diff --git a/.env.example b/.env.example
new file mode 100644
index 0000000..d426386
--- /dev/null
+++ b/.env.example
@@ -0,0 +1,5 @@
+PROXMOX_VE_ENDPOINT=""
+PROXMOX_VE_API_TOKEN=""
+
+AWS_ACCESS_KEY_ID=""
+AWS_SECRET_ACCESS_KEY=""
diff --git a/.justfile b/.justfile
index b3aba5d..50d8ca4 100644
--- a/.justfile
+++ b/.justfile
@@ -1,3 +1,5 @@
+set dotenv-load := true
+
 export ANSIBLE_VAULT_PASSWORD_FILE := justfile_directory() + "/.decrypt-pass.txt"
 export ANSIBLE_BECOME_PASSWORD_FILE := justfile_directory() + "/.become-pass.txt"
 
@@ -34,3 +36,7 @@ decrypt +ARGS:
 [no-cd]
 decrypt-store +ARGS:
   uv run ansible-vault decrypt {{ ARGS }}
+
+[no-cd]
+tofu +ARGS:
+  tofu {{ ARGS }}
diff --git a/opentofu/vms/providers.tf b/opentofu/vms/providers.tf
index 25d07d3..bb0c737 100644
--- a/opentofu/vms/providers.tf
+++ b/opentofu/vms/providers.tf
@@ -7,11 +7,25 @@ terraform {
       version = "0.43.2"
     }
   }
+
+  backend "s3" {
+    bucket = "opentofu-state"
+    region = "us-east-1"
+    key = "lxc/terraform.tfstate"
+    encrypt = false
+
+    skip_credentials_validation = true
+    skip_region_validation      = true
+    skip_requesting_account_id  = true
+    skip_s3_checksum = true
+
+    endpoints = {
+      s3       = "https://a7638f5d66d44acc48d4b80b7c3c8a0c.r2.cloudflarestorage.com"
+    }
+  }
 }
 
 provider "proxmox" {
-  endpoint  = var.proxmox_api_endpoint
-  api_token = var.proxmox_api_token
   insecure  = true
   tmp_dir  = "/var/tmp"
   ssh {
diff --git a/opentofu/vms/s3.tf b/opentofu/vms/s3.tf
index 52ec9ed..cebf4c0 100644
--- a/opentofu/vms/s3.tf
+++ b/opentofu/vms/s3.tf
@@ -1,3 +1,5 @@
+# docs: https://registry.terraform.io/providers/bpg/proxmox/latest/docs/resources/virtual_environment_container
+
 resource "proxmox_virtual_environment_container" "banana-hoard" {
   vm_id = 160
   node_name = "pve"
diff --git a/opentofu/vms/variables.tf b/opentofu/vms/variables.tf
index 68a8dd4..35c2ef3 100644
--- a/opentofu/vms/variables.tf
+++ b/opentofu/vms/variables.tf
@@ -1,13 +1,3 @@
-variable "proxmox_api_endpoint" {
-  type = string
-  description = "Proxmox cluster API endpoint https://proxmox-01.my-domain.net:8006"
-}
-
-variable "proxmox_api_token" {
-  type = string
-  description = "Proxmox API token bpg proxmox provider with ID and token"
-}
-
 variable "root_password" {
   type = string
   description = "Password used for the root user"