{"id":50103165,"url":"https://github.com/powerdns-authadmin/powerdns-authadmin","last_synced_at":"2026-06-04T00:01:10.091Z","repository":{"id":359731508,"uuid":"1246454422","full_name":"PowerDNS-AuthAdmin/powerdns-authadmin","owner":"PowerDNS-AuthAdmin","description":"Modern self-hosted DNS administration UI for PowerDNS Authoritative - RBAC, OIDC SSO, audit log, DNSSEC, multi-backend (clusters \u0026 primary/secondary). A maintained alternative to PowerDNS-Admin.","archived":false,"fork":false,"pushed_at":"2026-06-01T02:53:49.000Z","size":10069,"stargazers_count":3,"open_issues_count":2,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-01T04:24:08.210Z","etag":null,"topics":["authoritative-dns","dns","dns-management","dns-server","dnssec","docker","homelab","nextjs","oidc","powerdns","powerdns-admin","rbac","self-hosted","selfhosted","sso","typescript"],"latest_commit_sha":null,"homepage":"https://powerdns-authadmin.org","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/PowerDNS-AuthAdmin.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-22T07:55:46.000Z","updated_at":"2026-06-01T03:11:55.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/PowerDNS-AuthAdmin/powerdns-authadmin","commit_stats":null,"previous_names":["jseifeddine/powerdns-authadmin"],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/PowerDNS-AuthAdmin/powerdns-authadmin","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PowerDNS-AuthAdmin%2Fpowerdns-authadmin","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PowerDNS-AuthAdmin%2Fpowerdns-authadmin/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PowerDNS-AuthAdmin%2Fpowerdns-authadmin/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PowerDNS-AuthAdmin%2Fpowerdns-authadmin/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/PowerDNS-AuthAdmin","download_url":"https://codeload.github.com/PowerDNS-AuthAdmin/powerdns-authadmin/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PowerDNS-AuthAdmin%2Fpowerdns-authadmin/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33884734,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-03T02:00:06.370Z","response_time":59,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authoritative-dns","dns","dns-management","dns-server","dnssec","docker","homelab","nextjs","oidc","powerdns","powerdns-admin","rbac","self-hosted","selfhosted","sso","typescript"],"created_at":"2026-05-23T09:00:22.264Z","updated_at":"2026-06-04T00:01:10.080Z","avatar_url":"https://github.com/PowerDNS-AuthAdmin.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n \u003cpicture\u003e\n \u003csource media=\"(prefers-color-scheme: dark)\" srcset=\"./public/brand/logo-wordmark-dark.png\" /\u003e\n \u003cimg src=\"./public/brand/logo-wordmark-light.png\" alt=\"PowerDNS-AuthAdmin\" width=\"440\" /\u003e\n \u003c/picture\u003e\n\u003c/p\u003e\n\n# PowerDNS-AuthAdmin\n\n\u003e A modern, self-hosted DNS administration UI for PowerDNS Authoritative - first-class RBAC,\n\u003e audit log with diffs, SSO with group-driven role mapping, optimistic concurrency in the editor,\n\u003e and a UI built for teams that actually run multi-backend infrastructure.\n\n[![CI](https://github.com/PowerDNS-AuthAdmin/powerdns-authadmin/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/PowerDNS-AuthAdmin/powerdns-authadmin/actions/workflows/ci.yml?query=branch%3Amain)\n[![Release](https://img.shields.io/github/v/release/PowerDNS-AuthAdmin/powerdns-authadmin)](https://github.com/PowerDNS-AuthAdmin/powerdns-authadmin/releases/latest)\n[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/PowerDNS-AuthAdmin/powerdns-authadmin/badge)](https://scorecard.dev/viewer/?uri=github.com/PowerDNS-AuthAdmin/powerdns-authadmin)\n\n[![Container: GHCR](https://img.shields.io/badge/ghcr.io-powerdns--authadmin-2496ED?logo=docker\u0026logoColor=white)](https://github.com/PowerDNS-AuthAdmin/powerdns-authadmin/pkgs/container/powerdns-authadmin)\n[![GHCR