diff --git a/ansible/hermes.yml b/ansible/hermes.yml index baccc0f..496ca8e 100644 --- a/ansible/hermes.yml +++ b/ansible/hermes.yml @@ -2,16 +2,24 @@ hosts: all gather_facts: no roles: - - cloudinit-wait + - cloudinit_wait - name: Install services hosts: all pre_tasks: + - name: Delete externally managed environment file + shell: + cmd: "rm /usr/lib/python*/EXTERNALLY-MANAGED" + register: rm + changed_when: "rm.rc == 0" + failed_when: "false" + - name: Copy resolv.conf copy: src: resolv.conf dest: /etc/resolv.conf + roles: - {role: apt, tags: apt} - {role: dnsmasq, tags: dnsmasq} - - {role: nsd, tags: nsd} + - {role: powerdns, tags: powerdns} diff --git a/ansible/inventory/host_vars/hermes.yml b/ansible/inventory/host_vars/hermes.yml index c2a2498..ab05003 100644 --- a/ansible/inventory/host_vars/hermes.yml +++ b/ansible/inventory/host_vars/hermes.yml 
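Review bot: `failed_when: "false"` on the new `Delete externally managed environment file` task masks every failure of the `rm` (a permission error or a missing shell would go unnoticed), and the task only exists to strip the PEP 668 marker so that pip can write into the distro-managed site-packages, which is exactly what the marker protects against. If the playbook really needs system-wide pip installs, the same effect is available without `shell`, with real error reporting and an honest changed status, by locating the marker with `find` and removing it with `file`; otherwise a virtualenv for whatever needs pip avoids the removal altogether. The globbed path also silently matches every Python version present, so the find/file form below is scoped to the marker file name only.

```yaml
- name: Find externally managed environment markers
  find:
    paths: /usr/lib
    patterns: EXTERNALLY-MANAGED
    recurse: true
    depth: 2
  register: externally_managed

- name: Delete externally managed environment markers
  file:
    path: "{{ item.path }}"
    state: absent
  loop: "{{ externally_managed.files }}"
```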
@@ -1,63 +1,84 @@ apt_install_packages: - qemu-guest-agent - dnsutils + - pdns-server + - pdns-backend-pgsql + - postgresql-client ssh_ca_dir: /root/ssh_ca ssh_ca_user_ca_public_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGKOClnK6/Hj8INjEgULY/lD2FM/nbiJHqaSXtEw4+Fj User Certificate Authority for DMZ" ssh_ca_host_ca_public_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAX2IhgHNxC6JTvLu9cej+iWuG+uJFMXn4AiRro9533x Host Certficate Authority for DMZ" ssh_ca_user_ca_private_key: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 64343164666336316635323733353839373835316465653038333062386438363131353566626130 - 6531653835313838396638366330386331383533303435300a306333363238633864623864393665 - 31393036346532353134646466666465386633303061346662393430666532366137323866646561 - 3131653064323565370a656361326462336238333464353635303066323565633865663032313661 - 38366238613361626161633862353938326365306634303166346461366531663063343264353533 - 61656630633734643639333738616566326531653264306134363837616365643039626262613433 - 61656361326234313130386533363761366665383064643735316133313133643865616536306466 - 33303733663834646435303935633436383632306330616264343263303861313635383866636163 - 39653064373966643437636530326235653131616366396563386139333837616535616135323337 - 66626161336539356637373138613464376133373234353863383330313362623236633462386234 - 31386635613936306262346264343732623761303331623831353061343035626361623639326530 - 62643139663733666662623039396461623334666565663439613430353364626162653731303535 - 32396638393534363533303039343938346339656266303766613931316337333635373664643461 - 37303332386233663937636631373935613231356262346530323337393733373764613864616563 - 66383137393738316638393530616234653264613363383663366261303433636236326632323734 - 35616133386438613636663631653139386466303534636263393633633663303664326137373139 - 35626336653966396335623330663161333432306538316664376231616161353235353032633438 - 
62363663613135616462323363333863376532623764663066616431636632653938666263383731 - 65666564656130383262373964386631643332323066386635643032663833306565643164376239 - 32383732393236336235363936303063663963343061306161643331623330326139663836323561 - 31353532313639613563393938643333326462653833623531613935363265333534663762333831 - 36376264636432656537313834373036623339306430333837323836303134323062306265356430 - 39663238363338666362663364643063613337646237356431383237616465643634313166643435 - 32623864313537336634373631396465643362333237646462336362656430653036656263613162 - 64306662313934643661333462306336333561626335303866306131326538653264343465633139 - 3466663135663239616135353764373532323935613233316132 + $ANSIBLE_VAULT;1.1;AES256 + 64343164666336316635323733353839373835316465653038333062386438363131353566626130 + 6531653835313838396638366330386331383533303435300a306333363238633864623864393665 + 31393036346532353134646466666465386633303061346662393430666532366137323866646561 + 3131653064323565370a656361326462336238333464353635303066323565633865663032313661 + 38366238613361626161633862353938326365306634303166346461366531663063343264353533 + 61656630633734643639333738616566326531653264306134363837616365643039626262613433 + 61656361326234313130386533363761366665383064643735316133313133643865616536306466 + 33303733663834646435303935633436383632306330616264343263303861313635383866636163 + 39653064373966643437636530326235653131616366396563386139333837616535616135323337 + 66626161336539356637373138613464376133373234353863383330313362623236633462386234 + 31386635613936306262346264343732623761303331623831353061343035626361623639326530 + 62643139663733666662623039396461623334666565663439613430353364626162653731303535 + 32396638393534363533303039343938346339656266303766613931316337333635373664643461 + 37303332386233663937636631373935613231356262346530323337393733373764613864616563 + 66383137393738316638393530616234653264613363383663366261303433636236326632323734 + 
35616133386438613636663631653139386466303534636263393633633663303664326137373139 + 35626336653966396335623330663161333432306538316664376231616161353235353032633438 + 62363663613135616462323363333863376532623764663066616431636632653938666263383731 + 65666564656130383262373964386631643332323066386635643032663833306565643164376239 + 32383732393236336235363936303063663963343061306161643331623330326139663836323561 + 31353532313639613563393938643333326462653833623531613935363265333534663762333831 + 36376264636432656537313834373036623339306430333837323836303134323062306265356430 + 39663238363338666362663364643063613337646237356431383237616465643634313166643435 + 32623864313537336634373631396465643362333237646462336362656430653036656263613162 + 64306662313934643661333462306336333561626335303866306131326538653264343465633139 + 3466663135663239616135353764373532323935613233316132 ssh_ca_host_ca_private_key: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 34613835376232653534353636303364613437666563653530363564346164656136643732626234 - 6430316165623933666461646639303435386433333335660a393538303835616366333066353665 - 64663236353233383236656365356264653963366464303433313133386430646230363634353465 - 6365313836666534330a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a393538303835616366333066353665 + 64663236353233383236656365356264653963366464303433313133386430646230363634353465 + 6365313836666534330a633832303963616162623631663732623236383665383333323032383364 + 36313663366461643733373836326335386562663362326438353033376431356537326133646338 + 31623064303662616464343639346663323437333038346664393166333930336539373031313161 + 39343365373238383661343234666430336131323666313032333666306333366566336361383536 + 64626261363138323766306239303133376632386235666633363461303135613865343161356266 + 33333634613761616336653162396662633131333336613264663764333761633032313436376534 + 65376631383239666235313939363265643364376638623630373839303236633635356431356263 + 
66366535656335326335616666316534366232353262336164663562613439623135303262356130 + 36316134366366623331393230396132366535356435613563663937376639653339343761306431 + 33353331306334336133316234326133663939636430376139376231383966346363303362386265 + 32356166363231613962383434333536356138623039663561313137653037663231666666646230 + 66323932333031626637616434383737623634353933613861326666313737636133333438656634 + 31363461373639366464343836333031313632346465346535303139623038633330356334633866 + 61303765353439303966623030303966656465353538323932343536393764616566386261306466 + 36343237393333376366303933373139353161376262333739353138666162663339393136303634 + 39383433323563666661313631613761343532373736386537626433323631323465623736653165 + 35356163356361346438366430636563656531363164306534353865393039643136366634323638 + 62656261396635353332376661353661353931663932386465643238343031376235363239303832 + 63393437613362623963306364356363396134623739656265326433356134303835356266326465 + 64623631353163653438376534316162666330663963363064326161656335383639356164393237 + 39346231666362313632363737623139373632376461373362656563616566633265653438393361 + 39393734393061653639313365633931373963666635316138663538356265386562373837393530 + 6537646639613534666533626339356335396634613765616664 + +api_key: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 65376335393463353232386437613533396261383332653738323764633965393262363239376165 + 3566666139376135643833343535663130353631326466610a623161633238363338633461383434 + 63373365613765663830613565313164323938336338616666313365623261663037626132623531 + 3638653833626532300a656632356563613631633162643464356236396635633237376133323433 + 37363261376535306161393039396333656430323534616462393366643662306631306339346363 + 3065303163643732613435323561663035646365383237643464 + +postgresql_password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 64646633623535383761356434643064383736626638333738323363393037393133363130623361 + 
3965323132656263393365366131343732646239316564390a613263386166383438366162303561 + 63626162656337313034663830626432303437363764653336613338393038393737663238313737 + 3164323834393165380a393138363265393963613835376331623735303538316162343036306230 + 63633335343332313861393135366332313061353064306265653631613735336631653438383066 + 3034323733323333646532613233666333323363643534336233 diff --git a/ansible/requirements.yml b/ansible/requirements.yml index 1e51c6b..2e1c9b2 100644 --- a/ansible/requirements.yml +++ b/ansible/requirements.yml @@ -1,6 +1,9 @@ - name: apt src: https://github.com/sunscrapers/ansible-role-apt.git scm: git -- name: cloudinit-wait +- name: cloudinit_wait src: https://git.pim.kunis.nl/pim/ansible-role-cloudinit-wait scm: git +- name: postgresql_database + src: https://git.pim.kunis.nl/home/ansible-role-postgresql-database + scm: git diff --git a/ansible/roles/nsd/files/nsd.conf b/ansible/roles/nsd/files/nsd.conf deleted file mode 100644 index f46b306..0000000 --- a/ansible/roles/nsd/files/nsd.conf +++ /dev/null @@ -1,29 +0,0 @@ -server: - ip-address: ens4 - port: 53 - server-count: 1 - verbosity: 1 - hide-version: yes - zonesdir: "/etc/nsd/zones" - ip-transparent: yes - ip-freebind: yes - -zone: - name: pim.kunis.nl - zonefile: pim.kunis.nl - -zone: - name: pizzapim.nl - zonefile: pizzapim.nl - provide-xfr: 87.253.155.96/27 NOKEY - provide-xfr: 157.97.168.160/27 NOKEY - -zone: - name: geokunis2.nl - zonefile: geokunis2.nl - provide-xfr: 87.253.155.96/27 NOKEY - provide-xfr: 157.97.168.160/27 NOKEY - -zone: - name: kun.is - zonefile: kun.is diff --git a/ansible/roles/nsd/files/zones/geokunis2.nl b/ansible/roles/nsd/files/zones/geokunis2.nl deleted file mode 100644 index ee25471..0000000 --- a/ansible/roles/nsd/files/zones/geokunis2.nl +++ /dev/null 
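Review bot: The new `api_key` and `postgresql_password` host vars are unprefixed, yet they are consumed by role-specific templates (`api.conf.j2` and `gpgsql.conf.j2` in the powerdns role), so any other role or play applied to this host that happens to use the same generic names silently shares the secret; the `postgresql_database` role added to requirements.yml is a plausible candidate for `postgresql_password`, though its variables are not visible here. Renaming them to `powerdns_api_key` and `powerdns_gpgsql_password` (and updating the two templates accordingly) keeps each secret scoped to its consumer. Keeping them vault-encrypted, as done here, is the right call.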
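Review bot: None of the git-sourced roles carries a `version:`, including the newly added `postgresql_database`, so `ansible-galaxy install` fetches whatever the default branch points at on each run and role content can change under the playbook without any change in this repository. Pinning each entry to a tag or commit, e.g. `version: <TAG_OR_COMMIT>` beneath `scm: git`, makes the role set reproducible and reviewable. I do not see `postgresql_database` referenced from hermes.yml in this diff; if it is used elsewhere that is fine, otherwise it is an unused dependency.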
@@ -1,36 +0,0 @@ -$ORIGIN geokunis2.nl. -$TTL 60 - -geokunis2.nl. IN SOA ns.geokunis2.nl. niels.kunis.nl. 2023052600 1800 3600 1209600 3600 - NS ns.geokunis2.nl. - NS ns0.transip.net. - NS ns1.transip.nl. - NS ns2.transip.eu. - A 84.245.14.149 - AAAA 2a02:58:19a:f730:b62e:99ff:fe77:1bda - CAA 0 issue "letsencrypt.org" -jenl IN A 217.123.41.225 -wg IN A 84.245.14.149 -wg IN AAAA 2a02:58:1:e::1afb -wg4 IN A 84.245.14.149 -wg6 IN AAAA 2a02:58:1:e::1afb -kms IN A 84.245.14.149 -tuindersweijde IN A 84.245.14.149 -files IN A 84.245.14.149 -files IN AAAA 2a02:58:19a:f730:b62e:99ff:fe77:1bda -ns A 84.245.14.149 - AAAA 2a02:58:19a:f730:c8fe:c0ff:feff:ee07 -cyberchef IN A 84.245.14.149 - AAAA 2a02:58:19a:f730:c8fe:c0ff:feff:ee03 -inbucket IN A 84.245.14.149 - -; proton shizzle -@ IN TXT "protonmail-verification=e712bb186d5278b3775b413b8851ffc7740e845b" -@ IN TXT "sl-verification=sgrkojlcdgroiyjihxfleicgtpzgcb" -@ IN MX 10 mx1.simplelogin.co. -@ IN MX 20 mx2.simplelogin.co. -@ IN TXT "v=spf1 include:simplelogin.co ~all" -dkim02._domainkey IN CNAME dkim02._domainkey.simplelogin.co. -dkim._domainkey IN CNAME dkim._domainkey.simplelogin.co. -dkim03._domainkey IN CNAME dkim03._domainkey.simplelogin.co. -_dmarc IN TXT "v=DMARC1; p=quarantine; pct=100; adkim=s; aspf=s" diff --git a/ansible/roles/nsd/files/zones/kun.is b/ansible/roles/nsd/files/zones/kun.is deleted file mode 100644 index dd60b90..0000000 --- a/ansible/roles/nsd/files/zones/kun.is +++ /dev/null @@ -1,13 +0,0 @@ -$ORIGIN kun.is. -$TTL 60 - -kun.is. IN SOA ns1.kun.is. pim.kunis.nl. 2023051702 1800 3600 1209600 3600 - NS ns1.kun.is. - NS ns2.kun.is. - -ns1 A 84.245.14.149 -ns2 A 84.245.14.149 - -pim A 84.245.14.149 - -* A 84.245.14.149 diff --git a/ansible/roles/nsd/files/zones/pim.kunis.nl b/ansible/roles/nsd/files/zones/pim.kunis.nl deleted file mode 100644 index 87d36e4..0000000 --- a/ansible/roles/nsd/files/zones/pim.kunis.nl +++ /dev/null 
@@ -1,33 +0,0 @@ -$ORIGIN pim.kunis.nl. -$TTL 60 - -pim.kunis.nl. IN SOA ns.pim.kunis.nl. pim.kunis.nl. 2023052000 1800 3600 1209600 3600 - - NS ns.pim.kunis.nl. - A 84.245.14.149 -# AAAA 2a02:58:19a:f730:b62e:99ff:fe77:1bda - TXT "v=spf1 ~all" - -_dmarc IN TXT "v=DMARC1; p=reject; aspf=s; adkim=s; rua=mailto:wpux1bq8@ag.eu.dmarcian.com;" - -www IN A 84.245.14.149 -ns IN A 84.245.14.149 - IN AAAA 2a02:58:19a:f730:c8fe:c0ff:feff:ee07 - -social IN CNAME www.pim.kunis.nl. -dav IN CNAME www.pim.kunis.nl. -git IN CNAME www.pim.kunis.nl. -meet IN CNAME www.pim.kunis.nl. -rss IN CNAME www.pim.kunis.nl. -latex IN CNAME www.pim.kunis.nl. -md IN CNAME www.pim.kunis.nl. -swarm IN CNAME www.pim.kunis.nl. -traefik IN CNAME www.pim.kunis.nl. -syncthing IN CNAME www.pim.kunis.nl. -cloud IN CNAME www.pim.kunis.nl. -pihole IN CNAME www.pim.kunis.nl. -ntfy IN CNAME www.pim.kunis.nl. -apprise IN CNAME www.pim.kunis.nl. -uptime IN CNAME www.pim.kunis.nl. -concourse IN CNAME www.pim.kunis.nl. -discourse IN CNAME www.pim.kunis.nl. diff --git a/ansible/roles/nsd/files/zones/pizzapim.nl b/ansible/roles/nsd/files/zones/pizzapim.nl deleted file mode 100644 index 5e607d0..0000000 --- a/ansible/roles/nsd/files/zones/pizzapim.nl +++ /dev/null @@ -1,18 +0,0 @@ -$ORIGIN pizzapim.nl. -$TTL 60 - -pizzapim.nl. IN SOA ns.pizzapim.nl. pim.kunis.nl. 2023050400 1800 3600 1209600 3600 - - NS ns.pizzapim.nl. - NS ns0.transip.net. - NS ns1.transip.nl. - NS ns2.transip.eu. - A 84.245.14.149 - TXT "v=spf1 ~all" - CAA 0 issue "letsencrypt.org" - -_dmarc IN TXT "v=DMARC1; p=reject; aspf=s; adkim=s; rua=mailto:wpux1bq8@ag.eu.dmarcian.com;" - -social IN A 84.245.14.149 -ns IN A 84.245.14.149 - AAAA 2a02:58:19a:f730:c8fe:c0ff:feff:ee07 diff --git a/ansible/roles/nsd/tasks/main.yml b/ansible/roles/nsd/tasks/main.yml deleted file mode 100644 index 39d1547..0000000 --- a/ansible/roles/nsd/tasks/main.yml +++ /dev/null 
@@ -1,18 +0,0 @@
-- name: Install nsd
- apt:
- name: nsd
-- name: Copy nsd.conf
- copy:
- src: "{{ role_path }}/files/nsd.conf"
- dest: /etc/nsd/nsd.conf
- register: config
-- name: Copy zone directory
- copy:
- src: "{{ role_path }}/files/zones"
- dest: /etc/nsd
- register: zones
-- name: Enable nsd
- systemd:
- name: nsd
- enabled: true
- state: "{{ 'restarted' if config.changed or zones.changed else 'started' }}"
diff --git a/ansible/roles/powerdns/api.conf.j2 b/ansible/roles/powerdns/api.conf.j2
new file mode 100644
index 0000000..fdbf48d
--- /dev/null
+++ b/ansible/roles/powerdns/api.conf.j2
@@ -0,0 +1,5 @@
+api=yes
+api-key={{ api_key }}
+webserver-address=0.0.0.0
+webserver-port=3000
+webserver-allow-from=0.0.0.0/0
diff --git a/ansible/roles/powerdns/gpgsql.conf.j2 b/ansible/roles/powerdns/gpgsql.conf.j2
new file mode 100644
index 0000000..0aa6213
--- /dev/null
+++ b/ansible/roles/powerdns/gpgsql.conf.j2
@@ -0,0 +1,5 @@
+launch=gpgsql
+gpgsql-host=thecloud.dmz
+gpgsql-dbname=powerdns
+gpgsql-user=powerdns
+gpgsql-password={{ postgresql_password }}
diff --git a/ansible/roles/powerdns/handlers/main.yml b/ansible/roles/powerdns/handlers/main.yml
new file mode 100644
index 0000000..d358e6e
--- /dev/null
+++ b/ansible/roles/powerdns/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: restart powerdns
+ systemd:
+ name: pdns
+ state: restarted
diff --git a/ansible/roles/powerdns/overwrite.conf b/ansible/roles/powerdns/overwrite.conf
new file mode 100644
index 0000000..698393e
--- /dev/null
+++ b/ansible/roles/powerdns/overwrite.conf
@@ -0,0 +1,2 @@
+local-address=192.168.30.7, 127.0.0.1, ::
+default-soa-content=ns.@ noreply.@ 0 10800 3600 604800 3600
diff --git a/ansible/roles/powerdns/tasks/main.yml b/ansible/roles/powerdns/tasks/main.yml
new file mode 100644
index 0000000..aa50105
--- /dev/null
+++ b/ansible/roles/powerdns/tasks/main.yml
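Review bot: `webserver-address=0.0.0.0` together with `webserver-allow-from=0.0.0.0/0` binds the PowerDNS API, which can create and rewrite every zone once the key is known, on all interfaces and accepts requests from any source address, and main.tf reaches it over plain `http://hermes.dmz:3000`, so the key itself crosses the network unencrypted. Bind the webserver to the address the Terraform host actually uses and restrict the allow list, e.g. `webserver-address=<INTERNAL_ADDRESS>` and `webserver-allow-from=<MANAGEMENT_CIDR>`, and keep the API on a segment you trust or terminate TLS in front of it. The `local-address` line in overwrite.conf shows the host already has a dedicated internal address that would be a natural fit.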
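Review bot: The backend connection to `gpgsql-host=thecloud.dmz` carries no TLS requirement, so the database password and all zone data cross the network in clear unless the PostgreSQL side forces encryption. If the PowerDNS version in use supports it, `gpgsql-extra-connection-parameters=sslmode=require` (or `sslmode=verify-full` with a CA) closes that from the client side; otherwise enforce it in the server's pg_hba.conf. The rendered file also holds the password on disk, so it deserves a restrictive file mode from the task that writes it.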
@@ -0,0 +1,28 @@
+- name: Remove BIND powerdns config
+ file:
+ path: /etc/powerdns/pdns.d/bind.conf
+ state: absent
+ notify: restart powerdns
+
+- name: Copy postgresql powerdns config
+ template:
+ src: gpgsql.conf.j2
+ dest: /etc/powerdns/pdns.d/gpgsql.conf
+ notify: restart powerdns
+
+- name: Add API powerdns config
+ template:
+ src: api.conf.j2
+ dest: /etc/powerdns/pdns.d/api.conf
+ notify: restart powerdns
+
+- name: Overwrite powerdns config
+ copy:
+ src: overwrite.conf
+ dest: /etc/powerdns/pdns.d/overwrite.conf
+ notify: restart powerdns
+
+- name: Start powerdns
+ systemd:
+ name: pdns
+ state: started
diff --git a/terraform/dns/geokunis2_nl.tf b/terraform/dns/geokunis2_nl.tf
new file mode 100644
index 0000000..11fed3f
--- /dev/null
+++ b/terraform/dns/geokunis2_nl.tf
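Review bot: The two `template` tasks write `gpgsql.conf` (database password) and `api.conf` (API key) without `owner`, `group` or `mode`, so the rendered files take the default permissions, which on most targets leaves them readable by every local account. Add `owner: root`, `group: pdns` and `mode: "0640"` to both tasks; `pdns` is the service account the Debian pdns-server package runs the daemon as, so adjust the group if the target differs. Separately, `Start powerdns` only sets `state: started`, while the nsd role it replaces also set `enabled: true`; unless the package enables the unit itself, pdns will not come back after a reboot.

```yaml
- name: Copy postgresql powerdns config
  template:
    # … unchanged: src/dest …
    owner: root
    group: pdns
    mode: "0640"
  notify: restart powerdns

- name: Add API powerdns config
  template:
    # … unchanged: src/dest …
    owner: root
    group: pdns
    mode: "0640"
  notify: restart powerdns

# … unchanged: Remove BIND config, Overwrite config …

- name: Start powerdns
  systemd:
    name: pdns
    enabled: true
    state: started
```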
@@ -0,0 +1,190 @@ +resource "powerdns_zone" "geokunis2_nl" { + name = "geokunis2.nl." + kind = "Native" + nameservers = ["ns.geokunis2.nl.", "ns0.transip.net.", "ns1.transip.nl.", "ns2.transip.eu."] + soa_edit_api = "DEFAULT" +} + +resource "powerdns_record" "geokunis2_nl_a" { + zone = powerdns_zone.geokunis2_nl.name + name = "geokunis2.nl." + type = "A" + records = ["84.245.14.149"] + ttl = 60 +} + +resource "powerdns_record" "geokunis2_nl_aaaa" { + zone = powerdns_zone.geokunis2_nl.name + name = "geokunis2.nl." + type = "AAAA" + records = ["2a02:58:19a:f730:b62e:99ff:fe77:1bda"] + ttl = 60 +} + +resource "powerdns_record" "geokunis2_nl_caa" { + zone = powerdns_zone.geokunis2_nl.name + name = "geokunis2.nl." + type = "CAA" + records = ["0 issue \"letsencrypt.org\""] + ttl = 60 +} + +resource "powerdns_record" "jenl_geokunis2_nl_a" { + zone = powerdns_zone.geokunis2_nl.name + name = "jenl.geokunis2.nl." + type = "A" + records = ["217.123.41.225"] + ttl = 60 +} + +resource "powerdns_record" "wg_geokunis2_nl_a" { + zone = powerdns_zone.geokunis2_nl.name + name = "wg.geokunis2.nl." + type = "A" + records = ["84.245.14.149"] + ttl = 60 +} + +resource "powerdns_record" "wg_geokunis2_nl_aaaa" { + zone = powerdns_zone.geokunis2_nl.name + name = "wg.geokunis2.nl." + type = "AAAA" + records = ["2a02:58:1:e::1afb"] + ttl = 60 +} + +resource "powerdns_record" "wg4_geokunis2_nl_a" { + zone = powerdns_zone.geokunis2_nl.name + name = "wg4.geokunis2.nl." + type = "A" + records = ["84.245.14.149"] + ttl = 60 +} + +resource "powerdns_record" "wg6_geokunis2_nl_aaaa" { + zone = powerdns_zone.geokunis2_nl.name + name = "wg6.geokunis2.nl." + type = "AAAA" + records = ["2a02:58:1:e::1afb"] + ttl = 60 +} + +resource "powerdns_record" "tuindersweijde_geokunis2_nl_a" { + zone = powerdns_zone.geokunis2_nl.name + name = "tuindersweijde.geokunis2.nl." 
+ type = "A" + records = ["84.245.14.149"] + ttl = 60 +} + +resource "powerdns_record" "ns_geokunis2_nl_a" { + zone = powerdns_zone.geokunis2_nl.name + name = "ns.geokunis2.nl." + type = "A" + records = ["84.245.14.149"] + ttl = 60 +} + +resource "powerdns_record" "ns_geokunis2_nl_aaaa" { + zone = powerdns_zone.geokunis2_nl.name + name = "ns.geokunis2.nl." + type = "AAAA" + records = ["2a02:58:19a:f730:c8fe:c0ff:feff:ee07"] + ttl = 60 +} + +resource "powerdns_record" "geokunis2_nl_txt" { + zone = powerdns_zone.geokunis2_nl.name + name = "geokunis2.nl." + type = "TXT" + records = ["\"protonmail-verification=e712bb186d5278b3775b413b8851ffc7740e845b\"", "\"sl-verification=sgrkojlcdgroiyjihxfleicgtpzgcb\"", "\"v=spf1 include:simplelogin.co ~all\""] + ttl = 60 +} + +resource "powerdns_record" "geokunis2_nl_mx" { + zone = powerdns_zone.geokunis2_nl.name + name = "geokunis2.nl." + type = "MX" + records = ["10 mx1.simplelogin.co.", "20 mx2.simplelogin.co."] + ttl = 60 +} + +resource "powerdns_record" "dkim02__domainkey_geokunis2_nl_cname" { + zone = powerdns_zone.geokunis2_nl.name + name = "dkim02._domainkey.geokunis2.nl." + type = "CNAME" + records = ["dkim02._domainkey.simplelogin.co."] + ttl = 60 +} + +resource "powerdns_record" "dkim__domainkey_geokunis2_nl_cname" { + zone = powerdns_zone.geokunis2_nl.name + name = "dkim._domainkey.geokunis2.nl." + type = "CNAME" + records = ["dkim._domainkey.simplelogin.co."] + ttl = 60 +} + +resource "powerdns_record" "dkim03__domainkey_geokunis2_nl_cname" { + zone = powerdns_zone.geokunis2_nl.name + name = "dkim03._domainkey.geokunis2.nl." + type = "CNAME" + records = ["dkim03._domainkey.simplelogin.co."] + ttl = 60 +} + +resource "powerdns_record" "_dmarc_geokunis2_nl_txt" { + zone = powerdns_zone.geokunis2_nl.name + name = "_dmarc.geokunis2.nl." 
+ type = "TXT" + records = ["\"v=DMARC1; p=quarantine; pct=100; adkim=s; aspf=s\""] + ttl = 60 +} + +resource "powerdns_record" "files_geokunis2_nl_a" { + zone = powerdns_zone.geokunis2_nl.name + name = "files.geokunis2.nl." + type = "A" + records = ["84.245.14.149"] + ttl = 60 +} + +resource "powerdns_record" "files_geokunis2_nl_aaaa" { + zone = powerdns_zone.geokunis2_nl.name + name = "files.geokunis2.nl." + type = "AAAA" + records = ["2a02:58:19a:f730:b62e:99ff:fe77:1bda"] + ttl = 60 +} + +resource "powerdns_record" "cyberchef_geokunis2_nl_a" { + zone = powerdns_zone.geokunis2_nl.name + name = "cyberchef.geokunis2.nl." + type = "A" + records = ["84.245.14.149"] + ttl = 60 +} + +resource "powerdns_record" "cyberchef_geokunis2_nl_aaaa" { + zone = powerdns_zone.geokunis2_nl.name + name = "cyberchef.geokunis2.nl." + type = "AAAA" + records = ["2a02:58:19a:f730:c8fe:c0ff:feff:ee03"] + ttl = 60 +} + +resource "powerdns_record" "inbucket_geokunis2_nl_a" { + zone = powerdns_zone.geokunis2_nl.name + name = "inbucket.geokunis2.nl." + type = "A" + records = ["84.245.14.149"] + ttl = 60 +} + +resource "powerdns_record" "kms_geokunis2_nl_a" { + zone = powerdns_zone.geokunis2_nl.name + name = "kms.geokunis2.nl." + type = "A" + records = ["84.245.14.149"] + ttl = 60 +} diff --git a/terraform/dns/kun_is.tf b/terraform/dns/kun_is.tf new file mode 100644 index 0000000..9dd60a3 --- /dev/null +++ b/terraform/dns/kun_is.tf 
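Review bot: The deleted nsd.conf granted zone transfers for geokunis2.nl and pizzapim.nl to 87.253.155.96/27 and 157.97.168.160/27, but this zone is created with `kind = "Native"` and none of the PowerDNS configuration added in this commit sets `allow-axfr-ips`, so the TransIP servers still listed in `nameservers` can no longer pull the zone and will not be notified of changes unless transfer access is configured somewhere outside this diff. If they are meant to remain secondaries, set `kind = "Master"` here and add `allow-axfr-ips=87.253.155.96/27,157.97.168.160/27` to overwrite.conf; if not, drop them from `nameservers` so the delegation matches what actually serves the zone. The same applies to the `powerdns_zone` block in pizzapim_nl.tf.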
@@ -0,0 +1,38 @@
+resource "powerdns_zone" "kun_is" {
+ name = "kun.is."
+ kind = "Native"
+ nameservers = ["ns1.kun.is.", "ns2.kun.is."]
+ soa_edit_api = "DEFAULT"
+}
+
+resource "powerdns_record" "ns_kun_is_a" {
+ zone = powerdns_zone.kun_is.name
+ name = "ns.kun.is."
+ type = "A"
+ records = ["84.245.14.149"]
+ ttl = 60
+}
+
+resource "powerdns_record" "ns1_kun_is_a" {
+ zone = powerdns_zone.kun_is.name
+ name = "ns1.kun.is."
+ type = "A"
+ records = ["84.245.14.149"]
+ ttl = 60
+}
+
+resource "powerdns_record" "ns2_kun_is_a" {
+ zone = powerdns_zone.kun_is.name
+ name = "ns2.kun.is."
+ type = "A"
+ records = ["84.245.14.149"]
+ ttl = 60
+}
+
+resource "powerdns_record" "wildcard_kun_is_a" {
+ zone = powerdns_zone.kun_is.name
+ name = "*.kun.is."
+ type = "A"
+ records = ["84.245.14.149"]
+ ttl = 60
+}
diff --git a/terraform/dns/main.tf b/terraform/dns/main.tf
new file mode 100644
index 0000000..4510d7e
--- /dev/null
+++ b/terraform/dns/main.tf
@@ -0,0 +1,22 @@
+terraform {
+ backend "pg" {
+ schema_name = "hermes_dns"
+ conn_str = "postgres://terraform@10.42.0.1/terraform_state"
+ }
+
+ required_providers {
+ powerdns = {
+ source = "pan-net/powerdns"
+ version = "1.5.0"
+ }
+ }
+}
+
+data "external" "secrets" {
+ program = ["cat", pathexpand("~/.tfvars.json")]
+}
+
+provider "powerdns" {
+ server_url = "http://hermes.dmz:3000"
+ api_key = data.external.secrets.result.powerdns_api_key
+}
diff --git a/terraform/dns/pim_kunis_nl.tf b/terraform/dns/pim_kunis_nl.tf
new file mode 100644
index 0000000..455561f
--- /dev/null
+++ b/terraform/dns/pim_kunis_nl.tf
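Review bot: `data "external" "secrets"` feeds the whole of `~/.tfvars.json` into `result`, and a data source's result is written to state, so every secret in that file, not only `powerdns_api_key`, is persisted in the `pg` backend on 10.42.0.1, whose `conn_str` sets no `sslmode` and so may also carry state over an unencrypted connection. Declare the key as a sensitive input variable instead (supplied through `TF_VAR_powerdns_api_key` or a `-var-file`) so Terraform only handles the one value it needs, and add `?sslmode=require` to the backend connection string; `sensitive = true` needs a Terraform release that supports it, which the pinned provider version suggests is in use. `server_url` is plain `http://`, so the key is also sent in clear to the API; that is fixed on the PowerDNS side rather than in this file.

```hcl
terraform {
  backend "pg" {
    schema_name = "hermes_dns"
    conn_str    = "postgres://terraform@10.42.0.1/terraform_state?sslmode=require"
  }
  # … unchanged: required_providers …
}

variable "powerdns_api_key" {
  type      = string
  sensitive = true
}

provider "powerdns" {
  server_url = "http://hermes.dmz:3000"
  api_key    = var.powerdns_api_key
}
```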
@@ -0,0 +1,54 @@ +resource "powerdns_zone" "pim_kunis_nl" { + name = "pim.kunis.nl." + kind = "Native" + nameservers = ["ns.pim.kunis.nl."] + soa_edit_api = "DEFAULT" +} + +resource "powerdns_record" "pim_kunis_nl_a" { + zone = powerdns_zone.pim_kunis_nl.name + name = "pim.kunis.nl." + type = "A" + records = ["84.245.14.149"] + ttl = 60 +} + +resource "powerdns_record" "pim_kunis_nl_txt" { + zone = powerdns_zone.pim_kunis_nl.name + name = "pim.kunis.nl." + type = "TXT" + records = ["\"v=spf1 ~all\""] + ttl = 60 +} + +resource "powerdns_record" "_dmarc_pim_kunis_nl_txt" { + zone = powerdns_zone.pim_kunis_nl.name + name = "_dmarc.pim.kunis.nl." + type = "TXT" + records = ["\"v=DMARC1; p=reject; aspf=s; adkim=s; rua=mailto:wpux1bq8@ag.eu.dmarcian.com;\""] + ttl = 60 +} + +resource "powerdns_record" "ns_pim_kunis_nl_a" { + zone = powerdns_zone.pim_kunis_nl.name + name = "ns.pim.kunis.nl." + type = "A" + records = ["84.245.14.149"] + ttl = 60 +} + +resource "powerdns_record" "ns_pim_kunis_nl_aaaa" { + zone = powerdns_zone.pim_kunis_nl.name + name = "ns.pim.kunis.nl." + type = "AAAA" + records = ["2a02:58:19a:f730:c8fe:c0ff:feff:ee07"] + ttl = 60 +} + +resource "powerdns_record" "wildcard_pim_kunis_nl_a" { + zone = powerdns_zone.pim_kunis_nl.name + name = "*.pim.kunis.nl." + type = "A" + records = ["84.245.14.149"] + ttl = 60 +} diff --git a/terraform/dns/pizzapim_nl.tf b/terraform/dns/pizzapim_nl.tf new file mode 100644 index 0000000..2702e45 --- /dev/null +++ b/terraform/dns/pizzapim_nl.tf 
@@ -0,0 +1,62 @@ +resource "powerdns_zone" "pizzapim_nl" { + name = "pizzapim.nl." + kind = "Native" + nameservers = ["ns.pizzapim.nl.", "ns0.transip.net.", "ns1.transip.nl.", "ns2.transip.eu."] + soa_edit_api = "DEFAULT" +} + +resource "powerdns_record" "pizzapim_nl_a" { + zone = powerdns_zone.pizzapim_nl.name + name = "pizzapim.nl." + type = "A" + records = ["84.245.14.149"] + ttl = 60 +} + +resource "powerdns_record" "pizzapim_nl_txt" { + zone = powerdns_zone.pizzapim_nl.name + name = "pizzapim.nl." + type = "TXT" + records = ["\"v=spf1 ~all\""] + ttl = 60 +} + +resource "powerdns_record" "pizzapim_nl_caa" { + zone = powerdns_zone.pizzapim_nl.name + name = "pizzapim.nl." + type = "CAA" + records = ["0 issue \"letsencrypt.org\""] + ttl = 60 +} + +resource "powerdns_record" "_dmarc_pizzapim_nl_txt" { + zone = powerdns_zone.pizzapim_nl.name + name = "_dmarc.pizzapim.nl." + type = "TXT" + records = ["\"v=DMARC1; p=reject; aspf=s; adkim=s; rua=mailto:wpux1bq8@ag.eu.dmarcian.com;\""] + ttl = 60 +} + +resource "powerdns_record" "ns_pizzapim_nl_a" { + zone = powerdns_zone.pizzapim_nl.name + name = "ns.pizzapim.nl." + type = "A" + records = ["84.245.14.149"] + ttl = 60 +} + +resource "powerdns_record" "ns_pizzapim_nl_aaaa" { + zone = powerdns_zone.pizzapim_nl.name + name = "ns.pizzapim.nl." + type = "AAAA" + records = ["2a02:58:19a:f730:c8fe:c0ff:feff:ee07"] + ttl = 60 +} + +resource "powerdns_record" "social_pizzapim_nl_a" { + zone = powerdns_zone.pizzapim_nl.name + name = "social.pizzapim.nl." + type = "A" + records = ["84.245.14.149"] + ttl = 60 +}