# Ticket: Gluetun Private Internet Access proxy service

## Metadata
- Type: Ticket
- Status: Deployed - proxy ready for use
- Project: Homelab Operations
- Created: 2026-06-07
- Updated: 2026-06-07
- Priority: Medium

## Goal

Deploy Gluetun with Private Internet Access as an optional proxy/VPN egress path for selected network users or services.

## Why

The user wants an optional managed proxy path using PIA without forcing all services through it by default.

## Scope

Included:
- Define intended users/services and routing model.
- Store PIA credentials/secrets in Vaultwarden, not git.
- Verify Proxmox target resources before creation.
- Deploy Gluetun safely.
- Expose only approved proxy interfaces to LAN/Tailscale.
- Document verification and rollback.

Not included:
- Routing all network traffic through the VPN by default without explicit approval.
- Storing PIA credentials in the repo or chat.

## Acceptance Criteria

This ticket is done when:
- [x] Routing/use model is documented — HTTP/SOCKS5 proxy at `192.168.0.151:8888/8388`.
- [x] PIA secret storage/retrieval path is approved — `.tokens/pia.txt`.
- [x] Gluetun is deployed — CT 109 at `192.168.0.151`, Docker-based, PIA connected.
- [ ] One approved client/service can use the proxy path — proxy tested from Nimrod; services can be configured to use it.
- [x] Non-proxied traffic remains unaffected — only specified ports exposed.
- [x] Rollback is documented.

## Notes

- Requires controlled assistant Vaultwarden access or user-mediated secret entry.
