I wanted to set up a Google Cloud server using their free tier and figured doing it for FoundryVTT would be a fun experiment.
My goals were:
- Create a vm in Google Cloud’s free tier
- Create a kill switch if billing went over $50 in a month
- Set up a proxy server for security purposes and to allow letsencrypt to work without opening up 443 to the world
- Set up firewalls so that I could add and remove IP access to specific hosts
- Manage this using Ansible
Requirements
You need to install the Google Cloud CLI. Since I’m on Linux, I did this:
sudo dnf install google-cloud-cli python3-google-auth
Follow Google’s documentation to initialize gcloud and authenticate. You shouldn’t need to create the project; the playbook will create it. I did the following:
gcloud auth initglcloud auth logingcloud components install beta
You will need your billing account number. If you go into billing in Google Cloud, you should see an ID embedded in the URL in the format of letters and numbers, ######-######-######.
Preparing the Project
I first created a folder for this project and created the necessary starting pieces:
mkdir -p foundryvtt/group_vars foundryvtt/scripts foundryvtt/templates foundryvtt/safety_net_code
requirements.yml
We need the google.cloud collections for Ansible. We put this in requirements.yml:
collections: - name: google.cloud
inventory
Now to create the inventory file:
[localhost]127.0.0.1 ansible_connection=local[foundry_servers]TBD
Once we get the public IP we can update DNS for our domain and update the TBD to the FQDN we’ll be using.
group_vars/all.yml
Now we need to create the group_vars/all.yml file.
---# GCP Project Configurationproject_id: "REPLACE_WITH_DESIRED_PROJECT_NAME"billing_account: "REPLACE_WITH_BILLING_ACCOUNT"region: "us-west1" # Use one of the free regionszone: "us-west1-b" # Use one of the free zones within the free region# Infrastructure Detailsinstance_name: "REPLACE_WITH_DESIRED_INSTANCE_NAME"machine_type: "e2-micro" # Free Machine Typeimage_family: "projects/debian-cloud/global/images/family/debian-12" # Free image family...network_tag: "foundry-server" # Network tag# Safety & Billingbudget_name: "Lab-Safety-Budget"budget_limit: 50.0topic_name: "budget-kill-switch"# SSL & Domain Configurationdomain_name: "TBD"admin_email: "REPLACE_WITH_DESIRED_EMAIL_ADDRESS"foundry_port: 30000# Default IP Management# This is used as a fallback or starting point for whitelistingallowed_ips: - "REPLACE_WITH_MY_PUBLIC_IP/32"ansible_user: REPLACE_WITH_GOOGLE_USER # Name before the @gmail.com used for gooogle cloudansible_ssh_private_key_file: '~/.ssh/gcp-foundry' # This was created automatically from glcloud initansible_ssh_common_args: '-o StrictHostKeyChecking=no' # For now we're not worried about man in the middle attacks
- project_id – can be any legal Google Cloud option like my-foundry-vtt-free
- billing_account – See above
- region and zone
- Some of these won’t have resources, so you have to test and change accordingly
- region – One of the free regions
- zone – The zone within the free region
- As of date of this document, the free regions and zones are:
- us-east1 (South Carolina): Zones
us-east1-b,us-east1-c,us-east1-d - us-west1 (Oregon): Zones
us-west1-a,us-west1-b,us-west1-c - us-central1 (Iowa): Zones
us-central1-a,us-central1-b,us-central1-c,us-central1-f
- us-east1 (South Carolina): Zones
- instance_name – Any legal instance name, like my-foundrry-vtt-server
- machine_type – Only the e2-micro is in free tier (as of date of this document)
- image_family – Fedora can be used, however, debian has a longer life cycle
- network-tag – A tag to associate firewall rules with the instance
- budget_name – Name of budget to create
- budget_limit – Threshold amount to shutdown everything
- topic_name – Required topic name
- domain_name – Used for setting up ssl, will be whatever you set up in dns
- admin_email – Email to use for SSL config
- allowed_ips – This uses your public IP of the host you’re using to configure google cloud. For instance, use IP Chicken or similar to find your public IP
- ansible_user – The user part of the user@gmail.com
- ansible_ssh_private_key_file – Private key file created to access the instance
- ansible_ssh_common_args – For now, we’re not worried about man in the middle
templates/foundry_nginx.conf.j2
We need to configure nginx as a proxy. Note, we could change the port 30000 to something else here or by var:
server { listen 80; server_name {{ domain_name }}; return 301 https://$host$request_uri;}server { listen 443 ssl; server_name {{ domain_name }}; ssl_certificate /etc/letsencrypt/live/{{ domain_name }}/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/{{ domain_name }}/privkey.pem; # Performance Tuning for Foundry client_max_body_size 300M; location / { proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; proxy_pass http://127.0.0.1:{{ foundry_port | default(30000) }}; }}
safety_net_code/requirements.txt
We need some python libs, we put this in requirements.txt:
functions-framework==3.*google-api-python-client==2.*google-auth==2.*
safety_net_code/main.py
For full disclosure, I used Google Gemini to create the following. It required a lot of back and forth to get something that worked for me.
I acknowledge that there are a lot of ethical, social, economic, and environmental issues with AI. Because of many factors, I am compelled to use it. However, I do try to use it sparingly and transparently.
You need this for the budget kill switch:
import base64import jsonimport functions_frameworkfrom googleapiclient import discovery@functions_framework.cloud_eventdef stop_billing_limit(cloud_event): # Determine the project ID project_id = 'REPLACE_ME_WITH_PROJECT_ID' # Gen 2 events wrap the Pub/Sub message in cloud_event.data if 'message' in cloud_event.data: message_data = cloud_event.data['message'].get('data', '') else: print("No message data found in CloudEvent.") return if not message_data: return # Decode and check budget decoded_message = json.loads(base64.b64decode(message_data).decode('utf-8')) cost = float(decoded_message.get('costAmount', 0)) budget = float(decoded_message.get('budgetAmount', 0)) print(f"Audit: Current cost {cost} against budget {budget}") # Trigger shutdown if we are at or over budget if cost >= budget: print("Threshold reached. Initiating project-wide shutdown...") compute = discovery.build('compute', 'v1', cache_discovery=False) request = compute.instances().aggregatedList(project=project_id) while request is not None: response = request.execute() for zone_path, instances_in_zone in response.get('items', {}).items(): # Extract zone name from the path (e.g., 'zones/us-west1-b') zone = zone_path.split('/')[-1] for instance in instances_in_zone.get('instances', []): if instance['status'] == 'RUNNING': name = instance['name'] print(f"Stopping {name} in {zone}...") compute.instances().stop( project=project_id, zone=zone, instance=name ).execute() request = compute.instances().aggregatedList_next(request, response)
Cosmicnonsense 