diff --git a/Makefile b/Makefile
index aad9d3e..819a0b4 100644
--- a/Makefile
+++ b/Makefile
@@ -73,7 +73,7 @@ else
 SHELL_PORTS :=
 endif
 
-SHELL_ENV := -e Z -e CI -e TEST_PATIENCE -e TEST_CONCURRENCY -e TEST_TIMEOUT_SECS -e FATHOM_SITE_ID
+SHELL_ENV := -e Z -e CI -e TEST_PATIENCE -e TEST_CONCURRENCY -e TEST_TIMEOUT_SECS -e ANALYTICS_TAG
 
 ifeq ($(I),lang)
 LANG_TAG := lang-$(L)
diff --git a/README.md b/README.md
index bd037c1..1a74c56 100644
--- a/README.md
+++ b/README.md
@@ -44,8 +44,9 @@ being nice include:
 
 * *Trying to consume as many resources as possible.* All this will do
   is prevent others from using Riju, which isn't nice.
-* *Mining cryptocurrency.* Since hosting Riju comes out of my
-  paycheck, this is exactly equivalent to stealing, which isn't nice.
+* *Mining cryptocurrency.* Since hosting Riju comes out of ~my
+  paycheck~ community donations, this is exactly equivalent to
+  stealing, which isn't nice.
 
 ## Can I help? / Documentation
 
diff --git a/backend/server.js b/backend/server.js
index f81fcfb..4643aca 100644
--- a/backend/server.js
+++ b/backend/server.js
@@ -16,7 +16,10 @@ const host = process.env.HOST || "localhost";
 const port = parseInt(process.env.PORT || "") || 6119;
 const tlsPort = parseInt(process.env.TLS_PORT || "") || 6120;
 const useTLS = process.env.TLS ? true : false;
-const fathomSiteId = process.env.FATHOM_SITE_ID || "";
+const analyticsTag = (process.env.ANALYTICS_TAG || "").replace(
+  /^'(.+)'$/,
+  "$1"
+);
 
 const langs = await langsPromise;
 const app = express();
@@ -28,7 +31,7 @@ app.get("/", (_, res) => {
   if (Object.keys(langs).length > 0) {
     res.render(path.resolve("frontend/pages/index"), {
       langs,
-      fathomSiteId,
+      analyticsTag,
     });
   } else {
     res
@@ -63,7 +66,7 @@ app.get("/:lang", cors(), (req, res) => {
   }
   res.render(path.resolve("frontend/pages/app"), {
     config: langs[lang],
-    fathomSiteId,
+    analyticsTag,
   });
 });
 app.use("/css", express.static("frontend/styles"));
diff --git a/doc/selfhosting.md b/doc/selfhosting.md
index 60f62f2..43bb580 100644
--- a/doc/selfhosting.md
+++ b/doc/selfhosting.md
@@ -263,9 +263,10 @@ enable all the fun CloudFlare options you'd like.
 
 ## Set up analytics (optional)
 
-Sign up for Fathom Analytics, enter your domain name, and get a site
-ID. Set this as `FATHOM_SITE_ID` in your `.env` file, and build and
-roll out a new web AMI.
+Sign up for Fathom Analytics, enter your domain name, and get a tag
+for embedding. Set this as `ANALYTICS_TAG` in your `.env` file (use
+single quoting, as Makefile handling of quotes is a bit nonstandard),
+and build and roll out a new web AMI.
 
