diff --git a/.env.example b/.env.example
new file mode 100644
index 0000000..df0e7fc
--- /dev/null
+++ b/.env.example
@@ -0,0 +1,2 @@
+AWS_ACCESS_KEY_ID=""
+AWS_SECRET_ACCESS_KEY=""
diff --git a/.justfile b/.justfile
index b3aba5d..50d8ca4 100644
--- a/.justfile
+++ b/.justfile
@@ -1,3 +1,5 @@
+set dotenv-load := true
+
 export ANSIBLE_VAULT_PASSWORD_FILE := justfile_directory() + "/.decrypt-pass.txt"
 export ANSIBLE_BECOME_PASSWORD_FILE := justfile_directory() + "/.become-pass.txt"
 
@@ -34,3 +36,7 @@ decrypt +ARGS:
 [no-cd]
 decrypt-store +ARGS:
   uv run ansible-vault decrypt {{ ARGS }}
+
+[no-cd]
+tofu +ARGS:
+  tofu {{ ARGS }}
diff --git a/opentofu/vms/providers.tf b/opentofu/vms/providers.tf
index 25d07d3..4c011de 100644
--- a/opentofu/vms/providers.tf
+++ b/opentofu/vms/providers.tf
@@ -7,6 +7,22 @@ terraform {
       version = "0.43.2"
     }
   }
+
+  backend "s3" {
+    bucket = "opentofu-state"
+    region = "us-east-1"
+    key = "lxc/terraform.tfstate"
+    encrypt = false
+
+    skip_credentials_validation = true
+    skip_region_validation      = true
+    skip_requesting_account_id  = true
+    skip_s3_checksum = true
+
+    endpoints = {
+      s3       = "https://a7638f5d66d44acc48d4b80b7c3c8a0c.r2.cloudflarestorage.com"
+    }
+  }
 }
 
 provider "proxmox" {