diff --git a/shell.nix b/shell.nix
index eddb114..0016f1c 100644
--- a/shell.nix
+++ b/shell.nix
@@ -2,11 +2,13 @@
 packages = with pkgs; [
 ansible
 ansible-lint
+ awscli
 certbot
 dig
 openssl
 caddy
 shellcheck
 git-crypt
+ opentofu
 ];
 }
diff --git a/tf-infra/README.md b/tf-infra/README.md
index df7164b..5d8dabb 100644
--- a/tf-infra/README.md
+++ b/tf-infra/README.md
@@ -7,7 +7,7 @@ The state can be found in an s3 bucket that is not managed via terraform and loo
 This uses the following environment variables:
 
 ```
-# contabo
+# contabo from https://my.contabo.com/api/details
 export CNTB_OAUTH2_CLIENT_ID="id"
 export CNTB_OAUTH2_CLIENT_SECRET="secret"
 export CNTB_OAUTH2_USER="email"
diff --git a/tf-infra/backup_personal.tf b/tf-infra/backup_personal.tf
new file mode 100644
index 0000000..ecc9417
--- /dev/null
+++ b/tf-infra/backup_personal.tf
@@ -0,0 +1,63 @@
+resource "aws_s3_bucket" "personal_backups" {
+ bucket = "nilstrieb-personal-backup"
+}
+
+resource "aws_s3_bucket_lifecycle_configuration" "personal_backups_lifecycle" {
+ bucket = aws_s3_bucket.personal_backups.bucket
+ rule {
+ id = "1-cold"
+
+ filter {
+ prefix = "1/"
+ }
+
+ transition {
+ days = 30
+ storage_class = "GLACIER_IR"
+ }
+
+ status = "Enabled"
+ }
+}
+
+resource "aws_iam_user" "personal_backup_uploader" {
+ name = "personal-backup-uploader"
+}
+
+resource "aws_iam_access_key" "personal_backup_uploader" {
+ user = aws_iam_user.personal_backup_uploader.name
+}
+
+
+resource "aws_iam_group" "personal_backup_uploaders" {
+ name = "personal-backup-uploaders"
+}
+
+resource "aws_iam_user_group_membership" "personal_backup_uploader" {
+ user = aws_iam_user.personal_backup_uploader.name
+ groups = [ aws_iam_group.personal_backup_uploaders.name ]
+}
+
+resource "aws_iam_group_policy" "upload_personal_backup" {
+ name = "nilstrieb-personal-backups-upload"
+ group = aws_iam_group.personal_backup_uploaders.name
+ policy = jsonencode({
+ "Version":"2012-10-17",
+ "Statement":[
+ {
+ "Effect":"Allow",
+ "Action":"s3:*",
+ "Resource":"arn:aws:s3:::${aws_s3_bucket.personal_backups.bucket}*"
+ },
+ ]
+ })
+}
+
+
+output "personal_backup_access_key_id" {
+ value = aws_iam_access_key.personal_backup_uploader.id
+}
+output "personal_backup_access_key_secret" {
+ value = aws_iam_access_key.personal_backup_uploader.secret
+ sensitive = true
+}
diff --git a/tf-infra/state.sh b/tf-infra/state.sh
index d7060db..ebf2abc 100755
--- a/tf-infra/state.sh
+++ b/tf-infra/state.sh
@@ -1,4 +1,4 @@
-#!/usr/bin/bash
+#!/usr/bin/env bash
 BUCKET="nilstrieb-states"
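Review bot: The policy in `aws_iam_group_policy.upload_personal_backup` grants `"Action":"s3:*"` to the uploader identity, so a leaked uploader key can delete or overwrite every backup (s3:DeleteObject, s3:DeleteBucket and s3:PutBucketPolicy are all covered), which defeats the point of an off-site backup; an upload-only identity should get a short action list, and the resource should be split into the bucket ARN and `bucket/*` because the current `${...bucket}*` pattern also matches any other bucket whose name starts with this prefix. Independently, `aws_iam_access_key.personal_backup_uploader` writes the plaintext secret into the Terraform state, which the README says lives in an S3 bucket, and `sensitive = true` only hides it in CLI output, so either set `pgp_key` on the access key and output `encrypted_secret`, or treat the state bucket as a secret store with matching access controls. The bucket has no `aws_s3_bucket_versioning` resource, so even with a tightened policy an overwritten object is gone; enabling versioning (and letting the lifecycle rule expire noncurrent versions) gives a recovery path. The exact action list depends on how uploads are performed (`aws s3 sync` needs ListBucket and PutObject, multipart uploads additionally AbortMultipartUpload), so adjust the sketch below to the tooling actually used.
```hcl
resource "aws_iam_group_policy" "upload_personal_backup" {
  # … unchanged: name, group …
  policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Effect" : "Allow",
        # Write-only: no Delete*/PutBucket* so a leaked key cannot destroy backups.
        # Extend only if the upload tool needs it (e.g. s3:AbortMultipartUpload).
        "Action" : ["s3:PutObject", "s3:ListBucket"],
        "Resource" : [
          "arn:aws:s3:::${aws_s3_bucket.personal_backups.bucket}",
          "arn:aws:s3:::${aws_s3_bucket.personal_backups.bucket}/*"
        ]
      }
    ]
  })
}
```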