version](https://ghcr-badge.ngn.au/powerdns-authadmin/powerdns-authadmin/latest_tag?ignore=latest,edge,*sha*\u0026label=ghcr.io\u0026color=%232ea44f)](https://github.com/PowerDNS-AuthAdmin/powerdns-authadmin/pkgs/container/powerdns-authadmin)\n[![GHCR pulls](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fghcr-badge.elias.eu.org%2Fapi%2Fpowerdns-authadmin%2Fpowerdns-authadmin\u0026query=%24.downloadCount\u0026label=ghcr%20pulls\u0026logo=docker\u0026logoColor=white\u0026color=2496ED)](https://github.com/PowerDNS-AuthAdmin/powerdns-authadmin/pkgs/container/powerdns-authadmin)\n[![GHCR image size](https://ghcr-badge.ngn.au/powerdns-authadmin/powerdns-authadmin/size?tag=latest\u0026label=image%20size\u0026color=%232ea44f)](https://github.com/PowerDNS-AuthAdmin/powerdns-authadmin/pkgs/container/powerdns-authadmin)\n\n[![Node.js 24](https://img.shields.io/badge/Node.js-24-339933?logo=node.js\u0026logoColor=white)](.nvmrc)\n[![Next.js 16](https://img.shields.io/badge/Next.js-16-000000?logo=next.js)](https://nextjs.org)\n[![TypeScript strict](https://img.shields.io/badge/TypeScript-strict-3178C6?logo=typescript\u0026logoColor=white)](tsconfig.json)\n\n**[Website](https://powerdns-authadmin.org/)** \n**[Live demo](https://demo.powerdns-authadmin.org/)** (sign in with `admin@example.com` / `change-me-now`)\n\nPowerDNS-AuthAdmin manages one or many PowerDNS Authoritative backends from a single web app. It\nships with a permissive RBAC engine, OIDC single sign-on with group→role mapping, transactional\nzone editing, NOTIFY-aware sync probes for cluster + primary/secondary topologies, an append-only\naudit log, scoped API tokens, and a YAML-driven first-boot provisioning system that brings up a\nready-to-use install without a single click.\n\n**PowerDNS Auth version compatibility tests:**\n\n[![PowerDNS 4.6](https://github.com/PowerDNS-AuthAdmin/powerdns-authadmin/actions/workflows/pdns-compat-46.yml/badge.svg)](https://github.com/PowerDNS-AuthAdmin/powerdns-authadmin/actions/workflows/pdns-compat-46.yml)\n[![PowerDNS 4.7](https://github.com/PowerDNS-AuthAdmin/powerdns-authadmin/actions/workflows/pdns-compat-47.yml/badge.svg)](https://github.com/PowerDNS-AuthAdmin/powerdns-authadmin/actions/workflows/pdns-compat-47.yml)\n[![PowerDNS 4.8](https://github.com/PowerDNS-AuthAdmin/powerdns-authadmin/actions/workflows/pdns-compat-48.yml/badge.svg)](https://github.com/PowerDNS-AuthAdmin/powerdns-authadmin/actions/workflows/pdns-compat-48.yml)\n[![PowerDNS 4.9](https://github.com/PowerDNS-AuthAdmin/powerdns-authadmin/actions/workflows/pdns-compat-49.yml/badge.svg)](https://github.com/PowerDNS-AuthAdmin/powerdns-authadmin/actions/workflows/pdns-compat-49.yml)\n[![PowerDNS 5.0](https://github.com/PowerDNS-AuthAdmin/powerdns-authadmin/actions/workflows/pdns-compat-50.yml/badge.svg)](https://github.com/PowerDNS-AuthAdmin/powerdns-authadmin/actions/workflows/pdns-compat-50.yml)\n\n## At a glance\n\n- **Multi-backend.** One install fronts standalone primaries, primary + secondaries groups, and\n multi-primary clusters. Backends are visible side-by-side; zones merge into one amalgamated\n list. Per-cluster peer-selection strategies (round-robin / random / lowest-latency / least-load)\n route reads and writes to a member of the cluster.\n- **Real RBAC.** Five system roles plus org-defined custom roles. Permissions span ~60 actions\n across zones, records, DNSSEC, TSIG, metadata, autoprimaries, templates, users, teams, servers,\n API tokens, audit, and OIDC providers. Assignments scope to global / team / zone / server.\n- **Auth.** Local accounts (Argon2id), generic OIDC with PKCE + per-provider group→role mapping,\n TOTP MFA (greyed out for SSO-only users - the IdP is the trust root), `pda_pat_` API tokens\n with per-token permission scopes.\n- **RP-initiated logout.