonRoot | bool | `true` | |
+| securityContext.runAsUser | int | `1000` | |
+| securityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
| service.port | int | `80` | |
| service.type | string | `"ClusterIP"` | |
| serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
diff --git a/charts/seerr-chart/README.md.gotmpl b/charts/seerr-chart/README.md.gotmpl
index 15a45b064..4fe0e2868 100644
--- a/charts/seerr-chart/README.md.gotmpl
+++ b/charts/seerr-chart/README.md.gotmpl
@@ -22,7 +22,7 @@ Refer to [https://docs.seerr.dev/getting-started/kubernetes](Seerr kubernetes do
### Updating to 3.0.0
-Nothing has changed; we just rebranded the `jellyseerr` Helm chart to `seerr` 🥳.
+Nothing has changed; we just rebranded the `jellyseerr` Helm chart to `seerr` 🥳 refer to our [Migration guide](https://docs.seerr.dev/migration-guide).
### Updating to 2.7.0
diff --git a/charts/seerr-chart/values.yaml b/charts/seerr-chart/values.yaml
index ff358da38..a4f480085 100644
--- a/charts/seerr-chart/values.yaml
+++ b/charts/seerr-chart/values.yaml
@@ -50,16 +50,22 @@ serviceAccount:
podAnnotations: {}
podLabels: {}
-podSecurityContext: {}
-# fsGroup: 2000
+podSecurityContext:
+ fsGroup: 1000
+ fsGroupChangePolicy: OnRootMismatch
-securityContext: {}
-# capabilities:
-# drop:
-# - ALL
-# readOnlyRootFilesystem: true
-# runAsNonRoot: true
-# runAsUser: 1000
+securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: false
+ runAsNonRoot: true
+ privileged: false
+ runAsUser: 1000
+ runAsGroup: 1000
+ seccompProfile:
+ type: RuntimeDefault
service:
type: ClusterIP
diff --git a/docs/migration-guide.mdx b/docs/migration-guide.mdx
new file mode 100644
index 000000000..caefaf446
--- /dev/null
+++ b/docs/migration-guide.mdx
@@ -0,0 +1,168 @@
+---
+title: Migration guide
+---
+
+import Tabs from '@theme/Tabs';
+import TabItem from '@theme/TabItem';
+
+Whether you come from Overseerr or Jellyseerr, you don't need to perform any manual migration steps, your instance will automatically be migrated to Seerr.
+This migration will run automatically the first time you start your instance using the Seerr codebase (Docker image or source build or Kubernetes, etc.).
+An additional migration will happen for Overseerr users, to migrate their configuration to the new codebase.
+
+:::warning
+Before doing anything you should backup your existing instance so that you can rollback in case something goes wrong.
+See [Backups](/using-seerr/backups) for details on how to properly backup your instance.
+:::
+
+## Docker
+Refer to [Seerr Docker Documentation](/getting-started/docker), all of our examples have been updated to reflect the below change.
+
+Changes :
+- Renamed all references from `overseerr` or `jellyseerr` to `seerr`.
+- The container image reference has been updated.
+- The container can now be run as a non-root user (`node` user); remove the `user` directive if you have configured it.
+- The container no longer provides an init process, so you must configure it by adding `init: true` for Docker Compose or `--init` for the Docker CLI.
+
+:::info
+**Config folder permissions**: Since the container now runs as the `node` user (UID 1000), you must ensure your config folder has the correct permissions. The `node` user must have read and write access to the `/app/config` directory.
+
+If you're migrating from a previous installation, you may need to update the ownership of your config folder:
+```bash
+sudo chown -R 1000:1000 /path/to/appdata/config
+```
+
+This ensures the `node` user (UID 1000) owns the config directory and can read and write to it.
+:::
+
+### Unix
+
+Summary of changes :
+
+
+ ```yaml {3-6}
+ ---
+ services:
+ seerr:
+ image: ghcr.io/seerr-team/seerr:latest
+ init: true
+ container_name: seerr
+ environment:
+ - LOG_LEVEL=debug
+ - TZ=Asia/Tashkent
+ - PORT=5055 #optional
+ ports:
+ - 5055:5055
+ volumes:
+ - /path/to/appdata/config:/app/config
+ healthcheck:
+ test: wget --no-verbose --tries=1 --spider http://localhost:5055/api/v1/status || exit 1
+ start_period: 20s
+ timeout: 3s
+ interval: 15s
+ retries: 3
+ restart: unless-stopped
+ ```
+
+
+ ```bash {2-3,10}
+ docker run -d \
+ --name seerr \
+ --init \
+ -e LOG_LEVEL=debug \
+ -e TZ=Asia/Tashkent \
+ -e PORT=5055 \
+ -p 5055:5055 \
+ -v /path/to/appdata/config:/app/config \
+ --restart unless-stopped \
+ ghcr.io/seerr-team/seerr:latest
+ ```
+
+
+
+### Windows
+Summary of changes :
+
+
+ ```yaml {3-6,13,23}
+ ---
+ services:
+ seerr:
+ image: ghcr.io/seerr-team/seerr:latest
+ init: true
+ container_name: seerr
+ environment:
+ - LOG_LEVEL=debug
+ - TZ=Asia/Tashkent
+ ports:
+ - 5055:5055
+ volumes:
+ - seerr-data:/app/config
+ healthcheck:
+ test: wget --no-verbose --tries=1 --spider http://localhost:5055/api/v1/status || exit 1
+ start_period: 20s
+ timeout: 3s
+ interval: 15s
+ retries: 3
+ restart: unless-stopped
+
+ volumes:
+ seerr-data:
+ external: true
+ ```
+
+
+ ```bash {2-3,8,10}
+ docker run -d \
+ --name seerr \
+ --init \
+ -e LOG_LEVEL=debug \
+ -e TZ=Asia/Tashkent \
+ -e PORT=5055 \
+ -p 5055:5055 \
+ -v seerr-data:/app/config \
+ --restart unless-stopped \
+ ghcr.io/seerr-team/seerr:latest
+ ```
+
+
+
+## Kubernetes
+Refer to [Seerr Kubernetes Documentation](/getting-started/kubernetes), all of our examples have been updated to reflect the below change.
+
+Changes :
+- All references to `jellyseerr` have been renamed to `seerr` in the manifests.
+- The container image reference has been updated.
+- The default `securityContext` and `podSecurityContext` have been updated to support running the container without root permissions.
+
+Summary of changes :
+
+
+ ```yaml
+ image:
+ repository: fallenbagel/jellyseerr
+ podSecurityContext: {}
+ securityContext: {}
+ ```
+
+
+ ```yaml
+ image:
+ repository: seerr-team/seerr
+ podSecurityContext:
+ fsGroup: 1000
+ fsGroupChangePolicy: OnRootMismatch
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: false
+ runAsNonRoot: true
+ privileged: false
+ runAsUser: 1000
+ runAsGroup: 1000
+ seccompProfile:
+ type: RuntimeDefault
+ ```
+
+