diff --git a/.dockerignore b/.dockerignore
index 9f4da1e..5c78c3c 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -3,6 +3,7 @@
 
 # Don't track cargo generated files
 target/*
+server/target/*
 app/target/*
 auth/target/*
 
diff --git a/.gitignore b/.gitignore
index a11fe10..a8d24dd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,7 @@
 # Generated by Cargo
 # will have compiled files and executables
-/target/
+/target
+/serve/target/
 /app/target
 /app/pkg
 /auth/target
diff --git a/Cargo.toml b/Cargo.toml
index f6b01de..ee52c0c 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,78 +1,6 @@
 [workspace]
-members = [".", "auth", "app"]
-
-[package]
-authors = ["Valentin Tolmer <valentin@tolmer.fr>", "Steve Barrau <steve.barrau@gmail.com>", "Thomas Wickham <mackwic@gmail.com>"]
-edition = "2018"
-name = "lldap"
-version = "0.1.0"
-
-[dependencies]
-actix = "0.12"
-actix-files = "0.6.0-beta.6"
-actix-http = "3.0.0-beta.9"
-actix-rt = "2.2.0"
-actix-server = "2.0.0-beta.5"
-actix-service = "2.0.0"
-actix-web = "4.0.0-beta.8"
-actix-web-httpauth = "0.6.0-beta.2"
-anyhow = "*"
-async-trait = "0.1"
-base64 = "0.13"
-bincode = "1.3"
-chrono = { version = "*", features = [ "serde" ]}
-clap = "3.0.0-beta.2"
-cron = "*"
-derive_builder = "0.10.2"
-futures = "*"
-futures-util = "*"
-hmac = "0.10"
-http = "*"
-jwt = "0.13"
-ldap3_server = "*"
-lldap_auth = { path = "auth" }
-log = "*"
-orion = "0.16"
-serde = "*"
-serde_json = "1"
-sha2 = "0.9"
-sqlx-core = "=0.5.1"
-thiserror = "*"
-time = "0.2"
-tokio = { version = "1.2.0", features = ["full"] }
-tokio-util = "0.6.3"
-tracing = "*"
-tracing-actix-web = "0.4.0-beta.7"
-tracing-log = "*"
-tracing-subscriber = "*"
-rand = { version = "0.8", features = ["small_rng", "getrandom"] }
-juniper_actix = "0.4.0"
-juniper = "0.15.6"
-
-# TODO: update to 0.6 when out.
-[dependencies.opaque-ke]
-git = "https://github.com/novifinancial/opaque-ke"
-rev = "eb59676a940b15f77871aefe1e46d7b5bf85f40a"
-
-[dependencies.sqlx]
-version = "0.5.1"
-features = [
-  "any",
-  "chrono",
-  "macros",
-  "mysql",
-  "postgres",
-  "runtime-actix-native-tls",
-  "sqlite",
+members = [
+  "server",
+  "auth",
+  "app"
 ]
-
-[dependencies.sea-query]
-version = "0.9.4"
-features = ["with-chrono"]
-
-[dependencies.figment]
-features = ["env", "toml"]
-version = "*"
-
-[dev-dependencies]
-mockall = "0.9.1"
diff --git a/Dockerfile b/Dockerfile
index 3428f7e..e24a40d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -12,7 +12,7 @@ RUN set -x \
         app
 RUN set -x \
     # Install required packages
-    && apk add npm openssl-dev musl-dev
+    && apk add npm openssl-dev musl-dev make perl
 USER app
 WORKDIR /app
 RUN set -x \
@@ -21,7 +21,7 @@ RUN set -x \
     && npm install rollup
 # Build
 COPY --chown=app:app . /app
-RUN cargo build --release
+RUN cargo build --release -p lldap
 # TODO: release mode.
 RUN ./app/build.sh
 
diff --git a/README.md b/README.md
index 694030a..2f5526b 100644
--- a/README.md
+++ b/README.md
@@ -28,7 +28,8 @@ Backend:
   * Only a small, read-only subset of the LDAP protocol is supported.
 * Listens on another port for HTTP traffic.
   * The authentication API, based on JWTs, is under "/auth".
-  * The user management API is under "/api" (POST requests only).
+  * The user management API is a GraphQL API under "/api/graphql". The schema
+    is defined in `schema.graphql`.
   * The static frontend files are served by this port too.
 