** OIDC sessions sign you out at the IdP, not just locally; the\n `end_session_endpoint` + `id_token_hint` flow lands you on the IdP's signed-out screen.\n- **Zones + records.** Per-RRset editor with diff-before-apply, zone cloning, zone templates\n (NS + SOA timers + prelude records + zone-object settings + per-kind metadata), per-type\n record validators, optimistic concurrency at the RRset level.\n- **DNSSEC.** Cryptokey create / update / delete with per-key activity surfaced from the audit\n log. Zone metadata management with diff history.\n- **TSIG + autoprimaries.** Manage TSIG keys (read vs reveal split into separate permissions),\n configure autoprimary registrations.\n- **Cluster + sync.** A \"cluster\" is N writable PDNS peers behind a replicated store. Sync probe\n for primary+secondaries: compare every secondary's serial against the primary, record-for-record\n diff on demand. Sync probe for clusters: same UI shape, all peers compared against the\n highest-serial peer as anchor.\n- **Audit.** Append-only log of every write. Before/after JSONB snapshots redacted for known\n secret fields. Per-zone history feed with chip-coloured action types. Operator-driven export.\n- **Provisioning.** `provisioning.yaml` applied on first boot: settings, custom roles, teams,\n zone templates, PDNS clusters + servers, demo zones, OIDC providers (with group mappings).\n See [`provisioning.example.yaml`](./provisioning.example.yaml) for an exhaustive reference.\n- **Observability.** Pino structured logs (secret-redacted), Prometheus `/metrics`, `/healthz`\n liveness, `/readyz` readiness (gated on DB + migration version).\n- **Self-contained.** One Docker image, no CDN, no telemetry phone-home. Migrations run inside\n the app entrypoint; on Postgres they're serialized by an advisory lock so multi-replica boots\n are safe.\n\nThe full feature catalog with module-level docs is in [`docs/FEATURES.md`](./docs/FEATURES.md).\n\n## Screenshots\n\n**Dashboard** - live PowerDNS stats, active sessions, and operator-attention surfaces.\n\n\u003cpicture\u003e\n \u003csource media=\"(prefers-color-scheme: dark)\" srcset=\"screenshots/dark/dashboard.png\" /\u003e\n \u003cimg src=\"screenshots/light/dashboard.png\" alt=\"Dashboard\" /\u003e\n\u003c/picture\u003e\n\n\u003cbr\u003e\n\n**Multi-backend** - clusters, primary + secondaries groups, and standalone primaries side by side. Live sync state, drift advisories, and the dashboard PowerDNS-metrics tab are opt-in via [`PDNS_BACKGROUND_POLLING=true`](./docs/03-CONFIGURATION.md#pdns_background_polling) - recommended for replication topologies, off by default for standalone installs.\n\n\u003cpicture\u003e\n \u003csource media=\"(prefers-color-scheme: dark)\" srcset=\"screenshots/dark/powerdns-servers.png\" /\u003e\n \u003cimg src=\"screenshots/light/powerdns-servers.png\" alt=\"PowerDNS servers\" /\u003e\n\u003c/picture\u003e\n\n\u003cbr\u003e\n\n**Amalgamated zones** - every backend's zones in one searchable list with serial + per-row sync state.\n\n\u003cpicture\u003e\n \u003csource media=\"(prefers-color-scheme: dark)\" srcset=\"screenshots/dark/zones-list.png\" /\u003e\n \u003cimg src=\"screenshots/light/zones-list.png\" alt=\"Zones\" /\u003e\n\u003c/picture\u003e\n\n\u003cbr\u003e\n\n**Per-RRset editor** - per-type structured editors with inline validation.\n\n\u003cpicture\u003e\n \u003csource media=\"(prefers-color-scheme: dark)\" srcset=\"screenshots/dark/zone-edit.png\" /\u003e\n \u003cimg src=\"screenshots/light/zone-edit.png\" alt=\"Edit record dialog\" /\u003e\n\u003c/picture\u003e\n\n\u003cbr\u003e\n\n**Diff-before-apply** - every change previewed as a BIND-style before / after diff before it's written.