diff --git a/packer/provision.bash b/packer/provision.bash
index 5aa6a5c..477c262 100644
--- a/packer/provision.bash
+++ b/packer/provision.bash
@@ -20,8 +20,6 @@ EOF
 sudo -E apt-get update
 sudo -E apt-get install -y docker-ce docker-ce-cli containerd.io whois
-sudo sed -i "s#DOCKER_REPO_BASE_REPLACED_BY_PACKER#${DOCKER_REPO_BASE}#" /tmp/riju-deploy
-
 sudo chown root:root /tmp/riju /tmp/riju-deploy /tmp/riju.service
 sudo mv /tmp/riju /tmp/riju-deploy /usr/local/bin/
 sudo mv /tmp/riju.service /etc/systemd/system/
@@ -51,7 +49,7 @@ for user in admin deploy; do
 sudo chmod -R go-rwx "/home/${user}/.ssh"
 done
-sudo runuser -u deploy -- sed -i 's/^/command="sudo riju-deploy",restrict/' /home/deploy/.ssh/authorized_keys
+sudo runuser -u deploy -- sed -i 's/^/command="sudo riju-deploy ${SSH_ORIGINAL_COMMAND}",restrict /' /home/deploy/.ssh/authorized_keys
 sudo tee /etc/sudoers.d/riju >/dev/null <<"EOF"
 deploy ALL=(root) NOPASSWD: /usr/local/bin/riju-deploy
diff --git a/packer/riju b/packer/riju
index f536156..6525006 100755
--- a/packer/riju
+++ b/packer/riju
@@ -2,7 +2,7 @@ set -euo pipefail
-domain="$(ls /etc/letsencrypt/live | grep -v README | head -n1)"
+domain="$(ls /etc/letsencrypt/live | grep -v README | head -n1)" || true
 if [[ -n "${domain}" ]]; then
 echo "Detected cert for domain: ${domain}, enabling TLS" >&2
@@ -33,4 +33,4 @@ port_args="${PORT_MAPPING:--p 0.0.0.0:80:6119 -p 0.0.0.0:443:6120}"
 docker run --rm ${port_args} ${extra_args} \
 -e TLS -e TLS_PRIVATE_KEY -e TLS_CERTIFICATE -e ANALYTICS \
 -h riju --name "${CONTAINER_NAME:-riju-prod}" \
- "${IMAGE_NAME}:-riju:app"
+ "${IMAGE_NAME:-riju:app}"
diff --git a/packer/riju-deploy b/packer/riju-deploy
index c1b7dcc..27d38e1 100755
--- a/packer/riju-deploy
+++ b/packer/riju-deploy
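Review bot: The image argument now reaches `sudo riju-deploy` straight from the SSH client through `${SSH_ORIGINAL_COMMAND}`, and the riju-deploy hunk of this commit removes the 40-hex-char check that used to bound it, so the holder of the deploy key can have root pull and run any image reference the host can reach. The expansion is unquoted inside the command the deploy user's shell runs, so the client string is word-split and glob-expanded (cwd is presumably the deploy home) before riju-deploy sees it; the remaining `$# != 1` check rejects multi-word input but not a single glob match. Since the sudoers entry below grants riju-deploy with any arguments, a positive check inside riju-deploy right after `image="$1"` is the only thing bounding what runs as root, e.g. `[[ "${image}" == "<EXPECTED_REPO>:"* ]] || { echo "riju-deploy: refusing image outside expected repository: ${image}" >&2; exit 1; }`.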
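Review bot: The `|| true` appended to the `domain=` line masks every failure of the `ls | grep | head` pipeline, not only the empty-directory case, so an unreadable or absent `/etc/letsencrypt/live` silently starts the server without TLS, and the script still parses `ls` output to find the certificate. A glob over the directory makes the no-cert case explicit without `|| true`, and the plain-HTTP fallback deserves its own stderr line so a missing certificate is noticed rather than inferred from the absence of the "enabling TLS" message. The body of the `if` below continues outside the hunk.
```shell
domain=""
for cert_dir in /etc/letsencrypt/live/*/; do
  [[ -d "${cert_dir}" ]] || continue   # an unmatched glob leaves the literal pattern
  domain="$(basename "${cert_dir}")"   # trailing slash skips README if it is a plain file
  break
done
# … unchanged: if [[ -n "${domain}" ]]; then … TLS setup …
```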
@@ -2,21 +2,12 @@ set -euo pipefail
-DOCKER_REPO_BASE="${DOCKER_REPO_BASE:-DOCKER_REPO_BASE_REPLACED_BY_PACKER}"
-
 if (( $# != 1 )); then
- echo "usage: ssh deploy@riju COMMIT-SHA" >&2
+ echo "usage: ssh deploy@riju IMAGE" >&2
 exit 1
 fi
-commit="$1"
-
-if [[ "$(echo -n "${commit}" | wc -c)" != 40 ]]; then
- echo "riju-deploy: invalid commit SHA: ${commit}" >&2
- exit 1
-fi
-
-image="${DOCKER_REPO_BASE}:app-${commit}"
+image="$1"
 echo "Pull image to be deployed..."
 docker pull "${image}"
@@ -26,7 +17,7 @@ CONTAINER_NAME=riju-test IMAGE_NAME="${image}" DETACH=1 \
 PORT_MAPPING="-p 127.0.0.1:6119:6119" riju
 echo "Wait for web server to come up..." >&2
-sleep 10
+sleep 5
 echo "Test web server health..." >&2
 curl -fsSL http://localhost:6119 | head -n15
diff --git a/packer/server.json b/packer/server.json
index 39a0346..97ec28b 100644
--- a/packer/server.json
+++ b/packer/server.json
@@ -1,6 +1,5 @@
 {
 "variables": {
- "docker_repo_base": "{{env `DOCKER_REPO_BASE`}}",
 "admin_password": "{{env `ADMIN_PASSWORD`}}",
 "admin_ssh_public_key_file": "{{env `ADMIN_SSH_PUBLIC_KEY_FILE`}}",
 "deploy_ssh_public_key_file": "{{env `DEPLOY_SSH_PUBLIC_KEY_FILE`}}"
@@ -27,7 +26,6 @@
 "type": "shell",
 "script": "validate.bash",
 "environment_vars": [
- "DOCKER_REPO_BASE={{user `docker_repo_base`}}",
 "ADMIN_PASSWORD={{user `admin_password`}}",
 "ADMIN_SSH_PUBLIC_KEY_FILE={{user `admin_ssh_public_key_file`}}",
 "DEPLOY_SSH_PUBLIC_KEY_FILE={{user `deploy_ssh_public_key_file`}}"
@@ -61,10 +59,7 @@
 {
 "type": "shell",
 "script": "provision.bash",
- "environment_vars": [
- "DOCKER_REPO_BASE={{user `docker_repo_base`}}",
- "ADMIN_PASSWORD={{user `admin_password`}}"
- ]
+ "environment_vars": ["ADMIN_PASSWORD={{user `admin_password`}}"]
 }
 ]
 }
diff --git a/tf/.terraform.lock.hcl b/tf/.terraform.lock.hcl
index d1da1f0..145903a 100755
--- a/tf/.terraform.lock.hcl
+++ b/tf/.terraform.lock.hcl
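Review bot: `sleep 5` (down from 10 on the removed line) is still a fixed guess at container startup time: on a slow pull or a loaded t3.micro the `curl -fsSL http://localhost:6119 | head -n15` check below fires before the server listens and the deploy fails spuriously, while on a fast start it waits longer than needed. Polling the port in a bounded retry loop gives a deterministic upper bound, and the existing health check afterwards still validates the response. Note also that under `set -o pipefail` a `head -n15` that closes the pipe early can make `curl` exit non-zero on a long response, so the probe below uses `-o /dev/null` instead of piping.
```shell
echo "Wait for web server to come up..." >&2
for (( attempt = 0; attempt < 30; attempt++ )); do
  curl -fsS -o /dev/null http://localhost:6119 && break
  sleep 1
done
# … unchanged: "Test web server health..." check …
```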
@@ -20,3 +20,20 @@ provider "registry.terraform.io/hashicorp/aws" {
 "zh:f6c05e20d9a3fba76ca5f47206dde35e5b43b6821c6cbf57186164ce27ba9f15",
 ]
 }
+
+provider "registry.terraform.io/hashicorp/external" {
+ version = "2.0.0"
+ hashes = [
+ "h1:Q5xqryWI3tCY8yr+fugq7dz4Qz+8g4GaW9ZS8dc6Ob8=",
+ "zh:07949780dd6a1d43e7b46950f6e6976581d9724102cb5388d3411a1b6f476bde",
+ "zh:0a4f4636ff93f0644affa8474465dd8c9252946437ad025b28fc9f6603534a24",
+ "zh:0dd7e05a974c649950d1a21d7015d3753324ae52ebdd1744b144bc409ca4b3e8",
+ "zh:2b881032b9aa9d227ac712f614056d050bcdcc67df0dc79e2b2cb76a197059ad",
+ "zh:38feb4787b4570335459ca75a55389df1a7570bdca8cdf5df4c2876afe3c14b4",
+ "zh:40f7e0aaef3b1f4c2ca2bb1189e3fe9af8c296da129423986d1d99ccc8cfb86c",
+ "zh:56b361f64f0f0df5c4f958ae2f0e6f8ba192f35b720b9d3ae1be068fabcf73d9",
+ "zh:5fadb5880cd31c2105f635ded92b9b16f918c1dd989627a4ce62c04939223909",
+ "zh:61fa0be9c14c8c4109cfb7be8d54a80c56d35dbae49d3231cddb59831e7e5a4d",
+ "zh:853774bf97fbc4a784d5af5a4ca0090848430781ae6cfc586adeb48f7c44af79",
+ ]
+}
diff --git a/tf/infra.tf b/tf/infra.tf
index 6a1af53..c0fb08c 100644
--- a/tf/infra.tf
+++ b/tf/infra.tf
@@ -1,9 +1,8 @@
 terraform {
- backend "remote" {
- organization = "riju"
- workspaces {
- name = "riju"
- }
+ backend "s3" {
+ bucket = "riju-tf"
+ key = "state"
+ region = "us-west-1"
 }
 required_providers {
 aws = {
@@ -24,8 +23,7 @@ data "external" "env" {
 }
 provider "aws" {
- profile = "default"
- region = "us-west-1"
+ region = "us-west-1"
 }
 data "aws_region" "current" {}
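Review bot: The new `backend "s3"` block sets neither `encrypt = true` nor `dynamodb_table`, so Terraform requests no server-side encryption for the state object and runs with no state locking, both of which Terraform Cloud's `remote` backend handled; the state holds data-source results such as `data "external" "env"` plus the instance and volume attributes, so it is worth protecting. Add `encrypt = true` and `dynamodb_table = "<LOCK_TABLE_NAME>"` (a table with a string `LockID` hash key) to the block, and ensure the `riju-tf` bucket itself has versioning and public-access blocking turned on, since the backend block cannot express that.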
@@ -36,14 +34,63 @@ resource "aws_s3_bucket" "riju_debs" {
 tags = local.tags
 }
+data "aws_ami" "server" {
+ owners = ["self"]
+
+ filter {
+ name = "name"
+ values = [data.external.env.result.AMI_NAME]
+ }
+}
+
+resource "aws_security_group" "server" {
+ name = "riju-server"
+ description = "Security group for Riju server"
+
+ ingress {
+ description = "SSH"
+ from_port = 22
+ to_port = 22
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ ingress {
+ description = "HTTP"
+ from_port = 80
+ to_port = 80
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ ingress {
+ description = "HTTPS"
+ from_port = 443
+ to_port = 443
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ tags = local.tags
+}
+
 resource "aws_instance" "server" {
- instance_type = "t3.micro"
- ami = data.external.env.result.AMI_ID
- tags = local.tags
+ instance_type = "t3.micro"
+ ami = data.aws_ami.server.id
+ availability_zone = "${data.aws_region.current.name}b"
+ security_groups = [aws_security_group.server.name]
+ tags = local.tags
 }
 resource "aws_ebs_volume" "data" {
- availability_zone = "${data.aws_region.current.name}a"
+ availability_zone = "${data.aws_region.current.name}b"
 size = 100
 tags = local.tags
 }
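Review bot: The new `aws_security_group.server` opens port 22 to `0.0.0.0/0` and is attached to the instance via `security_groups = [aws_security_group.server.name]`; the forced command in provision.bash bounds what the deploy key can do, but the admin user on the same host presumably has an ordinary shell, so SSH exposure to the whole internet is worth narrowing to an operator range, e.g. `cidr_blocks = ["<ADMIN_CIDR>"]`, or replacing with a bastion/SSM path. Attaching by name through `security_groups` is documented for EC2-Classic and the default VPC only and, if I recall the provider schema, forces instance replacement whenever the list changes, whereas `vpc_security_group_ids = [aws_security_group.server.id]` updates in place. Separately, `data "aws_ami" "server"` filters on the exact `AMI_NAME` from the external data source without `most_recent = true`, so a second AMI built under the same name makes the lookup fail at plan time rather than pick one; either add `most_recent = true` or keep AMI names unique per build.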