From be9da6eb254e8a0fefb1de4ed2c922d28009984d Mon Sep 17 00:00:00 2001
From: first <first@noreply.git.r21.io>
Date: Tue, 8 Jul 2025 07:23:54 +0000
Subject: [PATCH] Update README.md

---
 README.md | 93 +++++++++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 91 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 1707893..d2ad057 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,92 @@
-# onepush
+# Automated Open WebUI Installer for Debian
 
-Open WebUI setup - Due to time constraints, get it all out in one go
\ No newline at end of file
+![Debian](https://img.shields.io/badge/OS-Debian-A81D33?style=for-the-badge&logo=debian)![License](https://img.shields.io/badge/License-MIT-blue.svg?style=for-the-badge)
+
+A single, robust, and intelligent shell script to fully automate the deployment of [Open WebUI](https://github.com/open-webui/open-webui) on a Debian server. This script transforms a manual setup process into a production-ready, one-shot command, complete with security hardening and full life-cycle automation.
+
+This project was born from an iterative process of converting a manual guide into a fully automated script, adding features and fixing real-world deployment issues like Let's Encrypt rate limits, firewall pre-configurations, and fragile cron job commands.
+
+## Features
+
+-   **Fully Automated Deployment:** Runs non-interactively after an initial prompt for configuration details.
+-   **Security First:**
+    -   **Firewall Aware:** Intelligently detects and manages `UFW`, ensuring web ports are open or disabling it decisively to prevent silent failures.
+    -   **Brute-Force Protection:** Installs and configures `Fail2Ban` with a precise filter to block IPs that repeatedly fail login attempts.
+-   **Robust Service Management:** Deploys Open WebUI via Docker, the recommended method, with the application port bound securely to the local interface.
+-   **Automatic HTTPS:** Uses Nginx as a reverse proxy and `Certbot` to automatically obtain and renew a free Let's Encrypt SSL certificate.
+-   **Production-Ready Automation:**
+    -   **System Updates:** Configures `unattended-upgrades` to automatically apply system security patches.
+    -   **Container Updates:** Deploys `Watchtower` to automatically update the Open WebUI container to the latest version.
+    -   **Scheduled Reboots:** Implements a robust weekly reboot via a cron job for system health and to apply kernel updates.
+-   **Intelligent & Flexible:**
+    -   Handles both root domains (with/without `www`) and subdomains correctly.
+    -   Includes a **Let's Encrypt Staging Mode** to prevent rate-limiting during testing.
+    -   Uses a reliable `cron.d` file for scheduling, avoiding common scripting pitfalls.
+
+## Prerequisites
+
+Before running the script, you will need:
+
+1.  A server running **Debian 11 or 12**.
+2.  `sudo` or `root` access.
+3.  A domain or subdomain with a DNS **A record** pointing to your server's public IP address.
+
+## Usage
+
+1.  Clone this repository to your Debian server:
+    ```bash
+    git clone <your-repository-url>
+    cd <repository-directory>
+    ```
+
+2.  Make the script executable:
+    ```bash
+    chmod +x onepush.sh
+    ```
+
+3.  Run the script with `sudo`:
+    ```bash
+    sudo ./onepush.sh
+    ```
+
+The script will then prompt you for the necessary configuration details before proceeding with the automated installation.
+
+### The Interactive Prompts
+
+The script will ask you a few questions to configure your environment:
+
+-   **`Enter your domain or subdomain`**: The public-facing URL for your Open WebUI instance (e.g., `ai.example.com`).
+-   **`Enter your email address`**: Used by Let's Encrypt for certificate registration and renewal notices.
+-   **`Also secure the 'www' version? [y/N]`**:
+    -   Answer `y` if you are using a root domain (like `example.com`) and have a DNS record for `www.example.com`.
+    -   Answer `N` (the default) if you are using a subdomain (like `ai.example.com`).
+-   **`Use Let's Encrypt staging environment? [y/N]`**:
+    -   **Crucial for testing.** Answer `y` if you are running the script for the first time or for testing purposes. This avoids hitting Let's Encrypt's strict rate limits. Your site will work but will show a browser security warning.
+    -   Answer `N` (the default) for your final, production deployment.
+-   **`Allow this script to manage UFW rules? [Y/n]`**:
+    -   The script auto-detects if `UFW` is installed (as it is on Vultr's Debian images).
+    -   Answer `Y` (the default) to have the script automatically add the `allow 'Nginx Full'` rule.
+    -   Answer `n` if you want to manage the firewall yourself. **If you choose 'n' and UFW is active, the script will disable UFW entirely** to guarantee the script can complete.
+
+## Post-Installation
+
+Once the script finishes, you will have a fully functional and secure Open WebUI instance.
+
+-   **Access Your Instance:** `https://your.domain.com`
+-   **Admin Account:** The first user to register on the site will automatically be granted administrator privileges.
+-   **Automations:** All automated services (system updates, container updates, reboots) are running in the background. No further action is needed.
+
+### Rerunning the Script
+
+The script is designed to be idempotent (safe to run multiple times). If you need to change a setting or switch from a staging certificate to a production one, you can simply re-run `./onepush.sh`. It will overwrite the existing configurations with the new ones.
+
+The most common reason to re-run the script is to get a production SSL certificate after testing with the staging environment.
+
+## Security Considerations
+
+-   **Fail2Ban:** The jail `[open-webui]` is configured in `/etc/fail2ban/jail.d/open-webui.local`. It monitors the Nginx log file (`/var/log/nginx/your.domain.com.access.log`) for failed sign-in attempts (`POST /api/v1/auths/signin` with a `400` status code). After 5 failures, the offending IP is banned for 24 hours.
+-   **Firewall:** The script binds the Open WebUI Docker container to the localhost interface (`127.0.0.1:3000`), meaning it is not directly exposed to the internet. Only Nginx can access it. If you opt-out of UFW management, you are responsible for ensuring a firewall (either on the host or at the network level) is configured to allow traffic on ports 80 and 443.
+
+## License
+
+This project is licensed under the MIT License. See the [LICENSE](LICENSE) file for details.
\ No newline at end of file