diff --git a/.gitea/workflows/terraform-apply.yml b/.gitea/workflows/terraform-apply.yml index 5a49a78..a94816c 100644 --- a/.gitea/workflows/terraform-apply.yml +++ b/.gitea/workflows/terraform-apply.yml @@ -20,6 +20,21 @@ jobs: cat > secrets.auto.tfvars << EOF pm_api_token_secret = "${{ secrets.PM_API_TOKEN_SECRET }}" EOF + cat > backend.hcl << EOF + bucket = "${{ secrets.B2_TF_BUCKET }}" + key = "terraform.tfstate" + region = "us-east-005" + endpoints = { + s3 = "${{ secrets.B2_TF_ENDPOINT }}" + } + access_key = "$(printf '%s' "${{ secrets.B2_KEY_ID }}" | tr -d '\r\n')" + secret_key = "$(printf '%s' "${{ secrets.B2_APPLICATION_KEY }}" | tr -d '\r\n')" + skip_credentials_validation = true + skip_metadata_api_check = true + skip_region_validation = true + skip_requesting_account_id = true + use_path_style = true + EOF - name: Set up Terraform uses: hashicorp/setup-terraform@v2 @@ -28,7 +43,7 @@ jobs: - name: Terraform Init working-directory: terraform - run: terraform init + run: terraform init -reconfigure -backend-config=backend.hcl - name: Terraform Plan working-directory: terraform 
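Review bot: The B2 credentials in the `cat > backend.hcl << EOF` heredoc are expanded by the runner directly into the shell script text, so a secret value containing `$` or a backtick is evaluated by the shell, a `"` inside the `$(printf '%s' "${{ secrets.B2_KEY_ID }}" | tr -d '\r\n')` wrapper terminates its quoting (the wrapper only strips line endings), and both keys end up as plaintext in the working directory for the rest of the job. The Tailscale step added further down in this same file already uses the safer pattern of declaring secrets under `env:` and referencing them as shell variables; this hunk should do the same, e.g. `access_key = "$B2_KEY_ID"` with `B2_KEY_ID: ${{ secrets.B2_KEY_ID }}` in the step's `env:`. Better still, the S3 backend reads `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` from the environment, so `access_key`/`secret_key` can be dropped from backend.hcl entirely and only non-secret settings touch the disk. The identical heredoc is added to terraform-plan.yml (its `@@ -22,6 +22,21 @@` hunk) and needs the same treatment. The enclosing `run:` block of this step starts before the hunk.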
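Review bot: `terraform init -reconfigure -backend-config=backend.hcl` tells Terraform to discard any previously initialized backend without migrating state, so if a local state file exists from earlier runs it is silently left behind and the first apply against the S3 backend starts from an empty state; if there is existing state to carry over, a one-off `-migrate-state` run is needed instead (on an ephemeral runner there is probably none, but worth confirming). For CI the init should also be non-interactive so a missing setting fails fast instead of waiting on a prompt: `run: terraform init -input=false -reconfigure -backend-config=backend.hcl`. The same line is changed in terraform-plan.yml (its `@@ -34,7 +49,7 @@` hunk).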
@@ -37,3 +52,24 @@ jobs: - name: Terraform Apply working-directory: terraform run: terraform apply -auto-approve + + - name: Enroll VMs in Tailscale + env: + TS_AUTHKEY: ${{ secrets.TS_AUTHKEY }} + TAILSCALE_ENROLL_HOSTS: ${{ secrets.TAILSCALE_ENROLL_HOSTS }} + VM_SSH_PRIVATE_KEY: ${{ secrets.VM_SSH_PRIVATE_KEY }} + run: | + if [ -z "$TS_AUTHKEY" ] || [ -z "$TAILSCALE_ENROLL_HOSTS" ] || [ -z "$VM_SSH_PRIVATE_KEY" ]; then + echo "Skipping Tailscale enrollment (missing TS_AUTHKEY, TAILSCALE_ENROLL_HOSTS, or VM_SSH_PRIVATE_KEY)." + exit 0 + fi + + install -m 700 -d ~/.ssh + printf '%s\n' "$VM_SSH_PRIVATE_KEY" > ~/.ssh/id_rsa + chmod 600 ~/.ssh/id_rsa + + for host in $(printf '%s' "$TAILSCALE_ENROLL_HOSTS" | tr ',' ' '); do + echo "Enrolling $host into Tailscale" + ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ~/.ssh/id_rsa "micqdf@$host" \ + "echo '$TS_AUTHKEY' | sudo tee /etc/tailscale/authkey >/dev/null && sudo chmod 600 /etc/tailscale/authkey && sudo systemctl start tailscale-firstboot.service" + done diff --git a/.gitea/workflows/terraform-plan.yml b/.gitea/workflows/terraform-plan.yml index 35637d1..7854dd6 100644 --- a/.gitea/workflows/terraform-plan.yml +++ b/.gitea/workflows/terraform-plan.yml @@ -22,6 +22,21 @@ jobs: cat > secrets.auto.tfvars << EOF pm_api_token_secret = "${{ secrets.PM_API_TOKEN_SECRET }}" EOF + cat > backend.hcl << EOF + bucket = "${{ secrets.B2_TF_BUCKET }}" + key = "terraform.tfstate" + region = "us-east-005" + endpoints = { + s3 = "${{ secrets.B2_TF_ENDPOINT }}" + } + access_key = "$(printf '%s' "${{ secrets.B2_KEY_ID }}" | tr -d '\r\n')" + secret_key = "$(printf '%s' "${{ secrets.B2_APPLICATION_KEY }}" | tr -d '\r\n')" + skip_credentials_validation = true + skip_metadata_api_check = true + skip_region_validation = true + skip_requesting_account_id = true + use_path_style = true + EOF echo "Created secrets.auto.tfvars:" cat secrets.auto.tfvars | sed 's/=.*/=***/' echo "Using token ID from terraform.tfvars:" 
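Review bot: The Tailscale auth key is spliced into the remote command string (`"echo '$TS_AUTHKEY' | sudo tee /etc/tailscale/authkey ..."`), so on the VM it is part of the remote shell's argv — readable from `/proc` by any local user while the command runs — and a key containing `'` breaks the quoting; piping the key over ssh's stdin keeps it off the command line. `sudo tee /etc/tailscale/authkey` also fails if `/etc/tailscale` does not exist yet (nothing in this commit creates it), and the file is world-readable between `tee` and the following `chmod 600`, so the directory should be created first and the file written under `umask 077`. `sudo systemctl start tailscale-firstboot.service` is likely a no-op: the unit added in configuration.nix is `wantedBy multi-user.target` with `RemainAfterExit = true` and exits 0 when the key file is absent, so after first boot it is already active and `start` does nothing — `restart` is needed (this affects the configuration.nix `@@ -39,6 +39,33 @@` hunk as well). Finally, `StrictHostKeyChecking=no` with `UserKnownHostsFile=/dev/null` hands the auth key to whatever answers at `$host` without any identity check; exporting the VMs' host keys from Terraform (or a pinned known_hosts secret) into `~/.ssh/known_hosts` before the loop closes that gap, and the hard-coded `micqdf` user belongs in a variable next to `TAILSCALE_ENROLL_HOSTS`. The rewritten loop body:
```yaml
run: |
  # … unchanged: secret presence check and ~/.ssh setup …
  # … known_hosts populated with the VMs' pinned host keys before this loop …
  for host in $(printf '%s' "$TAILSCALE_ENROLL_HOSTS" | tr ',' ' '); do
    echo "Enrolling $host into Tailscale"
    printf '%s\n' "$TS_AUTHKEY" | ssh -o StrictHostKeyChecking=yes -i ~/.ssh/id_rsa "micqdf@$host" \
      'sudo install -d -m 0700 /etc/tailscale && sudo sh -c "umask 077; cat > /etc/tailscale/authkey" && sudo systemctl restart tailscale-firstboot.service'
  done
```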
@@ -34,7 +49,7 @@ jobs: - name: Terraform Init working-directory: terraform - run: terraform init + run: terraform init -reconfigure -backend-config=backend.hcl - name: Terraform Format Check working-directory: terraform diff --git a/nixos/template-base/configuration.nix b/nixos/template-base/configuration.nix index 867d6c0..957346b 100644 --- a/nixos/template-base/configuration.nix +++ b/nixos/template-base/configuration.nix @@ -39,6 +39,33 @@ security.sudo.wheelNeedsPassword = false; + systemd.services.tailscale-firstboot = { + description = "One-time Tailscale enrollment"; + after = [ "network-online.target" "tailscaled.service" ]; + wants = [ "network-online.target" "tailscaled.service" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + script = '' + if [ -f /var/lib/tailscale/.joined ]; then + exit 0 + fi + + if [ ! -s /etc/tailscale/authkey ]; then + exit 0 + fi + + key="$(cat /etc/tailscale/authkey)" + ${pkgs.tailscale}/bin/tailscale up --auth-key="$key" --hostname="$(hostname)" + + install -d -m 0700 /var/lib/tailscale + touch /var/lib/tailscale/.joined + rm -f /etc/tailscale/authkey + ''; + }; + environment.systemPackages = with pkgs; [ btop curl @@ -50,11 +77,13 @@ htop jq ripgrep + tailscale tree unzip vim + neovim wget ]; - system.stateVersion = "24.11"; + system.stateVersion = "25.05"; } diff --git a/terraform/main.tf b/terraform/main.tf index 55e812f..8631a17 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -1,4 +1,6 @@ terraform { + backend "s3" {} + required_providers { proxmox = { source = "Telmate/proxmox"
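Review bot: `${pkgs.tailscale}/bin/tailscale up --auth-key="$key"` places the auth key on the process command line, where any local user can read it from `/proc` for as long as the command runs; the tailscale CLI accepts `--auth-key=file:/etc/tailscale/authkey`, which reads the key itself and lets the `key="$(cat /etc/tailscale/authkey)"` line go. The unit orders itself `after`/`wants` `tailscaled.service`, but nothing in this hunk enables that service — if `services.tailscale.enable = true` is not set elsewhere in the file (the packages hunk below only adds the CLI), `tailscale up` will fail against a daemon that is not running; worth confirming. A short comment above `script` stating the contract — runs at every boot, exits early until `/etc/tailscale/authkey` is provided or `/var/lib/tailscale/.joined` exists, deletes the key after a successful join — would help the next reader, since the two `exit 0` branches look identical without it.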
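Review bot: `system.stateVersion = "25.05"` is not a routine version bump: NixOS documents that stateVersion should stay at the release a machine was first installed with, because it pins stateful defaults (database formats, service state layouts), and changing it on an already-deployed VM can alter those silently. For VMs cloned from this template after the commit that is fine, but any existing VM built from it should keep `"24.11"`; a comment on the line such as `# release this template was first built with — do not bump for already-deployed VMs` would stop the next maintainer from bumping it again.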
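Review bot: The empty `backend "s3" {}` block gives no hint that every setting is supplied through `-backend-config=backend.hcl` in CI, so a local `terraform init` will prompt for bucket, key and region with no pointer to where they come from. A one-line comment keeps that discoverable: `backend "s3" {} # all settings supplied via -backend-config=backend.hcl (see .gitea/workflows)`. The `terraform {}` block continues past the end of the hunk.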