From 4e9155e0dbd318563d22d1faf3d120dc4c0483c5 Mon Sep 17 00:00:00 2001
From: vincent <vincent@ducamps.win>
Date: Sat, 4 Nov 2023 21:33:51 +0100
Subject: [PATCH] prepare DNS migration

---
 ansible/group_vars/database/database          |   4 +
 ansible/group_vars/database/vault_database    |  81 +++++----
 docs/ADR/004-DNS.md                           |   2 +-
 nomad-job/pdns-auth.nomad                     | 162 ++++++++++++++++++
 .../cloud}/.terraform.lock.hcl                |   0
 {infra => terraform/cloud}/dns.tf             |  64 -------
 {infra => terraform/cloud}/firewall.tf        |   0
 {infra => terraform/cloud}/output.tf          |   0
 {infra => terraform/cloud}/providers.tf       |   0
 {infra => terraform/cloud}/server.tf          |   0
 {infra => terraform/cloud}/ssh.tf             |   0
 {infra => terraform/cloud}/variable.tf        |   2 +-
 terraform/dns/.terraform.lock.hcl             |  56 ++++++
 terraform/dns/CnameReverse.tf                 |  17 ++
 terraform/dns/main.tf                         |  25 +++
 terraform/dns/makefile                        |  12 ++
 terraform/dns/records.tf                      | 115 +++++++++++++
 terraform/dns/variable.tf                     |  47 +++++
 terraform/dns/zone.tf                         |  20 +++
 terraform/exportTFsecret.sh                   |   3 +
 .../vault}/.terraform.lock.hcl                |   0
 {vault => terraform/vault}/drone-vault.tf     |   0
 {vault => terraform/vault}/ldap.tf            |   0
 {vault => terraform/vault}/main.tf            |   0
 {vault => terraform/vault}/migrateBackend.hcl |   0
 {vault => terraform/vault}/nomad.tf           |   4 +-
 {vault => terraform/vault}/policy.tf          |   0
 .../vault}/standalone_vault.sh                |   0
 {vault => terraform/vault}/variable.tf        |   0
 {vault => terraform/vault}/vault-snapshot.tf  |   0
 30 files changed, 510 insertions(+), 104 deletions(-)
 create mode 100644 nomad-job/pdns-auth.nomad
 rename {infra => terraform/cloud}/.terraform.lock.hcl (100%)
 rename {infra => terraform/cloud}/dns.tf (69%)
 rename {infra => terraform/cloud}/firewall.tf (100%)
 rename {infra => terraform/cloud}/output.tf (100%)
 rename {infra => terraform/cloud}/providers.tf (100%)
 rename {infra => terraform/cloud}/server.tf (100%)
 rename {infra => terraform/cloud}/ssh.tf (100%)
 rename {infra => terraform/cloud}/variable.tf (94%)
 create mode 100644 terraform/dns/.terraform.lock.hcl
 create mode 100644 terraform/dns/CnameReverse.tf
 create mode 100644 terraform/dns/main.tf
 create mode 100644 terraform/dns/makefile
 create mode 100644 terraform/dns/records.tf
 create mode 100644 terraform/dns/variable.tf
 create mode 100644 terraform/dns/zone.tf
 create mode 100755 terraform/exportTFsecret.sh
 rename {vault => terraform/vault}/.terraform.lock.hcl (100%)
 rename {vault => terraform/vault}/drone-vault.tf (100%)
 rename {vault => terraform/vault}/ldap.tf (100%)
 rename {vault => terraform/vault}/main.tf (100%)
 rename {vault => terraform/vault}/migrateBackend.hcl (100%)
 rename {vault => terraform/vault}/nomad.tf (96%)
 rename {vault => terraform/vault}/policy.tf (100%)
 rename {vault => terraform/vault}/standalone_vault.sh (100%)
 rename {vault => terraform/vault}/variable.tf (100%)
 rename {vault => terraform/vault}/vault-snapshot.tf (100%)

diff --git a/ansible/group_vars/database/database b/ansible/group_vars/database/database
index 74b49ca..9c809b5 100644
--- a/ansible/group_vars/database/database
+++ b/ansible/group_vars/database/database
@@ -18,6 +18,10 @@ postgresql_databases:
     owner: vikunja
   - name: ghostfolio
     owner: ghostfolio
+  - name: pdns-auth
+    owner: pdns-auth
+  - name: pdns-admin
+    owner: pdns-admin
 
 postgres_consul_service: true
 postgres_consul_service_name: db
diff --git a/ansible/group_vars/database/vault_database b/ansible/group_vars/database/vault_database
index af70022..49c917f 100644
--- a/ansible/group_vars/database/vault_database
+++ b/ansible/group_vars/database/vault_database
@@ -1,38 +1,45 @@
 $ANSIBLE_VAULT;1.1;AES256
-31336239306162353439323635633133393530396161656139303031323330366431653665623032
-3133326132353635336331353236396334623736383461310a633931616636396665363931393432
-34663535363362363030323439646134653163656538306230323739653739316464363232623264
-3638643737316132640a316461316335336432383066356134356231323964383861313465373765
-39393536636531663136346461383530343233346233613562336633353934353861313135643239