 ## Set up monitoring (optional)
 
diff --git a/financials/2021-10/breakdown.txt b/financials/2021-10/breakdown.txt
new file mode 100644
index 0000000..e7b0510
--- /dev/null
+++ b/financials/2021-10/breakdown.txt
@@ -0,0 +1,18 @@
+Riju :: $106.77
+  EC2 :: $81.38
+    Data Transfer :: $0.03
+    EBS Snapshot :: $2.36
+    EBS Volume :: $28.57
+      EBS Volume :: $28.57
+        gp2 :: $1.07
+        gp3 :: $27.49
+    Instance :: $50.43
+      t3.large :: $23.05
+      t3.medium :: $27.38
+  ECR :: $5.14
+    Storage :: $5.14
+  ELB :: $20.14
+    Data Transfer :: $0.38
+    LCUs :: $0.07
+    Load Balancer :: $19.68
+  S3 :: $0.11
diff --git a/frontend/pages/app.ejs b/frontend/pages/app.ejs
index 18378b2..e23ef9c 100644
--- a/frontend/pages/app.ejs
+++ b/frontend/pages/app.ejs
@@ -22,8 +22,8 @@
      window.rijuConfig = <%- JSON.stringify(config) %>;
     </script>
     <script src="/js/app.js" defer></script>
-    <% if (fathomSiteId) { %>
-      <script src="https://cdn.usefathom.com/script.js" data-site="<%= fathomSiteId %>" defer></script>
+    <% if (analyticsTag) { %>
+      <%- analyticsTag %>
     <% } %>
   </head>
   <body>
diff --git a/frontend/pages/index.ejs b/frontend/pages/index.ejs
index 77c1830..ac45a26 100644
--- a/frontend/pages/index.ejs
+++ b/frontend/pages/index.ejs
@@ -4,6 +4,9 @@
     <meta charset="utf-8" />
     <title>Riju</title>
     <link rel="stylesheet" href="/css/index.css" />
+    <% if (analyticsTag) { %>
+      <%- analyticsTag %>
+    <% } %>
   </head>
   <body>
     <h1>Riju: <i>fast</i> online playground for every programming language</h1>
@@ -30,8 +33,5 @@
     <% } else { %>
       <i>Riju is loading language configuration...</i>
     <% } %>
-    <% if (fathomSiteId) { %>
-      <script src="https://cdn.usefathom.com/script.js" data-site="<%= fathomSiteId %>" defer></script>
-    <% } %>
   </body>
 </html>
diff --git a/packer/provision-web.bash b/packer/provision-web.bash
index 62a4bb1..dac1f74 100644
--- a/packer/provision-web.bash
+++ b/packer/provision-web.bash
@@ -59,7 +59,7 @@ sudo sed -Ei 's|^#?PermitRootLogin .*|PermitRootLogin no|' /etc/ssh/sshd_config
 sudo sed -Ei 's|^#?PasswordAuthentication .*|PasswordAuthentication no|' /etc/ssh/sshd_config
 sudo sed -Ei 's|^#?PermitEmptyPasswords .*|PermitEmptyPasswords no|' /etc/ssh/sshd_config
 sudo sed -Ei "s|\\\$AWS_REGION|${AWS_REGION}|" /etc/systemd/system/riju.service
-sudo sed -Ei "s|\\\$FATHOM_SITE_ID|${FATHOM_SITE_ID:-}|" /etc/systemd/system/riju.service
+sudo sed -Ei "s|\\\$ANALYTICS_TAG|${ANALYTICS_TAG:-}|" /etc/systemd/system/riju.service
 sudo sed -Ei "s|\\\$S3_BUCKET|${S3_BUCKET}|" /etc/systemd/system/riju.service
 sudo sed -Ei "s|\\\$SENTRY_DSN|${SENTRY_DSN:-}|" /etc/systemd/system/riju.service
 sudo sed -Ei "s|\\\$SUPERVISOR_ACCESS_TOKEN|${SUPERVISOR_ACCESS_TOKEN}|" /etc/systemd/system/riju.service
diff --git a/packer/riju.service b/packer/riju.service
index 2697900..c11177b 100644
--- a/packer/riju.service
+++ b/packer/riju.service
@@ -11,7 +11,7 @@ ExecStart=riju-supervisor
 Restart=always
 RestartSec=5
 Environment=AWS_REGION=$AWS_REGION
-Environment=FATHOM_SITE_ID=$FATHOM_SITE_ID
+Environment=ANALYTICS_TAG=$ANALYTICS_TAG
 Environment=S3_BUCKET=$S3_BUCKET
 Environment=SENTRY_DSN=$SENTRY_DSN
 Environment=SUPERVISOR_ACCESS_TOKEN=$SUPERVISOR_ACCESS_TOKEN
diff --git a/packer/riju.slice b/packer/riju.slice
index a670120..c3e9eca 100644
--- a/packer/riju.slice
+++ b/packer/riju.slice
@@ -3,12 +3,26 @@ Description=Resource limits for Riju user containers
 Before=slices.target
 
