diff --git a/apps/nightscout/kustomization.yaml b/apps/nightscout/kustomization.yaml
new file mode 100644
index 0000000..01dbd3b
--- /dev/null
+++ b/apps/nightscout/kustomization.yaml
@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - namespace.yaml
+  - nightscout-configmap.yaml
+  - mongo-pvc.yaml
+  - mongo-deployment.yaml
+  - mongo-service.yaml
+  - nightscout-deployment.yaml
+  - nightscout-service.yaml
+  - nightscout-ingress.yaml
diff --git a/apps/nightscout/mongo-deployment.yaml b/apps/nightscout/mongo-deployment.yaml
new file mode 100644
index 0000000..fc7aae5
--- /dev/null
+++ b/apps/nightscout/mongo-deployment.yaml
@@ -0,0 +1,47 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: mongodb
+  namespace: nightscout
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: mongodb
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app: mongodb
+    spec:
+      containers:
+        - name: mongodb
+          image: mongo:4.4
+          ports:
+            - containerPort: 27017
+              name: mongo
+          volumeMounts:
+            - name: mongo-data
+              mountPath: /data/db
+          livenessProbe:
+            exec:
+              command: ["mongo", "--eval", "db.adminCommand('ping')"]
+            initialDelaySeconds: 30
+            periodSeconds: 30
+          readinessProbe:
+            exec:
+              command: ["mongo", "--eval", "db.adminCommand('ping')"]
+            initialDelaySeconds: 10
+            periodSeconds: 10
+          resources:
+            requests:
+              cpu: 100m
+              memory: 256Mi
+            limits:
+              cpu: 1000m
+              memory: 512Mi
+      volumes:
+        - name: mongo-data
+          persistentVolumeClaim:
+            claimName: mongo-data
diff --git a/apps/nightscout/mongo-pvc.yaml b/apps/nightscout/mongo-pvc.yaml
new file mode 100644
index 0000000..040430c
--- /dev/null
+++ b/apps/nightscout/mongo-pvc.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: mongo-data
+  namespace: nightscout
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 5Gi
diff --git a/apps/nightscout/mongo-service.yaml b/apps/nightscout/mongo-service.yaml
new file mode 100644
index 0000000..61e359a
--- /dev/null
+++ b/apps/nightscout/mongo-service.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: mongodb
+  namespace: nightscout
+spec:
+  selector:
+    app: mongodb
+  ports:
+    - port: 27017
+      targetPort: 27017
+      name: mongo
diff --git a/apps/nightscout/namespace.yaml b/apps/nightscout/namespace.yaml
new file mode 100644
index 0000000..d7b3460
--- /dev/null
+++ b/apps/nightscout/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: nightscout
diff --git a/apps/nightscout/nightscout-configmap.yaml b/apps/nightscout/nightscout-configmap.yaml
new file mode 100644
index 0000000..2f0e129
--- /dev/null
+++ b/apps/nightscout/nightscout-configmap.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: nightscout-config
+  namespace: nightscout
+data:
+  DISPLAY_UNITS: "mmol/L"
+  BASE_URL: "https://ns.aleshym.co"
+  INSECURE_USE_HTTP: "true"
+  HOSTNAME: "0.0.0.0"
+  ENABLE: "careportal basal iob cob bwp cage sage iage bage boluscalc pump openaps loop profile timeago bgnow delta direction upbat errorcodes ar2 rawbg"
+  AUTH_DEFAULT_ROLES: "careportal"
+  THEME: "colors"
+  NODE_ENV: "production"
diff --git a/apps/nightscout/nightscout-deployment.yaml b/apps/nightscout/nightscout-deployment.yaml
new file mode 100644
index 0000000..db042f8
--- /dev/null
+++ b/apps/nightscout/nightscout-deployment.yaml
@@ -0,0 +1,45 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nightscout
+  namespace: nightscout
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nightscout
+  template:
+    metadata:
+      labels:
+        app: nightscout
+    spec:
+      containers:
+        - name: nightscout
+          image: nightscout/cgm-remote-monitor:latest
+          ports:
+            - containerPort: 1337
+              name: http
+          envFrom:
+            - configMapRef:
+                name: nightscout-config
+            - secretRef:
+                name: nightscout-secret
+          livenessProbe:
+            httpGet:
+              path: /api/v1/status
+              port: 1337
+            initialDelaySeconds: 60
+            periodSeconds: 30
+          readinessProbe:
+            httpGet:
+              path: /api/v1/status
+              port: 1337
+            initialDelaySeconds: 30
+            periodSeconds: 10
+          resources:
+            requests:
+              cpu: 100m
+              memory: 256Mi
+            limits:
+              cpu: 500m
+              memory: 512Mi
diff --git a/apps/nightscout/nightscout-ingress.yaml b/apps/nightscout/nightscout-ingress.yaml
new file mode 100644
index 0000000..e8422e0
--- /dev/null
+++ b/apps/nightscout/nightscout-ingress.yaml
@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: nightscout
+  namespace: nightscout
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+spec:
+  ingressClassName: traefik
+  rules:
+    - host: ns.aleshym.co
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: nightscout
+                port:
+                  name: http
+  tls:
+    - hosts:
+        - ns.aleshym.co
+      secretName: nightscout-tls
diff --git a/apps/nightscout/nightscout-secret.yaml.example b/apps/nightscout/nightscout-secret.yaml.example
new file mode 100644
index 0000000..8accf7c
--- /dev/null
+++ b/apps/nightscout/nightscout-secret.yaml.example
@@ -0,0 +1,18 @@
+# DO NOT COMMIT THE REAL VERSION OF THIS FILE.
+# apps/nightscout/nightscout-secret.yaml is gitignored — apply it manually once:
+#
+#   cp apps/nightscout/nightscout-secret.yaml.example apps/nightscout/nightscout-secret.yaml
+#   # fill in real values below, then:
+#   kubectl apply -f apps/nightscout/nightscout-secret.yaml
+#   kubectl annotate secret nightscout-secret -n nightscout \
+#     argocd.argoproj.io/sync-options=Prune=false --overwrite
+#
+# API_SECRET must be at least 12 characters.
+apiVersion: v1
+kind: Secret
+metadata:
+  name: nightscout-secret
+  namespace: nightscout
+stringData:
+  API_SECRET: "CHANGE_ME"
+  MONGODB_URI: "mongodb://mongodb:27017/nightscout"
diff --git a/apps/nightscout/nightscout-service.yaml b/apps/nightscout/nightscout-service.yaml
new file mode 100644
index 0000000..09c07c6
--- /dev/null
+++ b/apps/nightscout/nightscout-service.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: nightscout
+  namespace: nightscout
+spec:
+  selector:
+    app: nightscout
+  ports:
+    - port: 1337
+      targetPort: 1337
+      name: http
diff --git a/argocd/nightscout.yaml b/argocd/nightscout.yaml
new file mode 100644
index 0000000..de1474f
--- /dev/null
+++ b/argocd/nightscout.yaml
@@ -0,0 +1,27 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: nightscout
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://git.aleshym.co/funman300/k3s-homelab.git
+    targetRevision: main
+    path: apps/nightscout
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: nightscout
+  ignoreDifferences:
+    - group: ""
+      kind: Secret
+      name: nightscout-secret
+      namespace: nightscout
+      jsonPointers:
+        - /data
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true