diff --git a/README.md b/README.md index df99eeb..8c2e1ae 100644 --- a/README.md +++ b/README.md @@ -1,27 +1,29 @@ -# Automated Open WebUI Installer for Debian +# Automated Open WebUI & SearXNG Installer ![Debian](https://img.shields.io/badge/OS-Debian-A81D33?style=for-the-badge&logo=debian)![License](https://img.shields.io/badge/License-MIT-blue.svg?style=for-the-badge) -A single, robust, and intelligent shell script to fully automate the deployment of [Open WebUI](https://github.com/open-webui/open-webui) on a Debian server. This script transforms a manual setup process into a production-ready, one-shot command, complete with security hardening and full life-cycle automation. +A single, robust, and intelligent shell script to fully automate the deployment of [Open WebUI](https://github.com/open-webui/open-webui) and an optional, private [SearXNG](https://github.com/searxng/searxng) instance on a Debian server. This script transforms a manual setup process into a production-ready, one-shot command, complete with security hardening and full life-cycle automation. -This project was born from an iterative process of converting a manual guide into a fully automated script, adding features and fixing real-world deployment issues like Let's Encrypt rate limits, firewall pre-configurations, and fragile cron job commands. +This project was born from an iterative process of converting a manual guide into a fully automated script, adding features and fixing real-world deployment issues like Let's Encrypt rate limits, firewall pre-configurations, fragile cron jobs, and complex multi-container networking and configuration bugs. ## Features - **Fully Automated Deployment:** Runs non-interactively after an initial prompt for configuration details. +- **Optional SearXNG Stack:** + - Deploys a private SearXNG instance on a secure Docker network. + - Exposes it publicly on a separate subdomain with Basic Auth protection. + - Allows internal access from Open WebUI tools without authentication for fast, secure searching. + - Supports an optional Brave Search API key for enhanced, ad-free results. + - **Adds a custom JSON engine** to SearXNG for advanced integrations. - **Security First:** - - **Firewall Aware:** Intelligently detects and manages `UFW`, ensuring web ports are open or disabling it decisively to prevent silent failures. - - **Brute-Force Protection:** Installs and configures `Fail2Ban` with a precise filter to block IPs that repeatedly fail login attempts. -- **Robust Service Management:** Deploys Open WebUI via Docker, the recommended method, with the application port bound securely to the local interface. -- **Automatic HTTPS:** Uses Nginx as a reverse proxy and `Certbot` to automatically obtain and renew a free Let's Encrypt SSL certificate. + - **Firewall Aware:** Intelligently detects and manages `UFW`. + - **Brute-Force Protection:** Installs and configures `Fail2Ban` to protect the Open WebUI login. +- **Robust Service Management:** Deploys services via Docker on a shared private network, the recommended method. +- **Automatic HTTPS:** Uses Nginx as a reverse proxy and `Certbot` to automatically obtain and renew free Let's Encrypt SSL certificates. - **Production-Ready Automation:** - - **System Updates:** Configures `unattended-upgrades` to automatically apply system security patches. - - **Container Updates:** Deploys `Watchtower` to automatically update the Open WebUI container to the latest version. - - **Scheduled Reboots:** Implements a robust weekly reboot via a cron job for system health and to apply kernel updates. -- **Intelligent & Flexible:** - - Handles both root domains (with/without `www`) and subdomains correctly. - - Includes a **Let's Encrypt Staging Mode** to prevent rate-limiting during testing. - - Uses a reliable `cron.d` file for scheduling, avoiding common scripting pitfalls. + - **System Updates:** Configures `unattended-upgrades`. + - **Container Updates:** Deploys `Watchtower` for automatic container updates. + - **Scheduled Reboots:** Implements a robust weekly reboot via a `cron.d` file. ## Prerequisites @@ -29,27 +31,24 @@ Before running the script, you will need: 1. A server running **Debian 11 or 12**. 