 [Slice]
+
+# t3.large instance has baseline CPU performance of 60% and is
+# burstable up to 200%. Reserve bursting for server + operating
+# system.
 CPUAccounting=true
-CPUQuota=100%
+CPUQuota=60%
+
+# t3.large instance has 8GB memory, so reserve 3GB for server +
+# operating system. Disable swap for now.
 MemoryAccounting=true
-MemoryMax=3G
-MemorySwapMax=8G
+MemoryMax=5G
+MemorySwapMax=0
+
+# Empirically, EC2 instances appear to have /proc/sys/kernel/pid_max
+# equal to 2^22 = 4194304. It should be safe to give about a tenth of
+# this space to user code.
 TasksAccounting=true
-TasksMax=2048
+TasksMax=400000
+
+# Attempt to deny access to EC2 Instance Metadata service from user
+# code.
 IPAccounting=true
 IPAddressDeny=169.254.169.254
diff --git a/packer/web.pkr.hcl b/packer/web.pkr.hcl
index 4ed4b3f..ff1125f 100644
--- a/packer/web.pkr.hcl
+++ b/packer/web.pkr.hcl
@@ -8,9 +8,9 @@ variable "aws_region" {
   default = "${env("AWS_REGION")}"
 }
 
-variable "fathom_site_id" {
+variable "analytics_tag" {
   type    = string
-  default = "${env("FATHOM_SITE_ID")}"
+  default = "${env("ANALYTICS_TAG")}"
 }
 
 variable "grafana_api_key" {
@@ -35,7 +35,7 @@ variable "supervisor_access_token" {
 
 data "amazon-ami" "ubuntu" {
   filters = {
-    name                = "ubuntu/images/hvm-ssd/ubuntu-*-21.04-amd64-server-*"
+    name                = "ubuntu/images/hvm-ssd/ubuntu-*-21.10-amd64-server-*"
     root-device-type    = "ebs"
     virtualization-type = "hvm"
   }
@@ -116,7 +116,7 @@ build {
     environment_vars = [
       "ADMIN_PASSWORD=${var.admin_password}",
       "AWS_REGION=${var.aws_region}",
-      "FATHOM_SITE_ID=${var.fathom_site_id}",
+      "ANALYTICS_TAG=${var.analytics_tag}",
       "GRAFANA_API_KEY=${var.grafana_api_key}",
       "S3_BUCKET=${var.s3_bucket}",
       "SENTRY_DSN=${var.sentry_dsn}",
diff --git a/supervisor/src/main.go b/supervisor/src/main.go
index 54c829b..2600475 100644
--- a/supervisor/src/main.go
+++ b/supervisor/src/main.go
@@ -355,7 +355,7 @@ func (sv *supervisor) reload() error {
 		"-v", "/var/cache/riju:/var/cache/riju",
 		"-v", "/var/run/docker.sock:/var/run/docker.sock",
 		"-p", fmt.Sprintf("127.0.0.1:%d:6119", port),
-		"-e", "FATHOM_SITE_ID",
+		"-e", "ANALYTICS_TAG",
 		"-e", "RIJU_DEPLOY_CONFIG",
 		"-e", "SENTRY_DSN",
 		"--label", fmt.Sprintf("riju.deploy-config-hash=%s", deployCfgHash),
diff --git a/system/src/riju-system-privileged.c b/system/src/riju-system-privileged.c
index 71fa582..91f2025 100644
--- a/system/src/riju-system-privileged.c
+++ b/system/src/riju-system-privileged.c
@@ -233,13 +233,11 @@ void session(char *uuid, char *lang, char *imageHash)
         "--name",
         container,
         "--cpus",
-        "1",
+        "0.6",
         "--memory",
         "1g",
-        "--memory-swap",
-        "8g",
         "--pids-limit",
-        "2048",
+        "4000",
         "--cgroup-parent",
         "riju.slice",
         "--label",
diff --git a/tf/ec2.tf b/tf/ec2.tf
index 83ccee9..9f31e58 100644
--- a/tf/ec2.tf
+++ b/tf/ec2.tf
@@ -37,7 +37,7 @@ resource "aws_security_group" "server" {
 resource "aws_launch_template" "server" {
   name          = "riju-server"
   image_id      = data.aws_ami.server.id
-  instance_type = "t3.medium"
+  instance_type = "t3.large"
 
   security_group_names = [aws_security_group.server.name]
   iam_instance_profile {