Nightscout on Ubuntu VPS server with Nginx


This guide was translated using Google Translate and may contain translation errors.
I beg your pardon.


The Nightscout installation with Apache 2, as written in the original guide, has not proven to be as practical.
In general, everything works with Apache 2, but only as long as you are on a wireless network without port blocking.
If a port lock comes into play, you can no longer call up Nightscout.
If you now set up port forwarding via Apache 2 (instructions here), this works, but not with AAPS.
AAPS throws an XHR poll error when using port forwarding with Apache 2 and cannot connect to Nightscout.
For this reason there is now a new guide here.
Install Nightscout on a VPS running Ubuntu 20.04 and Nginx (pronounced Engin X).

Adding to this guide: I am working with nginx for the first time. If there is an error in the instructions, I would be happy to receive constructive criticism.




After successful installation of the server we start with the preparations.
Login with Putty of course required.


Uninstall Apache2

First, Apache 2 is uninstalled, for this we stop the Apache service.

$ sudo service apache2 stop

Perform uninstallation:

$ sudo apt-get purge apache2 apache2-utils

also delete leftovers:

$ sudo rm -rf /etc/apache2
$ sudo rm -rf /usr/sbin/apache2
$ sudo rm -rf /usr/lib/apache2
$ sudo rm -rf /etc/apache2
$ sudo rm -rf /usr/share/apache2
$ sudo rm -rf /usr/share/man/man8/apache2.8.gz

Find files and directories related to Apache

$ whereis apache2

If directories are still displayed, delete them as well.


Update Ubuntu

$ apt update

If updates are available, install them

$ apt upgrade


Install important components

Firewall (Firewall will be set up later):

$ apt install ufw

nginx:

$ apt install nginx

Nano:

$ apt-get install nano

Git:

$ apt install git

Python:

$ apt install python

GCC, if not already present:

$ apt install gcc


Install MongoDB

$ apt install mongodb

After successful installation check the Mongo DB status:

$ systemctl status mongodb

MongoDB should be active, now let’s check the connection:

$mongo --eval 'db.runCommand({ connectionStatus: 1 })'

Output:

MongoDB shell version v3.6.8
connecting to: mongodb://127.0.0.1:27017
Implicit session: session { „id“ : UUID(„e3c1f2a1-a426-4366-b5f8-c8b8e7813135“) }
MongoDB server version: 3.6.8
{
„authInfo“ : {
„authenticatedUsers“ : [ ],
„authenticatedUserRoles“ : [ ]
},
„okay“ : 1
}

Create Mongo database

(“change username” “password” as desired and remember/write it down)

$ mongo
> use Nightscout
> db.createUser({user: "username", pwd: "password", roles:["readWrite"]})
> quit()


Create user

Next, a new Ubuntu user is created (mainuser=username).

Create new user:

$ adduser mainuser

Grant root permission to mainuser:

$ usermod -aG sudo mainuser

Check authorization:

$ su mainuser

grep ‚^sudo‘ /etc/group

Stay logged in as main user!


Install nodejs

$ sudo apt install nodejs
$ sudo apt install build-essential checkinstall
$ sudo apt install libssl-dev
$ wget -qO- https://raw.githubusercontent.com/creationix/nvm/v0.33.8/install.sh | bash

– restart console – login with mainuser –

$ source /etc/profile
$ nvm ls-remote
$ nvm install 14.18.1 (old)

$ nvm install 16.20.2
$ nvm list
$ nvm use 14.18.1
(old)
$ nvm use 16.20.2

Install NPM

$ sudo apt install npm


Git clones

Check which directory you are in:

$pwd
> /home/mainuser

If not in the home/mainuser directory

§ cd /home/mainuser

Git Copy/Clone

$ git clone https://github.com/nightscout/cgm-remote-monitor.git
$ cd cgm-remote-monitor
$ npm install

After installation

$nano start.sh

insert and save the following text. Change/specify „user“ „password“ of the Mongo database, specify API_Secret as desired, change base url if necessary. Which plugins/modules are required depends on the user individually.
The plugins/modules listed here are optimal for me. There is a list of possible plugins on github
https://github.com/nightscout/cgm-remote-monitor#plugins :

#!/bin/bash

# environment variables
export DISPLAY_UNITS="mg/dl"
export MONGO_CONNECTION="mongodb://benutzer:passwort@localhost:27017/Nightscout"
export BASE_URL="127.0.0.1:1337"
export API_SECRET="12-stellige-API-Secret-Code"
export PUMP_FIELDS="reservoir battery status"
export DEVICESTATUS_ADVANCED=true
export ENABLE="careportal loop iob cob openaps pump bwg rawbg basal cors direction timeago devicestatus ar2 profile boluscalc food sage iage cage alexa basalprofile bgi directions bage upbat googlehome errorcodes reservoir battery openapsbasal"
export TIME_FORMAT=24
export INSECURE_USE_HTTP=true
export LANGUAGE=de
export EDIT_MODE=on
export PUMP_ENABLE_ALERTS=true
export PUMP_FIELDS="reservoir battery clock status"
export PUMP_RETRO_FIELDS="reservoir battery clock"
export PUMP_WARN_CLOCK=30
export PUMP_URGENT_CLOCK=60
export PUMP_WARN_RES=50
export PUMP_URGENT_RES=10
export PUMP_WARN_BATT_P=30
export PUMP_URGENT_BATT_P=20
export PUMP_WARN_BATT_V=1.35
export PUMP_URGENT_BATT_V=1.30
export OPENAPS_ENABLE_ALERTS=false
export OPENAPS_WARN=30
export OPENAPS_URGENT=60
export OPENAPS_FIELDS="status-symbol status-label iob meal-assist rssi freq"
export OPENAPS_RETRO_FIELDS="status-symbol status-label iob meal-assist rssi"
export LOOP_ENABLE_ALERTS=false
export LOOP_WARN=30
export LOOP_URGENT=60
export SHOW_PLUGINS=careportal
export SHOW_FORECAST="ar2 openaps"

