diff --git a/modules/powerdns.nix b/modules/powerdns.nix
new file mode 100644
index 0000000..9a04c5a
--- /dev/null
+++ b/modules/powerdns.nix
@@ -0,0 +1,78 @@
+{ lib, pkgs, ... }:
+let
+ #pdns_database = "/var/lib/powerdns/pdns.sqlite3";
+ #pdnsa_database = "/var/lib/powerdns-admin/pdnsa.sqlite3";
+ pdns_database = "pdns";
+ pdns_user = "pdns";
+ pdns_password = builtins.readFile /etc/nixos/keys/powerdns-dbpassword;
+ pdnsa_database = "powerdnsadmin";
+ pdnsa_password = builtins.readFile /etc/nixos/keys/powerdnsadmin-dbpassword;
+ pgsql_host = "/run/postgresql";
+ pdns_web_port = "8081";
+ pdns_api_key = builtins.readFile /etc/nixos/keys/powerdns-apikey;
+in
+{
+ services.powerdns = {
+ enable = true;
+ extraConfig = ''
+ launch=gpgsql
+ gpgsql-host=${pgsql_host}
+ gpgsql-dbname=${pdns_database}
+ gpgsql-user=${pdns_user}
+ gpgsql-password=${pdns_password}
+ webserver=yes
+ webserver-port=${pdns_web_port}
+ api=yes
+ api-key=${pdns_api_key}
+ '';
+ };
+
+ services.powerdns-admin = {
+ enable = true;
+ secretKeyFile = "/etc/nixos/keys/powerdns-secret";
+ saltFile = "/etc/nixos/keys/powerdns-salt";
+ config = ''
+ SQLALCHEMY_DATABASE_URI = 'postgresql://${pdnsa_database}@/${pdnsa_database}?host=/run/postgresql'
+ '';
+ };
+
+ imports = [ ./postgresql.nix ];
+
+ services.postgresql = {
+ ensureDatabases = [ pdns_database pdnsa_database];
+ ensureUsers = [
+ {
+ name = pdns_user;
+ ensurePermissions = {
+ "DATABASE ${pdns_database}" = "ALL PRIVILEGES";
+ };
+ }
+ {
+ name = pdnsa_database;
+ ensurePermissions = {
+ "DATABASE ${pdnsa_database}" = "ALL PRIVILEGES";
+ };
+ }
+ ];
+ };
+
+ services.postgresqlBackup.databases = [
+ pdns_database
+ pdnsa_database
+ ];
+
+ systemd.services."powerdns-admin" = {
+ serviceConfig = {
+ # ExecStartPre = lib.mkForce "${pkgs.bash}/bin/bash -c 'ls -ahlp /run/postgresql/.s.PGSQL.5432'";
+ BindReadOnlyPaths = [ "/run/postgresql/.s.PGSQL.5432" ];
+ };
+ #preStart = lib.mkForce "ls -ahlp /run/postgresql/.s.PGSQL.5432";
+ #systemd.services.powerdns-admin = serviceConfig = {
+ #};
+ };
+
+ networking.firewall.allowedTCPPorts = [ 53 ];
+ networking.firewall.allowedUDPPorts = [ 53 ];
+}
+
+# vim: set et ts=2 sw=2 ai:
diff --git a/systems/mc5/configuration.nix b/systems/mc5/configuration.nix
index 4c98a04..b562b0c 100644
--- a/systems/mc5/configuration.nix
+++ b/systems/mc5/configuration.nix
@@ -6,6 +6,7 @@ ./modules/generic.nix #./modules/ceph-common.nix ./modules/borg.nix + ./modules/powerdns.nix ]; #services.ceph = {
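Review bot: The database password and API key read on the `pdns_password = builtins.readFile …` and `pdns_api_key = builtins.readFile …` lines are interpolated into `extraConfig`, so they land in the generated pdns.conf inside the world-readable Nix store, which defeats keeping them under /etc/nixos/keys. The powerdns-admin block already avoids this with `secretKeyFile`/`saltFile`; if the `services.powerdns` module in use provides a `secretFile` option (it substitutes `$VAR` placeholders when the service starts), the equivalent here is `secretFile = "/etc/nixos/keys/powerdns.env";` with `gpgsql-password=$PDNS_DB_PASSWORD` and `api-key=$PDNS_API_KEY` in the config, otherwise the config file should be assembled at runtime in a preStart step rather than at evaluation time. `pdnsa_password` is read but never used — the SQLALCHEMY_DATABASE_URI carries no password and presumably relies on peer authentication over the Unix socket — so either drop the binding or wire it in deliberately. The commented-out `ExecStartPre`/`preStart` debugging lines in the powerdns-admin unit should be removed before merge.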