2. `sudo` or `root` access. -3. A domain or subdomain with a DNS **A record** pointing to your server's public IP address. +3. A domain for Open WebUI (e.g., `ai.example.com`) with a DNS **A record** pointing to your server's IP. +4. **If deploying SearXNG**, a second domain (e.g., `search.example.com`) also pointing to your server's IP. *(The script uses `search.example.com` by default but the variable can be changed)*. ## Usage -1. Clone this repository to your Debian server: +1. Download the script to your Debian server: ```bash curl -fsSL -o onepush.sh https://git.r21.io/primemover/onepush/raw/branch/master/onepush.sh ``` - 2. Make the script executable: ```bash chmod +x onepush.sh ``` - 3. Run the script with `sudo`: ```bash sudo ./onepush.sh ``` -The script will then prompt you for the necessary configuration details before proceeding with the automated installation. - ### The Interactive Prompts The script will ask you a few questions to configure your environment: @@ -67,11 +66,14 @@ The script will ask you a few questions to configure your environment: - Answer `Y` (the default) to have the script automatically add the `allow 'Nginx Full'` rule. - Answer `n` if you want to manage the firewall yourself. **If you choose 'n' and UFW is active, the script will disable UFW entirely** to guarantee the script can complete. +The script will then prompt you for the necessary configuration details before proceeding with the automated installation. + ## Post-Installation Once the script finishes, you will have a fully functional and secure Open WebUI instance. -- **Access Your Instance:** `https://your.domain.com` +- **Access Your Instance:** `https://ai.example.com` +- **Access SearXNG:** `https://search.example.com` (user: `admin`, with the password you set during installation). - **Admin Account:** The first user to register on the site will automatically be granted administrator privileges. - **Automations:** All automated services (system updates, container updates, reboots) are running in the background. No further action is needed. @@ -83,9 +85,43 @@ The most common reason to re-run the script is to get a production SSL certifica ## Security Considerations -- **Fail2Ban:** The jail `[open-webui]` is configured in `/etc/fail2ban/jail.d/open-webui.local`. It monitors the Nginx log file (`/var/log/nginx/your.domain.com.access.log`) for failed sign-in attempts (`POST /api/v1/auths/signin` with a `400` status code). After 5 failures, the offending IP is banned for 24 hours. +- **Fail2Ban:** The jail `[open-webui]` is configured in `/etc/fail2ban/jail.d/open-webui.local`. It monitors the Nginx log file (`/var/log/nginx/ai.example.com.access.log`) for failed sign-in attempts (`POST /api/v1/auths/signin` with a `400` status code). After 5 failures, the offending IP is banned for 24 hours. - **Firewall:** The script binds the Open WebUI Docker container to the localhost interface (`127.0.0.1:3000`), meaning it is not directly exposed to the internet. Only Nginx can access it. If you opt-out of UFW management, you are responsible for ensuring a firewall (either on the host or at the network level) is configured to allow traffic on ports 80 and 443. +### Using Your Private SearXNG Instance + +If you deployed SearXNG, you now have two powerful ways to enable web search for your models. + +#### Option A: Native Web Search (Recommended) + +This is the simplest and most integrated method. + +1. Log in to Open WebUI as an admin. +2. Go to the **Admin Panel** -> **Settings** -> **Web Search**. +3. Enable the **Web Search** toggle. +4. In the **SearXNG URL** field, enter: `http://searxng:8080` + *(This special URL works because the containers can talk to each other directly over their private Docker network).* +5. Click **Save**. + +You can now enable the "Web Search" capability for any model in the "Models" section of your settings. + +#### Option B: Advanced Python Research Tool + +This method provides more granular control and is useful for complex workflows. + +1. Go to **Settings** -> **Tools** and click **Add Tool**. +2. In the **Load from URL** field, paste the following link and click the load button: + ``` + https://raw.githubusercontent.com/iamarcel/open-webui-utils/main/research_tool.py + ``` +3. Click the **Settings** tab in the tool editor (the gear icon). +4. In the **Environment Variables** section, add the following key-value pair: + - **Key:** `SEARXNG_BASE_URL` + - **Value:** `http://searxng:8080` +5. Click **Save**. + +The tool is now installed and can be called in any chat using `@research`. + ## License This project is licensed under the MIT License. See the [LICENSE](LICENSE) file for details. \ No newline at end of file