diff --git a/.hgignore b/.hgignore index 9d021b0190..550971ec60 100644 --- a/.hgignore +++ b/.hgignore @@ -6,6 +6,8 @@ ops/secrets/ result result-* +ops/vault/cfg/tf/ + web/quotes/theme/static/ syntax: regexp diff --git a/default.nix b/default.nix index c9468c535f..2ca200c435 100644 --- a/default.nix +++ b/default.nix @@ -9,6 +9,7 @@ let config = depot: { inherit depot system; pkgs = depot.third_party.nixpkgs; + depotRoot = toString ./.; }; in fix (self: let ch = (self.config // { inherit (self) lib; }); diff --git a/ops/default.nix b/ops/default.nix index bba61cc2d4..73e664b1b2 100644 --- a/ops/default.nix +++ b/ops/default.nix @@ -8,6 +8,7 @@ args: { secrets = import ./secrets args; raritan = import ./raritan args; factorio = import ./factorio args; + vault = import ./vault args; home-manager-ext = import ./home-manager-ext.nix args; } diff --git a/ops/vault/cfg/config.nix b/ops/vault/cfg/config.nix new file mode 100644 index 0000000000..e880de6bdf --- /dev/null +++ b/ops/vault/cfg/config.nix @@ -0,0 +1,15 @@ +{ ... }: + +{ + terraform = { + backend.gcs = { + bucket = "lukegb-terraform-state"; + prefix = "depot/vault"; + }; + + required_providers.vault = { + source = "hashicorp/vault"; + version = "3.3.1"; + }; + }; +} diff --git a/ops/vault/cfg/default.nix b/ops/vault/cfg/default.nix new file mode 100644 index 0000000000..d94511955a --- /dev/null +++ b/ops/vault/cfg/default.nix @@ -0,0 +1,21 @@ +{ pkgs, depotRoot, ... }@args: + +let + terranix = import "${pkgs.terranix}/core/default.nix" { + inherit pkgs; + terranix_config = { imports = [ ./config.nix ]; }; + strip_nulls = true; + extraArgs = args; + }; + + config = (pkgs.formats.json { }).generate "config.tf.json" terranix.config; + + terraform = pkgs.writeShellScript "terraform" '' + cd ${depotRoot}/ops/vault/cfg/tf + rm ./config.tf.json + ln -s ${config} config.tf.json + exec ${pkgs.terraform}/bin/terraform "$@" + ''; +in { + inherit config terraform; +} 
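Review bot: The new `ops/vault/cfg/tf/` entry ignores the whole terraform working directory, yet `.terraform.lock.hcl` in that same directory is added later in this commit. Mercurial keeps already-tracked files regardless of `.hgignore`, so this works, but any future file created there (for example a regenerated lock after a provider bump) will silently never show up as untracked. Narrower patterns such as `ops/vault/cfg/tf/.terraform/` and `ops/vault/cfg/tf/config.tf.json` would cover what the script actually generates without hiding the lock file's siblings. This is a judgement call; the current pattern is not wrong, only broader than needed.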
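Review bot: `depotRoot = toString ./.;` deliberately yields the absolute path of the checkout on the evaluating machine rather than a store path, and that is worth stating next to it because everything else in `config` is pure. If the tree is ever evaluated from a store copy (pure-eval, a fetched revision), `depotRoot` becomes a read-only `/nix/store/...` path and the writer in `ops/vault/cfg/default.nix` that `cd`s into it will fail. Suggested comment above the line: `# absolute path of this checkout at eval time (not a store path); only meaningful for impure, local evaluation`. The `config` attribute set continues outside the hunk.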
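Review bot: The `backend.gcs` block sends Terraform state for the Vault provider to the `lukegb-terraform-state` bucket, and nothing in the file records that this state is sensitive. Terraform state stores resource attributes in plaintext, and for a Vault provider those attributes can presumably include tokens or other secret material (hedged: it depends on which resources end up in `depot/vault`), so the bucket's access controls are effectively part of the security boundary of the Vault deployment. A comment on the `backend.gcs` block such as `# state under this prefix may hold Vault secrets in plaintext; bucket access must stay restricted to operators` would make that dependency explicit to the next person who touches the bucket. Pinning `required_providers.vault` to an exact `3.3.1` matching the lock file is good.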
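Review bot: The `terraform` wrapper script has no error handling between its steps: `pkgs.writeShellScript` does not add `set -e` as far as I know, so if the `cd` fails (wrong `depotRoot`, directory not yet created) the following `rm ./config.tf.json` and `ln -s` run in whatever the caller's current directory was, and `rm` without `-f` also prints an error on the very first run when no symlink exists yet. Replacing the three lines with `cd ${depotRoot}/ops/vault/cfg/tf || exit 1` and `ln -sfn ${config} config.tf.json` makes the script fail closed and idempotent. Separately, `config` is a store path and therefore world-readable on the host, which is fine for the current bucket-and-provider-only contents but means any secret added to the terranix config later would land in `/nix/store`; a short comment on `config` noting that secrets must be supplied at runtime (environment or provider auth), never through this file, would guard against that.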
diff --git a/ops/vault/cfg/tf/.terraform.lock.hcl b/ops/vault/cfg/tf/.terraform.lock.hcl new file mode 100644 index 0000000000..2c791a9234 --- /dev/null +++ b/ops/vault/cfg/tf/.terraform.lock.hcl @@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/vault" { + version = "3.3.1" + constraints = "3.3.1" + hashes = [ + "h1:i7EC2IF0KParI+JPA5ZtXJrAn3bAntW5gEMLvOXwpW4=", + "zh:3e1866037f43c1083ff825dce2a9e3853c757bb0121c5ae528ee3cf3f99b4113", + "zh:49636cc5c4939134e098c4ec0163c41fae103f24d7e1e8fc0432f8ad93d596a0", + "zh:5258a7001719c4aeb84f4c4da7115b795da4794754938a3c4176a4b578fe93a1", + "zh:7461738691e2e8ea91aba73d4351cfbc30fcaedcf0e332c9d35ef215f93aa282", + "zh:815529478e33a6727273b08340a4c62c9aeb3da02abf8f091bb4f545c8451fce", + "zh:8e6fede9f5e25b507faf6cacd61b997035b8b62859245861149ddb2990ada8eb", + "zh:9acc2387084b9c411e264c4351633bc82f9c4e420f8e6bbad9f87b145351f929", + "zh:b9e4af3b06386ceed720f0163a1496088c154aa1430ae072c525ffefa4b37891", + "zh:c7d5dfb8f8536694db6740e2a4afd2d681b60b396ded469282524c62ce154861", + "zh:d0850be710c6fd682634a2f823beed0164231cc873b1dc09038aa477c926f57c", + "zh:e90c2cba9d89db5eab295b2f046f24a53f23002bcfe008633d398fb3fa16d941", + ] +} diff --git a/ops/vault/default.nix b/ops/vault/default.nix new file mode 100644 index 0000000000..a13b0bc28c --- /dev/null +++ b/ops/vault/default.nix @@ -0,0 +1,7 @@ +# SPDX-FileCopyrightText: 2022 Luke Granger-Brown +# +# SPDX-License-Identifier: Apache-2.0 + +args: { + cfg = import ./cfg args; +}