5.8 KiB
Automated Open WebUI Installer for Debian
A single, robust, and intelligent shell script to fully automate the deployment of Open WebUI on a Debian server. This script transforms a manual setup process into a production-ready, one-shot command, complete with security hardening and full life-cycle automation.
This project was born from an iterative process of converting a manual guide into a fully automated script, adding features and fixing real-world deployment issues like Let's Encrypt rate limits, firewall pre-configurations, and fragile cron job commands.
Features
- Fully Automated Deployment: Runs non-interactively after an initial prompt for configuration details.
- Security First:
- Firewall Aware: Intelligently detects and manages
UFW
, ensuring web ports are open or disabling it decisively to prevent silent failures. - Brute-Force Protection: Installs and configures
Fail2Ban
with a precise filter to block IPs that repeatedly fail login attempts.
- Firewall Aware: Intelligently detects and manages
- Robust Service Management: Deploys Open WebUI via Docker, the recommended method, with the application port bound securely to the local interface.
- Automatic HTTPS: Uses Nginx as a reverse proxy and
Certbot
to automatically obtain and renew a free Let's Encrypt SSL certificate. - Production-Ready Automation:
- System Updates: Configures
unattended-upgrades
to automatically apply system security patches. - Container Updates: Deploys
Watchtower
to automatically update the Open WebUI container to the latest version. - Scheduled Reboots: Implements a robust weekly reboot via a cron job for system health and to apply kernel updates.
- System Updates: Configures
- Intelligent & Flexible:
- Handles both root domains (with/without
www
) and subdomains correctly. - Includes a Let's Encrypt Staging Mode to prevent rate-limiting during testing.
- Uses a reliable
cron.d
file for scheduling, avoiding common scripting pitfalls.
- Handles both root domains (with/without
Prerequisites
Before running the script, you will need:
- A server running Debian 11 or 12.
sudo
orroot
access.- A domain or subdomain with a DNS A record pointing to your server's public IP address.
Usage
-
Clone this repository to your Debian server:
git clone <your-repository-url> cd <repository-directory>
-
Make the script executable:
chmod +x onepush.sh
-
Run the script with
sudo
:sudo ./onepush.sh
The script will then prompt you for the necessary configuration details before proceeding with the automated installation.
The Interactive Prompts
The script will ask you a few questions to configure your environment:
Enter your domain or subdomain
: The public-facing URL for your Open WebUI instance (e.g.,ai.example.com
).Enter your email address
: Used by Let's Encrypt for certificate registration and renewal notices.Also secure the 'www' version? [y/N]
:- Answer
y
if you are using a root domain (likeexample.com
) and have a DNS record forwww.example.com
. - Answer
N
(the default) if you are using a subdomain (likeai.example.com
).
- Answer
Use Let's Encrypt staging environment? [y/N]
:- Crucial for testing. Answer
y
if you are running the script for the first time or for testing purposes. This avoids hitting Let's Encrypt's strict rate limits. Your site will work but will show a browser security warning. - Answer
N
(the default) for your final, production deployment.
- Crucial for testing. Answer
Allow this script to manage UFW rules? [Y/n]
:- The script auto-detects if
UFW
is installed (as it is on Vultr's Debian images). - Answer
Y
(the default) to have the script automatically add theallow 'Nginx Full'
rule. - Answer
n
if you want to manage the firewall yourself. If you choose 'n' and UFW is active, the script will disable UFW entirely to guarantee the script can complete.
- The script auto-detects if
Post-Installation
Once the script finishes, you will have a fully functional and secure Open WebUI instance.
- Access Your Instance:
https://your.domain.com
- Admin Account: The first user to register on the site will automatically be granted administrator privileges.
- Automations: All automated services (system updates, container updates, reboots) are running in the background. No further action is needed.
Rerunning the Script
The script is designed to be idempotent (safe to run multiple times). If you need to change a setting or switch from a staging certificate to a production one, you can simply re-run ./onepush.sh
. It will overwrite the existing configurations with the new ones.
The most common reason to re-run the script is to get a production SSL certificate after testing with the staging environment.
Security Considerations
- Fail2Ban: The jail
[open-webui]
is configured in/etc/fail2ban/jail.d/open-webui.local
. It monitors the Nginx log file (/var/log/nginx/your.domain.com.access.log
) for failed sign-in attempts (POST /api/v1/auths/signin
with a400
status code). After 5 failures, the offending IP is banned for 24 hours. - Firewall: The script binds the Open WebUI Docker container to the localhost interface (
127.0.0.1:3000
), meaning it is not directly exposed to the internet. Only Nginx can access it. If you opt-out of UFW management, you are responsible for ensuring a firewall (either on the host or at the network level) is configured to allow traffic on ports 80 and 443.
License
This project is licensed under the MIT License. See the LICENSE file for details.