LICENSE | ||
onepush.sh | ||
README.md |
Automated Open WebUI & SearXNG Installer
A single, robust, and intelligent shell script to fully automate the deployment of Open WebUI and an optional, private SearXNG instance on a Debian server. This script transforms a manual setup process into a production-ready, one-shot command, complete with security hardening and full life-cycle automation.
This project was born from an iterative process of converting a manual guide into a fully automated script, adding features and fixing real-world deployment issues like Let's Encrypt rate limits, firewall pre-configurations, fragile cron jobs, and complex multi-container networking and configuration bugs.
Features
- Fully Automated Deployment: Runs non-interactively after an initial prompt for configuration details.
- Optional SearXNG Stack:
- Deploys a private SearXNG instance on a secure Docker network.
- Exposes it publicly on a separate subdomain with Basic Auth protection.
- Allows internal access from Open WebUI tools without authentication for fast, secure searching.
- Supports an optional Brave Search API key for enhanced, ad-free results.
- Adds a custom JSON engine to SearXNG for advanced integrations.
- Security First:
- Firewall Aware: Intelligently detects and manages
UFW
. - Brute-Force Protection: Installs and configures
Fail2Ban
to protect the Open WebUI login.
- Firewall Aware: Intelligently detects and manages
- Robust Service Management: Deploys services via Docker on a shared private network, the recommended method.
- Automatic HTTPS: Uses Nginx as a reverse proxy and
Certbot
to automatically obtain and renew free Let's Encrypt SSL certificates. - Production-Ready Automation:
- System Updates: Configures
unattended-upgrades
. - Container Updates: Deploys
Watchtower
for automatic container updates. - Scheduled Reboots: Implements a robust weekly reboot via a
cron.d
file.
- System Updates: Configures
Prerequisites
Before running the script, you will need:
- A server running Debian 11 or 12.
sudo
orroot
access.- A domain for Open WebUI (e.g.,
ai.example.com
) with a DNS A record pointing to your server's IP. - If deploying SearXNG, a second domain (e.g.,
search.example.com
) also pointing to your server's IP. (The script usessearch.example.com
by default but the variable can be changed).
Usage
- Download the script to your Debian server:
curl -fsSL -o onepush.sh https://git.r21.io/primemover/onepush/raw/branch/master/onepush.sh
- Make the script executable:
chmod +x onepush.sh
- Run the script with
sudo
:sudo ./onepush.sh
The Interactive Prompts
The script will ask you a few questions to configure your environment:
Enter your domain or subdomain
: The public-facing URL for your Open WebUI instance (e.g.,ai.example.com
).Enter your email address
: Used by Let's Encrypt for certificate registration and renewal notices.Also secure the 'www' version? [y/N]
:- Answer
y
if you are using a root domain (likeexample.com
) and have a DNS record forwww.example.com
. - Answer
N
(the default) if you are using a subdomain (likeai.example.com
).
- Answer
Use Let's Encrypt staging environment? [y/N]
:- Crucial for testing. Answer
y
if you are running the script for the first time or for testing purposes. This avoids hitting Let's Encrypt's strict rate limits. Your site will work but will show a browser security warning. - Answer
N
(the default) for your final, production deployment.
- Crucial for testing. Answer
Allow this script to manage UFW rules? [Y/n]
:- The script auto-detects if
UFW
is installed (as it is on Vultr's Debian images). - Answer
Y
(the default) to have the script automatically add theallow 'Nginx Full'
rule. - Answer
n
if you want to manage the firewall yourself. If you choose 'n' and UFW is active, the script will disable UFW entirely to guarantee the script can complete.
- The script auto-detects if
The script will then prompt you for the necessary configuration details before proceeding with the automated installation.
Post-Installation
Once the script finishes, you will have a fully functional and secure Open WebUI instance.
- Access Your Instance:
https://ai.example.com
- Access SearXNG:
https://search.example.com
(user:admin
, with the password you set during installation). - Admin Account: The first user to register on the site will automatically be granted administrator privileges.
- Automations: All automated services (system updates, container updates, reboots) are running in the background. No further action is needed.
Rerunning the Script
The script is designed to be idempotent (safe to run multiple times). If you need to change a setting or switch from a staging certificate to a production one, you can simply re-run ./onepush.sh
. It will overwrite the existing configurations with the new ones.
The most common reason to re-run the script is to get a production SSL certificate after testing with the staging environment.
Security Considerations
- Fail2Ban: The jail
[open-webui]
is configured in/etc/fail2ban/jail.d/open-webui.local
. It monitors the Nginx log file (/var/log/nginx/ai.example.com.access.log
) for failed sign-in attempts (POST /api/v1/auths/signin
with a400
status code). After 5 failures, the offending IP is banned for 24 hours. - Firewall: The script binds the Open WebUI Docker container to the localhost interface (
127.0.0.1:3000
), meaning it is not directly exposed to the internet. Only Nginx can access it. If you opt-out of UFW management, you are responsible for ensuring a firewall (either on the host or at the network level) is configured to allow traffic on ports 80 and 443.
Using Your Private SearXNG Instance
If you deployed SearXNG, you now have two powerful ways to enable web search for your models.
Option A: Native Web Search (Recommended)
This is the simplest and most integrated method.
- Log in to Open WebUI as an admin.
- Go to the Admin Panel -> Settings -> Web Search.
- Enable the Web Search toggle.
- In the SearXNG URL field, enter:
http://searxng:8080
(This special URL works because the containers can talk to each other directly over their private Docker network). - Click Save.
You can now enable the "Web Search" capability for any model in the "Models" section of your settings.
Option B: Advanced Python Research Tool
This method provides more granular control and is useful for complex workflows.
- Go to Settings -> Tools and click Add Tool.
- In the Load from URL field, paste the following link and click the load button:
https://raw.githubusercontent.com/iamarcel/open-webui-utils/main/research_tool.py
- Click the Settings tab in the tool editor (the gear icon).
- In the Environment Variables section, add the following key-value pair:
- Key:
SEARXNG_BASE_URL
- Value:
http://searxng:8080
- Key:
- Click Save.
The tool is now installed and can be called in any chat using @research
.
Backups
See regularbm.sh
.
License
This project is licensed under the MIT License. See the LICENSE file for details.