-36303930363663633936626361623835633932633863653230313532336239653931303530623536
-36626631363662346661313664303866343165303337376131656663373266383261643331386263
-64333137653134613365383538646463653336663637623163666365646439383636376238643131
-35373965326561666238656363333266633262373431653837623562633436386132376239363461
-37376631336265326137626138653063353766346264663632366266636635313364303432363731
-32323938386430653238303834636465333865383962623066356430396531353463393133653730
-33383364373130366437393938616431646536623635356464356438323664383635363665323561
-65613463636633643033396232386437373532663338346437656562333536333863306538386563
-34326138646331663165323061336139323963666632626635643931363330316136353262306637
-65343432643136383136636335313038343963383937663865303430623466383465623332373764
-66366232646132653632366530643362323131616333333534616264326136636363386138623463
-61323562303261363331653363326137313966323563373331356362373431313735613937313239
-30373130336637623766393130646330366235373831336538376364376139396362326336396238
-33353234323036333631343137323130303531616133363630633336633434363932386334333964
-66396632616433643637306564656431663531353762356534663866613765376631356566626164
-62646262616265313533666362653837373230303863313336656566623036396530346561313937
-66376662353361653532616637666439653565383737636239396233613435373330653664323931
-61333434346430623637653232363462336330386538646433303830373235333539326433333261
-32306634396531626638366465646364393330653739393764623639396565653234376634366535
-36303361613662353337333162343633313437316431336332646235636332653239366338623737
-35643262316531623538626335343563636238363639373730333332393032396565643735383236
-61383437336237363934626535343037353036343532646339393937316535623532633838373964
-61633932626664353264653535373130346334626262373665666137663366663738656563393966
-62313939643930353165356430363031613830383738333938386635333234636630313735613266
-62373862306335383839656566386163333530626539353436623031303432643461623663303036
-66313064323363623438316532386331313762343266323430303066643861653261363765623038
-38613334356431323033653733363835616534316233383431303136623761333935343231626430
-38353237333430633063303264653033316539353862336433366661303538653933373437346161
-34313164346332336637653563336631313762333031333237326265663437666539306332396136
-36323736313562636235353139663532333436363163383238643531336131386664636530336239
-38336539363661333330643238326263333730663035313534643039376237313332363638663863
-32643334343034333438383132666134386562643566643463346561313036363837
+64656332666561346439636331396439333566646361333031613764376634363061623635356630
+3832326235316435316264653637396130383465323234630a653138393161316232323236323366
+32363661633631623132323864663366633766396266623630636135396165663062353434613231
+6363646665626439610a313233313639333232393035633139326561316431393837616231313933
+38646532613665666136316635376533653161616630313532333330393364636662653331336637
+39353462336130333933383033656634633461333461393730633333343330306432623466623062
+32353962623338356630393935646537313335313335323464666265303732653633396332363965
+36356338386330653863646134623234623230356232643535643763303162626132333530626639
+39316166613862356264336362303833343236616635613136356433663766383861333832656261
+35613662653266396461383162303230613865373232353437646131633063633634346633383563
+31323736303537643433633235613464376230373332613331623439643462313362356437623463
+65326335653938626461353332356434303962376630626666666631386334316261653639623633
+34326633393330313064326562363838316366316361626662393435363262333264626333396136
+66353936623763323865656632373763303365316131663064343830663330323566346535316436
+63623931383461363364613632363661613734306535373536643236656161393634633435653862
+34316666353234646633633635653934373335396635343035663238323636323662346632303865
+35326333366439646661303437626238326435313032373031636535353963666263636635366234
+36336562633666623932653465376237366232306262386565646631346432346631353566326535
+32356337333762653161376439353035323633363833633862336134366132623963326231643461
+35623863373730313935393631626266336465613261636364353533666233613831323031643035
+32663630316264633932643132633061303438613339646264666334306630643038323632366330
+31366365333039636434613537386436313539396632613766333136663638393462653263613165
+33323937313031626233623237616464323939303131613465326362346632346538323161343362
