diff --git a/nix-system-configs/modules/system/traefik.nix b/nix-system-configs/modules/system/traefik.nix
index 13e4e8e..4cca408 100644
--- a/nix-system-configs/modules/system/traefik.nix
+++ b/nix-system-configs/modules/system/traefik.nix
@@ -64,7 +64,8 @@ in {
 PUBLIC_URL = "https://anubis.prg-radio.org";
 # Cookie domain for proper scoping (leading dot for all subdomains)
- COOKIE_DOMAIN = ".prg-radio.org";
+ # Use bare domain (no leading dot) for consistent modern browser behavior
+ COOKIE_DOMAIN = "prg-radio.org";
 # Difficulty level
 DIFFICULTY = 7;
@@ -119,6 +120,10 @@ in {
 BIND_NETWORK = "tcp";
 BIND = "127.0.0.1:8094";
 TARGET = "http://10.1.1.249:8087"; # PartDB backend
+ # When running Anubis in reverse-proxy (inline) mode we must tell
+ # the instance the public URL it serves so redirects and assets use
+ # the protected host instead of the central anubis host.
+ PUBLIC_URL = "https://partdb.prg-radio.org";
 DIFFICULTY = 20;
 SERVE_ROBOTS_TXT = true;
 WEBMASTER_EMAIL = "dtu.prg@gmail.com";
@@ -265,9 +270,13 @@ in {
 };
 partdb.loadBalancer = {
+ # Route PartDB through the local Anubis reverse-proxy instance so the
+ # challenge page and cookies are served inline on the same origin.
 servers = [
- {url = "http://10.1.1.249:8087";}
+ {url = "http://127.0.0.1:8094";}
 ];
+ # Ensure Traefik forwards the original Host header to Anubis (and
+ # ultimately to the backend) so absolute links and redirects are correct.
 passHostHeader = true;
 };
 };
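Review bot: The new comment on `COOKIE_DOMAIN` reads as if dropping the leading dot changes the cookie's scope, but under RFC 6265 a Domain attribute covers the named host and all of its subdomains with or without the dot. The Anubis cookie is therefore still sent to every host under `prg-radio.org`, which the removed comment stated and the new one no longer does. I would write `# Domain attribute: cookie is sent to prg-radio.org and every subdomain (a leading dot is ignored per RFC 6265)`. If the intent was to confine the cookie to one host, this value does not do that. The attribute set this line belongs to starts and ends outside the hunk.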
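Review bot: The added `PUBLIC_URL` comment is about redirects, but nothing visible in this hunk limits which hosts the instance may redirect to after a passed challenge. Anubis has a `REDIRECT_DOMAINS` setting for that. If it is not already set in the part of this attribute set that lies outside the hunk, I would add `REDIRECT_DOMAINS = "partdb.prg-radio.org";` next to `PUBLIC_URL`. That matters more here because the cookie domain in the first hunk spans every subdomain.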
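Review bot: Pointing the `partdb` service at `127.0.0.1:8094` enforces the challenge only for traffic that arrives through Traefik. The backend at `http://10.1.1.249:8087` (the removed URL, still the Anubis `TARGET` in the second hunk) stays reachable over plain HTTP by anything that can route to it. Nothing in this diff shows a restriction, so I would record the requirement beside `servers`, e.g. `# 10.1.1.249:8087 must accept connections only from this proxy host; direct access bypasses Anubis`, and confirm the firewall rule exists. `passHostHeader = true` is already Traefik's default, so the second added comment documents existing behaviour rather than changing it.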