# start server
/home/mainuser/.nvm/versions/node/v14.18.1/bin/node server.js

Save and exit with: Ctrl+X – Y – enter

$ chmod 775 start.sh
$ ./start.sh

After success message Ctrl+c


Set up nightscout service

When setting up the Nightscout Service, there are different statements about the „Type“. I use the type „simple“ from the beginning.
The „forked“ type is recommended in various forums. The type „simple“ should normally suffice. If Nightscout doesn’t start, you can change the type to „forked“ afterwards. After each change to the Nightscout Service or the start.sh file, the Nightscout Service must be restarted (sudo systemctl restart nightscout.service)

$ sudo nano /etc/systemd/system/nightscout.service

insert and save:

[Unit]
Description=Nightscout Service
After=network.target


[Service]
Type=simple
WorkingDirectory=/home/mainuser/cgm-remote-monitor
ExecStart=/home/mainuser/cgm-remote-monitor/start.sh

[Install]
WantedBy=multi-user.target

Save and exit with: „Ctrl+X“ – „Y“ – „enter“
Reload systemd:

$ sudo systemctl daemon-reload

Activate and start Nigtscout service:

$ sudo systemctl enable nightscout.service
$ sudo systemctl start nightscout.service

Display Nightscout service status:

$ sudo systemctl status nightscout.service

Output:

● nightscout.service – Nightscout Service
Loaded: loaded (/etc/systemd/system/nightscout.service; enabled; vendor preset: enabled)
Active: active (running)
[..]


Assign domain to host

(Main domain and a subdomain for ns).
So that Nightscout is not immediately found by strangers via the main domain, I use a subdomain.

$ sudo nano /etc/hosts

[…]
IP.of.your.server.Domain.de

IP.of.your.server.sub.domain.de

[…]

Save with „ctrl+X“ – „Y“ – „enter“

Create a configuration for main domain and subdomain

For the main domain we configure the default nginx config. Here we enter the server_name.

$ sudo nano /etc/nginx/sites-available/default

server_name domain.de;
server_name www.domain.de;

Next, set up the subdomain (unencrypted port forwarding)

$ sudo nano /etc/nginx/sites-available/Sub.domain.de.conf

Copy this text, change server_name to your subdomain before:

server {
listen 80;

server_name Sub.domain.de;
server_name www.sub.doamin.de;

location / {
proxy_pass http://127.0.0.1:1337;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Forwarded-Proto "https";
}
}

Next, enable the Nginx configuration for the subdoamin:

$ sudo ln -s /etc/nginx/sites-available/Sub.doamin.de.conf /etc/nginx/sites-enabled/

Restart Nginx for the configuration to take effect.

$ sudo service nginx restart


Install Certbot for Nginx

If not already installed, install certbot/python3:

$ sudo apt install certbot python3-certbot-nginx

Request certificate:

Certificate for the main domain:

$ sudo certbot --nginx -d domain.de -d www.doamin.de

The terms of use must be accepted when the certificate is created for the first time.
Your email address will also be requested, this must be entered.
Advertising from partners can be answered with no.

Confirm redirect with 2! This means that every call to your site is automatically routed to SSL encryption.

–> Enter email address “Enter”
–> Confirm terms of use “A”+”Enter”
-> Newsletter/News „N“+“Enter“
-> After a moment select whether all requests should be redirected to https.
1 = No 2 = Yes confirm with „Enter“.

Then request a certificate for the subdomain:

$ sudo certbot --nginx -d Sub.domain.de -d www.Sub.domain.de

Confirm redirect with 2.

Check Certbot timer:

$ sudo systemctl status certbot.timer

Test renewal process

$ sudo certbot renew --dry-run


Renew certificate or redirect

I can not understand this step, but creates what is desired. Request or repair the certificate again for the subdomain. I had to do this step with every test installation so that the subdomain was properly encrypted and forwarded to the Nightscout port.

To do this, simply enter the certificate request command again:

$ sudo certbot --nginx -d Sub.domain.de -d www.Sub.domain.de

It is reported that a certificate already exists. Here with „1“ restore the certificate.

1: Attempt to reinstall this existing certificate

Now the encrypted port forwarding should work properly.


Configure/enable firewall

To configure the firewall, log in with the root account!
Release port 27017 (allows external access to Mongo DB e.g. with Robot3T)
Allow Nginx and OpenSSH.
Release port 1337 (Opinions differ here as to whether it makes sense or not.)

$ ufw allow 1337
$ ufw allow 'Nginx Full'
$ ufw allow 27017
$ ufw allow OpenSSH

Next, we enable the firewall:

$ ufw enable

To see whether the firewall is activated and the above settings are allowed, check the status:

$ ufw status

The result should look like this:

State: active

To Action From
—— —-
1337 ALLOW Anywhere
27017 ALLOW Anywhere
OpenSSH ALLOW Anywhere
Apache Full ALLOW Anywhere
Nginx Full ALLOW Anywhere
1337 (v6) ALLOW Anywhere (v6)
27017 (v6) ALLOW Anywhere (v6)
OpenSSH (v6) ALLOW Anywhere (v6)
Apache Full (v6) ALLOW Anywhere (v6)
Nginx Full (v6) ALLOW Anywhere (v6)


Now the nginx test page should appear when you call up the main domain (automatically encrypted) and the Nightscout installation should appear when you call up the subdomain (without specifying port 1337, since a forwarding has already been set up above)

Optionally, you can restart the server once,
The boot process until Nightscout is fully accessible again can take up to 5 minutes.