diff --git a/.gitignore b/.gitignore index d50eeb8..51613c9 100644 --- a/.gitignore +++ b/.gitignore @@ -9,3 +9,6 @@ result-* *.qcow2 .gcroots .pre-commit-config.yaml + +# Ignore Terraform configuration file +config.tf.json diff --git a/default.nix b/default.nix index 414feb8..62a3a5e 100644 --- a/default.nix +++ b/default.nix @@ -67,9 +67,16 @@ let commitizen.enable = true; }; }; + terranixConfig = import "${sources.terranix}/core" { + inherit pkgs; + strip_nulls = true; + terranix_config.imports = [ ./terranix ]; + }; + terranixConfigFile = (pkgs.formats.json { }).generate "config.tf.json" terranixConfig.config; in { + inherit terranixConfigFile terranixConfig; nodes = builtins.mapAttrs ( host: { site, ... }: "${host}.${site}.infra.dgnum.eu" ) (import ./meta/nodes.nix); @@ -83,6 +90,11 @@ in name = "dgnum-infra"; packages = [ + (pkgs.writeShellScriptBin "tf" '' + set -eo pipefail + ln -snf ${terranixConfigFile} config.tf.json + exec ${pkgs.lib.getExe pkgs.opentofu} "$@" + '') (pkgs.nixos-generators.overrideAttrs (_: { version = "1.8.0-unstable"; src = builtins.storePath sources.nixos-generators; diff --git a/npins/sources.json b/npins/sources.json index fa089ef..ee03e5b 100644 --- a/npins/sources.json +++ b/npins/sources.json @@ -300,6 +300,21 @@ "url": null, "hash": "11vvfxw2sznc155x0xlgl00g6n9sr90xa0b1hr14vchg7gkz46r5" }, + "terranix": { + "type": "GitRelease", + "repository": { + "type": "GitHub", + "owner": "terranix", + "repo": "terranix" + }, + "pre_releases": false, + "version_upper_bound": null, + "release_prefix": null, + "version": "2.7.0", + "revision": "00710f39f38a0a654a2c4fd96cbb988b4f4cedfa", + "url": "https://api.github.com/repos/terranix/terranix/tarball/2.7.0", + "hash": "1wsyhsdsjw6xlhpkhaqvia3x0na3nx2vamcb2rbcbdmb7ra1y9f6" + }, "wp4nix": { "type": "Git", "repository": { diff --git a/terranix/common.nix b/terranix/common.nix new file mode 100644 index 0000000..0e8b0be --- /dev/null +++ b/terranix/common.nix 
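Review bot: `terranixConfigFile` renders the entire Terranix configuration into the Nix store, which is world-readable on the build host and may be pushed to a binary cache, so any literal credential placed under `./terranix` becomes readable by every local user and cache consumer; the `numtide/secret` provider added in this same change keeps secrets in state rather than in config, but nothing here enforces that discipline. A comment above the definition would make the constraint explicit: `# Rendered to /nix/store (world-readable): never put secrets in ./terranix; pass them via variables or the environment at apply time.` Whether evaluation also copies other referenced files into the store depends on what `./terranix` imports, which this hunk does not show.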
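Review bot: The `tf` wrapper symlinks `config.tf.json` into whatever directory it is invoked from, so running `tf init`/`tf apply` from a subdirectory silently creates a stray root that still points at the same remote state in `terranix/state.nix`, while `tf plan` from an unrelated directory would treat that directory as the root. Anchoring on the repository root before the link, e.g. `cd "$(git rev-parse --show-toplevel)"` ahead of `ln -snf ${terranixConfigFile} config.tf.json`, or refusing to run when `default.nix` is not in the current directory, would avoid that. `set -u` is also missing from `set -eo pipefail`; it is free here since the script only expands `"$@"`.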
@@ -0,0 +1,7 @@ +{ + # Until we get some kind of KMS operational, store secrets in the state file. + terraform.required_providers.secret = { + version = "~> 1.2.1"; + source = "numtide/secret"; + }; +} diff --git a/terranix/default.nix b/terranix/default.nix new file mode 100644 index 0000000..b6ff81e --- /dev/null +++ b/terranix/default.nix @@ -0,0 +1,6 @@ +{ + imports = [ + ./common.nix + ./state.nix + ]; +} diff --git a/terranix/state.nix b/terranix/state.nix new file mode 100644 index 0000000..5fffad0 --- /dev/null +++ b/terranix/state.nix @@ -0,0 +1,21 @@ +{ + # We use terraform.backend.s3 directly instead of the type-checked Terranix + # backend.s3 options. The latter does not support setting arbitrary s3 + # endpoints. + # + # Note: currently requires the user to provide AWS_ACCESS_KEY_ID as well as + # AWS_SECRET_ACCESS_KEY in their environment variables. + + terraform.backend.s3 = { + endpoints.s3 = "s3.dgnum.eu"; + region = "garage"; + bucket = "monorepo-terraform-state"; + key = "state"; + + # It's just a dump Garage server, don't try to be smart. + skip_credentials_validation = true; + skip_region_validation = true; + skip_requesting_account_id = true; + skip_metadata_api_check = true; + }; +}
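Review bot: The `~> 1.2.1` constraint on `numtide/secret` pins a version range but not the provider's checksums; those live in `.terraform.lock.hcl`, which this change neither adds nor lists in `.gitignore`, so committing and reviewing that lock file is what actually pins the provider supply chain. The comment should also state the consequence of the design it documents, e.g. `# Until we get some kind of KMS operational, store secrets in the state file — the remote state is therefore sensitive; see state.nix for where it lives and who can read it.` Whether a lock file is already generated elsewhere in the repository is not visible from this diff.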
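Review bot: The `terraform.backend.s3` block stores a state that, per `common.nix` in this same change, holds plaintext secrets, yet no state encryption is configured: `encrypt` is unset and there is no top-level `encryption` block, so anyone with read access to `monorepo-terraform-state` on `s3.dgnum.eu` obtains the secrets. Since the `tf` wrapper runs OpenTofu, its client-side state encryption (an `encryption` block with a passphrase or key-provider method, available in recent releases — confirm against the pinned version) is the cheap mitigation; failing that, the bucket access policy should be documented next to the `AWS_ACCESS_KEY_ID` note. The backend also configures no locking (`use_lockfile`/DynamoDB), so concurrent applies can corrupt the state; whether Garage supports the conditional writes `use_lockfile = true` relies on is not visible here. Minor: `It's just a dump Garage server` presumably means `dumb`.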