diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
index 1a185e3..75c24de 100644
--- a/.github/workflows/terraform.yml
+++ b/.github/workflows/terraform.yml
@@ -11,8 +11,12 @@ jobs:
   terraform-deploy:
     if: github.repository == 'nix-community/infra'
     runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: terraform
     env:
       SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}
+      TF_TOKEN_app_terraform_io: ${{ secrets.TF_TOKEN_APP_TERRAFORM_IO }}
       TF_IN_AUTOMATION: true
     steps:
       - uses: actions/checkout@v3
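Review bot: `TF_TOKEN_app_terraform_io` is added at job level, so the Terraform Cloud token (and the already job-level `SOPS_AGE_KEY`) is present in the environment of every step, including `actions/checkout@v3` and whatever installs nix later in the job, none of which need it. Scoping the secrets to the steps that actually invoke terraform limits what a compromised or over-broad third-party action can read; e.g. on the init/plan/apply steps add `env:` with `TF_TOKEN_app_terraform_io: ${{ secrets.TF_TOKEN_APP_TERRAFORM_IO }}` and `SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}` and drop them from the job-level `env`. Whether the later steps run other external actions is outside this hunk, so treat the blast radius as an inference to confirm.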
@@ -31,16 +35,16 @@ jobs:
             accept-flake-config = true
       - name: init
         if: steps.changes.outputs.terraform == 'true'
-        run: nix develop -c ./terraform/terraform init -input=false
+        run: nix develop -c terraform init -input=false
       - name: validate
         if: steps.changes.outputs.terraform == 'true'
-        run: nix develop -c ./terraform/terraform validate
+        run: nix develop -c terraform validate
       - name: fmt
         if: steps.changes.outputs.terraform == 'true'
-        run: nix develop -c ./terraform/terraform fmt -check
+        run: nix develop -c terraform fmt -check
       - name: plan
         if: steps.changes.outputs.terraform == 'true' && github.ref == 'refs/heads/trying'
-        run: nix develop -c ./terraform/terraform plan -input=false
+        run: nix develop -c terraform plan -input=false
       - name: apply
         if: steps.changes.outputs.terraform == 'true' && github.ref == 'refs/heads/staging'
-        run: nix develop -c ./terraform/terraform apply -auto-approve -input=false
+        run: nix develop -c terraform apply -auto-approve -input=false
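Review bot: The deleted `terraform/terraform` wrapper set `TF_FORCE_LOCAL_BACKEND="1"` so that the Terraform Cloud backend kept state remotely but ran plan/apply on the runner; the new direct `terraform plan`/`terraform apply` invocations here set nothing equivalent. If the workspace's execution mode is "remote" (not visible in this diff), the run happens inside Terraform Cloud, where the runner's `SOPS_AGE_KEY` is not available and the new `sops_file` data source will fail, or the age key has to be copied into TFC as a workspace variable, which widens where that key lives. Either keep the previous behaviour explicitly with `TF_FORCE_LOCAL_BACKEND: "1"` in the job `env`, or document in a comment on the plan/apply steps that the workspace is pinned to local execution, e.g. `# workspace execution mode must be "local": the sops provider decrypts with SOPS_AGE_KEY on this runner`.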
diff --git a/shell.nix b/shell.nix
index fa01bc1..97303ca 100644
--- a/shell.nix
+++ b/shell.nix
@@ -11,6 +11,7 @@ mkShellNoCC {
         p.external
         p.hydra
         p.null
+        p.sops
         p.tfe
       ]
     ))
diff --git a/terraform/terraform b/terraform/terraform
deleted file mode 100755
index 5b407c9..0000000
--- a/terraform/terraform
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-pushd "$(dirname "$0")" >/dev/null
-
-# terraform cloud without the remote execution part
-TF_FORCE_LOCAL_BACKEND="1" sops exec-env secrets.yaml "terraform ${*@Q}"
-
-popd >/dev/null
diff --git a/terraform/terraform_providers.tf b/terraform/terraform_providers.tf
index 5e6464d..30cf557 100644
--- a/terraform/terraform_providers.tf
+++ b/terraform/terraform_providers.tf
@@ -6,15 +6,29 @@ terraform {
     hydra = {
       source = "DeterminateSystems/hydra"
     }
+    sops = {
+      source = "carlpett/sops"
+    }
     tfe = {
       source = "hashicorp/tfe"
     }
   }
 }
 
-provider "cloudflare" {}
+data "sops_file" "nix-community" {
+  source_file = "secrets.yaml"
+}
+
+provider "cloudflare" {
+  api_token = data.sops_file.nix-community.data["CLOUDFLARE_API_TOKEN"]
+}
 
 provider "hydra" {
   host     = "https://hydra.nix-community.org"
+  password = data.sops_file.nix-community.data["HYDRA_PASSWORD"]
   username = "admin"
 }
+
+provider "tfe" {
+  token = data.sops_file.nix-community.data["TFE_TOKEN"]
+}
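Review bot: Values read through `data "sops_file" "nix-community"` are decrypted into the `data` map of a data source, and data source results are persisted in Terraform state, so with the Terraform Cloud backend every key in `secrets.yaml` — not just `CLOUDFLARE_API_TOKEN`, `HYDRA_PASSWORD` and `TFE_TOKEN` — becomes readable to anyone with state read access on the workspace. The carlpett/sops provider marks the map sensitive, which only affects CLI output, not state contents. A comment above the data source should make this explicit, e.g. `# NOTE: the decrypted contents of secrets.yaml (all keys) end up in remote state; keep this file limited to the secrets Terraform itself needs`, and the file should be pruned to exactly those keys. Adding a `version` constraint for `carlpett/sops` would also be reasonable, though the neighbouring providers omit one too.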