diff --git a/.gitignore b/.gitignore
index 68de7cd5..97157118 100644
--- a/.gitignore
+++ b/.gitignore
@@ -57,3 +57,7 @@ test-emails/
 env/
 venv/
 .venv/
+
+# Ignore some terraform files
+/ci/tf/.terraform
+/ci/tf/terraform.tfstate*
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 10dd1787..4bd71920 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -61,34 +61,47 @@ test:
         coverage_format: cobertura
         path: coverage.xml
 
-deploy:
-  stage: deploy
-  tags:
-    - secure
-  rules:
-    - if: $CI_COMMIT_BRANCH == "pu"
-      when: manual
-  variables:
-    FASTAPI_BACKEND: gunicorn
-    FASTAPI_WORKERS: 5
-    AURWEB_FASTAPI_PREFIX: https://aur-dev.archlinux.org
-    AURWEB_SSHD_PREFIX: ssh://aur@aur-dev.archlinux.org:2222
-    COMMIT_HASH: $CI_COMMIT_SHA
-    GIT_DATA_DIR: git_data
-  script:
-    - pacman -Syu --noconfirm docker docker-compose socat openssh
-    - chmod 600 ${SSH_KEY}
-    - socat "UNIX-LISTEN:/tmp/docker.sock,reuseaddr,fork" EXEC:"ssh -o UserKnownHostsFile=${SSH_KNOWN_HOSTS} -Ti ${SSH_KEY} ${SSH_USER}@${SSH_HOST}" &
-    - export DOCKER_HOST="unix:///tmp/docker.sock"
-    # Set secure login config for aurweb.
-    - sed -ri "s/^(disable_http_login).*$/\1 = 1/" conf/config.dev
-    - docker-compose build
-    - docker-compose -f docker-compose.yml -f docker-compose.aur-dev.yml down --remove-orphans
-    - docker-compose -f docker-compose.yml -f docker-compose.aur-dev.yml up -d
-    - docker image prune -f
-    - docker container prune -f
-    - docker volume prune -f
+.init_tf: &init_tf
+  - pacman -Syu --needed --noconfirm --cachedir .pkg-cache terraform
+  - export TF_VAR_name="aurweb-${CI_COMMIT_REF_SLUG}"
+  - TF_ADDRESS="${CI_API_V4_URL}/projects/${TF_STATE_PROJECT}/terraform/state/${CI_COMMIT_REF_SLUG}"
+  - cd ci/tf
+  - >
+    terraform init \
+      -backend-config="address=${TF_ADDRESS}" \
+      -backend-config="lock_address=${TF_ADDRESS}/lock" \
+      -backend-config="unlock_address=${TF_ADDRESS}/lock" \
+      -backend-config="username=x-access-token" \
+      -backend-config="password=${TF_STATE_GITLAB_ACCESS_TOKEN}" \
+      -backend-config="lock_method=POST" \
+      -backend-config="unlock_method=DELETE" \
+      -backend-config="retry_wait_min=5"
 
+deploy_review:
+  stage: deploy
+  script:
+    - *init_tf
+    - terraform apply -auto-approve
   environment:
-    name: development
-    url: https://aur-dev.archlinux.org
+    name: review/$CI_COMMIT_REF_NAME
+    url: https://aurweb-$CI_ENVIRONMENT_SLUG.sandbox.archlinux.page
+    on_stop: stop_review
+    auto_stop_in: 1 week
+  rules:
+    - if: $CI_MERGE_REQUEST_ID && $CI_PROJECT_PATH == "archlinux/aurweb"
+      when: manual
+
+stop_review:
+  stage: deploy
+  needs:
+    - deploy_review
+  script:
+    - *init_tf
+    - terraform destroy -auto-approve
+    - 'curl --silent --show-error --fail --header "Private-Token: ${TF_STATE_GITLAB_ACCESS_TOKEN}" --request DELETE "${CI_API_V4_URL}/projects/${TF_STATE_PROJECT}/terraform/state/${CI_COMMIT_REF_SLUG}"'
+  environment:
+    name: review/$CI_COMMIT_REF_NAME
+    action: stop
+  rules:
+    - if: $CI_MERGE_REQUEST_ID && $CI_PROJECT_PATH == "archlinux/aurweb"
+      when: manual
