131 lines
No EOL
7.5 KiB
Markdown
131 lines
No EOL
7.5 KiB
Markdown
# Automated Open WebUI & SearXNG Installer
|
|
|
|
|
|
|
|
A single, robust, and intelligent shell script to fully automate the deployment of [Open WebUI](https://github.com/open-webui/open-webui) and an optional, private [SearXNG](https://github.com/searxng/searxng) instance on a Debian server. This script transforms a manual setup process into a production-ready, one-shot command, complete with security hardening and full life-cycle automation.
|
|
|
|
This project was born from an iterative process of converting a manual guide into a fully automated script, adding features and fixing real-world deployment issues like Let's Encrypt rate limits, firewall pre-configurations, fragile cron jobs, and complex multi-container networking and configuration bugs.
|
|
|
|
## Features
|
|
|
|
- **Fully Automated Deployment:** Runs non-interactively after an initial prompt for configuration details.
|
|
- **Optional SearXNG Stack:**
|
|
- Deploys a private SearXNG instance on a secure Docker network.
|
|
- Exposes it publicly on a separate subdomain with Basic Auth protection.
|
|
- Allows internal access from Open WebUI tools without authentication for fast, secure searching.
|
|
- Supports an optional Brave Search API key for enhanced, ad-free results.
|
|
- **Adds a custom JSON engine** to SearXNG for advanced integrations.
|
|
- **Security First:**
|
|
- **Firewall Aware:** Intelligently detects and manages `UFW`.
|
|
- **Brute-Force Protection:** Installs and configures `Fail2Ban` to protect the Open WebUI login.
|
|
- **Robust Service Management:** Deploys services via Docker on a shared private network, the recommended method.
|
|
- **Automatic HTTPS:** Uses Nginx as a reverse proxy and `Certbot` to automatically obtain and renew free Let's Encrypt SSL certificates.
|
|
- **Production-Ready Automation:**
|
|
- **System Updates:** Configures `unattended-upgrades`.
|
|
- **Container Updates:** Deploys `Watchtower` for automatic container updates.
|
|
- **Scheduled Reboots:** Implements a robust weekly reboot via a `cron.d` file.
|
|
|
|
## Prerequisites
|
|
|
|
Before running the script, you will need:
|
|
|
|
1. A server running **Debian 11 or 12**.
|
|
2. `sudo` or `root` access.
|
|
3. A domain for Open WebUI (e.g., `ai.example.com`) with a DNS **A record** pointing to your server's IP.
|
|
4. **If deploying SearXNG**, a second domain (e.g., `search.example.com`) also pointing to your server's IP. *(The script uses `search.example.com` by default but the variable can be changed)*.
|
|
|
|
## Usage
|
|
|
|
1. Download the script to your Debian server:
|
|
```bash
|
|
curl -fsSL -o onepush.sh https://git.r21.io/primemover/onepush/raw/branch/master/onepush.sh
|
|
```
|
|
2. Make the script executable:
|
|
```bash
|
|
chmod +x onepush.sh
|
|
```
|
|
3. Run the script with `sudo`:
|
|
```bash
|
|
sudo ./onepush.sh
|
|
```
|
|
|
|
### The Interactive Prompts
|
|
|
|
The script will ask you a few questions to configure your environment:
|
|
|
|
- **`Enter your domain or subdomain`**: The public-facing URL for your Open WebUI instance (e.g., `ai.example.com`).
|
|
- **`Enter your email address`**: Used by Let's Encrypt for certificate registration and renewal notices.
|
|
- **`Also secure the 'www' version? [y/N]`**:
|
|
- Answer `y` if you are using a root domain (like `example.com`) and have a DNS record for `www.example.com`.
|
|
- Answer `N` (the default) if you are using a subdomain (like `ai.example.com`).
|
|
- **`Use Let's Encrypt staging environment? [y/N]`**:
|
|
- **Crucial for testing.** Answer `y` if you are running the script for the first time or for testing purposes. This avoids hitting Let's Encrypt's strict rate limits. Your site will work but will show a browser security warning.