\n\n\u003cpicture\u003e\n \u003csource media=\"(prefers-color-scheme: dark)\" srcset=\"screenshots/dark/zone-edit-diff.png\" /\u003e\n \u003cimg src=\"screenshots/light/zone-edit-diff.png\" alt=\"Review changes diff\" /\u003e\n\u003c/picture\u003e\n\n\u003cbr\u003e\n\n**Backend health** - bell-driven advisories for unreachable hosts, replication drift, missing TSIG keys, daemon-config drift.\n\n\u003cpicture\u003e\n \u003csource media=\"(prefers-color-scheme: dark)\" srcset=\"screenshots/dark/backend-health.png\" /\u003e\n \u003cimg src=\"screenshots/light/backend-health.png\" alt=\"Backend health alerts\" /\u003e\n\u003c/picture\u003e\n\n\u003cbr\u003e\n\n**Append-only audit log** - redacted before/after snapshots, per-row PDNS HTTP trail, CSV export.\n\n\u003cpicture\u003e\n \u003csource media=\"(prefers-color-scheme: dark)\" srcset=\"screenshots/dark/audit-log.png\" /\u003e\n \u003cimg src=\"screenshots/light/audit-log.png\" alt=\"Audit log\" /\u003e\n\u003c/picture\u003e\n\n### Mobile-first\n\nEvery page is responsive down to a phone viewport - the off-canvas hamburger\ndrawer, the bell + theme + avatar cluster, and the record table all reflow\ncleanly. Screenshots are rendered inside an iPhone 16 Pro bezel by\n[`scripts/screenshots.mjs`](./scripts/screenshots.mjs).\n\n\u003cp align=\"center\"\u003e\n \u003cpicture\u003e\n \u003csource media=\"(prefers-color-scheme: dark)\" srcset=\"screenshots/dark/dashboard-mobile.png\" /\u003e\n \u003cimg src=\"screenshots/light/dashboard-mobile.png\" alt=\"Dashboard on mobile\" width=\"260\" /\u003e\n \u003c/picture\u003e\n \u0026nbsp;\n \u003cpicture\u003e\n \u003csource media=\"(prefers-color-scheme: dark)\" srcset=\"screenshots/dark/zone-detail-mobile.png\" /\u003e\n \u003cimg src=\"screenshots/light/zone-detail-mobile.png\" alt=\"Zone detail on mobile\" width=\"260\" /\u003e\n \u003c/picture\u003e\n \u0026nbsp;\n \u003cpicture\u003e\n \u003csource media=\"(prefers-color-scheme: dark)\" srcset=\"screenshots/dark/audit-log-mobile.png\" /\u003e\n \u003cimg src=\"screenshots/light/audit-log-mobile.png\" alt=\"Audit log on mobile\" width=\"260\" /\u003e\n \u003c/picture\u003e\n\u003c/p\u003e\n\nFull gallery - every page, four variants:\n[**screenshots/README.md**](./screenshots/README.md).\n\n## Run it\n\nThe app ships as a single image - **[`ghcr.io/powerdns-authadmin/powerdns-authadmin`](https://github.com/PowerDNS-AuthAdmin/powerdns-authadmin/pkgs/container/powerdns-authadmin)**.\nIt runs on **SQLite** (single instance: homelab, eval, small teams) or **Postgres** (multi-instance,\nwrite-concurrent). Migrations and the system-role seed run automatically on boot.\n\n\u003e New here? The [Quickstart](./docs/01-QUICKSTART.md) gets you clicking around in ~2 minutes; the\n\u003e [Installation guide](./docs/02-INSTALLATION.md) covers a real production deploy.\n\n### Try it instantly - the minimal-demo stack\n\nA throwaway SQLite stack with a bundled PowerDNS and 10 pre-seeded demo zones:\n\n```sh\ngit clone https://github.com/PowerDNS-AuthAdmin/powerdns-authadmin.git\ncd powerdns-authadmin\ndocker compose up -d\n# → http://localhost:3000 (login: admin@example.com / change-me-now)\n```\n\n\u003e ⚠️ Demo only: it reads `.env.example` directly, which ships public throwaway secrets. Don't expose it.\n\n### Production\n\nFor a real deployment - SQLite or Postgres, TLS, backups, and the boot sequence -\nfollow the **[Installation guide](./docs/02-INSTALLATION.md)**. It's four copy-paste\nsteps and the canonical source of truth (the demo above is evaluation-only).\n\n\u003e Store `APP_SECRET_KEY` / `APP_ENCRYPTION_KEY` once in a persistent **`.env`** next to\n\u003e your compose file - **never** shell `export`s. Exports vanish when the shell closes, and\n\u003e a regenerated `APP_ENCRYPTION_KEY` makes every stored PowerDNS API key, OIDC secret, and\n\u003e MFA secret undecryptable. Generate once, back the `.env` up, never change them.