diff --git a/ci/tf/.terraform.lock.hcl b/ci/tf/.terraform.lock.hcl
new file mode 100644
index 00000000..aa5501c4
--- /dev/null
+++ b/ci/tf/.terraform.lock.hcl
@@ -0,0 +1,61 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/dns" {
+  version = "3.3.2"
+  hashes = [
+    "h1:HjskPLRqmCw8Q/kiSuzti3iJBSpcAvcBFdlwFFQuoDE=",
+    "zh:05d2d50e301318362a4a82e6b7a9734ace07bc01abaaa649c566baf98814755f",
+    "zh:1e9fd1c3bfdda777e83e42831dd45b7b9e794250a0f351e5fd39762e8a0fe15b",
+    "zh:40e715fc7a2ede21f919567249b613844692c2f8a64f93ee64e5b68bae7ac2a2",
+    "zh:454d7aa83000a6e2ba7a7bfde4bcf5d7ed36298b22d760995ca5738ab02ee468",
+    "zh:46124ded51b4153ad90f12b0305fdbe0c23261b9669aa58a94a31c9cca2f4b19",
+    "zh:55a4f13d20f73534515a6b05701abdbfc54f4e375ba25b2dffa12afdad20e49d",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:7903b1ceb8211e2b8c79290e2e70906a4b88f4fba71c900eb3a425ce12f1716a",
+    "zh:b79fc4f444ef7a2fd7111a80428c070ad824f43a681699e99ab7f83074dfedbd",
+    "zh:ca9f45e0c4cb94e7d62536c226024afef3018b1de84f1ea4608b51bcd497a2a0",
+    "zh:ddc8bd894559d7d176e0ceb0bb1ae266519b01b315362ebfee8327bb7e7e5fa8",
+    "zh:e77334c0794ef8f9354b10e606040f6b0b67b373f5ff1db65bddcdd4569b428b",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/tls" {
+  version = "4.0.4"
+  hashes = [
+    "h1:pe9vq86dZZKCm+8k1RhzARwENslF3SXb9ErHbQfgjXU=",
+    "zh:23671ed83e1fcf79745534841e10291bbf34046b27d6e68a5d0aab77206f4a55",
+    "zh:45292421211ffd9e8e3eb3655677700e3c5047f71d8f7650d2ce30242335f848",
+    "zh:59fedb519f4433c0fdb1d58b27c210b27415fddd0cd73c5312530b4309c088be",
+    "zh:5a8eec2409a9ff7cd0758a9d818c74bcba92a240e6c5e54b99df68fff312bbd5",
+    "zh:5e6a4b39f3171f53292ab88058a59e64825f2b842760a4869e64dc1dc093d1fe",
+    "zh:810547d0bf9311d21c81cc306126d3547e7bd3f194fc295836acf164b9f8424e",
+    "zh:824a5f3617624243bed0259d7dd37d76017097dc3193dac669be342b90b2ab48",
+    "zh:9361ccc7048be5dcbc2fafe2d8216939765b3160bd52734f7a9fd917a39ecbd8",
+    "zh:aa02ea625aaf672e649296bce7580f62d724268189fe9ad7c1b36bb0fa12fa60",
+    "zh:c71b4cd40d6ec7815dfeefd57d88bc592c0c42f5e5858dcc88245d371b4b8b1e",
+    "zh:dabcd52f36b43d250a3d71ad7abfa07b5622c69068d989e60b79b2bb4f220316",
+    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+  ]
+}
+
+provider "registry.terraform.io/hetznercloud/hcloud" {
+  version = "1.42.0"
+  hashes = [
+    "h1:cr9lh26H3YbWSHb7OUnCoYw169cYO3Cjpt3yPnRhXS0=",
+    "zh:153b5f39d780e9a18bc1ea377d872647d328d943813cbd25d3d20863f8a37782",
+    "zh:35b9e95760c58cca756e34ad5f4138ac6126aa3e8c41b4a0f1d5dc9ee5666c73",
+    "zh:47a3cdbce982f2b4e17f73d4934bdb3e905a849b36fb59b80f87d852496ed049",
+    "zh:6a718c244c2ba300fbd43791661a061ad1ab16225ef3e8aeaa3db8c9eff12c85",
+    "zh:a2cbfc95c5e2c9422ed0a7b6292192c38241220d5b7813c678f937ab3ef962ae",
+    "zh:b837e118e08fd36aa8be48af7e9d0d3d112d2680c79cfc71cfe2501fb40dbefa",
+    "zh:bf66db8c680e18b77e16dc1f20ed1cdcc7876bfb7848c320ccb86f0fb80661ed",
+    "zh:c1ad80bbe48dc8a272a02dcdb4b12f019606f445606651c01e561b9d72d816b1",
+    "zh:d4e616701128ad14a6b5a427b0e9145ece4cad02aa3b5f9945c6d0b9ada8ab70",
+    "zh:d9d01f727037d028720100a5bc9fd213cb01e63e4b439a16f2f482c147976530",
