@dirkgastaldo
Contributor

nits
formatted links
typos
clarification
These graphics are not showing on this page: AddRole, AddSubject
Dana/Scott/others: please see notes in brackets above.

If it's not ok it will exit the setup script and tell you which permissions are missing.
- Change the token in `ns.ini`. It's the third argument of the `args=` line, e.g.
- Change the token in `ns.ini`. It's the third argument of the `args=` line: [***NOTE to Dana Scott or ?***: this did not change the chrontab.txt file to the token= for me. It left the hashed API secret. I had to run the oref0-setup.sh again. That changed the crontab.txt file to the token= text.]
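Review bot: The added line ends with "the `args=` line:" and then runs straight into a bracketed NOTE addressed to maintainers, so the colon no longer introduces the example that the removed "e.g." led into. Raise the question as a PR comment rather than in the doc text, and correct "chrontab.txt" to "crontab.txt" if any of the wording stays.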
Contributor

The crontab.txt is a backup made when oref0-setup is about to ask if you want to delete your old crontab. So its contents always reflect your previous loop configuration, not your current one. https://github.com/openaps/oref0/blob/master/bin/oref0-setup.sh#L935-L940

You can see your current crontab by running crontab -l
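
A way to run the check this comment describes, as an added example that is not part of the PR or the OpenAPS docs: the hypothetical function `check_api_secret` reads crontab text on stdin and reports whether each `API_SECRET=` line uses the `token=` form, without echoing the secret itself. It assumes the secret is set on its own unquoted `API_SECRET=...` line; the sample crontab is constructed.

```shell
#!/bin/sh
# Added example (not OpenAPS code). Classifies API_SECRET lines in crontab text.
# Exit status: 0 = every API_SECRET line is token-based,
#              1 = at least one is not, 2 = no API_SECRET line found.
# Assumption: the value is unquoted and on its own line.
check_api_secret() {
  awk '
    /^[ \t]*#/ { next }                      # ignore commented-out lines
    /^[ \t]*API_SECRET=/ {
      sub(/^[ \t]*API_SECRET=/, "")          # keep only the value
      seen = 1
      if ($0 ~ /^token=[^ \t]+$/) {
        print "token-based"                  # never print the value itself
      } else {
        print "not-token-based"
        bad = 1
      }
    }
    END {
      if (!seen) { print "no API_SECRET line"; exit 2 }
      exit bad
    }'
}

# Constructed sample, not a real rig's crontab.
# On a rig the live configuration is checked with: crontab -l | check_api_secret
sample='API_SECRET=token=myrigname-27c914cabc506fa3
*/5 * * * * echo placeholder-job'
printf '%s\n' "$sample" | check_api_secret
```

Running it against `crontab -l` rather than `crontab.txt` matters here, because the backup file reflects the previous configuration.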

Contributor

I added a clarifying line in #981
"You must also change your API_SECRET in your crontab, e.g. API_SECRET=token=myrigname-27c914cabc506fa3. Use crontab -e to edit your crontab."

```
4. Test the rig, e.g. by running `openaps upload` or `openaps upload-ns-status` or just running the pump loop. You'll see the update from myrigname in the OpenAPS pill in Nightscout.
4. Test the rig by running `openaps upload` or `openaps upload-ns-status` or just running the pump loop. You'll see the update from myrigname in the OpenAPS pill in Nightscout. [***NOTE to Dana Scott or ?***: this was not obvious to me. I did not see evidence of this even after I had run the oref0-setup.sh command.]
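Review bot: Step 4 offers three alternatives (`openaps upload`, `openaps upload-ns-status`, or the pump loop) but names a single result, the OpenAPS pill update, so a reader cannot tell which command should produce it; the bracketed NOTE on the added line reports that confusion. State the expected result for each command and keep the NOTE out of the rendered text.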
Contributor

These tokenauth directions were all from @PieterGit, so perhaps he can comment.

Contributor

openaps upload will upload your pump basals to Nightscout and upload-ns-status will update the openaps pill. Perhaps the sentence on openaps upload can be a bit more verbose, but I don't understand what you suggest, or what's not clear to you.

5. When all the rigs are 0.5.0 and are all using token based authentication, you can change the environment variables of your Nightscout:
- `AUTH_DEFAULT_ROLES` from `readable devicestatus-upload` to `denied` if you wish to block read-only access to your Nightscout instance. If you don't mind your CGM data being accessible to anyone with your Nightscout URL, you can just leave `AUTH_DEFAULT_ROLES` as `readable`.
- `AUTH_DEFAULT_ROLES` from `readable devicestatus-upload` to `denied` if you wish to block read-only access to your Nightscout instance. If you don't mind your CGM data being accessible to anyone with your Nightscout URL, you can just leave `AUTH_DEFAULT_ROLES` as `readable`. [***NOTE to Dana Scott or ?***: this variable AUTH_DEFAULT_ROLES was not in config variables for me. I had to add it. Not sure if I'm a one-off.]
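Review bot: The bullet says to change `AUTH_DEFAULT_ROLES` "from `readable devicestatus-upload`", which assumes the variable is already set, while the NOTE on the added line reports it was absent and had to be added. Say in the bullet what to do when the variable is not defined, instead of shipping the bracketed NOTE in the doc.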
Contributor

Perhaps this was an oversight, and should be added to oref0-setup?

Contributor

AUTH_DEFAULT_ROLES is readable by default. So if it's not there your Nightscout is readable. Can you make that more explicit?

- You must always secure your Nightscout site with secure http (https), so don't use http://mynightscout.herokuapp.com but always use https://mynightscout.herokuapp.com
- Keep your API_SECRET as a root/Administrator password and only use it for configuring Nightscout. For just reading use a token with the `readable` role, and if you want to use the Careportal add the `careportal` role for that user.
- You must always secure your Nightscout site with secure http (https). Don't use http://mynightscout.herokuapp.com but rather always use https://mynightscout.herokuapp.com.
- Keep your API_SECRET as a root/Administrator password and only use it for configuring Nightscout. For just reading use a token with the `readable` role, and if you want to use the Careportal add the `careportal` role for that user. [***NOTE to Dana Scott or ?***: this is very unclear to me. I don't know what to do with this information.]
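Review bot: The API_SECRET bullet names the `readable` and `careportal` roles but gives no pointer to where a token with those roles is created or where it is entered, which is what the NOTE on the added line asks. Add a sentence or link covering that, and remove the bracketed NOTE before merge.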
Contributor

@PieterGit can confirm, but I think this is talking about how you would normally "authorize" a Nightscout client by putting in your API secret into the browser. There is now another more secure way to do it: set up a user with the careportal role and enter that user's credentials into the browser instead of the API secret. We should probably clarify this language to detail (or link to) directions on how to do that.

Contributor Author

@scottleibrand Thanks, Scott. Yes, I agree. I'm still not sure I did the tokenauth correctly. I assume so, because both of my rigs have the token= in crontab and NS is set with those users. But I think the docs could use some clarification in this section. This part is still confusing to me: "There is now another more secure way to do it: set up a user with the careportal role and enter that user's credentials into the browser instead of the API secret." Not sure what is meant by this and how to do it.

Contributor

Sorry, I'm no native speaker, so please help me improve the text. If you use the API_SECRET with the admin account, the rig can do everything. Security best practices always try to minimize the permissions. So a rig can do with the oref0rig role. If you only need viewing you can use the readable role, and if you also want to be able to use the Careportal features you need a user/token with the careportal role. Does that make sense?

@PieterGit
Contributor

@dirkgastaldo Please try to contact me on Gitter if there is still something not clear.

@danamlewis danamlewis merged commit b9fd20b into openaps:master Jul 31, 2017
danamlewis pushed a commit that referenced this pull request Jul 31, 2017
* Update loops-in-progress.md

* Update loops-in-progress.md

Adding my name to the list of people who have loops in progress.

* Update ifttt-integration.md

Searching for "maker" no longer yields the correct action service. Must now search for "webhooks," icon is now blue instead of green. With apologies, didn't know how to update screen shots.

* Fix some typos

* Update loops-in-progress.md

* Update useful-mobile-apps.md

"uname -a" no longer reports the version of jubilinux you're running but rather the version of the Linux kernel you're running.

* Note that kernel version is useful for determining jubilinux version

* Update how-openaps-works-overview.md

nits

* Update index.rst (#963)

Conforming in same paragraph "internet" to "Internet" (capital "I").

* Update overview-of-build-process.md (#965)

missing word
added "usually" to code snippet because they're not always code snippets, sometimes buttons, and other screen references

* Update hardware.md (#967)

Conform to manufacturers' name styles/conventions (OmniPod, t:slim)
Remove ' because not possessive but rather plural
Lower rather than lesser

* Update nightscout-setup.md

Provided information for users who use mmol instead of mgdl on how to set BG targets in Heroku so don't end up with "urgent high" alerts when they are in range.

* Update loops-in-progress.md (#970)

* Update understanding-your-Explorer-Board-rig.md (#972)

Just a few edits to clarify this step. It took me a while to realize I needed two sets of screws!

* Adding my name to Loops in Progress

* Add meetup group URLs

* adding emphasis to max-iob and maxSafeBasal (#977)

* adding emphasis to max-iob and maxSafeBasal

* screenshot of maxSafeBasal

* typo fix

* word smithing

* Add a linkable header

* combine people from both copies of loops-in-progress.md so we can delete one

* fix broken images for token based authentications after doc update (#981)

* fix broken images after doc update

* add line to explain API_SECRET is also in crontab

* Update collect-data-and-prepare.md (#978)

Nits
Typos
Name styles
Conform periods in lists

* Update understanding-your-Explorer-Board-rig.md (#982)

Conform to "LiPo"
Conform to "Explorer"
"and hold"
nits
simplified language, deleted excess words
embedded link for video
replaced ellipsis with comma

* Update loops-in-progress.md (#984)

Added my name.  Trying to build the loop for my son.

* Update loops-in-progress.md (#985)

* Specify version 0.1.1 (or earlier) of Jubilinux (#986)

* Specify version 0.1.1 (or earlier) of Jubilinux

Current oref0 master doesn't work with 0.2.0.

* Remove "or earlier"

There are some fixes in 0.1.1 that are useful for easier setup and increased reliability of OpenAPS rigs

* Adding my name to the list (#987)

Adding myself to the list .

* image link fixes (#983)

* Delete old loopers file that's now in a different place

* Update usability-considerations.md (#959)

* Update edison.md (#974)

"Jubilinux" is styled with initial lower case "jubilinux"
Remove double-preposition (on and to)
Replace "ones" with "Edisons"
Replace "more" with "additional"
Removed unnecessary /
Spelled out LiPo
Replace and/or with or
Change LIPO to LiPo
Inserted link for battery URL
Added missing .) at end of Amazon link.
Inserted link for other battery URL
Corrected type easilly
internet to Internet (style)
Style preference on extended sentence with a hyphen followed by "however"
Replace exacto with X-ACTO
Initial cap "Explorer"
Added . to end sentence
Replace "screw" with "attach"
Typo harware
Added . to end sentence
Conform mah to mAh with a space after the #
Added (as well as some 2500 mAh options)

* Update edison.md (#954)

* Update edison.md

The original text said to use M2 as spacers, which means you have to screw these spacers between the boards onto the M2 screw, which is kind of difficult and impossible to tighten. If you use slightly larger nuts as spacers, you can just push the screws through the board then through the spacers then the other board and then put a nut on. This is way more secure and you won't have to tighten them every day!

* Clarify

* Update CGM.md (#969)

* Update CGM.md

nits

* Lowercase openaps toolkit

* Update offline-looping-and-monitoring.md (#973)

Did the best I could to say that offline looping is possible with iPhone via modified Loop app, but don't really know enough to explain it well. Hope this is helpful.

* Update nightscout-setup.md (#980)

* Update nightscout-setup.md

nits
formatted links
typos
clarification
These graphics are not showing on this page: AddRole, AddSubject
Dana/Scott/others: please see notes in brackets above.

* Remove NOTEs and clarify using token auth roles

* Fix image links

* Redirected urls (#990)



* add quotes

* update links to reflect https://readthedocs.org/dashboard/openaps/redirects/

* Update update-your-rig.md

* Update edison.md