diff --git a/.gitignore b/.gitignore
index 1688ff0..6a65a15 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,5 @@
 *.tfvars
 .terraform/
 *.env
-.terraform.lock.hcl
 *.tfstate
 *.tfstate.backup
diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl
new file mode 100644
index 0000000..56d5786
--- /dev/null
+++ b/.terraform.lock.hcl
@@ -0,0 +1,24 @@
+# This file is maintained automatically by "tofu init".
+# Manual edits may be lost in future updates.
+
+provider "registry.opentofu.org/hashicorp/external" {
+ version = "2.3.4"
+ hashes = [
+ "h1:i0CiDzSau8J/NcGlv6A3luRuYkqbnuO2c+XVrJ6YOoA=",
+ ]
+}
+
+provider "registry.opentofu.org/hashicorp/null" {
+ version = "3.2.3"
+ hashes = [
+ "h1:tIPswUCP63F9jN+FulrFOJfVriHAMtLUPEkalbwa+Ys=",
+ ]
+}
+
+provider "registry.opentofu.org/hetznercloud/hcloud" {
+ version = "1.49.1"
+ constraints = "~> 1.45"
+ hashes = [
+ "h1:dyK3/rOb8IJOM0trh328NovbYb+Rz33qui2/fg85hU8=",
+ ]
+}
diff --git a/README.md b/README.md
index 92b6bcf..2d66491 100644
--- a/README.md
+++ b/README.md
@@ -4,7 +4,7 @@
 This is an experimental configuration for my Hetzner VPS using OpenTofu and Nix.
 ## How to use
-Copy `secret.tfvars.example` to `secret.tfvars` and fill in the values.
+In the `terraform` directory, copy `secret.tfvars.example` to `secret.tfvars` and fill in the values.
 To generate a token with Hetzner, go to the project and click `Security -> API Tokens`.
@@ -14,5 +14,5 @@
 Run `nix develop` to access a shell where OpenTofu is accessible.
 The following aliases in the development shell include the secrets file automatically.
-- `tofu-plan`
-- `tofu-apply`
+- `tofu-plan` - run in `terraform` directory
+- `tofu-apply` - run in `terraform` directory
diff --git a/flake.lock b/flake.lock
index bad2016..0049e95 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,45 @@
 {
 "nodes": {
+ "disko": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1739841949,
+ "narHash": "sha256-lSOXdgW/1zi/SSu7xp71v+55D5Egz8ACv0STkj7fhbs=",
+ "owner": "nix-community",
+ "repo": "disko",
+ "rev": "15dbf8cebd8e2655a883b74547108e089f051bf0",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "disko",
+ "type": "github"
+ }
+ },
+ "flake-parts": {
+ "inputs": {
+ "nixpkgs-lib": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1738453229,
+ "narHash": "sha256-7H9XgNiGLKN1G1CgRh0vUL4AheZSYzPm+zmZ7vxbJdo=",
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "rev": "32ea77a06711b758da0ad9bd6a844c5740a87abd",
+ "type": "github"
+ },
+ "original": {
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "type": "github"
+ }
+ },
 "nixpkgs": {
 "locked": {
 "lastModified": 1739866667,
@@ -18,6 +58,8 @@
 },
 "root": {
 "inputs": {
+ "disko": "disko",
+ "flake-parts": "flake-parts",
 "nixpkgs": "nixpkgs"
 }
 }
diff --git a/flake.nix b/flake.nix
index 7825361..f450f5e 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,6 +1,12 @@
 {
 inputs = {
 nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+
+ flake-parts.url = "github:hercules-ci/flake-parts";
+ flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
+
+ disko.url = "github:nix-community/disko";
+ disko.inputs.nixpkgs.follows = "nixpkgs";
 };
 outputs = { self, nixpkgs, ... }:
@@ -13,6 +19,8 @@
 pkgs = import nixpkgs { inherit system; };
 tofuPkg = pkgs.opentofu.withPlugins (p: [
 pkgs.terraform-providers.hcloud
+ pkgs.terraform-providers.null
+ pkgs.terraform-providers.external
 ]);
 in {
 default = pkgs.mkShell {
diff --git a/main.tf b/main.tf
deleted file mode 100644
index b9312cf..0000000
--- a/main.tf
+++ /dev/null
@@ -1,46 +0,0 @@
-terraform {
- required_providers {
- hcloud = {
- source = "hetznercloud/hcloud"
- version = "~> 1.45"
- }
- }
-}
-
-variable "hcloud_token" {
- sensitive = true
-}
-
-provider "hcloud" {
- token = var.hcloud_token
-}
-
-resource "hcloud_ssh_key" "main" {
- name = "my-ssh-key"
- public_key = file("~/.ssh/id_ed25519.pub")
-}
-
-resource "hcloud_server" "vpn" {
- name = "vpn"
- image = "debian-12"
- server_type = "cpx11"
- location = "hil"
- ssh_keys = [hcloud_ssh_key.main.id]
-
- //provisioner "local-exec" {
- // command = "sleep 120"
- //}
-
- provisioner "remote-exec" {
- connection {
- type = "ssh"
- user = "root"
- host = self.ipv4_address
- // private_key = file("~/.ssh/id_ed25519")
- agent = true
- }
- inline = [
- "curl https://raw.githubusercontent.com/elitak/NixOS-infect/master/NixOS-infect | PROVIDER=hetznercloud Nix_CHANNEL=NixOS-Unstable bash 2>&1 | tee /tmp/infect.log",
- ]
- }
-}
diff --git a/terraform/.terraform.lock.hcl b/terraform/.terraform.lock.hcl
new file mode 100644
index 0000000..56d5786
--- /dev/null
+++ b/terraform/.terraform.lock.hcl
@@ -0,0 +1,24 @@
+# This file is maintained automatically by "tofu init".
+# Manual edits may be lost in future updates.
+
+provider "registry.opentofu.org/hashicorp/external" {
+ version = "2.3.4"
+ hashes = [
+ "h1:i0CiDzSau8J/NcGlv6A3luRuYkqbnuO2c+XVrJ6YOoA=",
+ ]
+}
+
+provider "registry.opentofu.org/hashicorp/null" {
+ version = "3.2.3"
+ hashes = [
+ "h1:tIPswUCP63F9jN+FulrFOJfVriHAMtLUPEkalbwa+Ys=",
+ ]
+}
+
+provider "registry.opentofu.org/hetznercloud/hcloud" {
+ version = "1.49.1"
+ constraints = "~> 1.45"
+ hashes = [
+ "h1:dyK3/rOb8IJOM0trh328NovbYb+Rz33qui2/fg85hU8=",
+ ]
+}
diff --git a/terraform/main.tf b/terraform/main.tf
new file mode 100644
index 0000000..486f06f
--- /dev/null
+++ b/terraform/main.tf
@@ -0,0 +1,60 @@
+terraform {
+ required_providers {
+ hcloud = {
+ source = "hetznercloud/hcloud"
+ version = "~> 1.45"
+ }
+ }
+}
+
+variable "hcloud_token" {
+ sensitive = true
+}
+
+provider "hcloud" {
+ token = var.hcloud_token
+}
+
+resource "hcloud_ssh_key" "main" {
+ name = "my-ssh-key"
+ public_key = file("~/.ssh/id_ed25519.pub")
+}
+
+resource "hcloud_server" "vpn" {
+ name = "vpn"
+ image = "debian-12"
+ server_type = "cpx11"
+ location = "hil"
+ ssh_keys = [hcloud_ssh_key.main.id]
+
+ //provisioner "local-exec" {
+ // command = "sleep 120"
+ //}
+
+ //provisioner "remote-exec" {
+ // connection {
+ // type = "ssh"
+ // user = "root"
+ // host = self.ipv4_address
+ // // private_key = file("~/.ssh/id_ed25519")
+ // agent = true
+ // }
+ // inline = [
+ // "curl https://raw.githubusercontent.com/elitak/NixOS-infect/master/NixOS-infect | PROVIDER=hetznercloud Nix_CHANNEL=NixOS-Unstable bash 2>&1 | tee /tmp/infect. log",
+ // ]
+ //}
+}
+
+module "deploy" {
+ //depends_on = [local_file.nixos_vars]
+ source = "github.com/numtide/nixos-anywhere//terraform/all-in-one"
+ nixos_system_attr = ".#nixosConfigurations.vpn.config.system.build.toplevel"
+ nixos_partitioner_attr = ".#nixosConfigurations.vpn.config.system.build.diskoScript"
+ target_host = hcloud_server.vpn.ipv4_address
+ instance_id = hcloud_server.vpn.id
+ //extra_files_script = "${path.module}/decrypt-age-keys.sh"
+ //extra_environment = {
+ // SOPS_FILE = var.sops_file
+ //}
+ debug_logging = true
+}
diff --git a/secret.tfvars.example b/terraform/secret.tfvars.example
similarity index 100%
rename from secret.tfvars.example
rename to terraform/secret.tfvars.example
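Review bot: `module "deploy"` sets `source = "github.com/numtide/nixos-anywhere//terraform/all-in-one"` with no `?ref=`, so each `tofu init` fetches whatever that repository's default branch holds at the time; the `.terraform.lock.hcl` added in this commit pins providers only and does not cover module sources. Pin it to a release tag or commit, `source = "github.com/numtide/nixos-anywhere//terraform/all-in-one?ref=<tag-or-commit>"`, so the code that installs the system on the fresh host is reproducible and can be reviewed before it changes underneath you. `debug_logging = true` is left enabled; what it prints depends on the module, so either turn it off once the setup works or add a comment saying why it stays on. The commented-out curl line also appears to carry a stray space in `/tmp/infect. log`, harmless while disabled but worth correcting before it is ever re-enabled.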