This document describes how to set up a self-hosted Nightscout instance behind nginx, with TLS (SSL) encryption using a certificate from Let's Encrypt.
Set up a Digital Ocean or Linode virtual private server (VPS) using Ubuntu LTS. Dave chose 20.04 at the time of writing (2020-07-10).
Update the Ubuntu instance:
sudo apt-get update && sudo apt-get upgrade
Update node:
sudo npm cache clean -f
sudo npm install -g n
sudo n stable
Install Node.js and npm:
sudo apt-get install nodejs npm
NOTE: If Nightscout complains about your node version when you install it, use Node Version Manager (nvm), which you can install with this command (it fetches an install script from the nvm GitHub repository and pipes it straight into bash, so download and read the script first if you prefer):
curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.35.3/install.sh | bash
More instructions on nvm are available in the nvm project's documentation on GitHub.
Download cgm-remote-monitor (nightscout) from github:
git clone https://github.com/nightscout/cgm-remote-monitor.git
Alternatively fork a copy of cgm-remote-monitor and clone your own copy.
cd cgm-remote-monitor
Install cgm-remote-monitor:
git checkout dev
npm install
Set up your cgm-remote-monitor environment as you normally would, for example by creating a file my.env like this:
MONGO_CONNECTION=mongodb://localhost:27017/nightscout
TIME_FORMAT=24
API_SECRET=mynameisjonasimcarryingthewheelthanksforallyouveshownus
CUSTOM_TITLE=DaveDiabetes
BASE_URL=cgms.davediabet.es
ALARM_TIMEAGO_WARN=off
INSECURE_USE_HTTP=true
ALARM_HIGH=off
ALARM_LOW=off
CAGE_WARN=48
CAGE_URGENT=72
THEME=colors
ENABLE=speech%20pump%20maker%20bridge%20iob%20careportal%20basal%20cob%20cage%20sage%20loop%20alexa
SHOW_FORECAST=loop
SHOW_PLUGINS=speech%20pump%20bridge%20iob%20careportal%20basal%20cob%20cage%20sage%20loop
DEVICESTATUS_ADVANCED=true
PUMP_FIELDS=reservoir%20battery
PORT=1337
BRIDGE_USER_NAME=%username%
BRIDGE_PASSWORD=%password%
BRIDGE_SERVER=US
BRIDGE_MAX_COUNT=3
BG_TARGET_TOP=180
BG_TARGET_BOTTOM=75
BG_HIGH=200
BASAL_RENDER=default
SCALE_Y=linear
SAGE_WARN=192
SAGE_URGENT=216
Install pm2 globally:
sudo npm install pm2 -g
Start cgm-remote-monitor with pm2:
env $(cat my.env) PORT=1337 pm2 start server.js
Make pm2 start cgm-remote-monitor on startup:
pm2 startup ubuntu
This prints a command that you need to run as superuser to allow pm2 to start the app on reboot.
The command will be something like:
sudo su -c "env PATH=$PATH:/usr/bin pm2 startup ubuntu -u username --hp /home/username"
And then:
pm2 save
Install nginx:
sudo apt-get install nginx
Edit this file:
sudo vim /etc/nginx/sites-available/default
Delete the existing contents and replace them with the block below.
I'm assuming the proxy is on the same host as Nightscout, and that the 1337 in the proxy_pass http://127.0.0.1:1337 line is replaced with the port that Nightscout is using.
server {
    listen 80;
    server_name example.com;
    location / {
        proxy_pass http://127.0.0.1:1337;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
Then restart the nginx service:
sudo service nginx restart
Install the Let's Encrypt client (certbot):
sudo apt-get install -y certbot
Obtain an SSL certificate using the webroot plugin.
Allow access to the /.well-known directory for Let's Encrypt:
sudo vim /etc/nginx/sites-available/default
Stop the nginx service:
sudo service nginx stop
Obtain the Let's Encrypt certificate:
sudo certbot certonly
Enter your domain name when prompted. This will create the certificates for your domain name, which should now be available at /etc/letsencrypt/live/your_domain_name.
Improve TLS security by generating a strong Diffie-Hellman group:
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
Add this to the /etc/nginx/sites-enabled/default file (on Ubuntu this is a symlink to the sites-available/default file edited above):
server {
    listen 443 ssl;
    server_name your_domain_name;
    root /usr/share/nginx/html;
    ssl_certificate /etc/letsencrypt/live/your_domain_name/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your_domain_name/privkey.pem;
    # TLSv1 and TLSv1.1 are deprecated; current guidance is to offer only TLSv1.2 (and TLSv1.3 where nginx supports it)
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=15768000;
    location ~ /.well-known {
        allow all;
    }
    location / {
        proxy_pass http://localhost:1337/; # Note: change the port number if your cgm-remote-monitor isn't on 1337
    }
}
Restart nginx:
sudo service nginx restart
You can test the quality of the TLS configuration using https://www.ssllabs.com/ssltest/analyze.html?d=your_domain_name (unfortunately this only works with port 443).
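A local counterpart to the SSL Labs check, added here as an example that is not part of the original gist: a POSIX shell function that audits the nginx site file for the points a reviewer would flag in the two server blocks above (deprecated TLS 1.0/1.1, a missing HSTS header, a port-80 block that still proxies the app in clear text, and proxy_pass locations without the WebSocket Upgrade header). The default file path and the embedded sample config are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original gist. Audits an nginx site file
# for the weak settings that are easy to carry over from the blocks above.
# Path defaults to /etc/nginx/sites-enabled/default (an assumption; pass your own).

audit_nginx_site() {
  f="${1:-/etc/nginx/sites-enabled/default}"
  rc=0
  # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer only 1.2 and 1.3.
  if grep -Eq 'ssl_protocols[^;]*TLSv1(\.1)?([[:space:]]|;)' "$f"; then
    echo "WEAK: ssl_protocols offers TLSv1/TLSv1.1 (use: ssl_protocols TLSv1.2 TLSv1.3;)"
    rc=1
  fi
  # HSTS stops browsers from silently dropping back to plain http://.
  if ! grep -q 'Strict-Transport-Security' "$f"; then
    echo "WEAK: no Strict-Transport-Security header in the TLS server block"
    rc=1
  fi
  # A 'listen 80' block that proxies Nightscout sends the API secret in clear
  # text; port 80 should answer ACME challenges and redirect the rest to https.
  if grep -q 'listen 80' "$f" && ! grep -Eq 'return 30[12] https://' "$f"; then
    echo "WEAK: port 80 still serves the app instead of redirecting to https://"
    rc=1
  fi
  # Nightscout pushes updates over socket.io; a proxy_pass location without
  # the Upgrade/Connection headers makes clients fall back to long polling.
  pp=$(grep -c 'proxy_pass' "$f" || true)
  up=$(grep -c 'proxy_set_header Upgrade' "$f" || true)
  if [ "$pp" -gt "$up" ]; then
    echo "NOTE: $pp proxy_pass locations but only $up set the Upgrade header"
  fi
  return $rc
}

# Constructed sample mirroring the two server blocks from this page.
SAMPLE_SITE=$(mktemp)
cat > "$SAMPLE_SITE" <<'EOF'
server { listen 80; location / { proxy_pass http://127.0.0.1:1337; proxy_set_header Upgrade $http_upgrade; } }
server { listen 443 ssl;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  add_header Strict-Transport-Security max-age=15768000;
  location / { proxy_pass http://localhost:1337/; } }
EOF
if audit_nginx_site "$SAMPLE_SITE"; then
  echo "no weak settings found"
else
  echo "fix the WEAK findings above, then run: sudo nginx -t && sudo service nginx reload"
fi
rm -f "$SAMPLE_SITE"
```

Nothing in this setup stops clients from reaching Nightscout directly on port 1337 over plain HTTP (INSECURE_USE_HTTP=true), so make sure the VPS firewall only exposes ports 80 and 443.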
Arrange automatic renewal of the certificates by adding this line to the root crontab (sudo crontab -e):
30 2 * * 1 certbot renew >> /var/log/le-renew.log
Note that nginx keeps serving the old certificate until it is reloaded, so reload it after a renewal (certbot's --deploy-hook option can run a command such as service nginx reload for you once a renewal succeeds).
Hopefully that is now done!
See https://gist.github.com/loudestnoise/a4d8981b5ce7373e91fce3557d326c00 for updating instructions.