+65353839386133326233356561363864336261663135343865323861623330613736333835396261
+64653361333530326630363633383836396565646463396239616261646635303535316135306537
+64343830616566663633323531383464383834373539646637633465616533383238346565303337
+34386561626266303833353665306335326264343533386263626562373633303135313735643733
+37333766373465326133663663303166316134643732343938343930616631383137356137373564
+31633831663264653762326534343635323364313632353661323330646638363062346137646337
+61323334623434613333613038633637666131393338653839373835633062396661653537343138
+61643961623366393735393438356461333731326265313937613066323038313163353835363135
+33323932353264313536393865373232333930613636343661613033656165616237373439383531
+38393932366633616639303964386333386462353935646432663330313137306465386634633931
+33656533306665653836363830363164303039356463386130663536636330396138643363383838
+35393966646630663535623836303262353739353063303763333530383630353838623939376535
+34343239373831623232343530396561393730303066323236306539333263656133366363396534
+30666662336435313561666536643231633562663037353837303936326164353366333032656431
+39303063343536336431336637323239356432616562656565306561666664663930303232313464
+34333236613239656562323037656137376135396636323361383565336636303338663138396238
+65396130303931393266636630656637333464346361303763653931383464326365333232623437
+61623263316562643636386637303531626238333131656130306236636230626362653935353331
+34366663303235653431616135343963643935303336313231343562376430343564393832343335
+36363130313533373137383738346438666634303537633232636535303835636333653636303937
+39356339656234303432
diff --git a/docs/ADR/004-DNS.md b/docs/ADR/004-DNS.md
index 9c5bf44..0a739cb 100644
--- a/docs/ADR/004-DNS.md
+++ b/docs/ADR/004-DNS.md
@@ -68,7 +68,7 @@ we have curently three authority domain on NAS:
 
 we could migrate authority DNS in cluster
 ducamps.win and ducamps.eu are only use for application access so no dependence with cluster build
-need to study cluster build dependance for lan.ducamps.eu
+need to study cluster build dependance for lan.ducamps.eu-> in every case in case of build from scratch need to use IP
 need keepalive IP and check if no conflict if store on same machine than pihole->ok don't need to listen on 53 only request by recursor
 DNS authority will dependant to storage (less problematic than recursor)
 
diff --git a/nomad-job/pdns-auth.nomad b/nomad-job/pdns-auth.nomad
new file mode 100644
index 0000000..16267a0
--- /dev/null
+++ b/nomad-job/pdns-auth.nomad
@@ -0,0 +1,162 @@
+
+job "pdns-auth" {
+  datacenters = ["homelab"]
+  priority    = 100
+  meta {
+    force = 2
+  }
+  type = "service"
+  constraint {
+    attribute = "${attr.cpu.arch}"
+    value     = "amd64"
+  }
+  group "pdns-auth" {
+    network {
+      port "dns" {
+        static=5300
+      }
+      port "http" {
+        static = 8081
+      }
+      port "pdnsadmin"{
+        to = 80
+      }
+    }
+  vault {
+    policies = ["pdns"]
+  }
+  task "pdns-auth" {
+
+    driver = "docker"
+    service {
+        name = "pdns-auth"
+        port = "dns"
+
+        check {
+          name     = "service: dns tcp check"
+          type     = "tcp"
+          interval = "10s"
+          timeout  = "2s"
+
+          success_before_passing   = "3"
+          failures_before_critical = "3"
+        }
+      }
+      config {
+        image = "powerdns/pdns-auth-48:latest"        
+        network_mode = "host"
+
+        volumes = [
+          "/mnt/diskstation/nomad/pdns-auth/var:/var/lib/powerdns/",
+          "local/dnsupdate.conf:/etc/powerdns/pdns.d/dnsupdate.conf",
+          "local/pdns.conf:/etc/powerdns/pdns.conf"
+        ]
+      }
+      template {
+        destination = "secrets/env"
+
+        data = <<EOH
+{{ with secret "secrets/data/nomad/pdns"}}
+          PDNS_AUTH_API_KEY="{{.Data.data.API_KEY}}"
+{{ end }}
+        EOH
+        env = true
+      }
+      template{
+        destination = "local/dnsupdate.conf"
+        data = <<EOH
+dnsupdate=yes
+allow-dnsupdate-from=192.168.1.41/24
+local-address=0.0.0.0:5300
+local-port=5300
+        EOH
+      }
+      template{
+        destination = "local/pdns.conf"
+        data = <<EOH
+launch=gpgsql
+gpgsql-host=active.db.service.consul
+gpgsql-port=5432
+gpgsql-user=pdns-auth
+{{ with secret "secrets/data/database/pdns"}}
+gpgsql-password={{ .Data.data.pdnsauth }}
+{{ end }}
+include-dir=/etc/powerdns/pdns.d
+        EOH
+      }
+      resources {