|
|
- Answer `N` (the default) for your final, production deployment.
|
|
- **`Allow this script to manage UFW rules? [Y/n]`**:
|
|
- The script auto-detects if `UFW` is installed (as it is on Vultr's Debian images).
|
|
- Answer `Y` (the default) to have the script automatically add the `allow 'Nginx Full'` rule.
|
|
- Answer `n` if you want to manage the firewall yourself. **If you choose 'n' and UFW is active, the script will disable UFW entirely** to guarantee the script can complete.
|
|
|
|
The script will then prompt you for the necessary configuration details before proceeding with the automated installation.
|
|
|
|
## Post-Installation
|
|
|
|
Once the script finishes, you will have a fully functional and secure Open WebUI instance.
|
|
|
|
- **Access Your Instance:** `https://ai.example.com`
|
|
- **Access SearXNG:** `https://search.example.com` (user: `admin`, with the password you set during installation).
|
|
- **Admin Account:** The first user to register on the site will automatically be granted administrator privileges.
|
|
- **Automations:** All automated services (system updates, container updates, reboots) are running in the background. No further action is needed.
|
|
|
|
### Rerunning the Script
|
|
|
|
The script is designed to be idempotent (safe to run multiple times). If you need to change a setting or switch from a staging certificate to a production one, you can simply re-run `./onepush.sh`. It will overwrite the existing configurations with the new ones.
|
|
|
|
The most common reason to re-run the script is to get a production SSL certificate after testing with the staging environment.
|
|
|
|
## Security Considerations
|
|
|
|
- **Fail2Ban:** The jail `[open-webui]` is configured in `/etc/fail2ban/jail.d/open-webui.local`. It monitors the Nginx log file (`/var/log/nginx/ai.example.com.access.log`) for failed sign-in attempts (`POST /api/v1/auths/signin` with a `400` status code). After 5 failures, the offending IP is banned for 24 hours.
|
|
- **Firewall:** The script binds the Open WebUI Docker container to the localhost interface (`127.0.0.1:3000`), meaning it is not directly exposed to the internet. Only Nginx can access it. If you opt-out of UFW management, you are responsible for ensuring a firewall (either on the host or at the network level) is configured to allow traffic on ports 80 and 443.
|
|
|
|
### Using Your Private SearXNG Instance
|
|
|
|
If you deployed SearXNG, you now have two powerful ways to enable web search for your models.
|
|
|
|
#### Option A: Native Web Search (Recommended)
|
|
|
|
This is the simplest and most integrated method.
|
|
|
|
1. Log in to Open WebUI as an admin.
|
|
2. Go to the **Admin Panel** -> **Settings** -> **Web Search**.
|
|
3. Enable the **Web Search** toggle.
|
|
4. In the **SearXNG URL** field, enter: `http://searxng:8080`
|
|
*(This special URL works because the containers can talk to each other directly over their private Docker network).*
|
|
5. Click **Save**.
|
|
|
|
You can now enable the "Web Search" capability for any model in the "Models" section of your settings.
|
|
|
|
#### Option B: Advanced Python Research Tool
|
|
|
|
This method provides more granular control and is useful for complex workflows.
|
|
|
|
1. Go to **Settings** -> **Tools** and click **Add Tool**.
|
|
2. In the **Load from URL** field, paste the following link and click the load button:
|
|
```
|
|
https://raw.githubusercontent.com/iamarcel/open-webui-utils/main/research_tool.py
|
|
```
|
|
3. Click the **Settings** tab in the tool editor (the gear icon).
|
|
4. In the **Environment Variables** section, add the following key-value pair:
|
|
- **Key:** `SEARXNG_BASE_URL`
|
|
- **Value:** `http://searxng:8080`
|
|
5. Click **Save**.
|
|
|
|
The tool is now installed and can be called in any chat using `@research`.
|
|
|
|
## Backups
|
|
|
|
See [`regularbm.sh`](https://git.r21.io/primemover/regularbm).
|
|
|
|
## License
|
|
|
|
This project is licensed under the MIT License. See the [LICENSE](LICENSE) file for details. |