+    "zh:dea047ee4d679370d4376fb746c4b959bf51dd06047c1c2656b32789c2433643",
+    "zh:e5ad7a3c556894bd40b28a874e7d2f6924876fa75fa443136a7d6ab9a00abbaa",
+    "zh:edf6e7e129157bd45e3da4a330d1ace17a336d417c3b77c620f302d440c368e8",
+    "zh:f610bc729866d58da9cffa4deae34dbfdba96655e855a87c6bb2cb7b35a8961c",
+  ]
+}
diff --git a/ci/tf/main.tf b/ci/tf/main.tf
new file mode 100644
index 00000000..b149a621
--- /dev/null
+++ b/ci/tf/main.tf
@@ -0,0 +1,67 @@
+terraform {
+  backend "http" {
+  }
+}
+
+provider "hcloud" {
+  token = var.hcloud_token
+}
+
+provider "dns" {
+  update {
+    server        = var.dns_server
+    key_name      = var.dns_tsig_key
+    key_algorithm = var.dns_tsig_algorithm
+    key_secret    = var.dns_tsig_secret
+  }
+}
+
+resource "tls_private_key" "this" {
+  algorithm = "ED25519"
+}
+
+resource "hcloud_ssh_key" "this" {
+  name       = var.name
+  public_key = tls_private_key.this.public_key_openssh
+}
+
+data "hcloud_image" "this" {
+  with_selector = "custom_image=archlinux"
+  most_recent   = true
+  with_status   = ["available"]
+}
+
+resource "hcloud_server" "this" {
+  name        = var.name
+  image       = data.hcloud_image.this.id
+  server_type = var.server_type
+  datacenter  = var.datacenter
+  ssh_keys    = [hcloud_ssh_key.this.name]
+
+  public_net {
+    ipv4_enabled = true
+    ipv6_enabled = true
+  }
+}
+
+resource "hcloud_rdns" "this" {
+  for_each = { ipv4 : hcloud_server.this.ipv4_address, ipv6 : hcloud_server.this.ipv6_address }
+
+  server_id  = hcloud_server.this.id
+  ip_address = each.value
+  dns_ptr    = "${var.name}.${var.dns_zone}"
+}
+
+resource "dns_a_record_set" "this" {
+  zone      = "${var.dns_zone}."
+  name      = var.name
+  addresses = [hcloud_server.this.ipv4_address]
+  ttl       = 300
+}
+
+resource "dns_aaaa_record_set" "this" {
+  zone      = "${var.dns_zone}."
+  name      = var.name
+  addresses = [hcloud_server.this.ipv6_address]
+  ttl       = 300
+}
diff --git a/ci/tf/terraform.tfvars b/ci/tf/terraform.tfvars
new file mode 100644
index 00000000..14818592
--- /dev/null
+++ b/ci/tf/terraform.tfvars
@@ -0,0 +1,4 @@
+server_type = "cpx11"
+datacenter  = "fsn1-dc14"
+dns_server  = "redirect.archlinux.org"
+dns_zone    = "sandbox.archlinux.page"
diff --git a/ci/tf/variables.tf b/ci/tf/variables.tf
new file mode 100644
index 00000000..a4e710ee
--- /dev/null
+++ b/ci/tf/variables.tf
@@ -0,0 +1,36 @@
+variable "hcloud_token" {
+  type      = string
+  sensitive = true
+}
+
+variable "dns_server" {
+  type = string
+}
+
+variable "dns_tsig_key" {
+  type = string
+}
+
+variable "dns_tsig_algorithm" {
+  type = string
+}
+
+variable "dns_tsig_secret" {
+  type = string
+}
+
+variable "dns_zone" {
+  type = string
+}
+
+variable "name" {
+  type = string
+}
+
+variable "server_type" {
+  type = string
+}
+
+variable "datacenter" {
+  type = string
+}
diff --git a/ci/tf/versions.tf b/ci/tf/versions.tf
new file mode 100644
index 00000000..2c72215a
--- /dev/null
+++ b/ci/tf/versions.tf
@@ -0,0 +1,13 @@
+terraform {
+  required_providers {
+    tls = {
+      source = "hashicorp/tls"
+    }
+    hcloud = {
+      source = "hetznercloud/hcloud"
+    }
+    dns = {
+      source = "hashicorp/dns"
+    }
+  }
+}