primemover/onepush
1
0
Fork 0
Code Issues Pull requests Projects Releases 1 Activity
Open WebUI setup - Due to time constraints, get it all out in one go
13 commits 2 branches 1 tag 88 KiB
Find a file
Exact
first 3edd29c6fc backups refer to regularbm
2025-07-23 22:16:17 +00:00
LICENSE Initial commit 2025-07-08 07:18:03 +00:00
onepush.sh remove openssl dependency 2025-07-23 21:33:43 +00:00
README.md backups refer to regularbm 2025-07-23 22:16:17 +00:00

README.md

Automated Open WebUI & SearXNG Installer

DebianLicense

A single, robust, and intelligent shell script to fully automate the deployment of Open WebUI and an optional, private SearXNG instance on a Debian server. This script transforms a manual setup process into a production-ready, one-shot command, complete with security hardening and full life-cycle automation.

This project was born from an iterative process of converting a manual guide into a fully automated script, adding features and fixing real-world deployment issues like Let's Encrypt rate limits, firewall pre-configurations, fragile cron jobs, and complex multi-container networking and configuration bugs.

Features

  • Fully Automated Deployment: Runs non-interactively after an initial prompt for configuration details.
  • Optional SearXNG Stack:
    • Deploys a private SearXNG instance on a secure Docker network.
    • Exposes it publicly on a separate subdomain with Basic Auth protection.
    • Allows internal access from Open WebUI tools without authentication for fast, secure searching.
    • Supports an optional Brave Search API key for enhanced, ad-free results.
    • Adds a custom JSON engine to SearXNG for advanced integrations.
  • Security First:
    • Firewall Aware: Intelligently detects and manages UFW.
    • Brute-Force Protection: Installs and configures Fail2Ban to protect the Open WebUI login.
  • Robust Service Management: Deploys services via Docker on a shared private network, the recommended method.
  • Automatic HTTPS: Uses Nginx as a reverse proxy and Certbot to automatically obtain and renew free Let's Encrypt SSL certificates.
  • Production-Ready Automation:
    • System Updates: Configures unattended-upgrades.
    • Container Updates: Deploys Watchtower for automatic container updates.
    • Scheduled Reboots: Implements a robust weekly reboot via a cron.d file.

Prerequisites

Before running the script, you will need:

  1. A server running Debian 11 or 12.
  2. sudo or root access.
  3. A domain for Open WebUI (e.g., ai.example.com) with a DNS A record pointing to your server's IP.
  4. If deploying SearXNG, a second domain (e.g., search.example.com) also pointing to your server's IP. (The script uses search.example.com by default but the variable can be changed).

Usage

  1. Download the script to your Debian server: 
    curl -fsSL -o onepush.sh https://git.r21.io/primemover/onepush/raw/branch/master/onepush.sh
  2. Make the script executable: 
    chmod +x onepush.sh
  3. Run the script with sudo: 
    sudo ./onepush.sh

The Interactive Prompts

The script will ask you a few questions to configure your environment:

  • Enter your domain or subdomain: The public-facing URL for your Open WebUI instance (e.g., ai.example.com).
  • Enter your email address: Used by Let's Encrypt for certificate registration and renewal notices.
  • Also secure the 'www' version? [y/N]:
    • Answer y if you are using a root domain (like example.com) and have a DNS record for www.example.com.
    • Answer N (the default) if you are using a subdomain (like ai.example.com).
  • Use Let's Encrypt staging environment? [y/N]:
    • Crucial for testing. Answer y if you are running the script for the first time or for testing purposes. This avoids hitting Let's Encrypt's strict rate limits. Your site will work but will show a browser security warning.
    • Answer N (the default) for your final, production deployment.
  • Allow this script to manage UFW rules? [Y/n]:
    • The script auto-detects if UFW is installed (as it is on Vultr's Debian images).
    • Answer Y (the default) to have the script automatically add the allow 'Nginx Full' rule.
    • Answer n if you want to manage the firewall yourself. If you choose 'n' and UFW is active, the script will disable UFW entirely to guarantee the script can complete.

The script will then prompt you for the necessary configuration details before proceeding with the automated installation.

Post-Installation

Once the script finishes, you will have a fully functional and secure Open WebUI instance.

  • Access Your Instance: https://ai.example.com
  • Access SearXNG: https://search.example.com (user: admin, with the password you set during installation).
  • Admin Account: The first user to register on the site will automatically be granted administrator privileges.
  • Automations: All automated services (system updates, container updates, reboots) are running in the background. No further action is needed.

Rerunning the Script

The script is designed to be idempotent (safe to run multiple times). If you need to change a setting or switch from a staging certificate to a production one, you can simply re-run ./onepush.sh. It will overwrite the existing configurations with the new ones.

The most common reason to re-run the script is to get a production SSL certificate after testing with the staging environment.

Security Considerations

  • Fail2Ban: The jail [open-webui] is configured in /etc/fail2ban/jail.d/open-webui.local. It monitors the Nginx log file (/var/log/nginx/ai.example.com.access.log) for failed sign-in attempts (POST /api/v1/auths/signin with a 400 status code). After 5 failures, the offending IP is banned for 24 hours.
  • Firewall: The script binds the Open WebUI Docker container to the localhost interface (127.0.0.1:3000), meaning it is not directly exposed to the internet. Only Nginx can access it. If you opt-out of UFW management, you are responsible for ensuring a firewall (either on the host or at the network level) is configured to allow traffic on ports 80 and 443.

Using Your Private SearXNG Instance

If you deployed SearXNG, you now have two powerful ways to enable web search for your models.

Option A: Native Web Search (Recommended)

This is the simplest and most integrated method.

  1. Log in to Open WebUI as an admin.
  2. Go to the Admin Panel -> Settings -> Web Search.
  3. Enable the Web Search toggle.
  4. In the SearXNG URL field, enter: http://searxng:8080 (This special URL works because the containers can talk to each other directly over their private Docker network).
  5. Click Save.

You can now enable the "Web Search" capability for any model in the "Models" section of your settings.

Option B: Advanced Python Research Tool

This method provides more granular control and is useful for complex workflows.

  1. Go to Settings -> Tools and click Add Tool.
  2. In the Load from URL field, paste the following link and click the load button: 
    https://raw.githubusercontent.com/iamarcel/open-webui-utils/main/research_tool.py
  3. Click the Settings tab in the tool editor (the gear icon).
  4. In the Environment Variables section, add the following key-value pair:
    • Key: SEARXNG_BASE_URL
    • Value: http://searxng:8080
  5. Click Save.

The tool is now installed and can be called in any chat using @research.

Backups

See regularbm.sh.

License

This project is licensed under the MIT License. See the LICENSE file for details.