Updates

Author: aritchie

astro.config.mjs

@@ -364,6 +364,14 @@ export default defineConfig({
                   { label: 'Client', link: 'aspire/orleans/client' }
                 ]
               },
+              {
+                label: 'Gluetun VPN',
+                items:[
+                  { label: 'Getting Started', link: 'aspire/gluetun/' },
+                  { label: 'Configuration', link: 'aspire/gluetun/configuration' },
+                  { label: 'Container Routing', link: 'aspire/gluetun/routing' }
+                ]
+              },
               { label: 'Release Notes', link: 'aspire/release-notes' }
             ]
           }

src/content/docs/aspire/gluetun/configuration.mdx

@@ -0,0 +1,97 @@
+---
+title: Configuration
+description: VPN provider, server selection, proxy, and firewall configuration for Gluetun
+---
+import NugetBadge from '/src/components/NugetBadge.tsx';
+
+<NugetBadge name="Shiny.Aspire.Hosting.Gluetun" showLabel={true} />
+
+## VPN Provider
+
+Every Gluetun setup requires a VPN service provider:
+
+```csharp
+var vpn = builder.AddGluetun("vpn")
+    .WithVpnProvider("mullvad");
+```
+
+See the [Gluetun wiki](https://github.com/qdm12/gluetun-wiki) for the full list of supported providers.
+
+## VPN Protocol
+
+### WireGuard
+
+```csharp
+// String key (for development/testing)
+vpn.WithWireGuard("my-private-key");
+
+// Aspire parameter resource (recommended for secrets)
+vpn.WithWireGuard(builder.AddParameter("wireguard-key", secret: true));
+```
+
+Sets `VPN_TYPE=wireguard` and `WIREGUARD_PRIVATE_KEY`.
+
+### OpenVPN
+
+```csharp
+// String credentials (for development/testing)
+vpn.WithOpenVpn("username", "password");
+
+// Aspire parameter resources (recommended for secrets)
+vpn.WithOpenVpn(
+    builder.AddParameter("openvpn-user"),
+    builder.AddParameter("openvpn-pass", secret: true));
+```
+
+Sets `VPN_TYPE=openvpn`, `OPENVPN_USER`, and `OPENVPN_PASSWORD`.
+
+## Server Selection
+
+```csharp
+vpn.WithServerCountries("US", "Canada", "Germany");
+vpn.WithServerCities("New York", "Toronto");
+```
+
+Values are comma-joined and set as `SERVER_COUNTRIES` / `SERVER_CITIES` environment variables.
+
+## Proxy Features
+
+Gluetun includes built-in HTTP and Shadowsocks proxies:
+
+```csharp
+vpn.WithHttpProxy();           // HTTPPROXY=on
+vpn.WithHttpProxy(false);      // HTTPPROXY=off
+vpn.WithShadowsocks();         // SHADOWSOCKS=on
+vpn.WithShadowsocks(false);    // SHADOWSOCKS=off
+```
+
+To expose the proxy ports, pass them when creating the resource:
+
+```csharp
+var vpn = builder.AddGluetun("vpn", httpProxyPort: 8888, shadowsocksPort: 8388)
+    .WithHttpProxy()
+    .WithShadowsocks();
+```
+
+## Network & Firewall
+
+```csharp
+vpn.WithFirewallOutboundSubnets("10.0.0.0/8", "192.168.0.0/16");
+vpn.WithTimezone("America/New_York");
+```
+
+`WithFirewallOutboundSubnets` sets `FIREWALL_OUTBOUND_SUBNETS`, useful for allowing traffic to local network resources outside the VPN tunnel.
+
+## Generic Environment Variables
+
+For any Gluetun environment variable not covered by the typed methods:
+
+```csharp
+// String value
+vpn.WithGluetunEnvironment("DNS_ADDRESS", "1.1.1.1");
+
+// Aspire parameter resource
+vpn.WithGluetunEnvironment("UPDATER_PERIOD", builder.AddParameter("updater-period"));
+```
+
+This is useful for provider-specific settings. See the [Gluetun wiki](https://github.com/qdm12/gluetun-wiki) for the full list of environment variables.

