diff --git a/terranix/default.nix b/terranix/default.nix
index b6ff81e..bcf5704 100644
--- a/terranix/default.nix
+++ b/terranix/default.nix
@@ -2,5 +2,6 @@
 imports = [
 ./common.nix
 ./state.nix
+ ./s3.nix
 ];
 }
diff --git a/terranix/s3.nix b/terranix/s3.nix
new file mode 100644
index 0000000..5255d6b
--- /dev/null
+++ b/terranix/s3.nix
@@ -0,0 +1,32 @@
+{ lib, ... }:
+let
+ inherit (lib) tf;
+in
+{
+ # FIXME: add a NixOS module to abstract bucket creation, etc.
+ config = {
+ terraform.required_providers.garage = {
+ version = "~> 1.0.3";
+ source = "registry.opentofu.org/RaitoBezarius/garage";
+ };
+
+ resource = {
+ secret_resource.admin-s3-token.lifecycle.prevent_destroy = true;
+ garage_bucket.monorepo-terraform-state = { };
+ garage_bucket_global_alias = {
+ monorepo-terraform-state = {
+ bucket_id = tf.ref "resource.garage_bucket.monorepo-terraform-state.id";
+ alias = "monorepo-terraform-state";
+ };
+ };
+ garage_key = { };
+ garage_bucket_key = { };
+ };
+
+ provider.garage = {
+ host = "s3-admin.dgnum.eu";
+ scheme = "https";
+ token = tf.ref "resource.secret_resource.admin-s3-token.value";
+ };
+ };
+}
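Review bot: In `terranix/s3.nix`, the admin token passed as `token = tf.ref "resource.secret_resource.admin-s3-token.value";` is a resource attribute, so it will presumably be stored in clear text in the Terraform/OpenTofu state. The backend configured in `state.nix` (not visible here) should be encrypted and access-restricted, and a comment such as `# NOTE: admin token ends up in state; keep the state backend encrypted and restricted` above the provider block would record that. `garage_bucket.monorepo-terraform-state = { };` has no lifecycle guard although its name suggests it holds the state itself; consider `garage_bucket.monorepo-terraform-state = { lifecycle.prevent_destroy = true; };`, as is already done for the secret. The provider comes from a personal registry namespace with `version = "~> 1.0.3";`, which accepts later patch releases, and it is handed the admin token, so an exact pin plus a committed lock file with hashes would narrow the supply-chain exposure. The empty `garage_key = { };` and `garage_bucket_key = { };` create nothing and read as placeholders, so a short comment saying so (or dropping them until the FIXME is done) would avoid confusion.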