Every edge in atomic agreement. Verified.
One file or command declares what's public → edge allowlist + split-horizon internal/public DNS, default-deny, with plan/apply preview.
What it is
Crenel is a command-line tool that controls what your self-hosted reverse proxy lets the outside world reach. Instead of editing config files by hand and hoping, you say "expose my photos app" or "stop exposing it" — Crenel reads what's actually live right now, shows you exactly what will change (loudly flagging anything about to become public), applies it across every edge and DNS provider as one all-or-nothing step, then re-reads the live system to prove the change landed. Nothing is reachable unless you explicitly opened it.
A crenel is the gap in a castle's battlement — the deliberate opening you choose to expose. The wall is solid by default; you cut the gaps.
What sets it apart
Crenel doesn't replace your stack — it makes the tools you already run (Caddy / Traefik / nginx, AdGuard, Cloudflare, Tailscale) work better together. A control plane, not another proxy or tunnel.
- One change, not four edits. Exposing a service today means hand-editing your reverse proxy, internal DNS, public DNS, and overlay separately — and hoping they agree. With Crenel it's one declared change, expose/unexpose, with a plan/apply preview of every edit before it happens. Default-deny: nothing is public unless you said so.
- Built for multi-edge. A home proxy + a lean VPS edge + an overlay + split-horizon DNS is exactly where hand-kept configs drift and leak. Crenel keeps every edge in atomic agreement: a service is exposed correctly across all of them, or not at all. And it reads live state — there's nothing stored to drift.
- Never guessing. `audit` and `drift` show exactly what's exposed right now, and exit non-zero when reality disagrees — provable from cron, not vibes.
Why not the alternatives
- By hand — several independent edits that fail silently: a wildcard left open, a forgotten auth gate, two resolvers quietly disagreeing. Nothing errors; you find out later.
- Declarative IaC — a stored desired state that drifts the moment anything else touches the live system, and "apply succeeded" is not proof the edge serves what the plan said.
- Tunnel appliances — coherence by replacing your stack. No help for the Caddy / Traefik / nginx + DNS setup you already run.
- Crenel — drives the stack you already have, treats the live edge as the only source of truth, applies atomically, verifies by re-reading. Remove it tomorrow and everything keeps running.
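The plan/apply/verify loop that the two lists above describe (read live state from every edge, preview the diff with anything about to become public called out, write to all edges or none, then prove the result by re-reading) can be modelled in a few dozen lines. The following is an added example written for this page, not Crenel's source and not its API; the `Edge` interface, the in-memory `memEdge`, and the hostnames are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Edge is one place a hostname can be made reachable: a reverse proxy, an
// internal or public DNS zone, an overlay. Hypothetical model, not Crenel's API.
type Edge interface {
	Name() string
	Read() (map[string]bool, error) // live exposed hostnames; an error means "unknown"
	Apply(exposed map[string]bool) error
}

// memEdge is a constructed in-memory edge so the example runs offline.
type memEdge struct {
	name       string
	live       map[string]bool
	unreadable bool // simulates config the tool cannot fully parse
	failApply  bool // simulates a write the edge rejects
}

func (e *memEdge) Name() string { return e.name }

func (e *memEdge) Read() (map[string]bool, error) {
	if e.unreadable {
		return nil, errors.New("config not fully parseable")
	}
	out := map[string]bool{}
	for h := range e.live {
		out[h] = true
	}
	return out, nil
}

func (e *memEdge) Apply(exposed map[string]bool) error {
	if e.failApply {
		return errors.New("edge rejected the write")
	}
	e.live = map[string]bool{}
	for h := range exposed {
		e.live[h] = true
	}
	return nil
}

// Change is one line of the plan preview. Action "expose" is the one a reviewer
// must notice: after apply, that host is reachable from outside.
type Change struct{ Edge, Host, Action string }

func toSet(hosts []string) map[string]bool {
	s := map[string]bool{}
	for _, h := range hosts {
		s[h] = true
	}
	return s
}

// Plan reads the live state of every edge and diffs it against the declared
// allowlist. Default-deny: a host that is live but not declared is scheduled for
// removal. An edge whose state cannot be read aborts the plan instead of being
// treated as empty.
func Plan(edges []Edge, declared []string) ([]Change, error) {
	want := toSet(declared)
	var changes []Change
	for _, e := range edges {
		live, err := e.Read()
		if err != nil {
			return nil, fmt.Errorf("%s: state unknown (%v), refusing to guess", e.Name(), err)
		}
		for h := range want {
			if !live[h] {
				changes = append(changes, Change{e.Name(), h, "expose"})
			}
		}
		for h := range live {
			if !want[h] {
				changes = append(changes, Change{e.Name(), h, "unexpose"})
			}
		}
	}
	sort.Slice(changes, func(i, j int) bool {
		a, b := changes[i], changes[j]
		return a.Edge+"/"+a.Host+"/"+a.Action < b.Edge+"/"+b.Host+"/"+b.Action
	})
	return changes, nil
}

// Apply writes the declared set to every edge as one step: a snapshot is taken
// first, and if any edge rejects the write the edges already written are restored
// from it, so they all agree or are all left as they were. The outcome is then
// proven by re-reading rather than inferred from "apply succeeded".
func Apply(edges []Edge, declared []string) error {
	snap := map[string]map[string]bool{}
	for _, e := range edges {
		live, err := e.Read()
		if err != nil {
			return fmt.Errorf("%s: state unknown (%v), nothing written", e.Name(), err)
		}
		snap[e.Name()] = live
	}
	want := toSet(declared)
	for i, e := range edges {
		if err := e.Apply(want); err != nil {
			for _, done := range edges[:i] {
				_ = done.Apply(snap[done.Name()]) // best-effort restore; Verify reports what actually landed
			}
			return fmt.Errorf("%s: %v, rolled back", e.Name(), err)
		}
	}
	return Verify(edges, declared)
}

// Verify re-reads every edge and reports any disagreement with the declared
// allowlist. Mapping a non-nil result to a non-zero exit gives a cron job the
// kind of check the `audit`/`drift` commands above are described as providing.
func Verify(edges []Edge, declared []string) error {
	changes, err := Plan(edges, declared)
	if err != nil {
		return err
	}
	if len(changes) > 0 {
		return fmt.Errorf("drift: %d pending change(s), first: %+v", len(changes), changes[0])
	}
	return nil
}

func main() {
	// Constructed sample: the home proxy still serves an admin panel nobody declared.
	edges := []Edge{
		&memEdge{name: "home-caddy", live: map[string]bool{"photos.example": true, "admin.example": true}},
		&memEdge{name: "public-dns", live: map[string]bool{"photos.example": true}},
	}
	declared := []string{"photos.example"}
	changes, _ := Plan(edges, declared)
	fmt.Println("plan:", changes) // [{home-caddy admin.example unexpose}]
	if err := Apply(edges, declared); err != nil {
		fmt.Println("apply failed:", err)
		return
	}
	fmt.Println("verified: every edge agrees with the declared allowlist")
}
```

Two design points worth noticing: an unreadable edge makes `Plan` fail rather than appear empty, because an empty read would otherwise plan to "unexpose" nothing and hide a live exposure; and `Apply` ends by calling `Verify`, so success means the re-read matched the declaration, not merely that every write returned without error.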
Install
# Go 1.22+ · standard library only, zero dependencies
$ go install github.com/crenelhq/crenel/cmd/crenel@latest
# or batteries-included: default-deny Caddy edge + Crenel + demo, one command
$ git clone https://github.com/crenelhq/crenel && cd crenel/bundle && docker compose up -d
Proof, not promises
Default-deny is structural, every mutation is read-back-verified, and anything Crenel can't fully parse is declared unknown — never guessed. The claims are exercised against real production edges, recorded byte-for-byte, and the tests are hermetic (~500 test functions, race-clean, zero real infra). Read the plain-English explainer or the audit package.
Source
github.com/crenelhq/crenel — Apache-2.0, open-core, no VC.