diff --git a/nix-system-configs/modules/system/traefik.nix b/nix-system-configs/modules/system/traefik.nix
index 3d5cded..4406d02 100644
--- a/nix-system-configs/modules/system/traefik.nix
+++ b/nix-system-configs/modules/system/traefik.nix
@@ -195,6 +195,17 @@ in {
         ];
 
         http.routers = {
+          # Route the bare root (/) directly to the backend so the app's
+          # initial redirect to /en/ happens before Anubis protection is applied.
+          # This avoids Anubis capturing a root request and emitting a null redir.
+          partdb-root = {
+            rule = "Host(`partdb.prg-radio.org`) && Path(`/`)";
+            service = "partdb-direct";
+            entryPoints = ["websecure"];
+            tls = {};
+            priority = 200; # ensure this matches before the protected router
+          };
+
           #anubis-api = {
           #  rule = "Host(`anubis.prg-radio.org`) && PathPrefix(`/.within.website/x/cmd/anubis/api`)";
           #  service = "anubis";
@@ -245,6 +256,12 @@ in {
         };
 
         http.services = {
+          # Direct backend service (used only for the root path bypass)
+          partdb-direct.loadBalancer = {
+            servers = [ { url = "http://10.1.1.249:8087"; } ];
+            passHostHeader = true;
+          };
+
           # Anubis service (challenge UI / redirect endpoint)
           anubis.loadBalancer = {
             servers = [