From be9da6eb254e8a0fefb1de4ed2c922d28009984d Mon Sep 17 00:00:00 2001 From: first Date: Tue, 8 Jul 2025 07:23:54 +0000 Subject: [PATCH] Update README.md --- README.md | 93 +++++++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 91 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 1707893..d2ad057 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,92 @@ -# onepush +# Automated Open WebUI Installer for Debian -Open WebUI setup - Due to time constraints, get it all out in one go \ No newline at end of file +![Debian](https://img.shields.io/badge/OS-Debian-A81D33?style=for-the-badge&logo=debian)![License](https://img.shields.io/badge/License-MIT-blue.svg?style=for-the-badge) + +A single, robust, and intelligent shell script to fully automate the deployment of [Open WebUI](https://github.com/open-webui/open-webui) on a Debian server. This script transforms a manual setup process into a production-ready, one-shot command, complete with security hardening and full life-cycle automation. + +This project was born from an iterative process of converting a manual guide into a fully automated script, adding features and fixing real-world deployment issues like Let's Encrypt rate limits, firewall pre-configurations, and fragile cron job commands. + +## Features + +- **Fully Automated Deployment:** Runs non-interactively after an initial prompt for configuration details. +- **Security First:** + - **Firewall Aware:** Intelligently detects and manages `UFW`, ensuring web ports are open or disabling it decisively to prevent silent failures. + - **Brute-Force Protection:** Installs and configures `Fail2Ban` with a precise filter to block IPs that repeatedly fail login attempts. +- **Robust Service Management:** Deploys Open WebUI via Docker, the recommended method, with the application port bound securely to the local interface. +- **Automatic HTTPS:** Uses Nginx as a reverse proxy and `Certbot` to automatically obtain and renew a free Let's Encrypt SSL certificate. +- **Production-Ready Automation:** + - **System Updates:** Configures `unattended-upgrades` to automatically apply system security patches. + - **Container Updates:** Deploys `Watchtower` to automatically update the Open WebUI container to the latest version. + - **Scheduled Reboots:** Implements a robust weekly reboot via a cron job for system health and to apply kernel updates. +- **Intelligent & Flexible:** + - Handles both root domains (with/without `www`) and subdomains correctly. + - Includes a **Let's Encrypt Staging Mode** to prevent rate-limiting during testing. + - Uses a reliable `cron.d` file for scheduling, avoiding common scripting pitfalls. + +## Prerequisites + +Before running the script, you will need: + +1. A server running **Debian 11 or 12**. +2. `sudo` or `root` access. +3. A domain or subdomain with a DNS **A record** pointing to your server's public IP address. + +## Usage + +1. Clone this repository to your Debian server: + ```bash + git clone + cd + ``` + +2. Make the script executable: + ```bash + chmod +x onepush.sh + ``` + +3. Run the script with `sudo`: + ```bash + sudo ./onepush.sh + ``` + +The script will then prompt you for the necessary configuration details before proceeding with the automated installation. + +### The Interactive Prompts + +The script will ask you a few questions to configure your environment: + +- **`Enter your domain or subdomain`**: The public-facing URL for your Open WebUI instance (e.g., `ai.example.com`). +- **`Enter your email address`**: Used by Let's Encrypt for certificate registration and renewal notices. +- **`Also secure the 'www' version? [y/N]`**: + - Answer `y` if you are using a root domain (like `example.com`) and have a DNS record for `www.example.com`. + - Answer `N` (the default) if you are using a subdomain (like `ai.example.com`). +- **`Use Let's Encrypt staging environment? [y/N]`**: + - **Crucial for testing.** Answer `y` if you are running the script for the first time or for testing purposes. This avoids hitting Let's Encrypt's strict rate limits. Your site will work but will show a browser security warning. + - Answer `N` (the default) for your final, production deployment. +- **`Allow this script to manage UFW rules? [Y/n]`**: + - The script auto-detects if `UFW` is installed (as it is on Vultr's Debian images). + - Answer `Y` (the default) to have the script automatically add the `allow 'Nginx Full'` rule. + - Answer `n` if you want to manage the firewall yourself. **If you choose 'n' and UFW is active, the script will disable UFW entirely** to guarantee the script can complete. + +## Post-Installation + +Once the script finishes, you will have a fully functional and secure Open WebUI instance. + +- **Access Your Instance:** `https://your.domain.com` +- **Admin Account:** The first user to register on the site will automatically be granted administrator privileges. +- **Automations:** All automated services (system updates, container updates, reboots) are running in the background. No further action is needed. + +### Rerunning the Script + +The script is designed to be idempotent (safe to run multiple times). If you need to change a setting or switch from a staging certificate to a production one, you can simply re-run `./onepush.sh`. It will overwrite the existing configurations with the new ones. + +The most common reason to re-run the script is to get a production SSL certificate after testing with the staging environment. + +## Security Considerations + +- **Fail2Ban:** The jail `[open-webui]` is configured in `/etc/fail2ban/jail.d/open-webui.local`. It monitors the Nginx log file (`/var/log/nginx/your.domain.com.access.log`) for failed sign-in attempts (`POST /api/v1/auths/signin` with a `400` status code). After 5 failures, the offending IP is banned for 24 hours. +- **Firewall:** The script binds the Open WebUI Docker container to the localhost interface (`127.0.0.1:3000`), meaning it is not directly exposed to the internet. Only Nginx can access it. If you opt-out of UFW management, you are responsible for ensuring a firewall (either on the host or at the network level) is configured to allow traffic on ports 80 and 443. + +## License + +This project is licensed under the MIT License. See the [LICENSE](LICENSE) file for details. \ No newline at end of file