\n\n### High availability (replicas \u003e 1)\n\nTo run more than one app replica, use **Postgres + Redis** and put a load balancer\nin front. Sessions are already shared (they live in Postgres); setting `REDIS_URL`\nmakes the three remaining per-process pieces - auth rate limiting, one-time reveal\ntokens, and the realtime SSE event bus - coordinate across replicas. Without Redis\nthose degrade to per-replica behaviour (looser rate limits, reveal tokens that only\nwork on their origin replica, live updates that don't cross replicas), so Redis is\n**required** past one replica. See [ADR-0016](./docs/adr/0016-redis-horizontal-scale.md).\n\n\u003e SQLite is single-instance only - a file-backed DB isn't shared storage. HA means\n\u003e Postgres. The boot log says so if it detects the combination.\n\n```yaml\n# docker-compose.ha.yml - Postgres + Redis, app fronted by your load balancer.\nservices:\n app:\n image: ghcr.io/powerdns-authadmin/powerdns-authadmin:latest\n restart: unless-stopped\n # No host port - your load balancer (nginx/Traefik/cloud LB) fronts the replicas.\n expose: [\"3000\"]\n depends_on:\n postgres: { condition: service_healthy }\n redis: { condition: service_healthy }\n environment:\n APP_URL: https://dns.example.com\n DATABASE_URL: postgres://pdns:${POSTGRES_PASSWORD}@postgres:5432/powerdns_authadmin\n REDIS_URL: redis://redis:6379 # ← enables cross-replica coordination\n APP_SECRET_KEY: ${APP_SECRET_KEY}\n APP_ENCRYPTION_KEY: ${APP_ENCRYPTION_KEY}\n BOOTSTRAP_ADMIN_EMAIL: admin@example.com\n BOOTSTRAP_ADMIN_PASSWORD: ${BOOTSTRAP_ADMIN_PASSWORD}\n # Plain compose: `docker compose -f docker-compose.ha.yml up -d --scale app=3`.\n # Swarm / k8s: set replicas in your orchestrator instead.\n deploy:\n replicas: 3\n postgres:\n image: postgres:16-alpine\n restart: unless-stopped\n environment:\n POSTGRES_USER: pdns\n POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}\n POSTGRES_DB: powerdns_authadmin\n volumes: [\"pg-data:/var/lib/postgresql/data\"]\n healthcheck:\n test: [\"CMD-SHELL\", \"pg_isready -U pdns -d powerdns_authadmin\"]\n interval: 5s\n timeout: 5s\n retries: 10\n redis:\n image: redis:7-alpine\n restart: unless-stopped\n command: [\"redis-server\", \"--save\", \"\", \"--appendonly\", \"no\"]\n healthcheck:\n test: [\"CMD\", \"redis-cli\", \"ping\"]\n interval: 5s\n timeout: 3s\n retries: 10\nvolumes:\n pg-data:\n```\n\n\u003e Migrations are serialized across replica boots by a Postgres advisory lock\n\u003e (ADR-0011), so starting N replicas at once is safe - only one applies migrations.\n\u003e Redis here is a coordination cache, not a datastore: persistence is off\n\u003e (`--save \"\" --appendonly no`) because nothing it holds needs to survive a restart.\n\n### Configuration\n\nEvery variable is documented in [`.env.example`](./.env.example). The essentials:\n\n| Variable | Required | What |\n| ---------------------------------------------------- | ----------- | ---------------------------------------------------------------------- |\n| `APP_URL` | ✅ | Public URL the app is served from, no trailing slash. |\n| `APP_SECRET_KEY` | ✅ | Session / CSRF / token HMAC secret. `openssl rand -base64 32`. |\n| `APP_ENCRYPTION_KEY` | ✅ | AES-256 key (base64, decodes to ≥32 bytes). `openssl rand -base64 32`. |\n| `DATABASE_URL` | ✅ | `file:/data/powerdns_authadmin.db` (SQLite) or `postgres://…`. |\n| `REDIS_URL` | optional | Enables cross-replica coordination - **required** for replicas \u003e 1. |\n| `BOOTSTRAP_ADMIN_EMAIL` / `_PASSWORD` | ⭐ | First SuperAdmin (password ≥12 chars). |\n| `OIDC_*` | optional | SSO - or add providers in the UI instead. |\n| `SMTP_*` | optional | Transactional email (verify-email, password reset). |\n| `APP_PDNS_ALLOW_PRIVATE_NETWORKS` / `_INSECURE_HTTP` | situational | Allow internal-network / `http://` PDNS backends. |\n| `APP_OIDC_ALLOW_PRIVATE_NETWORKS` / `_INSECURE_HTTP` | situational | Allow internal-network / `http://` OIDC issuers (SSRF guard). |\n\nFull reference with every variable: **[Configuration](./docs/03-CONFIGURATION.md)**. For SSO setup\n(env vs provisioning vs UI), see **[OIDC single sign-on](./docs/05-OIDC.md)**.