+        memory = 100
+      }
+    }
+  task "pnds-admin" {
+    service {
+      name = "pdns-admin"
+      tags = [
+        "homer.enable=true",
+        "homer.name=PDNS-ADMIN",
+        "homer.service=Application",
+        "homer.target=_blank",
+        "homer.url=http://${NOMAD_ADDR_pdnsadmin}",
+
+      ]
+      port = "pdnsadmin"
+    }
+    driver = "docker"
+    config {
+     image = "powerdnsadmin/pda-legacy:latest"        
+     ports= ["pdnsadmin"]  
+      volumes = [
+        "/mnt/diskstation/nomad/pdns-admin/:/data/node_module/",
+      ]
+      }
+      template{
+        destination = "secrets/pdns-admin.env"
+        env = true
+        data = <<EOH
+{{ with secret "secrets/data/nomad/pdns"}}
+SECRET_KEY="{{ .Data.data.SECRET_KEY }}"
+GUNICORN_WORKERS=2
+{{ end }}
+{{ with secret "secrets/data/database/pdns"}}
+SQLALCHEMY_DATABASE_URI=postgresql://pdns-admin:{{ .Data.data.pdnsadmin }}@active.db.service.consul/pdns-admin
+{{end}}
+        EOH
+      }
+
+  }
+  task "keepalived" {
+    driver = "docker"
+      lifecycle {
+        hook    = "poststart"
+        sidecar = true
+      }
+
+      env {
+        KEEPALIVED_ROUTER_ID     = "52"
+        KEEPALIVED_STATE         = "MASTER"
+        KEEPALIVED_VIRTUAL_IPS   = "192.168.1.5"
+      }
+      template{
+        destination = "local/env.yaml"
+        change_mode = "restart"
+        env= true
+        data = <<EOH
+        KEEPALIVED_INTERFACE= {{ sockaddr "GetPrivateInterfaces | include \"network\" \"192.168.1.0/24\" | attr \"name\"" }}
+        EOH
+      }
+      config {
+        image        = "osixia/keepalived:2.0.20"
+        network_mode = "host"
+        cap_add = [
+          "NET_ADMIN",
+          "NET_BROADCAST",
+          "NET_RAW"
+        ]
+      }
+      resources {
+        cpu    = 20
+        memory = 20
+      }
+    }
+  }
+}
diff --git a/infra/.terraform.lock.hcl b/terraform/cloud/.terraform.lock.hcl
similarity index 100%
rename from infra/.terraform.lock.hcl
rename to terraform/cloud/.terraform.lock.hcl
diff --git a/infra/dns.tf b/terraform/cloud/dns.tf
similarity index 69%
rename from infra/dns.tf
rename to terraform/cloud/dns.tf
index c8dcf21..ef46515 100644
--- a/infra/dns.tf
+++ b/terraform/cloud/dns.tf
@@ -7,71 +7,7 @@ resource "hetznerdns_zone" "externalZone" {
   ttl  = 1700
 }
 
-resource "hetznerdns_zone" "externalZoneEU" {
-    name = "ducamps.eu"
-    ttl  = 1700
-}
 
-resource "hetznerdns_record" "MX1Eu" {
-    zone_id = hetznerdns_zone.externalZoneEU.id
-    name    = "@"
-    value   = "20 mail"
-    type    = "MX"
-}
-
-resource "hetznerdns_record" "mailEu" {
-      zone_id = hetznerdns_zone.externalZoneEU.id
-      name    = "mail"
-      value    = local.defaultCname
-      type= "CNAME"
-}
-resource "hetznerdns_record" "serverEU" {
-  zone_id = hetznerdns_zone.externalZoneEU.id
-  name    = local.defaultCname
-  value   = hcloud_server.HomeLab2[0].ipv4_address
-  type    = "A"
-}
-resource "hetznerdns_record" "spfEu" {
-  zone_id = hetznerdns_zone.externalZoneEU.id
-  name    = "@"
-  value   = "\"v=spf1 ip4:${hcloud_server.HomeLab2[0].ipv4_address} ~all\""
-  type    = "TXT"
-}
-
-resource "hetznerdns_record" "dkimRecordEu" {
-  zone_id = hetznerdns_zone.externalZoneEU.id
-  name    = "mail._domainkey"
-  value   = "\"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0GadPljh+zM+Hf8MAf2wyj+h9p72aBFeFaiDhnswxO68fM9Uk6XhN4s1BkHLY5AWQh0SP1JDBaFWDfJiOV/27E3qJIa4KDHPZcgxgvo+SbfgNZq5qGIhKyqAAtyg/dI8IMKVOZ5Cevdv9VFrSF84xnTmDBCrWydPyV8D5+xA/bVna/AVCAVUeXVppyMPpC0s1HpRNJ0YaY23RH1KwChxvZY+BkanELSzTA8K0ATbIzwgQaK10/lc1S6EFvaSNG8sy6EIoondl6t+uiqU3bHgAW68r8snzl2gclG+uMkjXkH7YGPJzL9Co1o1MlKOHIONz89CCe0puIH4qaCo1G6EDwIDAQAB\""
-  type    = "TXT"
-}
-
-resource "hetznerdns_record" "dmarcEU" {
-
-  zone_id = hetznerdns_zone.externalZoneEU.id
-  name = "_dmarc"
-  value = "\"v=DMARC1; p=none; rua=mailto:vincent@ducamps.eu; ruf=mailto:vincent@ducamps.eu; sp=none; ri=86400\""
-  type  = "TXT"
-}
-
-resource "hetznerdns_record" "imapsAutodiscoverEU" {
-  zone_id = hetznerdns_zone.externalZoneEU.id
-  name = "_imaps._tcp"
-  value = "0 0 993 mail.ducamps.eu"
-  type  = "SRV"
-}
-
-resource "hetznerdns_record" "submissionAutodiscoverEU" {
-  zone_id = hetznerdns_zone.externalZoneEU.id
-  name = "_submission._tcp"
-  value = "0 0 465 mail.ducamps.eu"
-  type  = "SRV"
-}
-resource "hetznerdns_record" "NSEU" {
-    zone_id = hetznerdns_zone.externalZoneEU.id
-    name    = "@"
-    value   = "hydrogen.ns.hetzner.com."
