diff --git a/shell.nix b/shell.nix
index 20d11e7..dfcb78e 100644
--- a/shell.nix
+++ b/shell.nix
@@ -1,10 +1,10 @@
 { pkgs ? import <nixpkgs> {} }:
 
 pkgs.mkShell {
-  buildInputs = [
-    pkgs.hello
+  buildInputs = with pkgs; [
+    terraform
+    niv
 
-    # keep this line if you use bash
-    pkgs.bashInteractive
+    bashInteractive
   ];
 }
diff --git a/terraform/.gitignore b/terraform/.gitignore
new file mode 100644
index 0000000..3fa8c86
--- /dev/null
+++ b/terraform/.gitignore
@@ -0,0 +1 @@
+.terraform
diff --git a/terraform/aws_image/.gitignore b/terraform/aws_image/.gitignore
new file mode 100644
index 0000000..095b8ed
--- /dev/null
+++ b/terraform/aws_image/.gitignore
@@ -0,0 +1,2 @@
+result
+.terraform
diff --git a/terraform/aws_image/.terraform.lock.hcl b/terraform/aws_image/.terraform.lock.hcl
new file mode 100644
index 0000000..67c7458
--- /dev/null
+++ b/terraform/aws_image/.terraform.lock.hcl
@@ -0,0 +1,38 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/aws" {
+  version = "3.53.0"
+  hashes = [
+    "h1:oRCCzfwGCDNyuhIJ8kCg0N7h4W2WESm37o2GIt0ETpQ=",
+    "zh:35a77c79170b0cf3fb7eb835f3ce0b715aeeceda0a259e96e49fed5a30cf6646",
+    "zh:519d5470a932b1ec9a0fe08876c5e0f0f84f8e506b652c051e4ab708be081e89",
+    "zh:58cfa5b454602d57c47acd15c2ad166a012574742cdbcf950787ce79b6510218",
+    "zh:5fc3c0162335a730701c0175809250233f45f1021da8fa52c73635e4c08372d8",
+    "zh:6790f9d6261eb4bd5cdd7cd9125f103befce2ba127f9ba46eef83585b86e1d11",
+    "zh:76e1776c3bf9568d520f78419ec143c081f653b8df4fb22577a8c4a35d3315f9",
+    "zh:ca8ed88d0385e45c35223ace59b1bf77d81cd2154d5416e63a3dddaf0def30e6",
+    "zh:d002562c4a89a9f1f6cd8d854fad3c66839626fc260e5dde5267f6d34dbd97a4",
+    "zh:da5e47fb769e90a2f16c90fd0ba95d62da3d76eb006823664a5c6e96188731b0",
+    "zh:dfe7f33ec252ea550e090975a5f10940c27302bebb5559957957937b069646ea",
+    "zh:fa91574605ddce726e8a4e421297009a9dabe023106e139ac46da49c8285f2fe",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/null" {
+  version = "3.1.0"
+  hashes = [
+    "h1:vpC6bgUQoJ0znqIKVFevOdq+YQw42bRq0u+H3nto8nA=",
+    "zh:02a1675fd8de126a00460942aaae242e65ca3380b5bb192e8773ef3da9073fd2",
+    "zh:53e30545ff8926a8e30ad30648991ca8b93b6fa496272cd23b26763c8ee84515",
+    "zh:5f9200bf708913621d0f6514179d89700e9aa3097c77dac730e8ba6e5901d521",
+    "zh:9ebf4d9704faba06b3ec7242c773c0fbfe12d62db7d00356d4f55385fc69bfb2",
+    "zh:a6576c81adc70326e4e1c999c04ad9ca37113a6e925aefab4765e5a5198efa7e",
+    "zh:a8a42d13346347aff6c63a37cda9b2c6aa5cc384a55b2fe6d6adfa390e609c53",
+    "zh:c797744d08a5307d50210e0454f91ca4d1c7621c68740441cf4579390452321d",
+    "zh:cecb6a304046df34c11229f20a80b24b1603960b794d68361a67c5efe58e62b8",
+    "zh:e1371aa1e502000d9974cfaff5be4cfa02f47b17400005a16f14d2ef30dc2a70",
+    "zh:fc39cc1fe71234a0b0369d5c5c7f876c71b956d23d7d6f518289737a001ba69b",
+    "zh:fea4227271ebf7d9e2b61b89ce2328c7262acd9fd190e1fd6d15a591abfa848e",
+  ]
+}
diff --git a/terraform/aws_image/main.tf b/terraform/aws_image/main.tf
new file mode 100644
index 0000000..dfc38a0
--- /dev/null
+++ b/terraform/aws_image/main.tf
@@ -0,0 +1,118 @@
+provider "aws" {
+  region = "us-east-1"
+}
+
+terraform {
+  backend "s3" {
+    bucket = "xeserv-tf-state-paranoid"
