diff --git a/.dockerignore b/.dockerignore
index c3d1d8a..c6e918d 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,5 +1,6 @@
 # This file is generated by 'make dockerignore', do not edit.
 **/*.log
+**/*.pem
 **/.env
 **/.terraform
 **/build
diff --git a/.gitignore b/.gitignore
index 8798b8f..4e05b95 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,5 @@
 *.log
+*.pem
 .env
 .terraform
 build
diff --git a/Makefile b/Makefile
index bfbdc19..7322f25 100644
--- a/Makefile
+++ b/Makefile
@@ -66,7 +66,7 @@ endif
 shell:
 	@: $${I}
 ifeq ($(I),admin)
-	docker run -it --rm --hostname $(I) -v $(VOLUME_MOUNT):/src -v /var/run/docker.sock:/var/run/docker.sock -v $(HOME)/.aws:/var/riju/.aws -v $(HOME)/.docker:/var/riju/.docker -v $(HOME)/.terraform.d:/var/riju/.terraform.d -e AWS_REGION -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY -e VOLUME_MOUNT=$(VOLUME_MOUNT) $(SHELL_PORTS) --network host riju:$(I)
+	docker run -it --rm --hostname $(I) -v $(VOLUME_MOUNT):/src -v /var/run/docker.sock:/var/run/docker.sock -v $(HOME)/.aws:/var/riju/.aws -v $(HOME)/.docker:/var/riju/.docker -v $(HOME)/.ssh:/var/riju/.ssh -v $(HOME)/.terraform.d:/var/riju/.terraform.d -e AWS_REGION -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY -e VOLUME_MOUNT=$(VOLUME_MOUNT) $(SHELL_PORTS) --network host riju:$(I)
 else ifeq ($(I),compile)
 	docker run -it --rm --hostname $(I) $(SHELL_PORTS) riju:$(I)
 else
@@ -137,8 +137,8 @@ push:
 
 .PHONY: upload
 upload:
 	@: $${L} $${T} $${S3_BUCKET_BASE}
-	hash=$$(dpkg-deb -f $(BUILD)/$(DEB) Riju-Script-Hash); test $${hash}; aws s3 cp - $(S3_HASH)/$${hash} < /dev/null
 	aws s3 cp $(BUILD)/$(DEB) $(S3_DEB)
+	hash=$$(dpkg-deb -f $(BUILD)/$(DEB) Riju-Script-Hash); test $${hash}; aws s3 cp - $(S3_HASH)/$${hash} < /dev/null
 
 ### Miscellaneous
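Review bot: The new `-v $(HOME)/.ssh:/var/riju/.ssh` mount on the admin `docker run` line exposes every key in the host user's `~/.ssh` to the container read-write, on top of the Docker socket and host networking it already receives. Mounting it read-only, `-v $(HOME)/.ssh:/var/riju/.ssh:ro`, still lets `ssh` read keys, config and `known_hosts`; the only cost is that a first-time host-key addition inside the container is reported as a warning instead of being persisted. If `$(HOME)/.ssh` does not exist when `make shell` runs, the `-v` form makes Docker create it on the host as a root-owned directory, which then breaks ssh for the host user, so a `test -d $(HOME)/.ssh` guard on the recipe is worth adding. The `shell` rule continues outside the hunk.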
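Review bot: The moved `hash=…` line in `upload` chains its commands with `;`, so when `dpkg-deb` fails or returns an empty field, `test $${hash}` fails but the shell still runs `aws s3 cp - $(S3_HASH)/` and publishes an empty object at the prefix, and the recipe exits with the status of that last command; unless the Makefile's prologue (not visible here) gives `.SHELLFLAGS` a `-e`, nothing stops it. Chaining with `&&` and quoting the test makes the guard hold regardless of shell flags: `hash=$$(dpkg-deb -f $(BUILD)/$(DEB) Riju-Script-Hash) && test -n "$${hash}" && aws s3 cp - "$(S3_HASH)/$${hash}" < /dev/null`. Uploading the package before the hash marker is the right order; a `# publish the hash marker only after the .deb is in place` comment above the line would record why the order matters.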
@@ -146,3 +146,7 @@ upload:
 dockerignore:
 	echo "# This file is generated by 'make dockerignore', do not edit." > .dockerignore
 	cat .gitignore | sed 's#^#**/#' >> .dockerignore
+
+.PHONY: env
+env:
+	exec bash --rcfile <(cat ~/.bashrc - <<< 'PS1="[.env] $$PS1"')
diff --git a/docker/admin/install.bash b/docker/admin/install.bash
index 4ff668b..50d72ca 100755
--- a/docker/admin/install.bash
+++ b/docker/admin/install.bash
@@ -37,6 +37,7 @@ make
 man
 nodejs
 packer
+ssh
 sudo
 tmux
 terraform
diff --git a/docker/admin/pid1.bash b/docker/admin/pid1.bash
index dc36927..a8ff6ae 100755
--- a/docker/admin/pid1.bash
+++ b/docker/admin/pid1.bash
@@ -8,6 +8,7 @@ useradd -u "$(stat -c %u "$PWD")" -g "$(stat -c %g "$PWD")" -o -p '!' -m -N -l -
 
 runuser -u riju -- touch /home/riju/.sudo_as_admin_successful
 runuser -u riju -- ln -sT /var/riju/.aws /home/riju/.aws
 runuser -u riju -- ln -sT /var/riju/.docker /home/riju/.docker
+runuser -u riju -- ln -sT /var/riju/.ssh /home/riju/.ssh
 runuser -u riju -- ln -sT /var/riju/.terraform.d /home/riju/.terraform.d
 runuser -u riju -- yarn install
diff --git a/packer/provision.bash b/packer/provision.bash
index e6003ef..5aa6a5c 100644
--- a/packer/provision.bash
+++ b/packer/provision.bash
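Review bot: The `env` recipe depends on bash process substitution (`<(…)`) and a here-string (`<<<`), both of which `/bin/sh` rejects with a syntax error, so the target only works if `SHELL := bash` is set earlier in the Makefile, outside this hunk. The recipe itself never reads `.env`; the `[.env]` prompt presumably reflects variables the Makefile's prologue loads and exports, which is worth stating on the target with a `## Open a bash shell with the variables from .env exported` comment so the next reader does not look for the sourcing in the recipe.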
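Review bot: The added `ssh` entry in the package list is the Debian/Ubuntu metapackage that depends on both `openssh-client` and `openssh-server`, so the admin image gains an sshd, its host-key generation and its config for a service it never starts. Listing `openssh-client` instead installs only what the container needs to use the keys mounted in from the host. The package list continues outside the hunk.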
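Review bot: The new `ln -sT /var/riju/.ssh /home/riju/.ssh` makes ssh's mode and ownership checks apply to the host directory behind the bind mount, so the link only works when that directory belongs to the uid the `useradd` line above derives from `$PWD`; when nothing is mounted at `/var/riju/.ssh`, the link is created dangling and the failure shows up only when ssh is first used. A comment on the line such as `# host ~/.ssh is bind-mounted here by 'make shell'; ssh checks the host dir's owner/mode` would make that dependency explicit.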
@@ -4,23 +4,27 @@ set -euo pipefail export DEBIAN_FRONTEND=noninteractive -apt-get update -apt-get dist-upgrade +sudo -E apt-get update +sudo -E apt-get dist-upgrade -y -apt-get install -y curl gnupg lsb-release +sudo -E apt-get install -y curl gnupg lsb-release -curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - +curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo -E apt-key add - ubuntu_name="$(lsb_release -cs)" -tee -a /etc/apt/sources.list.d/custom.list >/dev/null </dev/null < "/tmp/id_${user}.pub" done -sed -Ei 's/^#?PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config -sed -Ei 's/^#?PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config -sed -Ei 's/^#?PermitEmptyPasswords .*/PermitEmptyPasswords no/' /etc/ssh/sshd_config +sudo sed -Ei 's/^#?PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config +sudo sed -Ei 's/^#?PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config +sudo sed -Ei 's/^#?PermitEmptyPasswords .*/PermitEmptyPasswords no/' /etc/ssh/sshd_config -passwd -l root -useradd admin -g admin -G sudo -s /usr/bin/bash -p "$(echo "${ADMIN_PASSWORD}" | mkpasswd -s)" -m -useradd deploy -s /usr/bin/bash -p "!" +sudo passwd -l root +sudo useradd admin -g admin -G sudo -s /usr/bin/bash -p "$(echo "${ADMIN_PASSWORD}" | mkpasswd -s)" -m +sudo useradd deploy -s /usr/bin/bash -p "!" 
-m for user in admin deploy; do - mkdir -p "/home/${user}/.ssh" - mv "/tmp/id_${user}.pub" "/home/${user}/.ssh/authorized_keys" - chown -R "${user}:${user}" "/home/${user}/.ssh" - chmod -R go-rwx "/home/${user}/.ssh" + sudo runuser -u "${user}" -- mkdir -p "/home/${user}/.ssh" + sudo mv "/tmp/id_${user}.pub" "/home/${user}/.ssh/authorized_keys" + sudo chown -R "${user}:${user}" "/home/${user}/.ssh" + sudo chmod -R go-rwx "/home/${user}/.ssh" done -sed -i 's/^/command="sudo riju-deploy",restrict/' /home/deploy/.ssh/authorized_keys +sudo runuser -u deploy -- sed -i 's/^/command="sudo riju-deploy",restrict/' /home/deploy/.ssh/authorized_keys -cat <<"EOF" > /etc/sudoers.d/riju +sudo tee /etc/sudoers.d/riju >/dev/null <<"EOF" deploy ALL=(root) NOPASSWD: /usr/local/bin/riju-deploy EOF + +sudo passwd -l ubuntu diff --git a/packer/riju-deploy b/packer/riju-deploy index 1a10308..c1b7dcc 100755 --- a/packer/riju-deploy +++ b/packer/riju-deploy @@ -2,7 +2,7 @@ set -euo pipefail -DOCKER_REPO="${DOCKER_REPO:-DOCKER_REPO_REPLACED_BY_PACKER}" +DOCKER_REPO_BASE="${DOCKER_REPO_BASE:-DOCKER_REPO_BASE_REPLACED_BY_PACKER}" if (( $# != 1 )); then echo "usage: ssh deploy@riju COMMIT-SHA" >&2 @@ -16,7 +16,7 @@ if [[ "$(echo -n "${commit}" | wc -c)" != 40 ]]; then exit 1 fi -image="${DOCKER_REPO}:app-${commit}" +image="${DOCKER_REPO_BASE}:app-${commit}" echo "Pull image to be deployed..." docker pull "${image}" diff --git a/packer/server.json b/packer/server.json index 612e00a..39a0346 100644 --- a/packer/server.json +++ b/packer/server.json 
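Review bot: The final `sudo passwd -l ubuntu` only disables that account's password, but this script has already set `PasswordAuthentication no`, and on stock Ubuntu AMIs the `ubuntu` user authenticates with the key pair injected at launch and holds passwordless sudo via cloud-init, so the lock changes nothing about who can still reach root; retiring the account means removing its `~/.ssh/authorized_keys` and its sudoers drop-in (or deleting the user) once the `admin` and `deploy` accounts are in place. Separately, `curl … | sudo -E apt-key add -` puts Docker's signing key into the global trusted keyring, where it can vouch for every configured repository; writing it to a keyring file and referencing it with `signed-by=` in the sources entry confines it to Docker's repo (the sources entry itself is garbled in this view). The hunk header and the steps between the apt setup and the `sshd_config` edits are mangled in this diff and could not be reviewed.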
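Review bot: The new `image="${DOCKER_REPO_BASE}:app-${commit}"` interpolates a value the check above verifies only for length (40 bytes), and the default `DOCKER_REPO_BASE_REPLACED_BY_PACKER` is a placeholder that still reads as a valid repository name, so if packer's substitution ever fails the script proceeds to `docker pull` a nonsense image and the error surfaces far from its cause. Two cheap guards close both gaps: `[[ "${commit}" =~ ^[0-9a-f]{40}$ ]] || { echo "commit must be a 40-hex SHA" >&2; exit 1; }` and `[[ "${DOCKER_REPO_BASE}" != *_REPLACED_BY_PACKER ]] || { echo "DOCKER_REPO_BASE was not substituted" >&2; exit 1; }`. The same rename appears in the first hunk of this file and in server.json and validate.bash.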
@@ -1,9 +1,9 @@
 {
 "variables": {
-"docker_repo": "{{env `DOCKER_REPO`}}",
+"docker_repo_base": "{{env `DOCKER_REPO_BASE`}}",
 "admin_password": "{{env `ADMIN_PASSWORD`}}",
-"admin_ssh_public_key_file": "{{env `ADMIN_SSH_PUBLIC_KEY_FILE`}",
-"deploy_ssh_public_key_file": "{{env `DEPLOY_SSH_PUBLIC_KEY_FILE`}"
+"admin_ssh_public_key_file": "{{env `ADMIN_SSH_PUBLIC_KEY_FILE`}}",
+"deploy_ssh_public_key_file": "{{env `DEPLOY_SSH_PUBLIC_KEY_FILE`}}"
 },
 "builders": [
 {
@@ -12,7 +12,7 @@
 "filters": {
 "virtualization-type": "hvm",
 "root-device-type": "ebs",
-"name": "ubuntu/images/ubuntu-groovy-20.10-amd64-server-*"
+"name": "ubuntu/images/hvm-ssd/ubuntu-groovy-20.10-amd64-server-*"
 },
 "owners": ["099720109477"],
 "most_recent": true
@@ -27,7 +27,7 @@
 "type": "shell",
 "script": "validate.bash",
 "environment_vars": [
-"DOCKER_REPO={{user `docker_repo`}}",
+"DOCKER_REPO_BASE={{user `docker_repo_base`}}",
 "ADMIN_PASSWORD={{user `admin_password`}}",
 "ADMIN_SSH_PUBLIC_KEY_FILE={{user `admin_ssh_public_key_file`}}",
 "DEPLOY_SSH_PUBLIC_KEY_FILE={{user `deploy_ssh_public_key_file`}}"
@@ -36,17 +36,17 @@
 {
 "type": "file",
 "source": "riju",
-"destination": "/usr/local/bin/riju"
+"destination": "/tmp/riju"
 },
 {
 "type": "file",
 "source": "riju-deploy",
-"destination": "/usr/local/bin/riju-deploy"
+"destination": "/tmp/riju-deploy"
 },
 {
 "type": "file",
 "source": "riju.service",
-"destination": "/etc/systemd/system/riju.service"
+"destination": "/tmp/riju.service"
 },
 {
 "type": "file",
@@ -62,7 +62,7 @@
 "type": "shell",
 "script": "provision.bash",
 "environment_vars": [
-"DOCKER_REPO={{user `docker_repo`}}",
+"DOCKER_REPO_BASE={{user `docker_repo_base`}}",
 "ADMIN_PASSWORD={{user `admin_password`}}"
 ]
 }
diff --git a/packer/validate.bash b/packer/validate.bash
index 749cdc8..a4957fe 100755
--- a/packer/validate.bash
+++ b/packer/validate.bash
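Review bot: The three file provisioners now stage `riju`, `riju-deploy` and `riju.service` in world-writable `/tmp`, owned by packer's SSH user rather than root, and nothing in this file records how they reach `/usr/local/bin` and `/etc/systemd/system`. Since `riju-deploy` is later executed as root through the `NOPASSWD` sudoers rule in provision.bash, the step that moves the staged files (the relevant part of provision.bash is garbled in this diff, so it could not be checked) should set owner and mode explicitly, e.g. `sudo install -o root -g root -m 0755 /tmp/riju-deploy /usr/local/bin/riju-deploy`, because a plain `mv` keeps the uploader's uid and leaves a root-executed script writable by a non-root account. The `}` → `}}` repairs in the first hunk fix real template bugs rather than being part of the rename, which is worth calling out in the commit message.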
@@ -2,7 +2,7 @@
 
 set -euo pipefail
 
-: ${DOCKER_REPO}
+: ${DOCKER_REPO_BASE}
 : ${ADMIN_PASSWORD}
 : ${ADMIN_SSH_PUBLIC_KEY_FILE}
 : ${DEPLOY_SSH_PUBLIC_KEY_FILE}
diff --git a/tf/infra.tf b/tf/infra.tf
index 23464b5..6a1af53 100644
--- a/tf/infra.tf
+++ b/tf/infra.tf
@@ -47,3 +47,9 @@ resource "aws_ebs_volume" "data" {
 size = 100
 tags = local.tags
 }
+
+resource "aws_volume_attachment" "data" {
+device_name = "/dev/sdh"
+volume_id = aws_ebs_volume.data.id
+instance_id = aws_instance.server.id
+}
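Review bot: `: ${DOCKER_REPO_BASE}` only trips `set -u` when the variable is unset, but packer's `environment_vars` always defines it — as an empty string when `DOCKER_REPO_BASE` is missing from the build environment — so an empty value passes validation and only surfaces later as a malformed image name in riju-deploy. `: "${DOCKER_REPO_BASE:?}"` rejects both unset and empty; the three existing lines below it have the same gap.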
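Review bot: The new `aws_volume_attachment` requests `device_name = "/dev/sdh"`, but on Nitro-based instance types the guest kernel exposes the disk as an NVMe device (`/dev/nvme1n1` or similar), so any host-side step that formats or mounts the data volume should find it by EBS volume id or filesystem label rather than by this name; a comment on the line, `# requested name only; Nitro instances expose it as /dev/nvmeXn1`, would prevent that assumption. The attachment also ties `aws_instance.server` to the volume, so replacing the instance requires a detach first; `stop_instance_before_detaching = true` makes that orderly while the volume is mounted.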