 Note that secure protocols (LDAPS, HTTPS) are currently not supported. This can
@@ -53,9 +54,9 @@ Data storage:
   interface between front and back-end. In particular, it contains the OPAQUE
   structures and the JWT format.
 * `app/`: The frontend.
-* `src/`: The backend.
-  * `domain/`: Domain-specific logic: users, groups, checking passwords...
-  * `infra/`: API, both GraphQL and LDAP
+* `server/`: The backend.
+  * `src/domain/`: Domain-specific logic: users, groups, checking passwords...
+  * `src/infra/`: API, both GraphQL and LDAP
 
 ## Authentication
 
@@ -98,8 +99,7 @@ Contributions are welcome! Just fork and open a PR. Or just file a bug.
 We don't have a code of conduct, just be respectful and remember that it's just
 normal people doing this for free on their free time.
 
-Make sure that you run `cargo fmt` in each crate that you modified (top-level,
-`app/` and `auth/`) before creating the PR.
+Make sure that you run `cargo fmt` from the root before creating the PR.
 
 ### Setup
 
diff --git a/server/Cargo.toml b/server/Cargo.toml
new file mode 100644
index 0000000..4d0de19
--- /dev/null
+++ b/server/Cargo.toml
@@ -0,0 +1,75 @@
+[package]
+authors = ["Valentin Tolmer <valentin@tolmer.fr>", "Steve Barrau <steve.barrau@gmail.com>", "Thomas Wickham <mackwic@gmail.com>"]
+edition = "2018"
+name = "lldap"
+version = "0.1.0"
+
+[dependencies]
+actix = "0.12"
+actix-files = "0.6.0-beta.6"
+actix-http = "3.0.0-beta.9"
+actix-rt = "2.2.0"
+actix-server = "2.0.0-beta.5"
+actix-service = "2.0.0"
+actix-web = "4.0.0-beta.8"
+actix-web-httpauth = "0.6.0-beta.2"
+anyhow = "*"
+async-trait = "0.1"
+base64 = "0.13"
+bincode = "1.3"
+chrono = { version = "*", features = [ "serde" ]}
+clap = "3.0.0-beta.2"
+cron = "*"
+derive_builder = "0.10.2"
+futures = "*"
+futures-util = "*"
+hmac = "0.10"
+http = "*"
+jwt = "0.13"
+ldap3_server = "*"
+lldap_auth = { path = "../auth" }
+log = "*"
+orion = "0.16"
+serde = "*"
+serde_json = "1"
+sha2 = "0.9"
+sqlx-core = "=0.5.1"
+thiserror = "*"
+time = "0.2"
+tokio = { version = "1.2.0", features = ["full"] }
+tokio-util = "0.6.3"
+tracing = "*"
+tracing-actix-web = "0.4.0-beta.7"
+tracing-log = "*"
+tracing-subscriber = "*"
+rand = { version = "0.8", features = ["small_rng", "getrandom"] }
+juniper_actix = "0.4.0"
+juniper = "0.15.6"
+
+# TODO: update to 0.6 when out.
+[dependencies.opaque-ke]
+git = "https://github.com/novifinancial/opaque-ke"
+rev = "eb59676a940b15f77871aefe1e46d7b5bf85f40a"
+
+[dependencies.sqlx]
+version = "0.5.1"
+features = [
+  "any",
+  "chrono",
+  "macros",
+  "mysql",
+  "postgres",
+  "runtime-actix-native-tls",
+  "sqlite",
+]
+
+[dependencies.sea-query]
+version = "0.9.4"
+features = ["with-chrono"]
+
+[dependencies.figment]
+features = ["env", "toml"]
+version = "*"
+
+[dev-dependencies]
+mockall = "0.9.1"
diff --git a/src/domain/error.rs b/server/src/domain/error.rs
similarity index 100%
rename from src/domain/error.rs
rename to server/src/domain/error.rs
diff --git a/src/domain/handler.rs b/server/src/domain/handler.rs
similarity index 100%
rename from src/domain/handler.rs
rename to server/src/domain/handler.rs
diff --git a/src/domain/mod.rs b/server/src/domain/mod.rs
similarity index 100%
rename from src/domain/mod.rs
rename to server/src/domain/mod.rs
diff --git a/src/domain/opaque_handler.rs b/server/src/domain/opaque_handler.rs
similarity index 100%
rename from src/domain/opaque_handler.rs
rename to server/src/domain/opaque_handler.rs
diff --git a/src/domain/sql_backend_handler.rs b/server/src/domain/sql_backend_handler.rs
similarity index 100%
rename from src/domain/sql_backend_handler.rs
rename to server/src/domain/sql_backend_handler.rs
diff --git a/src/domain/sql_opaque_handler.rs b/server/src/domain/sql_opaque_handler.rs
similarity index 100%
rename from src/domain/sql_opaque_handler.rs
rename to server/src/domain/sql_opaque_handler.rs
diff --git a/src/domain/sql_tables.rs b/server/src/domain/sql_tables.rs
similarity index 100%
rename from src/domain/sql_tables.rs