src/content/docs/aspire/gluetun/index.mdx

@@ -0,0 +1,67 @@
+---
+title: Getting Started
+description: Aspire hosting integration for Gluetun VPN containers
+---
+import NugetBadge from '/src/components/NugetBadge.tsx';
+import { Steps } from '@astrojs/starlight/components';
+
+Aspire hosting integration for [Gluetun](https://github.com/qdm12/gluetun), a lightweight VPN client container supporting 30+ providers. Models Gluetun as a first-class Aspire resource and lets other containers route their traffic through the VPN tunnel.
+
+- [GitHub Repository](https://github.com/shinyorg/aspire)
+- [Gluetun Wiki](https://github.com/qdm12/gluetun-wiki)
+
+## Package
+
+| Package | NuGet |
+|---|---|
+| Aspire AppHost | <NugetBadge name="Shiny.Aspire.Hosting.Gluetun" showLabel={true} /> |
+
+## Features
+
+- **First-class Aspire resource** — Gluetun VPN container with `NET_ADMIN` capability and `/dev/net/tun` device access
+- **Container routing** — route any container's traffic through the VPN with a single method call
+- **VPN provider support** — typed configuration for OpenVPN and WireGuard, with support for any Gluetun environment variable
+- **Aspire parameter integration** — use `ParameterResource` for secrets (private keys, passwords)
+- **Docker Compose publish** — routed containers automatically get `network_mode: "service:<vpn>"` and their ports are transferred to the Gluetun service
+
+## Quick Start
+
+<Steps>
+1. Install the package into your AppHost project
+
+   <NugetBadge name="Shiny.Aspire.Hosting.Gluetun" showLabel={true} />
+
+2. Add a Gluetun VPN container and route other containers through it
+
+   ```csharp
+   var builder = DistributedApplication.CreateBuilder(args);
+
+   var vpn = builder.AddGluetun("vpn")
+       .WithVpnProvider("mullvad")
+       .WithWireGuard(builder.AddParameter("wireguard-key", secret: true))
+       .WithServerCountries("US", "Canada");
+
+   var scraper = builder.AddContainer("scraper", "my-scraper")
+       .WithHttpEndpoint(targetPort: 8080);
+
+   vpn.WithRoutedContainer(scraper);
+
+   builder.Build().Run();
+   ```
+</Steps>
+
+## AI Coding Assistant
+
+An AI skill is available for Shiny Aspire Gluetun to help configure AppHost and VPN routing directly in your IDE.
+
+**Claude Code**
+```bash
+claude plugin add github:shinyorg/skills
+```
+
+**GitHub Copilot** — Copy the [shiny-aspire](https://github.com/shinyorg/skills/blob/main/skills/shiny-aspire/SKILL.md) skill file into your repository's [custom instructions](https://docs.github.com/en/copilot/customizing-copilot/adding-repository-custom-instructions).
+
+## Requirements
+
+- .NET 10
+- .NET Aspire 13.1+

src/content/docs/aspire/gluetun/routing.mdx

@@ -0,0 +1,67 @@
+---
+title: Container Routing
+description: Route container traffic through the Gluetun VPN tunnel
+---
+import NugetBadge from '/src/components/NugetBadge.tsx';
+
+<NugetBadge name="Shiny.Aspire.Hosting.Gluetun" showLabel={true} />
+
+## Routing Containers Through the VPN
+
+Use `WithRoutedContainer` to send a container's traffic through the Gluetun VPN tunnel:
+
+```csharp
+var vpn = builder.AddGluetun("vpn")
+    .WithVpnProvider("mullvad")
+    .WithWireGuard(builder.AddParameter("wireguard-key", secret: true));
+
+var scraper = builder.AddContainer("scraper", "my-scraper")
+    .WithHttpEndpoint(targetPort: 8080);
+
+var downloader = builder.AddContainer("downloader", "my-downloader")
+    .WithHttpEndpoint(targetPort: 9090);
+
+vpn.WithRoutedContainer(scraper);
+vpn.WithRoutedContainer(downloader);
+```
+
+You can route multiple containers through the same VPN.
+
+## What Happens
+
+Each `WithRoutedContainer` call:
+
+1. Adds a `GluetunRoutedResourceAnnotation` to the Gluetun resource
+2. Sets `--network container:<vpn-name>` runtime args on the routed container, so at runtime the container shares the Gluetun network namespace
+3. On Docker Compose publish, sets `network_mode: "service:<vpn-name>"` on the routed container and transfers its port mappings to the Gluetun service
+
+## Docker Compose Output
+
+When you publish as Docker Compose, the generated output handles networking and port forwarding automatically:
+
+```yaml
+services:
+  vpn:
+    image: qmcgaw/gluetun:latest
+    cap_add:
+      - NET_ADMIN
+    devices:
+      - /dev/net/tun
+    environment:
+      - VPN_SERVICE_PROVIDER=mullvad
+      - VPN_TYPE=wireguard
+      - WIREGUARD_PRIVATE_KEY=${wireguard-key}
+    ports:
+      - "8080:8080"    # forwarded from scraper
+      - "9090:9090"    # forwarded from downloader
+  scraper:
+    image: my-scraper
+    network_mode: "service:vpn"
+    # ports moved to vpn service
+  downloader:
+    image: my-downloader
+    network_mode: "service:vpn"
+    # ports moved to vpn service
+```
+
+Containers using `network_mode: "service:vpn"` share the Gluetun network stack. Since they no longer have their own network namespace, their ports must be exposed on the Gluetun container instead — this transfer is handled automatically.

