Before installing Nuon BYOC on AWS, Azure, or GCP, you’ll need to configure the following dependencies. These requirements are shared across all cloud platforms.
DNS
Root DNS
You will need to expose the Nuon APIs and Dashboard, which requires DNS. For example, if you wanted to host Nuon BYOC at nuon.my-domain.com, complete the following steps.
- Before installation, create the DNS zone my-domain.com if it does not already exist.
- Provide nuon.my-domain.com as the value for the Root Domain input.
- Once Nuon BYOC has fully provisioned, the Cloud DNS nameservers for the install will be available in the outputs.
- Create an NS record named nuon.my-domain.com using the Cloud DNS nameserver values.
- Once propagation is complete, the Nuon Dashboard should be reachable at app.nuon.my-domain.com.
Nuon will provision the following subdomains under the domain you configure. Only the runner API needs to be exposed to the Internet. The rest can be private to your network.
| Subdomain | Service | Public |
|---|---|---|
| app | The vendor dashboard | |
| api | The control plane API, used by the Vendor Dashboard and the CLI | |
| admin | The admin API. Exposes functionality for administration of the control plane | |
| runner | The API used by runners to communicate with the control plane | true |
| slack | The Slack integration listener (OAuth callback, slash commands, events, interactions). Provisioned on every install — active once Slack credentials are configured. | true |
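To check an install against the Public column of the table above, the following added example (not Nuon's own tooling) flags subdomains whose externally visible A records disagree with it. The function names, finding labels and sample addresses are assumptions made for illustration; feed it the records you actually resolve from outside your network.

```javascript
// "Public" column of the subdomain table above (blank cells treated as false).
const EXPECTED_PUBLIC = { app: false, api: false, admin: false, runner: true, slack: true };

// True for RFC 1918, loopback, link-local and CGNAT (100.64.0.0/10) IPv4 space.
// IPv4 only; extend for IPv6 if your zone publishes AAAA records.
function isInternalIPv4(ip) {
  const [a, b] = ip.split(".").map(Number);
  return a === 10 || a === 127 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 169 && b === 254) ||
    (a === 100 && b >= 64 && b <= 127);
}

// resolved maps each hostname to the A records seen from outside your network.
function auditExposure(rootDomain, resolved) {
  const findings = [];
  for (const [sub, needsPublic] of Object.entries(EXPECTED_PUBLIC)) {
    const host = `${sub}.${rootDomain}`;
    const ips = resolved[host] || [];
    const publicIps = ips.filter((ip) => !isInternalIPv4(ip));
    if (!needsPublic && publicIps.length > 0) {
      findings.push({ host, finding: "public-but-not-required", ips: publicIps });
    } else if (needsPublic && publicIps.length === 0) {
      findings.push({ host, finding: "marked-public-but-internal", ips });
    }
  }
  return findings;
}

// Constructed sample data (documentation address ranges), not real resolver output.
const SAMPLE_RESOLVED = {
  "app.nuon.my-domain.com": ["10.0.12.7"],
  "api.nuon.my-domain.com": ["10.0.12.8"],
  "admin.nuon.my-domain.com": ["203.0.113.20"], // admin API published externally
  "runner.nuon.my-domain.com": ["198.51.100.5"],
  "slack.nuon.my-domain.com": ["10.0.12.9"], // listener only has an internal address
};

console.log(auditExposure("nuon.my-domain.com", SAMPLE_RESOLVED));
```

A "marked-public-but-internal" finding for slack only matters if you have enabled the Slack integration.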
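The Nuon Dashboard authenticates with cookies, and those cookies are shared with all subdomains of the provided root domain. We strongly recommend using a Nuon-specific subdomain (for example nuon.my-domain.com rather than my-domain.com) as the root domain, so that auth cookies are not sent to unrelated services hosted under the same parent domain.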
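The effect of that choice can be worked through with the browser's cookie domain-matching rule (RFC 6265, section 5.1.3). This is an added example, not Nuon code; it assumes the auth cookie is set with a Domain attribute equal to the root domain, and the hostnames in OTHER_HOSTS are constructed.

```javascript
// Hostnames Nuon serves under the root domain: the subdomain table on this page,
// plus "auth", which appears in the IdP redirect URIs.
const NUON_SUBDOMAINS = ["app", "api", "admin", "runner", "slack", "auth"];

// RFC 6265 section 5.1.3 domain-match: the host equals the cookie domain, or is a
// hostname (not an IP literal) that ends with "." followed by the cookie domain.
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  if (h === d) return true;
  const isIpLiteral = /^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(":");
  return !isIpLiteral && h.endsWith("." + d);
}

// Hosts outside the Nuon install that a browser would still send the cookie to,
// assuming the cookie carries Domain=<rootDomain> (assumption, see lead-in).
function unintendedRecipients(rootDomain, otherHosts) {
  const nuonHosts = new Set(NUON_SUBDOMAINS.map((s) => `${s}.${rootDomain}`));
  return otherHosts.filter((h) => !nuonHosts.has(h) && domainMatches(h, rootDomain));
}

// Constructed hostnames for other services the same organisation might run.
const OTHER_HOSTS = [
  "my-domain.com",
  "www.my-domain.com",
  "blog.my-domain.com",
  "othermy-domain.com", // shares a suffix but not a label boundary
];

// Root Domain input set to the apex: every sibling service receives the cookie.
console.log(unintendedRecipients("my-domain.com", OTHER_HOSTS));
// Root Domain input set to a Nuon-specific subdomain: none of them do.
console.log(unintendedRecipients("nuon.my-domain.com", OTHER_HOSTS));
```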
Delegation DNS
If you don’t want your customers to set up DNS when installing your app, you can configure DNS delegation: a unique subdomain is provisioned for each install under a shared subdomain you control. In Nuon Cloud, for example, installs land at inl160z2xmng8w1jnq0xxhelln.nuon.run.
To brand this subdomain so your customers see your domain instead of nuon.run (e.g. <install-id>.installs.your-domain.com), see Custom Domains.
GitHub App
Create a GitHub App so Nuon can clone code for components from private repos. You’ll share the App ID, Client ID, app name, and PEM key with Nuon — Nuon configures them on your install.
- Go to GitHub App Settings and click New GitHub App.
- Configure the app with these settings:
| Setting | Value |
|---|---|
| GitHub App name | Choose any name (e.g., “Nuon BYOC”) |
| Homepage URL | https://app.<your-root-domain> |
| Setup URL | https://app.<your-root-domain>/connect |
| Redirect on Update | Checked |
| Webhook | Unchecked |
- Set permissions:
| Permission | Access |
|---|---|
| Contents | Read-only |
- Under “Where can this GitHub App be installed?”, select Only on this account (unless you need to access repos in other GitHub organizations).
- Click Create GitHub App.
- After creation, scroll to the bottom and click Generate a private key. Save the PEM file — you’ll provide it as a secret later.
- Note the App ID and Client ID from the app settings page — share these along with the app name and PEM file with Nuon.
Identity Providers
Nuon must be configured to use your IdP for authentication.
Google
To use Google as your IdP, set up an OAuth client in the Google Cloud Console.
- Go to the Google Cloud Console and create or select a project.
- Navigate to APIs & Services > Credentials.
- Click Create Credentials > OAuth client ID and select Web application as the application type.
- Configure the OAuth client:
| Setting | Value |
|---|---|
| Name | BYOC Nuon (or any name) |
| Authorized JavaScript origins | https://auth.<your-root-domain> |
| Authorized redirect URIs | https://auth.<your-root-domain>/auth |
- Save the Client ID and Client Secret — you’ll need them for the install inputs and secrets.
Okta
To use Okta as your IdP, set up an OIDC Application in Okta.
- In the Okta Admin Console, navigate to Applications and create a new OIDC application.
- For Sign-in method: Select OIDC - OpenID Connect
- For Application type: Select Web Application
- Set the Sign In Redirect to https://auth.<your-root-domain>/auth
- Set Trusted Origins to <your-root-domain>
- Save the client ID and secret.
Auth0
Nuon BYOC previously required Auth0 for authentication, but this dependency has been removed. This documentation is retained for anyone still using Auth0, but new Nuon BYOC installs should use the new IdP integration documented above.
To use Auth0 for authentication, you will need to configure an API, applications, and a custom action in your Auth0 tenant.
Nuon provides a Terraform module to automate Auth0 configuration. We recommend this over manual configuration. Apply the following Terraform to use it.
```hcl
module "byoc_auth0" {
  source = "github.com/nuonco/byoc-auth0"

  # Your Auth0 tenant domain
  auth0_domain = "your-tenant.auth0.com"

  # The root domain for your BYOC install
  public_domain = "<your-root-domain>"

  # Your Nuon install ID
  install_id   = "<your-install-id>"
  install_name = "<your-install-name>"
}
```
After applying, the module outputs the values you will need for the install inputs.
If you prefer to configure Auth0 manually, follow the steps below.
Add an action to enrich the access token with the user’s email.
- Go to Actions > Library in your Auth0 dashboard
- Click Create Action > Build from scratch
- Name it AddScope and select the latest runtime
- Replace the code with:
```javascript
// Copy the user's email address into the access token as a custom claim.
exports.onExecutePostLogin = async (event, api) => {
  const email = event.user.email;
  api.accessToken.setCustomClaim(`email`, email);
};
```
- Deploy the action
- Go to Actions > Triggers > Post Login
- Drag the AddScope action into the flow and save
Create an API with the following settings.
| Setting | Value |
|---|---|
| Name | API Gateway <your-install-id> |
| Identifier | api.<your-root-domain> |
| Maximum Access Token Lifetime | 2592000 |
| Implicit/Hybrid Flow Access Token Lifetime | 86400 |
| Allow Skipping User Consent | true |
The Identifier must match your API URL exactly. It cannot be changed after creation.
Create a Single Page Application for the Dashboard UI.
| Setting | Value |
|---|---|
| Name | Nuon App - <your-install-name> |
| Allowed Callback URLs | https://app.<your-root-domain>/api/auth/callback |
| Allowed Logout URLs | https://app.<your-root-domain> |
| Allowed Web Origins | https://app.<your-root-domain> |
| Allow Cross-Origin Authentication | true |
| Maximum Refresh Token Lifetime | 31557600 |
| Allow Refresh Token Rotation | true |
| Rotation Overlap Period | 0 |
Create a Native Application for CLI authentication.
| Setting | Value |
|---|---|
| Name | Nuon CTL API - <your-install-name> |
| Description | For BYOC Nuon Install <your-install-id> |
| Allow Cross-Origin Authentication | true |
| Device Code (Advanced > Grant Types) | Checked |
Slack App (Optional)
If you would like Nuon BYOC to send notifications to your Slack workspace, you can configure a Slack app for it to integrate with. This is optional. You can skip this, or enable it later.
Because the Slack app requires secrets, enabling it later requires reprovisioning the install so that you can provide these secrets to the Stack.
For detailed instructions on setting up the Slack app, see the Slack integration guide.