rename to server/src/domain/sql_tables.rs
diff --git a/src/infra/auth_service.rs b/server/src/infra/auth_service.rs
similarity index 100%
rename from src/infra/auth_service.rs
rename to server/src/infra/auth_service.rs
diff --git a/src/infra/cli.rs b/server/src/infra/cli.rs
similarity index 100%
rename from src/infra/cli.rs
rename to server/src/infra/cli.rs
diff --git a/src/infra/configuration.rs b/server/src/infra/configuration.rs
similarity index 100%
rename from src/infra/configuration.rs
rename to server/src/infra/configuration.rs
diff --git a/src/infra/db_cleaner.rs b/server/src/infra/db_cleaner.rs
similarity index 100%
rename from src/infra/db_cleaner.rs
rename to server/src/infra/db_cleaner.rs
diff --git a/src/infra/graphql/api.rs b/server/src/infra/graphql/api.rs
similarity index 100%
rename from src/infra/graphql/api.rs
rename to server/src/infra/graphql/api.rs
diff --git a/src/infra/graphql/mod.rs b/server/src/infra/graphql/mod.rs
similarity index 100%
rename from src/infra/graphql/mod.rs
rename to server/src/infra/graphql/mod.rs
diff --git a/src/infra/graphql/mutation.rs b/server/src/infra/graphql/mutation.rs
similarity index 100%
rename from src/infra/graphql/mutation.rs
rename to server/src/infra/graphql/mutation.rs
diff --git a/src/infra/graphql/query.rs b/server/src/infra/graphql/query.rs
similarity index 100%
rename from src/infra/graphql/query.rs
rename to server/src/infra/graphql/query.rs
diff --git a/src/infra/jwt_sql_tables.rs b/server/src/infra/jwt_sql_tables.rs
similarity index 100%
rename from src/infra/jwt_sql_tables.rs
rename to server/src/infra/jwt_sql_tables.rs
diff --git a/src/infra/ldap_handler.rs b/server/src/infra/ldap_handler.rs
similarity index 100%
rename from src/infra/ldap_handler.rs
rename to server/src/infra/ldap_handler.rs
diff --git a/src/infra/ldap_server.rs b/server/src/infra/ldap_server.rs
similarity index 100%
rename from src/infra/ldap_server.rs
rename to server/src/infra/ldap_server.rs
diff --git a/src/infra/logging.rs b/server/src/infra/logging.rs
similarity index 100%
rename from src/infra/logging.rs
rename to server/src/infra/logging.rs
diff --git a/src/infra/mod.rs b/server/src/infra/mod.rs
similarity index 100%
rename from src/infra/mod.rs
rename to server/src/infra/mod.rs
diff --git a/src/infra/sql_backend_handler.rs b/server/src/infra/sql_backend_handler.rs
similarity index 100%
rename from src/infra/sql_backend_handler.rs
rename to server/src/infra/sql_backend_handler.rs
diff --git a/src/infra/tcp_backend_handler.rs b/server/src/infra/tcp_backend_handler.rs
similarity index 100%
rename from src/infra/tcp_backend_handler.rs
rename to server/src/infra/tcp_backend_handler.rs
diff --git a/src/infra/tcp_server.rs b/server/src/infra/tcp_server.rs
similarity index 96%
rename from src/infra/tcp_server.rs
rename to server/src/infra/tcp_server.rs
index 9476746..216e93b 100644
--- a/src/infra/tcp_server.rs
+++ b/server/src/infra/tcp_server.rs
@@ -20,7 +20,7 @@ use std::sync::RwLock;
 
 async fn index(req: HttpRequest) -> actix_web::Result<NamedFile> {
     let mut path = PathBuf::new();
-    path.push("app");
+    path.push("../app");
     let file = req.match_info().query("filename");
     path.push(if file.is_empty() { "index.html" } else { file });
     Ok(NamedFile::open(path)?)
@@ -120,7 +120,7 @@ mod tests {
     async fn test_index_ok() {
         let req = TestRequest::default().to_http_request();
         let resp = index(req).await.unwrap();
-        assert_eq!(resp.path(), Path::new("app/index.html"));
+        assert_eq!(resp.path(), Path::new("../app/index.html"));
     }
 
     #[actix_rt::test]
@@ -129,6 +129,6 @@ mod tests {
             .param("filename", "main.js")
             .to_http_request();
         let resp = index(req).await.unwrap();
-        assert_eq!(resp.path(), Path::new("app/main.js"));
+        assert_eq!(resp.path(), Path::new("../app/main.js"));
     }
 }
diff --git a/src/main.rs b/server/src/main.rs
similarity index 100%
rename from src/main.rs
rename to server/src/main.rs