\n\n### Advanced topologies\n\nTo see a primary + secondaries group or a multi-primary cluster wired up end-to-end (Postgres-backed,\nall official PowerDNS images), use the topology compose files:\n[`docker-compose-combined.yml`](./docker-compose-combined.yml),\n[`docker-compose-primary-secondaries.yml`](./docker-compose-primary-secondaries.yml),\n[`docker-compose-multi-primary.yml`](./docker-compose-multi-primary.yml).\n\n### Local development\n\n```sh\nnvm use \u0026\u0026 npm ci # Node 24 from .nvmrc\ncp .env.example .env.local # set APP_SECRET_KEY + APP_ENCRYPTION_KEY\ndocker compose up pdns -d # a local PowerDNS to talk to\nnpm run dev # http://localhost:3000\nnpm run validate # lint + typecheck + format + test\n```\n\nFull workflow + troubleshooting in [`docs/dev-setup.md`](./docs/dev-setup.md).\n\n## Documentation\n\nFull guides live in **[`docs/`](./docs/)** - start at the\n[documentation index](./docs/README.md).\n\n| Guide | Purpose |\n| ----------------------------------------------------- | ---------------------------------------------------------------- |\n| [Quickstart](./docs/01-QUICKSTART.md) | Run the demo stack end-to-end in ~2 minutes. |\n| [Installation](./docs/02-INSTALLATION.md) | Production install - SQLite or Postgres, TLS, backups, upgrades. |\n| [Configuration](./docs/03-CONFIGURATION.md) | Every environment variable, grouped and explained. |\n| [Connecting PowerDNS backends](./docs/04-BACKENDS.md) | Primaries, secondaries, and multi-primary clusters. |\n| [OIDC single sign-on](./docs/05-OIDC.md) | SSO with group → role mapping (env vs provisioning vs UI). |\n| [First-boot provisioning](./docs/06-PROVISIONING.md) | Bring up a configured install from one YAML file. |\n| [Roles \u0026 permissions (RBAC)](./docs/07-RBAC.md) | Roles, the permission vocabulary, and scopes. |\n| [Hardening \u0026 best practices](./docs/08-HARDENING.md) | Lock down a production deployment. |\n| [Upgrading](./docs/09-UPGRADING.md) | Move to a new version safely. |\n| [Troubleshooting](./docs/10-TROUBLESHOOTING.md) | Fix startup errors and backend connectivity. |\n\n### Reference\n\n| Doc | Purpose |\n| ---------------------------------------------------------- | -------------------------------------------------------------------- |\n| [`docs/FEATURES.md`](./docs/FEATURES.md) | The full feature catalog with module pointers. |\n| [`docs/dev-setup.md`](./docs/dev-setup.md) | Local development workflow. |\n| [`docs/adr/`](./docs/adr/) | Architecture Decision Records - why the codebase is shaped this way. |\n| [`provisioning.example.yaml`](./provisioning.example.yaml) | Exhaustive provisioning reference. |\n| [`.env.example`](./.env.example) | Documented environment variables. |\n| [`CONTRIBUTING.md`](./CONTRIBUTING.md) | Code standards, testing, security, perf budgets. |\n| [`SECURITY.md`](./SECURITY.md) | Vulnerability reporting policy. |\n| [`CLAUDE.md`](./CLAUDE.md) | Guidance for AI coding agents working on this repo. |\n\n## Status\n\n**Production-ready.** Deploy on SQLite or Postgres with the published image; see\n[Run it](#run-it). Released versions and changes are in\n[`CHANGELOG.md`](./CHANGELOG.md); the roadmap is tracked in GitHub issues -\ncontributions welcome, read [`CONTRIBUTING.md`](./CONTRIBUTING.md) first.\n\n## License\n\n[![License: MIT](https://img.shields.io/github/license/PowerDNS-AuthAdmin/powerdns-authadmin)](./LICENSE)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpowerdns-authadmin%2Fpowerdns-authadmin","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpowerdns-authadmin%2Fpowerdns-authadmin","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpowerdns-authadmin%2Fpowerdns-authadmin/lists"}