Every edge in atomic agreement. Verified.

One file or command declares what's public → edge allowlist + split-horizon internal/public DNS, default-deny, with plan/apply preview.

What it is

Crenel is a command-line tool that controls what your self-hosted reverse proxy lets the outside world reach. Instead of editing config files by hand and hoping, you say "expose my photos app" or "stop exposing it" — Crenel reads what's actually live right now, shows you exactly what will change (loudly flagging anything about to become public), applies it across every edge and DNS provider as one all-or-nothing step, then re-reads the live system to prove the change landed. Nothing is reachable unless you explicitly opened it.

A crenel is the gap in a castle's battlement — the deliberate opening you choose to expose. The wall is solid by default; you cut the gaps.

What sets it apart

Crenel doesn't replace your stack — it makes the tools you already run (Caddy / Traefik / nginx, AdGuard, Cloudflare, Tailscale) work better together. A control plane, not another proxy or tunnel.

Why not the alternatives

Install

# Go 1.22+ · standard library only, zero dependencies
$ go install github.com/crenelhq/crenel/cmd/crenel@latest

# or batteries-included: default-deny Caddy edge + Crenel + demo, one command
$ git clone https://github.com/crenelhq/crenel && cd crenel/bundle && docker compose up -d

Proof, not promises

Default-deny is structural, every mutation is read-back-verified, and anything Crenel can't fully parse is declared unknown — never guessed. The claims are exercised against real production edges, recorded byte-for-byte, and the tests are hermetic (~500 test functions, race-clean, zero real infra). Read the plain-English explainer or the audit package.
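The read, plan, apply, read-back loop described under "What it is", together with the default-deny and read-back-verified claims above, as an added Go example; it is not Crenel's code or API. Edge, Missing, ApplyAll, the Fail switch and the example.test hosts are hypothetical names and constructed data, and the edges are in-memory stand-ins for real proxies and DNS providers.

```go
package main

import "fmt"

// Edge is a hypothetical stand-in for one proxy or DNS provider.
type Edge struct {
	Name   string
	Public map[string]bool // hosts reachable from outside; absent means denied
	Fail   bool            // constructed fault: the write silently does not land
}

// Missing returns hosts public in b that a lacks: Missing(live, want) is what
// is about to become public, Missing(want, live) what is about to be closed.
func Missing(a, b map[string]bool) (out []string) {
	for h, pub := range b {
		if pub && !a[h] {
			out = append(out, h)
		}
	}
	return out
}

// ApplyAll moves every edge to want, or none: a read-back mismatch restores all.
func ApplyAll(edges []*Edge, want map[string]bool) error {
	snap := make([]map[string]bool, len(edges))
	for i, e := range edges {
		snap[i] = e.Public
	}
	for _, e := range edges {
		if !e.Fail {
			e.Public = want // stand-in for the real write to the edge
		}
		if len(Missing(e.Public, want))+len(Missing(want, e.Public)) > 0 {
			for i, r := range edges {
				r.Public = snap[i]
			}
			return fmt.Errorf("%s: read-back mismatch, rolled back", e.Name)
		}
	}
	return nil
}

func main() {
	live := map[string]bool{"wiki.example.test": true} // constructed state
	want := map[string]bool{"wiki.example.test": true, "photos.example.test": true}
	fmt.Println("WILL BECOME PUBLIC:", Missing(live, want))
	edges := []*Edge{{Name: "caddy", Public: live}, {Name: "dns", Public: live, Fail: true}}
	fmt.Println(ApplyAll(edges, want), len(edges[0].Public))
}
```

The second edge accepts the write without changing state, so only the read-back comparison catches it, and the first edge is rolled back to its single public host.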

Source

github.com/crenelhq/crenel — Apache-2.0, open-core, no VC.