# Automated Open WebUI Installer for Debian ![Debian](https://img.shields.io/badge/OS-Debian-A81D33?style=for-the-badge&logo=debian)![License](https://img.shields.io/badge/License-MIT-blue.svg?style=for-the-badge) A single, robust, and intelligent shell script to fully automate the deployment of [Open WebUI](https://github.com/open-webui/open-webui) on a Debian server. This script transforms a manual setup process into a production-ready, one-shot command, complete with security hardening and full life-cycle automation. This project was born from an iterative process of converting a manual guide into a fully automated script, adding features and fixing real-world deployment issues like Let's Encrypt rate limits, firewall pre-configurations, and fragile cron job commands. ## Features - **Fully Automated Deployment:** Runs non-interactively after an initial prompt for configuration details. - **Security First:** - **Firewall Aware:** Intelligently detects and manages `UFW`, ensuring web ports are open or disabling it decisively to prevent silent failures. - **Brute-Force Protection:** Installs and configures `Fail2Ban` with a precise filter to block IPs that repeatedly fail login attempts. - **Robust Service Management:** Deploys Open WebUI via Docker, the recommended method, with the application port bound securely to the local interface. - **Automatic HTTPS:** Uses Nginx as a reverse proxy and `Certbot` to automatically obtain and renew a free Let's Encrypt SSL certificate. - **Production-Ready Automation:** - **System Updates:** Configures `unattended-upgrades` to automatically apply system security patches. - **Container Updates:** Deploys `Watchtower` to automatically update the Open WebUI container to the latest version. - **Scheduled Reboots:** Implements a robust weekly reboot via a cron job for system health and to apply kernel updates. - **Intelligent & Flexible:** - Handles both root domains (with/without `www`) and subdomains correctly. - Includes a **Let's Encrypt Staging Mode** to prevent rate-limiting during testing. - Uses a reliable `cron.d` file for scheduling, avoiding common scripting pitfalls. ## Prerequisites Before running the script, you will need: 1. A server running **Debian 11 or 12**. 2. `sudo` or `root` access. 3. A domain or subdomain with a DNS **A record** pointing to your server's public IP address. ## Usage 1. Clone this repository to your Debian server: ```bash curl -fsSL -o onepush.sh https://git.r21.io/primemover/onepush/raw/branch/master/onepush.sh ``` 2. Make the script executable: ```bash chmod +x onepush.sh ``` 3. Run the script with `sudo`: ```bash sudo ./onepush.sh ``` The script will then prompt you for the necessary configuration details before proceeding with the automated installation. ### The Interactive Prompts The script will ask you a few questions to configure your environment: - **`Enter your domain or subdomain`**: The public-facing URL for your Open WebUI instance (e.g., `ai.example.com`). - **`Enter your email address`**: Used by Let's Encrypt for certificate registration and renewal notices. - **`Also secure the 'www' version? [y/N]`**: - Answer `y` if you are using a root domain (like `example.com`) and have a DNS record for `www.example.com`. - Answer `N` (the default) if you are using a subdomain (like `ai.example.com`). - **`Use Let's Encrypt staging environment? [y/N]`**: - **Crucial for testing.** Answer `y` if you are running the script for the first time or for testing purposes. This avoids hitting Let's Encrypt's strict rate limits. Your site will work but will show a browser security warning. - Answer `N` (the default) for your final, production deployment. - **`Allow this script to manage UFW rules? [Y/n]`**: - The script auto-detects if `UFW` is installed (as it is on Vultr's Debian images). - Answer `Y` (the default) to have the script automatically add the `allow 'Nginx Full'` rule. - Answer `n` if you want to manage the firewall yourself. **If you choose 'n' and UFW is active, the script will disable UFW entirely** to guarantee the script can complete. ## Post-Installation Once the script finishes, you will have a fully functional and secure Open WebUI instance. - **Access Your Instance:** `https://your.domain.com` - **Admin Account:** The first user to register on the site will automatically be granted administrator privileges. - **Automations:** All automated services (system updates, container updates, reboots) are running in the background. No further action is needed. ### Rerunning the Script The script is designed to be idempotent (safe to run multiple times). If you need to change a setting or switch from a staging certificate to a production one, you can simply re-run `./onepush.sh`. It will overwrite the existing configurations with the new ones. The most common reason to re-run the script is to get a production SSL certificate after testing with the staging environment. ## Security Considerations - **Fail2Ban:** The jail `[open-webui]` is configured in `/etc/fail2ban/jail.d/open-webui.local`. It monitors the Nginx log file (`/var/log/nginx/your.domain.com.access.log`) for failed sign-in attempts (`POST /api/v1/auths/signin` with a `400` status code). After 5 failures, the offending IP is banned for 24 hours. - **Firewall:** The script binds the Open WebUI Docker container to the localhost interface (`127.0.0.1:3000`), meaning it is not directly exposed to the internet. Only Nginx can access it. If you opt-out of UFW management, you are responsible for ensuring a firewall (either on the host or at the network level) is configured to allow traffic on ports 80 and 443. ## License This project is licensed under the MIT License. See the [LICENSE](LICENSE) file for details.