diff --git a/Dockerfile b/base/Dockerfile similarity index 98% rename from Dockerfile rename to base/Dockerfile index 483011e..4cfe2b4 100644 --- a/Dockerfile +++ b/base/Dockerfile @@ -39,6 +39,7 @@ RUN set -x ; \ cd /srv && \ curl -s -o ledgersmb-installer -L https://get.ledgersmb.org/ledgersmb-installer && \ ARTIFACT_LOCATION="$ARTIFACT_PATH" perl ledgersmb-installer install --yes --log-level=trace $LSMB_VERSION && \ + mv /srv/ledgersmb/server-start /usr/local/bin/run.sh && \ rm -rf ~/.cpanm/ /var/lib/apt/lists/* /usr/share/man/* WORKDIR /srv/ledgersmb @@ -66,7 +67,6 @@ ENV DEFAULT_DB=lsmb COPY start.sh /usr/local/bin/start.sh COPY config.sh /usr/local/bin/config.sh -COPY run.sh /usr/local/bin/run.sh RUN chmod +x /usr/local/bin/start.sh /usr/local/bin/config.sh /usr/local/bin/run.sh && \ mkdir -p /var/www && \ diff --git a/config.sh b/base/config.sh similarity index 100% rename from config.sh rename to base/config.sh diff --git a/docker-compose-reverseproxy.yml b/base/docker-compose-reverseproxy.yml similarity index 100% rename from docker-compose-reverseproxy.yml rename to base/docker-compose-reverseproxy.yml diff --git a/docker-compose.yml b/base/docker-compose.yml similarity index 100% rename from docker-compose.yml rename to base/docker-compose.yml diff --git a/nginx.conf b/base/nginx.conf similarity index 100% rename from nginx.conf rename to base/nginx.conf diff --git a/start.sh b/base/start.sh similarity index 100% rename from start.sh rename to base/start.sh diff --git a/build b/build index 59c2989..4e19453 100755 --- a/build +++ b/build 
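Review bot: The added `mv /srv/ledgersmb/server-start /usr/local/bin/run.sh` makes the image's start script a file laid down by the installer, and the context lines above it fetch that installer with `curl -s -o ledgersmb-installer -L …` and run it through `perl` with no integrity check. Without `-f`, an HTTP error body would be saved and executed as well. I would fetch with `curl -fsSL -o ledgersmb-installer https://get.ledgersmb.org/ledgersmb-installer` and verify a pinned digest before running it, e.g. `echo "<expected-sha256>  ledgersmb-installer" | sha256sum -c -`. The deleted `run.sh` bound starman to `0.0.0.0:5762`; what `server-start` listens on is not visible here and should be confirmed against the `proxy_pass http://127.0.0.1:5762` in proxy/nginx.conf. The `RUN` block starts above this hunk.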
@@ -6,9 +6,19 @@ ${DOCKER:-docker} buildx build \
 --progress plain \
 --platform ${PLATFORM:-linux/amd64,linux/arm64,linux/arm/v7} \
 --build-arg "ARTIFACT_PATH=$ARTIFACT_PATH" \
+ -t ledgersmb/ledgersmb:$BRANCH-base \
+ -t ledgersmb/ledgersmb:$VERSION-base \
+ -t ghcr.io/ledgersmb/ledgersmb:$BRANCH-base \
+ -t ghcr.io/ledgersmb/ledgersmb:$VERSION-base \
+ ${SET_LATEST_TAG:+ -t ledgersmb/ledgersmb:latest-base -t ghcr.io/ledgersmb/ledgersmb:latest-base} \
+ --push base/
+
+${DOCKER:-docker} buildx build \
+ --progress plain \
+ --platform ${PLATFORM:-linux/amd64,linux/arm64,linux/arm/v7} \
 -t ledgersmb/ledgersmb:$BRANCH \
 -t ledgersmb/ledgersmb:$VERSION \
 -t ghcr.io/ledgersmb/ledgersmb:$BRANCH \
 -t ghcr.io/ledgersmb/ledgersmb:$VERSION \
 ${SET_LATEST_TAG:+ -t ledgersmb/ledgersmb:latest -t ghcr.io/ledgersmb/ledgersmb:latest} \
- --push .
+ --push proxy/
diff --git a/proxy/Dockerfile b/proxy/Dockerfile
new file mode 100644
index 0000000..ee0a89e
--- /dev/null
+++ b/proxy/Dockerfile
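Review bot: The second `buildx build` (context `proxy/`) passes no `--build-arg`, so `FROM ledgersmb/ledgersmb:$LSMB_VERSION` in proxy/Dockerfile falls back to its default `1.13.0-beta1` instead of the `$VERSION-base` image the first invocation has just pushed. As written, the published `$VERSION` image is layered on whatever the registry currently serves under that mutable tag, not on the base built in this run. Assuming `$VERSION` is the release being built, adding `--build-arg "LSMB_VERSION=$VERSION-base" \` to the second invocation would tie the two stages together. The `$BRANCH` and `$VERSION` expansions in the `-t` arguments are also unquoted and would word-split on an unexpected value. The start of the first command lies above this hunk.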
@@ -0,0 +1,47 @@
+# Install LedgerSMB version
+ARG LSMB_VERSION=1.13.0-beta1
+# Install s6-overlay
+ARG S6_OVERLAY_VERSION=3.2.0.2
+
+FROM ledgersmb/ledgersmb:$LSMB_VERSION
+
+# Repeat args if we still want to use them
+ARG LSMB_VERSION
+ARG S6_OVERLAY_VERSION
+
+# Install nginx and other dependencies
+USER root
+RUN set -x && \
+ DEBIAN_FRONTEND=noninteractive apt-get update -y && \
+ DEBIAN_FRONTEND=noninteractive apt-get dist-upgrade -y && \
+ DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends nginx wget xz-utils && \
+ mkdir -p /var/lib/nginx/body /var/cache/nginx && \
+ DEBIAN_FRONTEND=noninteractive apt-get autoremove -q -y && \
+ DEBIAN_FRONTEND=noninteractive apt-get clean -q && \
+ ARCH="$(case "$(dpkg --print-architecture)" in armv7*) echo "armhf" ;; arm64) echo "aarch64" ;; amd64) echo "x86_64" ;; *) exit 1 ;; esac)" && \
+ wget -O /tmp/s6-overlay-noarch.tar.xz https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-noarch.tar.xz && \
+ wget -O /tmp/s6-overlay-noarch.tar.xz.sha256 https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-noarch.tar.xz.sha256 && \
+ wget -O /tmp/s6-overlay-${ARCH}.tar.xz https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-${ARCH}.tar.xz && \
+ wget -O /tmp/s6-overlay-${ARCH}.tar.xz.sha256 https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-${ARCH}.tar.xz.sha256 && \
+ wget -O /tmp/s6-overlay-symlinks-noarch.tar.xz https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-symlinks-noarch.tar.xz && \
+ wget -O /tmp/s6-overlay-symlinks-noarch.tar.xz.sha256 https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-symlinks-noarch.tar.xz.sha256 && \
+ cd /tmp && \
+ sha256sum -c *.sha256 && \
+ tar -C / -Jxpf /tmp/s6-overlay-noarch.tar.xz && \
+ tar -C / -Jxpf /tmp/s6-overlay-${ARCH}.tar.xz && \
+ tar -C / -Jxpf /tmp/s6-overlay-symlinks-noarch.tar.xz && \
+ rm -rf ~/.cpanm/ /var/lib/apt/lists/* /usr/share/man/* /usr/share/doc/* /tmp/s6-overlay-*.tar.xz*
+
+COPY nginx.conf /etc/nginx/nginx.conf
+
+# Configure nginx and starman with s6
+COPY services/starman/run /etc/services.d/starman/run
+COPY services/nginx/run /etc/services.d/nginx/run
+COPY scripts/ledgersmb_config /etc/s6-overlay/s6-rc.d/ledgersmb_config
+
+RUN chmod +x /etc/services.d/starman/run /etc/services.d/nginx/run /etc/s6-overlay/s6-rc.d/ledgersmb_config/up && \
+ touch /etc/s6-overlay/s6-rc.d/user/contents.d/ledgersmb_config
+
+EXPOSE 80
+
+ENTRYPOINT ["/init"]
diff --git a/proxy/nginx.conf b/proxy/nginx.conf
new file mode 100644
index 0000000..a8f5cc6
--- /dev/null
+++ b/proxy/nginx.conf
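Review bot: `sha256sum -c *.sha256` checks each s6-overlay archive against a `.sha256` file downloaded from the same release URL, so it detects a damaged download but not a replaced release asset. Keeping the expected digests in the Dockerfile next to `S6_OVERLAY_VERSION` and checking with something like `echo "<expected-sha256>  /tmp/s6-overlay-noarch.tar.xz" | sha256sum -c -` (one value per archive, the arch-specific one selected in the existing `case`) would make the check independent of the download host. Separately, as far as I know `dpkg --print-architecture` reports `armhf` on 32-bit ARM Debian, so the `armv7*)` arm would not match and the `linux/arm/v7` build from the `build` script would stop at `exit 1`; `armhf) echo "armhf" ;;` looks like the intended pattern. A short comment above the `ARCH=` line saying it maps Debian architecture names to s6-overlay asset names would help the next reader.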
@@ -0,0 +1,74 @@
+# This is a full (minimal) nginx configuration file
+
+error_log /dev/stderr info;
+pid /tmp/nginx.pid;
+worker_processes 1;
+user www-data;
+
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ client_body_temp_path /tmp/client_body;
+ proxy_temp_path /tmp/proxy_temp;
+ fastcgi_temp_path /tmp/fastcgi_temp;
+ scgi_temp_path /tmp/scgi_temp;
+ uwsgi_temp_path /tmp/uwsgi_temp;
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ access_log /dev/stdout;
+ error_log /dev/stderr info;
+
+ gzip off;
+ gzip_static on;
+
+ server {
+ listen 80 default_server;
+ listen [::]:80 default_server ipv6only=on;
+
+ root /srv/ledgersmb/UI;
+
+ access_log /dev/stdout;
+ error_log /dev/stderr info;
+
+ # Configuration files don't exist
+ location ^~ \.conf$ {
+ return 404;
+ }
+
+ # 'Hidden' files don't exist
+ location ~ /\. {
+ return 404;
+ }
+
+ location = / {
+ return 301 login.pl;
+ }
+
+ # JS & CSS
+ location ~* \.(js|css)$ {
+ add_header Pragma "public";
+ add_header Cache-Control "public, must-revalidate, proxy-revalidate"; # Production
+ expires 7d; # Indicate that the resource can be cached for 1 week # Production
+ try_files $uri =404;
+ }
+
+ location / {
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_read_timeout 300;
+ proxy_pass http://127.0.0.1:5762;
+ }
+ }
+}
diff --git a/proxy/scripts/ledgersmb_config/type b/proxy/scripts/ledgersmb_config/type
new file mode 100644
index 0000000..bdd22a1
--- /dev/null
+++ b/proxy/scripts/ledgersmb_config/type
@@ -0,0 +1 @@
+oneshot
diff --git a/proxy/scripts/ledgersmb_config/up b/proxy/scripts/ledgersmb_config/up
new file mode 100644
index 0000000..b6603bc
--- /dev/null
+++ b/proxy/scripts/ledgersmb_config/up
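Review bot: In proxy/nginx.conf, `location ^~ \.conf$` can never match a request, because `^~` declares a prefix location and `\.conf$` is then read as a literal path prefix rather than a regular expression. The "Configuration files don't exist" rule is therefore dead, and such requests fall through to the `location /` proxy block. `location ~ \.conf$ {` gives the intended match, and as the first regex location in the server block it would be evaluated before the others. A request for a path ending in `.conf` that returns 404 directly from nginx would confirm it.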
@@ -0,0 +1,3 @@
+foreground { echo "Running config..." }
+
+/usr/local/bin/config.sh
diff --git a/proxy/services/nginx/run b/proxy/services/nginx/run
new file mode 100644
index 0000000..edbd1c8
--- /dev/null
+++ b/proxy/services/nginx/run
@@ -0,0 +1,3 @@
+#!/usr/bin/with-contenv /bin/bash
+
+exec nginx -g "daemon off;"
diff --git a/proxy/services/starman/run b/proxy/services/starman/run
new file mode 100644
index 0000000..44218a0
--- /dev/null
+++ b/proxy/services/starman/run
@@ -0,0 +1,3 @@
+#!/usr/bin/with-contenv /bin/bash
+
+s6-setuidgid www-data /usr/local/bin/run.sh
diff --git a/run.sh b/run.sh
deleted file mode 100755
index d76c8d9..0000000
--- a/run.sh
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/bin/bash
-
-cd /srv/ledgersmb
-
-# ':5762:' suppresses an uninitialized variable warning in starman
-# the last colon means "don't connect using tls"; without it, there's a warning
-exec starman --listen 0.0.0.0:5762 --workers ${LSMB_WORKERS:-5} \
- -I lib -I old/lib \
- --preload-app bin/ledgersmb-server.psgi
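Review bot: proxy/services/starman/run launches the server without `exec`, so bash may remain the supervised process and the signals s6 sends on stop or restart would reach the shell rather than starman. proxy/services/nginx/run already uses `exec`, and the two run scripts should agree: `exec s6-setuidgid www-data /usr/local/bin/run.sh`. A one-line comment such as `# drop from root to www-data before starting the app server` would record why the privilege change happens here and not in the Dockerfile.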