diff --git a/src/gitlab-tofu.sh b/src/gitlab-tofu.sh
index 3e9c167d34abe5f53acb24bc9d215f848412b3bb..b5759c68285b1b3f31e6ea8ec4e038fb713444ae 100644
--- a/src/gitlab-tofu.sh
+++ b/src/gitlab-tofu.sh
@@ -1,5 +1,35 @@
 #!/usr/bin/env sh
 
+# gitlab-tofu is a wrapper around the tofu command
+# from the OpenTofu project.
+#
+# It's main purpose is to setup tofu to work inside
+# GitLab pipelines and together with the
+# OpenTofu CI/CD component.
+# Detailed information about it is in the README:
+# https://gitlab.com/components/opentofu
+#
+# Respected Environment Variables:
+# --------------------------------
+# GITLAB_TOFU_SOURCE: forces this script in source-mode. Required when source auto-detection fails.
+#
+# OpenTofu Environment Variables:
+# > these are variables that are
+# > respected if set and avoid using
+# > the gitlab-tofu values for them.
+# ----------------------------------
+# TF_HTTP_USERNAME: username for the HTTP backend. Defaults to `gitlab-ci-token`.
+# TF_HTTP_PASSWORD: password for the HTTP backend. Defaults to `$CI_JOB_TOKEN`.
+#
+# Respected GitLab CI/CD Variables:
+# > these are variables exposed by
+# > GitLab CI/CD and respected by
+# > the gitlab-tofu script for
+# > certain configurations.
+# CI_JOB_TOKEN:
+#   - used as default value for TF_HTTP_PASSWORD.
+#   - used as value for TF_TOKEN_<host> variable.
+
 # set some shell options
 set -o errexit
 
@@ -66,14 +96,9 @@ JQ_PLAN='
   }
 '
 
-# If TF_USERNAME is unset then default to GITLAB_USER_LOGIN
-TF_USERNAME="${TF_USERNAME:-${GITLAB_USER_LOGIN}}"
-
-# If TF_PASSWORD is unset then default to gitlab-ci-token/CI_JOB_TOKEN
-if [ -z "${TF_PASSWORD}" ]; then
-  TF_USERNAME="gitlab-ci-token"
-  TF_PASSWORD="${CI_JOB_TOKEN}"
-fi
+# Default state backend credentials to gitlab-ci-token/CI_JOB_TOKEN
+state_backend_username="gitlab-ci-token"
+state_backend_password="${CI_JOB_TOKEN}"
 
 # If TF_ADDRESS is unset but TF_STATE_NAME is provided, then default to GitLab backend in current project
 if [ -n "${TF_STATE_NAME}" ] && [ -z "${TF_ADDRESS}" ]; then
@@ -117,8 +142,8 @@ export TF_HTTP_LOCK_ADDRESS="${TF_HTTP_LOCK_ADDRESS:-${TF_ADDRESS}/lock}"
 export TF_HTTP_LOCK_METHOD="${TF_HTTP_LOCK_METHOD:-POST}"
 export TF_HTTP_UNLOCK_ADDRESS="${TF_HTTP_UNLOCK_ADDRESS:-${TF_ADDRESS}/lock}"
 export TF_HTTP_UNLOCK_METHOD="${TF_HTTP_UNLOCK_METHOD:-DELETE}"
-export TF_HTTP_USERNAME="${TF_HTTP_USERNAME:-${TF_USERNAME}}"
-export TF_HTTP_PASSWORD="${TF_HTTP_PASSWORD:-${TF_PASSWORD}}"
+export TF_HTTP_USERNAME="${TF_HTTP_USERNAME:-${state_backend_username}}"
+export TF_HTTP_PASSWORD="${TF_HTTP_PASSWORD:-${state_backend_password}}"
 export TF_HTTP_RETRY_WAIT_MIN="${TF_HTTP_RETRY_WAIT_MIN:-5}"
 
 # Expose Gitlab specific variables to terraform since no -tf-var is available