-    type    = "NS"
-}
 resource "hetznerdns_record" "rootalias" {
   zone_id = hetznerdns_zone.externalZone.id
   name    = "@"
diff --git a/infra/firewall.tf b/terraform/cloud/firewall.tf
similarity index 100%
rename from infra/firewall.tf
rename to terraform/cloud/firewall.tf
diff --git a/infra/output.tf b/terraform/cloud/output.tf
similarity index 100%
rename from infra/output.tf
rename to terraform/cloud/output.tf
diff --git a/infra/providers.tf b/terraform/cloud/providers.tf
similarity index 100%
rename from infra/providers.tf
rename to terraform/cloud/providers.tf
diff --git a/infra/server.tf b/terraform/cloud/server.tf
similarity index 100%
rename from infra/server.tf
rename to terraform/cloud/server.tf
diff --git a/infra/ssh.tf b/terraform/cloud/ssh.tf
similarity index 100%
rename from infra/ssh.tf
rename to terraform/cloud/ssh.tf
diff --git a/infra/variable.tf b/terraform/cloud/variable.tf
similarity index 94%
rename from infra/variable.tf
rename to terraform/cloud/variable.tf
index 00da00b..c96da95 100644
--- a/infra/variable.tf
+++ b/terraform/cloud/variable.tf
@@ -16,7 +16,7 @@ variable "instances" {
 
 variable "server_type" {
   type=string
-  default = "cpx21"
+  default = "CPX21"
 }
 
 variable "os_type" {
diff --git a/terraform/dns/.terraform.lock.hcl b/terraform/dns/.terraform.lock.hcl
new file mode 100644
index 0000000..1a0e319
--- /dev/null
+++ b/terraform/dns/.terraform.lock.hcl
@@ -0,0 +1,56 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/vault" {
+  version = "3.22.0"
+  hashes = [
+    "h1:AyHIjPpd3CMimsJiwRCpi3Jo9SF8MhWkWHj7TjmUyvc=",
+    "zh:2ebe83a6d3c03c69610899408c3b9fcc6eb7a47e62a5c50126a20244fe2e0e2e",
+    "zh:46985c7bc1070f4cbb7241063046c165112aed47b0ef3d323197d11525a7c3e1",
+    "zh:4f3b1cc0eb4990b02a30d366e4c0b77e56e70610f283fb223f60171ab8ba4ee1",
+    "zh:6b445c90130201f6babb83b3d68969c7fc8936ddb29bd62597782b973a204a67",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:9097ca5bc78c701126c610b34127f58aeeba446ae2e03e94d8a42b4fb7ed6e4c",
+    "zh:98a81d03a45ada9a10a4d3cfdf4a7c223e5da3251aa0aaa6e24a48cea475903f",
+    "zh:b878afb67d3aa57413071321cc293cd67ab064fc1d6b3747b8702aef2351327d",
+    "zh:c546747894fd1ca8108c00bfed8888d0f2cbd60e4bdc2122b1652fb4f0f8b9d4",
+    "zh:cd6cc39872ed1439897e3f63d4251f31e5758b303ff8f471aac3dff32fb53e54",
+    "zh:d149c68271db77344b278e7e6c40db5dcf35a83642a60d588fbe72822bb40977",
+    "zh:fe29e024658c6ae9306c0847469508e835f86c961c998efc298aa1a5b928f72c",
+  ]
+}
+
+provider "registry.terraform.io/pan-net/powerdns" {
+  version = "1.5.0"
+  hashes = [
+    "h1:bsz18KLloevlTZkXwZr8u0sFCZKcOYyts2RaWkV6YNc=",
+    "zh:02d1a87c28635779f66d1dcf165b5f16530f809deb6c71c35c3e58d715a88bf4",
+    "zh:1285a419c7fd2947f891771bd77d2f6e7dd0cb00621c547b6993947085616009",
+    "zh:340faecd0a0036e721480564acbad2ba0da6a9c0c0cd633957dcde76a4ba3798",
+    "zh:5646f78d9980038c4ae70e09828da01c7cc6ba2b3b1e9ea8a1988efafaba1b75",
+    "zh:66fef65aede775d9972be163a2bd25d8fda5a8ad2235ceef30d515bf35e2e5d4",
+    "zh:7130faa5dd892b1d41b9b3ebd1b2d7854bf780193073de58806e088311bb554c",
+    "zh:9f47b66ce7f4b23d25c4a726ffc5e504f797f247912cfa5dff23b3da0ba18982",
+    "zh:ada63a886bc5d7980eeb22b59b166713617847626627007d2e8429eeb4346327",
+    "zh:c853237b7831942d3d0f0f7a7a334e8f9df8a12f217c5680a76db256e368230d",
+    "zh:d2e8827d9d8662a892dbd1df6155823c8167db6f6762f38885037c7da87612b1",
+    "zh:d6e1069bb9d9f368e5d55a8bdf55de23636a586d698515f0075733499d6b9ccc",
+    "zh:dd224d521af2f72bfdc3498c5ccd54b09844cfaa347b3008f61faad465cc9769",