+    key    = "aws_image"
+    region = "us-east-1"
+  }
+}
+
+resource "aws_s3_bucket" "images" {
+  bucket = "xeserv-ami-images"
+  acl    = "private"
+
+  tags = {
+    Name = "Xeserv AMI Images"
+  }
+}
+
+resource "aws_iam_role" "vmimport" {
+  name               = "vmimport"
+  assume_role_policy = file("./vmie-trust-policy.json")
+}
+
+resource "aws_iam_role_policy" "vmimport_policy" {
+  name   = "vmimport"
+  role   = aws_iam_role.vmimport.id
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "s3:ListBucket",
+        "s3:GetObject",
+        "s3:GetBucketLocation"
+      ],
+      "Resource": [
+        "${aws_s3_bucket.images.arn}",
+        "${aws_s3_bucket.images.arn}/*"
+      ]
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "s3:GetBucketLocation",
+        "s3:GetObject",
+        "s3:ListBucket",
+        "s3:PutObject",
+        "s3:GetBucketAcl"
+      ],
+      "Resource": [
+        "${aws_s3_bucket.images.arn}",
+        "${aws_s3_bucket.images.arn}/*"
+      ]
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ec2:ModifySnapshotAttribute",
+        "ec2:CopySnapshot",
+        "ec2:RegisterImage",
+        "ec2:Describe*"
+      ],
+      "Resource": "*"
+    }
+  ]
+    }
+EOF
+}
+
+resource "aws_s3_bucket_object" "nixos_21_05" {
+  bucket = aws_s3_bucket.images.bucket
+  key    = "nixos-21.05-paranoid.vhd"
+
+  source = "./result/nixos.vhd"
+  etag   = filemd5("./result/nixos.vhd")
+}
+
+resource "aws_ebs_snapshot_import" "nixos_21_05" {
+  disk_container {
+    format = "VHD"
+    user_bucket {
+      s3_bucket = aws_s3_bucket.images.bucket
+      s3_key    = aws_s3_bucket_object.nixos_21_05.key
+    }
+  }
+
+  role_name = aws_iam_role.vmimport.name
+
+  tags = {
+    Name = "NixOS-21.05"
+  }
+}
+
+resource "aws_ami" "nixos_21_05" {
+  name                = "nixos_21_05"
+  architecture        = "x86_64"
+  virtualization_type = "hvm"
+  root_device_name    = "/dev/xvda"
+  ena_support         = true
+  sriov_net_support   = "simple"
+
+  ebs_block_device {
+    device_name           = "/dev/xvda"
+    snapshot_id           = aws_ebs_snapshot_import.nixos_21_05.id
+    volume_size           = 40 # you can go as low as 8 GB, but 40 is a nice number
+    delete_on_termination = true
+    volume_type           = "gp3"
+  }
+}
+
+output "nixos_21_05_ami" {
+  value = aws_ami.nixos_21_05.id
+}
diff --git a/terraform/aws_image/vmie-trust-policy.json b/terraform/aws_image/vmie-trust-policy.json
new file mode 100644
index 0000000..60d17f5
--- /dev/null
+++ b/terraform/aws_image/vmie-trust-policy.json
@@ -0,0 +1,15 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Principal": { "Service": "vmie.amazonaws.com" },
+            "Action": "sts:AssumeRole",
+            "Condition": {
+                "StringEquals":{
+                    "sts:Externalid": "vmimport"
+                }
+            }
+        }
+    ]
+}
diff --git a/terraform/bootstrap/.terraform.lock.hcl b/terraform/bootstrap/.terraform.lock.hcl
new file mode 100644
index 0000000..3c7404d
--- /dev/null
+++ b/terraform/bootstrap/.terraform.lock.hcl
@@ -0,0 +1,20 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/aws" {
+  version = "3.53.0"
+  hashes = [
