diff --git a/flake.nix b/flake.nix
index 12917a6..c3abfa6 100644
--- a/flake.nix
+++ b/flake.nix
@@ -31,9 +31,10 @@
 terraform = pkgs.opentofu;
 terraformCfg = terranix.lib.terranixConfiguration {
 inherit system;
- modules = [
+ modules = [ ./terraform
 {
+ bagel.gandi.enable = true;
 bagel.hydra.enable = true;
 }
 ];
diff --git a/terraform/default.nix b/terraform/default.nix
index 222d3bc..da1aa29 100644
--- a/terraform/default.nix
+++ b/terraform/default.nix
@@ -1,6 +1,7 @@
 {
 imports = [
 ./common.nix
+ ./gandi.nix
 ./hydra.nix
 ./state.nix
 ];
diff --git a/terraform/gandi.nix b/terraform/gandi.nix
new file mode 100644
index 0000000..a837fa0
--- /dev/null
+++ b/terraform/gandi.nix
@@ -0,0 +1,65 @@
+{ lib, config, ... }:
+let
+ inherit (lib) mkEnableOption mkIf tf;
+ cfg = config.bagel.gandi;
+in
+{
+ options.bagel.gandi = {
+ enable = mkEnableOption "the Gandi DNS configuration";
+ };
+
+ config = mkIf cfg.enable {
+ terraform.required_providers.gandi = {
+ version = "~> 2.3.0";
+ source = "go-gandi/gandi";
+ };
+
+ resource.secret_resource.gandi_pat.lifecycle.prevent_destroy = true;
+
+ provider.gandi = {
+ personal_access_token = tf.ref "resource.secret_resource.gandi_pat.value";
+ };
+
+ resource.gandi_livedns_domain.forkos_org = {
+ name = "forkos.org";
+ };
+
+ resource.gandi_livedns_record = let
+ record = name: ttl: type: values: {
+ inherit name ttl type values;
+ };
+
+ # TODO: make less fragile and have actual unique and stable names
+ canonicalName = record: let
+ name = builtins.replaceStrings ["."] ["_"] record.name;
+ in
+ "forkos_org_${record.type}_${name}";
+
+ forkosRecords = records:
+ builtins.listToAttrs (map (record: {
+ name = canonicalName record;
+ value = record // {
+ zone = tf.ref "resource.gandi_livedns_domain.forkos_org.id";
+ };
+ }) records);
+
+ in forkosRecords [
+ (record "cl" 3600 "A" ["163.172.69.160"])
+ (record "cl" 3600 "AAAA" ["2001:bc8:38ee:100:1000::10"])
+
+ (record "fodwatch" 3600 "A" ["163.172.69.160"])
+ (record "fodwatch" 3600 "AAAA" ["2001:bc8:38ee:100:1000::30"])
+
+ (record "netbox" 3600 "A" ["163.172.69.160"])
+ (record "netbox" 3600 "AAAA" ["2001:bc8:38ee:100:1000::20"])
+
+ (record "gerrit01.infra" 3600 "AAAA" ["2001:bc8:38ee:100:1000::10"])
+ (record "fodwatch.infra" 3600 "AAAA" ["2001:bc8:38ee:100:1000::30"])
+ (record "meta01.infra" 3600 "AAAA" ["2001:bc8:38ee:100:1000::20"])
+
+ (record "grafana" 3600 "CNAME" ["netbox"])
+ (record "loki" 3600 "CNAME" ["meta01.infra"])
+ (record "mimir" 3600 "CNAME" ["grafana"])
+ ];
+ };
+}
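Review bot: `forkosRecords` feeds `builtins.listToAttrs`, which silently keeps only the first entry when two records collapse to the same `canonicalName` (same name and type, the fragility the TODO above it alludes to), so a second A record added for `cl` would simply vanish from the plan with no error; compute `names = map canonicalName records;` and fail loudly with `assert lib.length (lib.unique names) == lib.length names;` before the `listToAttrs` call. Separately, the Gandi PAT is read through `secret_resource.gandi_pat` and therefore lands in plaintext in the OpenTofu state — presumably the backend configured in `state.nix` is access-controlled, but a comment on that line such as `# value is persisted in state: mint the token scoped to forkos.org DNS only, with an expiry` tells whoever rotates it what the blast radius is. The `mimir` → `grafana` → `netbox` entries also form a two-hop CNAME chain; pointing `mimir` at `netbox` directly avoids the extra resolution step if that is the intent.
```nix
forkosRecords = records:
  let
    names = map canonicalName records;
  in
  # listToAttrs keeps only the first entry per key; refuse to drop records silently
  assert lib.length (lib.unique names) == lib.length names;
  builtins.listToAttrs (map (record: {
    name = canonicalName record;
    # … unchanged: value = record // { zone = …; } …
  }) records);
```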