Script to instanciate in ~3min a Scaleway VM as Wireguard VPN with Unbound and Pi-hole, using cloud-init facilities. All these applications are dockerized, and the docker images are regularly pulled/updated by watchtower.
Scaleway is a french cloud provider with affordable costs.
Cheaper instances:
- STARDUST1-S (only available at fr-par-1 and nl-ams-1)
- AMP2-C1 (only available at fr-par-2; arm64)
.-~~~-. ┌───────────────────────────────────┐
.- ~ ~-( )_ _ │VPS │
/ Internet ~ -. │ ┌────────────┐ DNS │
| ◄──────┼─┤Unbound ◄───────┐ │
\ ▲ .' │ │(DNS solver)│ │ │
~- ._ ,..,.,.,., ,.│ -~ │ └────────────┘ │ │
' │ │ ┌──────┴─────┐ │
┌─────────────────┐ │ │ │Pi-Hole │ │
│ PC/Phone │ │ │ │(DNS filter)│ │
│ │ │ │ └──────▲─────┘ │
│ ┌─────────┐ │ │ │ ┌─────────┐ │ │
│ │Wireguard│ │ └────────┼──┤Wireguard├─────────┘ │
│ │ Client │ │ │ │ Server │ DNS │
│ │ │ ─┴──────────────────┴─ │ (VPN) │ │
│ │ ├──► VPN Tunnel ──► │ ┌────────────────┐ │
│ └─────────┘ ─┬──────────────────┬─ └─────────┘ │Watchtower │ │
│ │ │ │(images updater)│ │
└─────────────────┘ │ └────────────────┘ │
└───────────────────────────────────┘
- a Scaleway account
- scaleway-cli, using your account (
scw init
done) - jq
- perl
- tput
# AMP2-C1 available at fr-par-2 for testing, as cheap as STARDUST1-S, but arm64 instead of x86_64
vm_name=test zone=fr-par-2 type=AMP2-C1 ./create-scw-wireguard_pi-hole_unbound.sh
Note the parameters vm_name
, zone
and type
in the command-line.
Default values will be wireguard-vps
, nl-ams-1
and DEV1-S
otherwise.
NB: [ctrl]+[q]
to close the VM console attached to your terminal.
The script create-scw-wireguard_pi-hole_unbound.sh will:
- check the availability for this VM type
- create a VM
- attach the console to the running terminal
- run the cloud-init script.
The script basic_script.sh does exactly the same, but without any check or information display.
The cloud-init script pushed when creating the instance will:
- upgrade the OS
- install docker and other things (fail2ban, ...)
- generate a random password for root
- create a config file for Unbound
- create and start an application stack composed of Unbound, Wireguard, Pi-Hole and Watchtower using docker-compose
- add several blocklists and will also whitelist several domains in Pi-Hole
- set a service to print the login and wireguard client information on the server console
- reboot the OS.
Very largely inspired/copied from IAmStoxe/wirehole, but modified and a bit simplified according to my needs.
The docker-compose stack relies on:
- alpinelinux/unbound (was previously mvance/unbound, but the latter was x86_64-only)
- linuxserver/docker-wireguard
- pihole/pihole
- containrrr/watchtower
Thanks to them for building these docker images, and of course to people involved in these projects.
for zone in fr-par-1 fr-par-2 fr-par-3 nl-ams-1 nl-ams-2 pl-waw-1 pl-waw-2; do
echo -e "\n== $zone ==\n"
scw instance server-type list --output=human zone=$zone
done
Open the console on your VM using the Scaleway console and restart the VM if you need to retrieve the root password and/or the wireguard information.
Alternative:
# List instances
scw instance server list zone=all
# Populate these variables
ZONE=<get value from instance list>
ID=<get value from instance list>
# Reboot instance
scw instance server reboot zone=$ZONE $ID
# Attach to the instance console ([CTRL]+[Q] to detach from console)
scw instance server console zone=$ZONE $ID
# List instances
scw instance server list zone=all
# Populate these variables
ZONE=<get value from instance list>
ID=<get value from instance list>
# Delete instance
scw instance server terminate with-ip=true with-block=true zone=$ZONE $ID
scw marketplace image list