Pre-Build Checklist · April 22, 2026

IEXDG Cloud Platform · VM Pre-Build

Ten steps to a production-ready Compute Engine VM on the renamed project, ready to host the IEXDG Nexus stack. Run through this when you are ready to build, not today. Today is the Revenue Sprint pipeline.
Project Display: IEXDG Cloud Platform
Project ID (immutable): drdnicole-youtube-manager
Project Number: 918058969668
Target Region: us-east4 · 60mi from MD
VM Type: e2-small Ubuntu 24.04
Est. Monthly Cost: $21-30 USD
Time to Complete: 45-60 min
Difficulty: Medium · Terminal
0 · Display name renamed to "IEXDG Cloud Platform" · Done
You already did this. Project ID stays drdnicole-youtube-manager, the display label is now "IEXDG Cloud Platform." Future VMs, buckets, and service accounts all live under the renamed project without any re-auth.
1 · Install or verify the gcloud CLI on your Mac · 5 min
The gcloud command-line tool is how we will create and manage the VM from Terminal. You likely do not have it yet, so this step installs it via Homebrew.
Step 1a. Check if gcloud is already installed
which gcloud && gcloud --version
If you see a version number (e.g. "Google Cloud SDK 472.0.0"), skip to Step 2. If you see "gcloud not found," continue.
Step 1b. Install via Homebrew (if needed)
brew install --cask google-cloud-sdk
If Homebrew itself is missing, install it first from brew.sh using the one-line script on that page. Then rerun this command.
Step 1c. Add gcloud to your shell PATH
echo 'source "$(brew --prefix)/share/google-cloud-sdk/path.zsh.inc"' >> ~/.zshrc
echo 'source "$(brew --prefix)/share/google-cloud-sdk/completion.zsh.inc"' >> ~/.zshrc
source ~/.zshrc
Verify: run gcloud --version again. Should now print the SDK version. If it does, move on.
2 · Authenticate gcloud and set "IEXDG Cloud Platform" as the default project · 3 min
gcloud needs to know who you are and which project to target. This is a one-time setup. Every command after this defaults to the IEXDG project.
Step 2a. Log in to Google Cloud
gcloud auth login
Opens your default browser. Sign in with the same Google account that owns drdnicole-youtube-manager. Close the browser tab when it says "You are now authenticated."
Step 2b. Set the project as your default
gcloud config set project drdnicole-youtube-manager
Prints: "Updated property [core/project]."
Step 2c. Confirm the default region and zone (we will use us-east4 Virginia)
gcloud config set compute/region us-east4
gcloud config set compute/zone us-east4-b
us-east4 is Northern Virginia (Ashburn), the closest GCP region to Maryland at roughly 60 miles. Keeps latency to your Mac and to any East Coast clients low. Zone us-east4-b is one of three zones in that region, chosen for standard resource availability.
Step 2d. Verify your config
gcloud config list
Verify: output should show project = drdnicole-youtube-manager, region = us-east4, zone = us-east4-b, and your Google account.
3 · Verify billing account is attached to the project · 2 min
Compute Engine is NOT free tier beyond the smallest e2-micro. An e2-small VM requires an active billing account linked to the project. This step confirms billing is attached before you spend any time creating resources that will fail to provision.
Step 3a. Check billing link
gcloud beta billing projects describe drdnicole-youtube-manager
Should show:
billingAccountName: billingAccounts/XXXXXX-XXXXXX-XXXXXX
billingEnabled: true
If billingEnabled is false or the command errors: open the browser to console.cloud.google.com/billing, sign in, and link an active billing account to project "IEXDG Cloud Platform." Stop here and send me a message. Do not proceed.
Step 3b. List your billing accounts (sanity check)
gcloud beta billing accounts list
This lists every billing account you have access to. Note the ACCOUNT_ID of the one linked to IEXDG Cloud Platform. You will not need it today, but good to have for cost alerts later.
4 · Enable Compute Engine and required APIs · 3 min
APIs are off by default on a GCP project. Turning on Compute Engine lets us create VMs. Turning on the others (IAM, Secret Manager, Logging, Monitoring) enables service accounts, secret storage, and observability for the VM once it is running.
Step 4. Enable all required APIs in one batch
gcloud services enable \
  compute.googleapis.com \
  iam.googleapis.com \
  secretmanager.googleapis.com \
  logging.googleapis.com \
  monitoring.googleapis.com \
  cloudresourcemanager.googleapis.com
Takes 30-60 seconds. Prints "Operation ... finished successfully" for each. No errors = all APIs enabled.
Step 4b. Verify
gcloud services list --enabled --filter="config.name:compute OR config.name:secretmanager"
Verify: should list compute.googleapis.com and secretmanager.googleapis.com as ENABLED.
5 · Reserve a static external IP in us-east4 · 2 min
VMs get a dynamic IP by default, which changes on every stop/start. For a production server that we want to reach by domain name (or from the MCP), we reserve a static IP now. Static IPs cost about $3/month when attached to a running VM, $7/month when detached.
Step 5. Reserve the IP
gcloud compute addresses create iexdg-nexus-ip \
  --region=us-east4 \
  --network-tier=STANDARD \
  --description="Static IP for IEXDG Nexus VM, Apr 22 2026"
Prints: "Created [https://www.googleapis.com/compute/v1/projects/drdnicole-youtube-manager/regions/us-east4/addresses/iexdg-nexus-ip]"
Step 5b. Note the IP for later
gcloud compute addresses describe iexdg-nexus-ip --region=us-east4 --format="value(address)"
Copy the printed IP into a note. You will use it when attaching to the VM in Step 6 and when configuring DNS later.
Standard tier vs Premium: Standard tier is ~40% cheaper than Premium and uses Google's external peering rather than its private backbone. Fine for a single-VM IEXDG setup. If you ever need global multi-region, upgrade to PREMIUM later. Easy change.
6 · Create the VM · e2-small Ubuntu 24.04 LTS with labels · 5 min
e2-small is 2 vCPU burst + 2 GB RAM. Enough to run the IEXDG Nexus stack (Python workers, Caddy reverse proxy, lightweight dashboards) with headroom. Ubuntu 24.04 LTS gets security updates until April 2029. Labels make cost allocation and later filtering easy.
Step 6. Create the VM
gcloud compute instances create iexdg-nexus-vm \
  --zone=us-east4-b \
  --machine-type=e2-small \
  --image-family=ubuntu-2404-lts-amd64 \
  --image-project=ubuntu-os-cloud \
  --boot-disk-size=30GB \
  --boot-disk-type=pd-standard \
  --address=iexdg-nexus-ip \
  --network-tier=STANDARD \
  --tags=http-server,https-server,iexdg-nexus \
  --labels=environment=prod,owner=iexdg,purpose=nexus,created=apr22-2026 \
  --metadata=enable-oslogin=TRUE \
  --shielded-secure-boot \
  --shielded-vtpm \
  --shielded-integrity-monitoring
Takes 30-90 seconds. Prints a table with NAME, ZONE, MACHINE_TYPE, INTERNAL_IP, EXTERNAL_IP (should match your reserved IP from Step 5), STATUS = RUNNING.
What each flag does:
  • --machine-type=e2-small · 2 vCPU, 2 GB RAM, ~$13/mo
  • --boot-disk-size=30GB · standard persistent disk, ~$1.20/mo at 30 GB
  • --tags=http-server,https-server · network tags that firewall rules match on. The default-allow-http and default-allow-https rules target these tags, as does iexdg-allow-https in Step 7b.
  • --labels · for billing reports and later filtering. Never affects the VM itself.
  • --metadata=enable-oslogin=TRUE · SSH access tied to your Google identity. Safer than managing keys manually.
  • --shielded-* · three flags that enable Secure Boot, vTPM, and integrity monitoring. Zero cost, stronger security posture.
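A way to confirm the Step 6 flags actually took effect, as an added example (not part of the original checklist). It checks the JSON printed by gcloud compute instances describe iexdg-nexus-vm --zone=us-east4-b --format=json; the two samples below are constructed, and 203.0.113.10 is a documentation address standing in for the IP reserved in Step 5.

```python
import json

EXPECTED_TAGS = {"http-server", "https-server", "iexdg-nexus"}  # Step 6 --tags
SHIELDED = ("enableSecureBoot", "enableVtpm", "enableIntegrityMonitoring")

# Constructed sample trimmed to the fields checked; 203.0.113.10 is a
# documentation address standing in for the IP reserved in Step 5.
GOOD = {
    "name": "iexdg-nexus-vm",
    "shieldedInstanceConfig": {f: True for f in SHIELDED},
    "metadata": {"items": [{"key": "enable-oslogin", "value": "TRUE"}]},
    "tags": {"items": sorted(EXPECTED_TAGS)},
    "networkInterfaces": [{"accessConfigs": [
        {"natIP": "203.0.113.10", "networkTier": "STANDARD"}]}],
}
# Same VM as it could look if the hardening flags and --address were omitted.
DRIFTED = {**GOOD,
    "shieldedInstanceConfig": {"enableSecureBoot": False, "enableVtpm": True,
                               "enableIntegrityMonitoring": True},
    "metadata": {},
    "networkInterfaces": [{"accessConfigs": [{"natIP": "198.51.100.7"}]}],
}

def posture_findings(describe_json, reserved_ip):
    """Compare `instances describe` JSON with what Step 6 asked for."""
    vm = json.loads(describe_json)
    findings = []
    shielded = vm.get("shieldedInstanceConfig", {})
    findings += [f"{f} is off" for f in SHIELDED if not shielded.get(f)]
    # Instance-level metadata only; OS Login can also be set project-wide.
    meta = {i["key"]: i.get("value", "")
            for i in vm.get("metadata", {}).get("items", [])}
    if meta.get("enable-oslogin", "").upper() != "TRUE":
        findings.append("enable-oslogin is not TRUE on the instance")
    nat_ips = [ac.get("natIP") for nic in vm.get("networkInterfaces", [])
               for ac in nic.get("accessConfigs", [])]
    if nat_ips != [reserved_ip]:
        findings.append(f"external IP {nat_ips} is not the reserved address")
    extra = set(vm.get("tags", {}).get("items", [])) - EXPECTED_TAGS
    if extra:
        findings.append(f"unexpected network tags {sorted(extra)}")
    return findings

print(posture_findings(json.dumps(GOOD), "203.0.113.10"))
print(posture_findings(json.dumps(DRIFTED), "203.0.113.10"))
```

An empty list means the VM matches what Step 6 requested; anything else names the setting to fix before moving on.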
7 · Configure firewall rules · SSH plus HTTPS only · 3 min
By default GCP projects have a permissive default firewall. We narrow it to exactly what the Nexus stack needs: SSH from anywhere (later restrict to your home IP if you want) and HTTPS on port 443 (for Caddy reverse proxy). No direct Python ports exposed.
Step 7a. Check what firewall rules already exist
gcloud compute firewall-rules list --filter="network:default"
If you see rules named "default-allow-http" and "default-allow-https" already ALLOW on tcp:80 and tcp:443, skip to Step 7c.
Step 7b. Create firewall rules if missing
gcloud compute firewall-rules create iexdg-allow-https \
  --direction=INGRESS \
  --action=ALLOW \
  --rules=tcp:443 \
  --source-ranges=0.0.0.0/0 \
  --target-tags=https-server \
  --description="HTTPS to IEXDG Nexus VM for public endpoints"
Step 7c. Verify SSH works
gcloud compute ssh iexdg-nexus-vm --zone=us-east4-b
First time: gcloud generates an SSH key, adds it via OS Login, and connects. Prompt changes to: "your_username@iexdg-nexus-vm:~$"
Verify: once the prompt appears, type uname -a and press enter. Should print a line starting with "Linux iexdg-nexus-vm ... Ubuntu ... 24.04 ...". You are in the VM.
Type exit to leave the VM and return to your Mac Terminal when done exploring.
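Step 7 only adds an allow rule, so anything the default network already permits stays open. An auto-created default network comes with default-allow-ssh, default-allow-rdp, default-allow-icmp and default-allow-internal, and rules without target tags apply to every instance. The added example below (not part of the original checklist) reads gcloud compute firewall-rules list --filter="network:default" --format=json and reports what the internet can reach on this VM beyond SSH, HTTPS and ping. The rule list is a constructed sample, and other-app is a hypothetical rule name.

```python
import json

INTENDED_PORTS = {("tcp", 22), ("tcp", 443)}  # SSH + HTTPS, per Step 7
INTENDED_PROTOCOLS = {"icmp"}                 # Step 9c pings the static IP
VM_TAGS = {"http-server", "https-server", "iexdg-nexus"}  # Step 6 --tags

def rule(name, ports, proto="tcp", src="0.0.0.0/0", tags=None):
    """Build one constructed rule shaped like --format=json output."""
    allowed = {"IPProtocol": proto, **({"ports": ports} if ports else {})}
    r = {"name": name, "direction": "INGRESS", "sourceRanges": [src]}
    return {**r, "allowed": [allowed], **({"targetTags": tags} if tags else {})}

# Constructed sample, not real output from this project.
SAMPLE = json.dumps([
    rule("default-allow-ssh", ["22"]),
    rule("default-allow-rdp", ["3389"]),
    rule("default-allow-icmp", None, proto="icmp"),
    rule("default-allow-internal", ["0-65535"], src="10.128.0.0/9"),
    rule("default-allow-http", ["80"], tags=["http-server"]),
    rule("iexdg-allow-https", ["443"], tags=["https-server"]),
    rule("other-app", ["8000-8010"], tags=["other-vm"]),
])

def port_range(spec):
    """Expand a GCP port spec such as "443" or "8000-8010"."""
    lo, _, hi = spec.partition("-")
    return range(int(lo), int(hi or lo) + 1)

def unexpected_exposure(rules_json, vm_tags=VM_TAGS):
    """Return (rule, protocol, ports) reachable from anywhere beyond intent."""
    findings = []
    for r in json.loads(rules_json):
        open_src = {"0.0.0.0/0", "::/0"} & set(r.get("sourceRanges", []))
        if r.get("direction") != "INGRESS" or r.get("disabled") or not open_src:
            continue
        # Untagged rules apply to every instance (service-account targets not modelled).
        tags = r.get("targetTags")
        if tags and not set(tags) & set(vm_tags):
            continue
        for allow in r.get("allowed", []):
            proto = allow["IPProtocol"]
            if proto in INTENDED_PROTOCOLS:
                continue
            for spec in allow.get("ports", ["all"]):
                if spec == "all" or any((proto, p) not in INTENDED_PORTS
                                        for p in port_range(spec)):
                    findings.append((r["name"], proto, spec))
    return findings
print(unexpected_exposure(SAMPLE))
```

On the sample this reports the RDP rule and, because the VM carries the http-server tag, the port 80 rule. Delete or disable whichever of those you do not want rather than relying on UFW alone.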
8 · Initial OS hardening and baseline packages · 10 min
Fresh Ubuntu 24.04 VMs ship with 2024-era packages. We pull the latest security patches, install the tools the Nexus stack needs (Python 3, git, curl, pip), and install unattended-upgrades so security fixes land automatically from this point forward.
Step 8. SSH into the VM and run the baseline setup
gcloud compute ssh iexdg-nexus-vm --zone=us-east4-b

# Once inside the VM, run everything below as one block:
sudo apt-get update
sudo apt-get upgrade -y
sudo apt-get install -y python3 python3-pip python3-venv git curl wget htop ufw unattended-upgrades
sudo dpkg-reconfigure -f noninteractive unattended-upgrades
python3 --version
pip3 --version
git --version
First apt-get update takes ~20 seconds, upgrade takes 1-2 minutes. Final three commands print versions: Python 3.12.x, pip 24.x, git 2.43.x (approximately).
Step 8b. Enable UFW firewall as second layer
sudo ufw allow OpenSSH
sudo ufw allow 443/tcp
sudo ufw --force enable
sudo ufw status
Expected: "Status: active" with two rules allowing SSH and 443/tcp.
UFW is a local-firewall belt-and-suspenders on top of the GCP firewall. Both layers have to allow traffic for it to reach a service, which makes accidental exposure less likely.
Exit the VM with exit when done. You are back on your Mac.
9 · Post-create smoke test · prove the VM is production-ready · 5 min
Before you trust the VM with real work, a short smoke test proves SSH + external IP + Python + outbound HTTPS all work end to end. If any of these fail, stop and diagnose before installing Nexus code.
Step 9a. SSH back in
gcloud compute ssh iexdg-nexus-vm --zone=us-east4-b
Step 9b. Run the smoke test (paste all four commands)
echo "[1] Uptime:" && uptime
echo "[2] Disk:" && df -h / | tail -1
echo "[3] Outbound HTTPS (pings google.com):" && curl -sI https://www.google.com | head -1
echo "[4] Python HTTPS (pings GitHub API):" && python3 -c "import urllib.request,json; r=urllib.request.urlopen('https://api.github.com').read(); print('   OK bytes:', len(r))"
All four should return OK-looking output. Example:
[1] Uptime: 03:15:42 up 8 min
[2] Disk: 28G available
[3] Outbound HTTPS: HTTP/2 200
[4] Python HTTPS: OK bytes: 3421
Verify: if all four pass, the VM is production-ready. Exit with exit.
Step 9c. From your Mac, ping the static IP directly
# Replace THE.IP with the IP you saved in Step 5
ping -c 3 THE.IP
Expected: 3 packets sent, 3 received, 0% loss. Round-trip 25-50 ms if you are on the East Coast.
10 · Cost projection and shutdown safety · 3 min
Before the VM runs overnight for the first time, set up a budget alert so you never get surprised by a bill. Also know the shutdown commands in case you need to pause the VM for any reason.
Monthly cost breakdown (baseline, no heavy traffic)
e2-small VM (730 hrs):              $13.00 / mo
30 GB standard persistent disk:      $1.20 / mo
Static IP (attached to VM):          $2.92 / mo
Outbound network (est. 10 GB):       $1.20 / mo
Logging + monitoring:                $0.00 / mo (free tier)
-----------------------------------------------
TOTAL:                              $18-22 / mo
Set a monthly budget alert (send email at 50%, 90%, 100%)
gcloud billing budgets create \
  --billing-account=YOUR_BILLING_ACCOUNT_ID \
  --display-name="IEXDG Cloud Platform Monthly" \
  --budget-amount=50USD \
  --threshold-rule=percent=0.5 \
  --threshold-rule=percent=0.9 \
  --threshold-rule=percent=1.0 \
  --filter-projects=projects/drdnicole-youtube-manager
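Replace YOUR_BILLING_ACCOUNT_ID with the ID you noted in Step 3b. $50 is 2x expected, giving you headroom for growth but still an early warning if anything goes wrong. A budget only sends alerts; it does not stop the VM or cap charges, so act on the email when it arrives.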
To STOP the VM (zero CPU cost, disk still billed)
gcloud compute instances stop iexdg-nexus-vm --zone=us-east4-b
To START the VM back up
gcloud compute instances start iexdg-nexus-vm --zone=us-east4-b
To DELETE the VM permanently (rarely needed)
gcloud compute instances delete iexdg-nexus-vm --zone=us-east4-b
gcloud compute addresses delete iexdg-nexus-ip --region=us-east4
Delete is destructive. Run only if you are intentionally tearing down. The second line releases the static IP so you stop paying the detached rate.

You now have a production-ready VM

IEXDG Nexus code, Caddy reverse proxy, workers, and cron deploys come next. That is a separate build guide when you are ready. Today's checklist gets you to the foundation.