src/content/docs/aspire/orleans/index.mdx

@@ -109,7 +109,7 @@ An AI skill is available for Shiny Aspire Orleans to help configure AppHost, Sil
 claude plugin add github:shinyorg/skills
 ```
 
-**GitHub Copilot** — Copy the [shiny-aspire-orleans](https://github.com/shinyorg/skills/blob/main/skills/shiny-aspire-orleans/SKILL.md) skill file into your repository's [custom instructions](https://docs.github.com/en/copilot/customizing-copilot/adding-repository-custom-instructions).
+**GitHub Copilot** — Copy the [shiny-aspire](https://github.com/shinyorg/skills/blob/main/skills/shiny-aspire/SKILL.md) skill file into your repository's [custom instructions](https://docs.github.com/en/copilot/customizing-copilot/adding-repository-custom-instructions).
 
 ## Requirements
 

src/content/docs/aspire/release-notes.mdx

@@ -5,9 +5,17 @@ tableOfContents: true
 
 import RN from '/src/components/ReleaseNote.astro';
 
-## Orleans
+## 1.0.0 - TBD
 
-### 1.0.0 - February 25, 2026
+### Gluetun VPN
+<RN type="feature" repo="aspire">Gluetun VPN container as a first-class Aspire resource via `AddGluetun`</RN>
+<RN type="feature" repo="aspire">Route container traffic through the VPN via `WithRoutedContainer`</RN>
+<RN type="feature" repo="aspire">Typed configuration for OpenVPN and WireGuard with `ParameterResource` support for secrets</RN>
+<RN type="feature" repo="aspire">VPN provider, server country/city, proxy, and firewall configuration</RN>
+<RN type="feature" repo="aspire">Docker Compose publish support with automatic `network_mode` and port transfer</RN>
+<RN type="feature" repo="aspire">Generic environment variable passthrough via `WithGluetunEnvironment`</RN>
+
+### Orleans
 <RN type="feature" repo="aspire">Automatic Orleans database schema provisioning from Aspire AppHost via `WithDatabaseSetup`</RN>
 <RN type="feature" repo="aspire">Orleans silo ADO.NET configuration via `UseOrleansWithAdoNet`</RN>
 <RN type="feature" repo="aspire">Orleans client ADO.NET clustering via `UseOrleansClientWithAdoNet`</RN>

src/content/docs/index.mdx

@@ -99,7 +99,9 @@ import allanImg from '/src/assets/allanritchie.jpg';
 
     **Orleans** — Simplified Orleans hosting for Aspire with streamlined AppHost configuration, Silo setup, and client wiring. Get a fully orchestrated Orleans cluster running in your Aspire app with minimal code.
 
-    [Get Started](/aspire/orleans/)
+    **Gluetun VPN** — Model a [Gluetun](https://github.com/qdm12/gluetun) VPN container as a first-class Aspire resource. Route other containers through the VPN tunnel with a single method call, with full Docker Compose publish support.
+
+    [Orleans](/aspire/orleans/) · [Gluetun VPN](/aspire/gluetun/)
 </Card>
 </CardGrid>
 
@@ -129,7 +131,7 @@ claude plugin add github:shinyorg/skills
 | [shiny-reflector](https://github.com/shinyorg/skills/blob/main/skills/shiny-reflector/SKILL.md) | [Reflector](/extensions/reflector) | Source-generated reflection, assembly info, JSON serialization |
 | [shiny-extensions](https://github.com/shinyorg/skills/blob/main/skills/shiny-extensions/SKILL.md) | [DI](/extensions/di) · [Stores](/extensions/stores) | Attribute-driven DI registration, key/value stores |
 | [localizegen](https://github.com/shinyorg/skills/blob/main/skills/localizegen/SKILL.md) | [Localization Generator](/extensions/localizegen) | Strongly-typed localization from .resx files |
-| [shiny-aspire-orleans](https://github.com/shinyorg/skills/blob/main/skills/shiny-aspire-orleans/SKILL.md) | [Aspire Orleans](/aspire/orleans/) | AppHost, Silo, and Client configuration |
+| [shiny-aspire](https://github.com/shinyorg/skills/blob/main/skills/shiny-aspire/SKILL.md) | [Aspire Orleans](/aspire/orleans/) | AppHost, Silo, and Client configuration |
 
 ---