diff --git a/Makefile b/Makefile index b66a750..e3032b9 100644 --- a/Makefile +++ b/Makefile @@ -8,7 +8,9 @@ export BUILD := build/$(T)/$(L) DEB := riju-$(T)-$(L).deb -S3_DEB := s3://$(S3_BUCKET_BASE)-debs/debs/$(T)/$(L)/$(DEB) +S3_DEBS := s3://$(S3_BUCKET_BASE)-debs +S3_DEB := $(S3_DEBS)/debs/$(T)/$(L)/$(DEB) +S3_HASH := $(S3_DEBS)/hashes/$(T)/$(L)/riju-$(T)-$(L).sha1 .PHONY: help help: @@ -21,6 +23,10 @@ help: ### Build things locally +.PHONY: admin-image +admin-image: + docker build . -f docker/admin/Dockerfile -t riju-admin --pull + .PHONY: packaging-image packaging-image: docker build . -f docker/packaging/Dockerfile -t riju-packaging --pull @@ -50,6 +56,10 @@ pkg: ### Run things inside Docker +.PHONY: admin-shell +admin-shell: + docker run -it --rm -v $(PWD):/src -v $(HOME)/.aws:/var/riju/.aws:ro -e AWS_REGION -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY riju-admin + .PHONY: packaging-shell packaging-shell: docker run -it --rm -v $(PWD):/src riju-packaging @@ -107,6 +117,7 @@ publish-app-image: .PHONY: publish-pkg publish-pkg: @: $${L} $${T} $${S3_BUCKET_BASE} + aws s3 cp <(dpkg-deb -f $(BUILD)/$(DEB) Riju-Script-Hash) $(S3_HASH) aws s3 cp $(BUILD)/$(DEB) $(S3_DEB) ### Miscellaneous diff --git a/docker/admin/Dockerfile b/docker/admin/Dockerfile new file mode 100644 index 0000000..f4888f1 --- /dev/null +++ b/docker/admin/Dockerfile @@ -0,0 +1,9 @@ +FROM ubuntu:rolling + +COPY docker/admin/install.bash /tmp/ +RUN /tmp/install.bash + +WORKDIR /src +COPY docker/admin/pid1.bash /usr/local/sbin/ +ENTRYPOINT ["/usr/local/sbin/pid1.bash"] +CMD ["bash"] diff --git a/docker/admin/install.bash b/docker/admin/install.bash new file mode 100755 index 0000000..09d233b --- /dev/null +++ b/docker/admin/install.bash 
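Review bot: The `admin-shell` recipe (hunk at `@@ -50,6 +56,10 @@`) forwards `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` but not `AWS_SESSION_TOKEN`, so temporary credentials exported in the caller's environment will be rejected inside the container; adding `-e AWS_SESSION_TOKEN` lets short-lived credentials be used instead of long-lived keys. `$(PWD)` and `$(HOME)` are unquoted, so a checkout or home path containing a space splits the `-v` argument; `-v "$(PWD)":/src -v "$(HOME)/.aws":/var/riju/.aws:ro` avoids that. The mount exposes every profile in `~/.aws` to a container whose user gets passwordless sudo (see docker/admin/install.bash), so I would add a comment above the target such as `# Mounts ~/.aws read-only and forwards AWS_* variables; every host profile is readable inside the container.`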
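Review bot: In `publish-pkg` (hunk at `@@ -107,6 +117,7 @@`) the hash object is uploaded before the package and the exit status of `dpkg-deb` inside `<(...)` is never checked, so a failed extraction or a failed second `aws s3 cp` leaves a hash in the bucket that does not describe the stored .deb. As far as I know the AWS CLI can also skip a `/dev/fd` FIFO source with only a warning instead of uploading it. I would upload the package first and stream the hash through stdin: `aws s3 cp $(BUILD)/$(DEB) $(S3_DEB)` followed by `dpkg-deb -f $(BUILD)/$(DEB) Riju-Script-Hash | aws s3 cp - $(S3_HASH)`. That form fails the recipe on a `dpkg-deb` error only if the Makefile's shell sets `pipefail`, which is not visible in this hunk. A package built without the `Riju-Script-Hash` field would still produce an empty object, so a non-empty check before the upload is worth adding.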
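Review bot: `FROM ubuntu:rolling` in docker/admin/Dockerfile is a moving tag, and the `admin-image` target builds with `--pull`, so the base of the image that later receives AWS credentials changes whenever the tag is repointed. Pinning a release and digest, `FROM ubuntu:<release>@sha256:<digest>` (placeholders), makes the build reproducible and turns a base-image bump into a reviewable change. If tracking the newest release is deliberate, a comment on the `FROM` line saying so would be enough.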
@@ -0,0 +1,43 @@ +#!/usr/bin/env bash + +set -euxo pipefail + +pushd /tmp + +export DEBIAN_FRONTEND=noninteractive + +apt-get update +(yes || true) | unminimize + +apt-get install -y curl gnupg lsb-release + +curl -sSL https://deb.nodesource.com/gpgkey/nodesource.gpg.key | apt-key add - +curl -sSL https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add - + +ubuntu_ver="$(lsb_release -rs)" +ubuntu_name="$(lsb_release -cs)" + +node_repo="$(curl -sS https://deb.nodesource.com/setup_current.x | grep NODEREPO= | grep -Eo 'node_[0-9]+\.x' | head -n1)" + +tee -a /etc/apt/sources.list.d/custom.list >/dev/null </dev/null <<"EOF" +%sudo ALL=(ALL:ALL) NOPASSWD: ALL +EOF + +popd + +rm "$0" diff --git a/docker/admin/pid1.bash b/docker/admin/pid1.bash new file mode 100755 index 0000000..bd3162e --- /dev/null +++ b/docker/admin/pid1.bash @@ -0,0 +1,11 @@ +#!/usr/bin/env bash + +set -euo pipefail + +groupadd -g "$(stat -c %g "$PWD")" -o -p '!' -r riju +useradd -u "$(stat -c %u "$PWD")" -g "$(stat -c %g "$PWD")" -o -m -N -l -s /usr/bin/bash -G sudo riju + +runuser -u riju -- touch /home/riju/.sudo_as_admin_successful +runuser -u riju -- ln -sT /var/riju/.aws /home/riju/.aws + +exec runuser -u riju "$@"
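Review bot: In docker/admin/install.bash both signing keys are piped straight from `curl` into `apt-key add -`, which places them in the global trusted keyring where they can vouch for packages from any configured repository, with no fingerprint check; `apt-key` is also deprecated. Keeping each key in its own keyring and binding it to its repository narrows that trust: `curl -fsSL <key-url> | gpg --dearmor -o /etc/apt/keyrings/<name>.gpg` plus `[signed-by=/etc/apt/keyrings/<name>.gpg]` on the matching `custom.list` entry, where `-f` stops an HTTP error body from being fed to the keyring. The text between the two `tee` heredocs appears truncated on this page, so the source entries themselves could not be checked. The `NOPASSWD: ALL` sudoers rule makes any process running as `riju` effectively root next to the mounted AWS credentials, and deserves a one-line comment stating that this is intended for an interactive admin shell only.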
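Review bot: The final `exec runuser -u riju "$@"` in docker/admin/pid1.bash omits the `--` that the two `runuser` calls above it use, so a command whose arguments begin with `-` may be parsed as options to `runuser` instead of being passed through; `exec runuser -u riju -- "$@"` keeps the three calls consistent. Because of `-o` and the uid taken from `stat -c %u "$PWD"`, a `/src` owned by root makes `riju` a second uid-0 account, which is worth a comment at the `useradd` line. `groupadd` and `useradd` also run unconditionally, so restarting a container that was not started with `--rm` would abort under `set -e` once the account already exists.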