+    "zh:e02960d79ccfeeaea64c07aa1ad88cdd3688f49b670c9b607ea188283cd519d6",
+  ]
+}
+
+provider "registry.terraform.io/timohirt/hetznerdns" {
+  version = "2.2.0"
+  hashes = [
+    "h1:HyskQAglrOueur79gSCBgx9MNDOs0tz39aNYQiFgxz8=",
+    "zh:5bb0ab9f62be3ed92070235e507f3c290491d51391ef4edcc70df53b65a83019",
+    "zh:5ccdfac7284f5515ac3cff748336b77f21c64760e429e811a1eeefa8ebb86e12",
+    "zh:687c35665139ae37c291e99085be2e38071f6b355c4e1e8957c5a6a3bcdf9caf",
+    "zh:6de27f0d0d1513b3a4b7e81923b4a8506c52759bd466e2b4f8156997b0478931",
+    "zh:85770a9199a4c2d16ca41538d7a0f7a7bfc060678104a1faac19213e6f0a800c",
+    "zh:a5ff723774a9ccfb27d5766c5e6713537f74dd94496048c89c5d64dba597e59e",
+    "zh:bf9ab76fd37cb8aebb6868d73cbe8c08cee36fc25224cc1ef5949efa3c34b06c",
+    "zh:db998fe3bdcd4902e99fa470bb3f355883170cf4c711c8da0b5f1f4510f1be41",
+  ]
+}
diff --git a/terraform/dns/CnameReverse.tf b/terraform/dns/CnameReverse.tf
new file mode 100644
index 0000000..438961f
--- /dev/null
+++ b/terraform/dns/CnameReverse.tf
@@ -0,0 +1,17 @@
+resource "powerdns_record" "Cname" {
+  for_each = toset(var.cnameList)
+    zone    = powerdns_zone.ducampseu.name
+    name    = "${each.key}.${powerdns_zone.ducampseu.name}"
+    type    = "CNAME"
+    ttl     = 1700
+    records = [var.localEndpoint]
+}
+
+resource "hetznerdns_record" "Cname" {
+  for_each = var.enableHetzner ? toset(var.cnameList) : []
+
+  zone_id = hetznerdns_zone.externalZoneEU[0].id
+  name    = each.key
+  value   = var.cloudEndpoint
+  type    = "A"
+}
diff --git a/terraform/dns/main.tf b/terraform/dns/main.tf
new file mode 100644
index 0000000..df409c1
--- /dev/null
+++ b/terraform/dns/main.tf
@@ -0,0 +1,25 @@
+terraform {
+  backend "consul" {
+    path  = "terraform/dns"
+  }
+  required_providers {
+    powerdns = {
+      source = "pan-net/powerdns"
+    }   
+    hetznerdns = {
+      source="timohirt/hetznerdns"
+    }
+  }
+}
+provider vault {
+}
+
+provider "powerdns" {
+  api_key    = var.powerDnsApiKey
+  server_url = var.powerDnsURL
+}
+
+provider "hetznerdns" {
+    apitoken = var.hetznerApiKey
+}
+
diff --git a/terraform/dns/makefile b/terraform/dns/makefile
new file mode 100644
index 0000000..1073779
--- /dev/null
+++ b/terraform/dns/makefile
@@ -0,0 +1,12 @@
+
+
+setenv:
+	export TF_VAR_hetznerApiKey=`vault kv get -field=hdns_token secrets/hetzner`
+	export TF_VAR_powerDnsApiKey=`vault kv get -field=API_KEY secrets/nomad/pdns`
+
+apply: setenv
+	terraform apply
+
+plan: setenv
+	export
+	terraform plan
diff --git a/terraform/dns/records.tf b/terraform/dns/records.tf
new file mode 100644
index 0000000..bb45b81
--- /dev/null
+++ b/terraform/dns/records.tf
@@ -0,0 +1,115 @@
+resource "hetznerdns_record" "MX1Eu" {
+    count = var.enableHetzner ? 1 : 0
+    zone_id = hetznerdns_zone.externalZoneEU[0].id
+    name    = "@"
+    value   = "20 mail"
+    type    = "MX"
+}
+
+resource "hetznerdns_record" "spfEu" {
+  count = var.enableHetzner ? 1 : 0
+  zone_id = hetznerdns_zone.externalZoneEU[0].id
+  name    = "@"
+  value   = "\"v=spf1 ip4:${var.cloudEndpoint} ~all\""
+  type    = "TXT"
+}
+
+resource "hetznerdns_record" "dkimRecordEu" {
+  count = var.enableHetzner ? 1 : 0
+  zone_id = hetznerdns_zone.externalZoneEU[0].id
+  name    = "mail._domainkey"
+  value   = "\"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0GadPljh+zM+Hf8MAf2wyj+h9p72aBFeFaiDhnswxO68fM9Uk6XhN4s1BkHLY5AWQh0SP1JDBaFWDfJiOV/27E3qJIa4KDHPZcgxgvo+SbfgNZq5qGIhKyqAAtyg/dI8IMKVOZ5Cevdv9VFrSF84xnTmDBCrWydPyV8D5+xA/bVna/AVCAVUeXVppyMPpC0s1HpRNJ0YaY23RH1KwChxvZY+BkanELSzTA8K0ATbIzwgQaK10/lc1S6EFvaSNG8sy6EIoondl6t+uiqU3bHgAW68r8snzl2gclG+uMkjXkH7YGPJzL9Co1o1MlKOHIONz89CCe0puIH4qaCo1G6EDwIDAQAB\""
