diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..0deee8b
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,6 @@
+*
+!/.gitignore
+!/**/*.tf
+!/.terraform.lock.hcl
+!/dns-records.csv
+!/dns/
diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl
new file mode 100644
index 0000000..1cbbf72
--- /dev/null
+++ b/.terraform.lock.hcl
@@ -0,0 +1,18 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/timohirt/hetznerdns" {
+ version = "2.2.0"
+ constraints = "2.2.0"
+ hashes = [
+ "h1:HyskQAglrOueur79gSCBgx9MNDOs0tz39aNYQiFgxz8=",
+ "zh:5bb0ab9f62be3ed92070235e507f3c290491d51391ef4edcc70df53b65a83019",
+ "zh:5ccdfac7284f5515ac3cff748336b77f21c64760e429e811a1eeefa8ebb86e12",
+ "zh:687c35665139ae37c291e99085be2e38071f6b355c4e1e8957c5a6a3bcdf9caf",
+ "zh:6de27f0d0d1513b3a4b7e81923b4a8506c52759bd466e2b4f8156997b0478931",
+ "zh:85770a9199a4c2d16ca41538d7a0f7a7bfc060678104a1faac19213e6f0a800c",
+ "zh:a5ff723774a9ccfb27d5766c5e6713537f74dd94496048c89c5d64dba597e59e",
+ "zh:bf9ab76fd37cb8aebb6868d73cbe8c08cee36fc25224cc1ef5949efa3c34b06c",
+ "zh:db998fe3bdcd4902e99fa470bb3f355883170cf4c711c8da0b5f1f4510f1be41",
+ ]
+}
diff --git a/dns.tf b/dns.tf
new file mode 100644
index 0000000..24b4522
--- /dev/null
+++ b/dns.tf
@@ -0,0 +1,79 @@
+locals {
+ // gmail had a different dns-setting in the past,
+ // but they claim it's still totally valid for old installations
+ // they even guarantee to keep it valid in future
+ // see: https://support.google.com/a/answer/174125?hl=en#zippy=%2Cgoogle-workspace-legacy-version-before
+ dns_gmail_until_april_2023 = [
+ { name = "@", ttl = var.gmail_dns_default_ttl, type = "MX", value = "1 aspmx.l.google.com." },
+ { name = "@", ttl = var.gmail_dns_default_ttl, type = "MX", value = "5 alt1.aspmx.l.google.com." },
+ { name = "@", ttl = var.gmail_dns_default_ttl, type = "MX", value = "5 alt2.aspmx.l.google.com." },
+ { name = "@", ttl = var.gmail_dns_default_ttl, type = "MX", value = "10 alt3.aspmx.l.google.com." },
+ { name = "@", ttl = var.gmail_dns_default_ttl, type = "MX", value = "10 alt1.aspmx.l.google.com." },
+ { name = "@", ttl = var.gmail_dns_default_ttl, type = "TXT", value = "v=spf1 include:_spf.google.com a mx ~all" },
+ ]
+ dns_gmail_starting_april_2023 = [
+ { name = "@", ttl = var.gmail_dns_default_ttl, type = "MX", value = "1 smtp.google.com." },
+ { name = "@", ttl = var.gmail_dns_default_ttl, type = "TXT", value = "v=spf1 include:_spf.google.com a mx ~all" },
+ ]
+ dns_website_default = [
+ { name = "@", ttl = 900, type = "A", value = "62.138.6.205" },
+ { name = "*", ttl = 900, type = "A", value = "62.138.6.205" },
+ ]
+}
+
+module "dns_goperte_de" {
+ source = "./dns"
+ zone = "goperte.de"
+ records = local.dns_website_default
+}
+
+module "dns_nehrke_info" {
+ source = "./dns"
+ zone = "nehrke.info"
+ records = concat(
+ local.dns_website_default,
+ [
+ { name = "_dmarc", ttl = var.gmail_dns_default_ttl, type = "TXT", value = "v=DMARC1; p=none;" },
+ { name = "google._domainkey", ttl = var.gmail_dns_default_ttl, type = "TXT", value = var.google_dkim["nehrke.info"] }
+ ],
+ local.dns_gmail_until_april_2023,
+ )
+}
+
+module "dns_sozpaedil_net" {
+ source = "./dns"
+ zone = "sozpaedil.net"
+ records = concat(
+ local.dns_website_default,
+ [
+ { name = "_dmarc", ttl = var.gmail_dns_default_ttl, type = "TXT", value = "v=DMARC1; p=none;" },
+ { name = "google._domainkey", ttl = var.gmail_dns_default_ttl, type = "TXT", value = var.google_dkim["sozpaedil.net"] }
+ ],
+ local.dns_gmail_until_april_2023,
+ )
+}
+
+module "dns_tovot_de" {
+ source = "./dns"
+ zone = "tovot.de"
+ records = local.dns_website_default
+}
+
+module "dns_tovot_net" {
+ source = "./dns"
+ zone = "tovot.net"
+ records = local.dns_website_default
+}
+
+module "dns_tovot_org" {
+ source = "./dns"
+ zone = "tovot.org"
+ records = local.dns_website_default
+}
+
+module "dns_xn--alleingnger-r8a_de" {
+ source = "./dns"
+ zone = "xn--alleingnger-r8a.de"
+ records = local.dns_website_default
+}
+
diff --git a/dns/main.tf b/dns/main.tf
new file mode 100644
index 0000000..6c49849
--- /dev/null
+++ b/dns/main.tf
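Review bot: The legacy MX set in `dns_gmail_until_april_2023` lists `alt1.aspmx.l.google.com.` twice (at priority 5 and again at priority 10) and never names `alt4`; Google's legacy set is alt1 through alt4, so the second entry should presumably read `{ name = "@", ttl = var.gmail_dns_default_ttl, type = "MX", value = "10 alt4.aspmx.l.google.com." },`. Because the dns module keys records by `type#name#md5(value)` and the two strings differ in their priority prefix, both alt1 entries are published rather than collapsed. The DMARC record `v=DMARC1; p=none;` for nehrke.info and sozpaedil.net carries no `rua=` tag, so monitoring mode collects no aggregate reports; adding `rua=mailto:<REPORT_ADDRESS>` (placeholder) is what makes `p=none` useful before the policy is tightened. `dns_gmail_starting_april_2023` is defined but no module consumes it, which reads like an unfinished migration and deserves a comment saying when it is meant to replace the legacy set.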
@@ -0,0 +1,25 @@
+resource "hetznerdns_zone" "this" {
+ name = var.zone
+ ttl = var.zone_ttl
+}
+
+locals {
+ records = {
+ for record in var.records : "${record.type}#${record.name}#${md5(record.value)}" => {
+ for key, value in record : key => value
+ }
+ }
+}
+
+resource "hetznerdns_record" "this" {
+ for_each = local.records
+ zone_id = hetznerdns_zone.this.id
+ name = each.value.name
+ type = each.value.type
+ value = (each.value.type == "TXT"
+ ? "\"${join("\" \"", [for c in chunklist(split("", each.value.value), 255) : join("", c)])}\""
+ : each.value.value
+ )
+ ttl = each.value.ttl
+}
+
diff --git a/dns/outputs.tf b/dns/outputs.tf
new file mode 100644
index 0000000..e69de29
diff --git a/dns/variables.tf b/dns/variables.tf
new file mode 100644
index 0000000..2397198
--- /dev/null
+++ b/dns/variables.tf
@@ -0,0 +1,19 @@
+variable "zone" {
+ type = string
+}
+
+variable "zone_ttl" {
+ type = number
+ default = 3600
+}
+
+variable "records" {
+ type = set(object({
+ name = string
+ value = string
+ type = string
+ ttl = optional(number, 3600)
+ }))
+ default = []
+}
+
diff --git a/dns/versions.tf b/dns/versions.tf
new file mode 100644
index 0000000..a2ad6d0
--- /dev/null
+++ b/dns/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_providers {
+ hetznerdns = {
+ source = "timohirt/hetznerdns"
+ version = "2.2.0"
+ }
+ }
+}
+
+
diff --git a/main.tf b/main.tf
new file mode 100644
index 0000000..9e55d65
--- /dev/null
+++ b/main.tf
@@ -0,0 +1,3 @@
+provider "hetznerdns" {
+ apitoken = var.hetzner_apitoken
+}
diff --git a/outputs.tf b/outputs.tf
new file mode 100644
index 0000000..e69de29
diff --git a/variables.tf b/variables.tf
new file mode 100644
index 0000000..0c35df8
--- /dev/null
+++ b/variables.tf
@@ -0,0 +1,13 @@
+variable "hetzner_apitoken" {
+ type = string
+}
+
+variable "google_dkim" {
+ type = map(string)
+}
+
+variable "gmail_dns_default_ttl" {
+ type = number
+ default = 3600
+}
+
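Review bot: The TXT quoting on the `value` line splits with `chunklist(split("", each.value.value), 255)`, which counts Unicode characters while the 255 limit of a DNS character-string is in octets, and it wraps each chunk in `"` without escaping any `"` or `\` already present in the value. That is fine for the ASCII SPF/DKIM strings fed in from dns.tf, but the constraint is silent; I would add `// TXT values are split per character, not per byte, and are not escaped: callers must pass ASCII values without '"' or '\'.` above the expression. The inner projection `for key, value in record : key => value` copies the object field by field and is equivalent to writing `=> record` directly. The `md5()` in the map key only serves as a stable identity for `for_each`, which a short comment should state so it is not mistaken for a security control.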
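Review bot: `ttl = optional(number, 3600)` in dns/variables.tf uses the two-argument form of `optional()`, which Terraform accepts only from 1.3 on, yet neither the module's `terraform` block in dns/versions.tf nor the root versions.tf sets `required_version`; add `required_version = ">= 1.3"` next to `required_providers` so an older CLI fails at init instead of with a confusing type error. None of the three variables has a `description`, which matters for a module consumed by several root-module calls; e.g. `description = "Zone apex, e.g. example.net"` for `zone`. Since `records` is a `set(object)`, two fully identical entries are merged silently before the module sees them, which is worth stating in that description.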
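Review bot: `hetzner_apitoken` in variables.tf is the credential consumed by the provider block in main.tf but is not declared `sensitive = true`, so Terraform prints its value if it is ever referenced in an output or inspected in `terraform console`; add `sensitive = true` under `type = string`. A `description` on `google_dkim` would also help, since its keys must be the zone names used in the `var.google_dkim["<zone>"]` lookups in dns.tf and its values the raw DKIM public-key TXT content.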
diff --git a/versions.tf b/versions.tf
new file mode 100644
index 0000000..06acbcf
--- /dev/null
+++ b/versions.tf
@@ -0,0 +1,8 @@
+terraform {
+ required_providers {
+ hetznerdns = {
+ source = "timohirt/hetznerdns"
+ version = "2.2.0"
+ }
+ }
+}