+    "h1:oRCCzfwGCDNyuhIJ8kCg0N7h4W2WESm37o2GIt0ETpQ=",
+    "zh:35a77c79170b0cf3fb7eb835f3ce0b715aeeceda0a259e96e49fed5a30cf6646",
+    "zh:519d5470a932b1ec9a0fe08876c5e0f0f84f8e506b652c051e4ab708be081e89",
+    "zh:58cfa5b454602d57c47acd15c2ad166a012574742cdbcf950787ce79b6510218",
+    "zh:5fc3c0162335a730701c0175809250233f45f1021da8fa52c73635e4c08372d8",
+    "zh:6790f9d6261eb4bd5cdd7cd9125f103befce2ba127f9ba46eef83585b86e1d11",
+    "zh:76e1776c3bf9568d520f78419ec143c081f653b8df4fb22577a8c4a35d3315f9",
+    "zh:ca8ed88d0385e45c35223ace59b1bf77d81cd2154d5416e63a3dddaf0def30e6",
+    "zh:d002562c4a89a9f1f6cd8d854fad3c66839626fc260e5dde5267f6d34dbd97a4",
+    "zh:da5e47fb769e90a2f16c90fd0ba95d62da3d76eb006823664a5c6e96188731b0",
+    "zh:dfe7f33ec252ea550e090975a5f10940c27302bebb5559957957937b069646ea",
+    "zh:fa91574605ddce726e8a4e421297009a9dabe023106e139ac46da49c8285f2fe",
+  ]
+}
diff --git a/terraform/bootstrap/bootstrap.tf b/terraform/bootstrap/bootstrap.tf
new file mode 100644
index 0000000..10020a8
--- /dev/null
+++ b/terraform/bootstrap/bootstrap.tf
@@ -0,0 +1,12 @@
+provider "aws" {
+  region = "us-east-1"
+}
+
+resource "aws_s3_bucket" "bucket" {
+  bucket = "xeserv-tf-state-paranoid"
+  acl    = "private"
+
+  tags = {
+    Name = "Terraform State"
+  }
+}
diff --git a/terraform/bootstrap/terraform.tfstate b/terraform/bootstrap/terraform.tfstate
new file mode 100644
index 0000000..837b562
--- /dev/null
+++ b/terraform/bootstrap/terraform.tfstate
@@ -0,0 +1,59 @@
+{
+  "version": 4,
+  "terraform_version": "1.0.4",
+  "serial": 1,
+  "lineage": "f70bcdee-6de7-dd3f-6e7f-749ded4ad6b1",
+  "outputs": {},
+  "resources": [
+    {
+      "mode": "managed",
+      "type": "aws_s3_bucket",
+      "name": "bucket",
+      "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "acceleration_status": "",
+            "acl": "private",
+            "arn": "arn:aws:s3:::xeserv-tf-state-paranoid",
+            "bucket": "xeserv-tf-state-paranoid",
+            "bucket_domain_name": "xeserv-tf-state-paranoid.s3.amazonaws.com",
+            "bucket_prefix": null,
+            "bucket_regional_domain_name": "xeserv-tf-state-paranoid.s3.amazonaws.com",
+            "cors_rule": [],
+            "force_destroy": false,
+            "grant": [],
+            "hosted_zone_id": "Z3AQBSTGFYJSTF",
+            "id": "xeserv-tf-state-paranoid",
+            "lifecycle_rule": [],
+            "logging": [],
+            "object_lock_configuration": [],
+            "policy": null,
+            "region": "us-east-1",
+            "replication_configuration": [],
+            "request_payer": "BucketOwner",
+            "server_side_encryption_configuration": [],
+            "tags": {
+              "Name": "Terraform State"
+            },
+            "tags_all": {
+              "Name": "Terraform State"
+            },
+            "versioning": [
+              {
+                "enabled": false,
+                "mfa_delete": false
+              }
+            ],
+            "website": [],
+            "website_domain": null,
+            "website_endpoint": null
+          },
+          "sensitive_attributes": [],
+          "private": "bnVsbA=="
+        }
+      ]
+    }
+  ]
+}