+  type    = "TXT"
+}
+
+resource "hetznerdns_record" "dmarcEU" {
+  count = var.enableHetzner ? 1 : 0
+  zone_id = hetznerdns_zone.externalZoneEU[0].id
+  name = "_dmarc"
+  value = "\"v=DMARC1; p=none; rua=mailto:vincent@ducamps.eu; ruf=mailto:vincent@ducamps.eu; sp=none; ri=86400\""
+  type  = "TXT"
+}
+
+resource "hetznerdns_record" "imapsAutodiscoverEU" {
+  count = var.enableHetzner ? 1 : 0
+  zone_id = hetznerdns_zone.externalZoneEU[0].id
+  name = "_imaps._tcp"
+  value = "0 0 993 mail.ducamps.eu"
+  type  = "SRV"
+}
+
+resource "hetznerdns_record" "submissionAutodiscoverEU" {
+  count = var.enableHetzner ? 1 : 0
+  zone_id = hetznerdns_zone.externalZoneEU[0].id
+  name = "_submission._tcp"
+  value = "0 0 465 mail.ducamps.eu"
+  type  = "SRV"
+}
+resource "hetznerdns_record" "caldavs" {
+    count = var.enableHetzner ? 1 : 0
+    zone_id = hetznerdns_zone.externalZoneEU[0].id
+    name = "_caldavs_tcp"
+    value = "10 20 443 www.ducamps.eu"
+    type  = "SRV"
+}
+resource "hetznerdns_record" "carddavs" {
+      count = var.enableHetzner ? 1 : 0
+      zone_id = hetznerdns_zone.externalZoneEU[0].id
+      name = "_carddavs_tcp"
+      value = "10 20 443 www.ducamps.eu"
+      type  = "SRV"
+}
+resource "hetznerdns_record" "NSEU" {
+    count = var.enableHetzner ? 1 : 0
+    zone_id = hetznerdns_zone.externalZoneEU[0].id
+    name    = "@"
+    value   = "hydrogen.ns.hetzner.com."
+    type    = "NS"
+}
+
+resource "hetznerdns_record" "rootalias" {
+  count = var.enableHetzner ? 1 : 0
+  zone_id = hetznerdns_zone.externalZoneEU[0].id
+  name    = "@"
+  value   = var.cloudEndpoint
+  type    = "A"
+}
+
+resource "powerdns_record" "mail" {
+  zone= powerdns_zone.ducampseu.name
+  type= "MX"
+  name= "mail.${powerdns_zone.ducampseu.name}"
+  ttl= 1700
+  records = ["10 ${var.localEndpoint}"]
+}
+
+resource "powerdns_record" "merlin" {
+    zone= powerdns_zone.ducampseu.name
+    type= "A"
+    name= "merlin.lan.${powerdns_zone.ducampseu.name}"
+    ttl= 1700
+    records = ["10.0.0.4"]
+}
+resource "powerdns_record" "corwin" {
+    zone= powerdns_zone.ducampseu.name
+    type= "A"
+    name= "corwin.lan.${powerdns_zone.ducampseu.name}"
+    ttl= 1700
+    records = ["10.0.0.1"]
+}
+
+resource "powerdns_record" "gerard" {
+    zone= powerdns_zone.ducampseu.name
+    type= "A"
+    name= "gerard.lan.${powerdns_zone.ducampseu.name}"
+    ttl= 1700
+    records = ["192.168.1.41"]
+}
+
+resource "powerdns_record" "diskstation" {
+      zone= powerdns_zone.ducampseu.name
+      type= "A"
+      name= "diskstation.lan.${powerdns_zone.ducampseu.name}"
+      ttl= 1700
+      records = ["192.168.1.10"]
+}
diff --git a/terraform/dns/variable.tf b/terraform/dns/variable.tf
new file mode 100644
index 0000000..265ad00
--- /dev/null
+++ b/terraform/dns/variable.tf
@@ -0,0 +1,47 @@
+variable powerDnsApiKey {
+  type= string
+  sensitive= true
+}
+variable hetznerApiKey {
+  type= string
+  sensitive= true
+}
+variable enableHetzner {
+ type= bool
+ default = true
+}
+variable powerDnsURL {
+  type=string
+  default="http://192.168.1.5:8081"
+}
+variable cnameList{
+  type=list
+  default= [
+    "arch",
+    "dashboard",
+    "drone",
+    "file",
+    "ghostfolio",
+    "git",
+    "grafana",
+    "hass",
+    "jellyfin",
+    "jellyfin-vue",
+    "paperless-ng",
+    "supysonic",
+    "syno",
+    "torrent",
+    "vault",
+    "vikunja",
+    "www"
+  ]
+}
+
+variable localEndpoint{
+  type= string
+  default= "traefik-local.service.consul."
+}
+variable cloudEndpoint{
+  type= string
+  default= "135.181.150.203"
+}
diff --git a/terraform/dns/zone.tf b/terraform/dns/zone.tf
new file mode 100644
index 0000000..181b95d
--- /dev/null
+++ b/terraform/dns/zone.tf
@@ -0,0 +1,20 @@
+resource "powerdns_zone" "ducampseu" {
+  name        = "ducamps.eu."
+  kind        = "Native"
+}
+
+resource "powerdns_zone" "landucampseu" {
+  name        = "lan.ducamps.eu."
+  kind        = "Native"
+}
+
+resource "powerdns_zone" "reversezone" {
+  name        = "1.168.192.in-addr.arpa."
+  kind        = "Native"
+}
+
+resource "hetznerdns_zone" "externalZoneEU" {
+    count = var.enableHetzner ? 1 : 0
+    name = "ducamps.eu"
+    ttl  = 1700
+}
diff --git a/terraform/exportTFsecret.sh b/terraform/exportTFsecret.sh
new file mode 100755
index 0000000..b205f35
--- /dev/null
+++ b/terraform/exportTFsecret.sh
@@ -0,0 +1,3 @@
+	export TF_VAR_hetznerApiKey=`vault kv get -field=hdns_token secrets/hetzner`
+	export TF_VAR_powerDnsApiKey=`vault kv get -field=API_KEY secrets/nomad/pdns`
+  export TF_VAR_hcloud_token=`vault kv get -field=hcloud_token secrets/hetzner`
diff --git a/vault/.terraform.lock.hcl b/terraform/vault/.terraform.lock.hcl
similarity index 100%
rename from vault/.terraform.lock.hcl
rename to terraform/vault/.terraform.lock.hcl
diff --git a/vault/drone-vault.tf b/terraform/vault/drone-vault.tf
similarity index 100%
rename from vault/drone-vault.tf
rename to terraform/vault/drone-vault.tf
diff --git a/vault/ldap.tf b/terraform/vault/ldap.tf
similarity index 100%
rename from vault/ldap.tf
rename to terraform/vault/ldap.tf
diff --git a/vault/main.tf b/terraform/vault/main.tf
similarity index 100%
rename from vault/main.tf
rename to terraform/vault/main.tf
diff --git a/vault/migrateBackend.hcl b/terraform/vault/migrateBackend.hcl
similarity index 100%
rename from vault/migrateBackend.hcl
rename to terraform/vault/migrateBackend.hcl
diff --git a/vault/nomad.tf b/terraform/vault/nomad.tf
similarity index 96%
rename from vault/nomad.tf
rename to terraform/vault/nomad.tf
index e47cf1e..871e6f2 100644
--- a/vault/nomad.tf
+++ b/terraform/vault/nomad.tf
@@ -22,7 +22,9 @@ locals {
     "vikunja",
     "ghostfolio",
     "alertmanager",
-    "vault-backup"
+    "vault-backup",
+    "pdns",
+    "torrent"
   ]
 
 }
diff --git a/vault/policy.tf b/terraform/vault/policy.tf
similarity index 100%
rename from vault/policy.tf
rename to terraform/vault/policy.tf
diff --git a/vault/standalone_vault.sh b/terraform/vault/standalone_vault.sh
similarity index 100%
rename from vault/standalone_vault.sh
rename to terraform/vault/standalone_vault.sh
diff --git a/vault/variable.tf b/terraform/vault/variable.tf
similarity index 100%
rename from vault/variable.tf
rename to terraform/vault/variable.tf
diff --git a/vault/vault-snapshot.tf b/terraform/vault/vault-snapshot.tf
similarity index 100%
rename from vault/vault-snapshot.tf
rename to terraform/vault/vault-snapshot.tf