Open WebUI setup - Due to time constraints, get it all out in one go
Find a file
2025-07-11 06:53:44 +00:00
LICENSE Initial commit 2025-07-08 07:18:03 +00:00
onepush.sh progress 2025-07-11 06:53:44 +00:00
README.md Curl 2025-07-08 16:21:25 +00:00

Automated Open WebUI Installer for Debian

DebianLicense

A single, robust, and intelligent shell script to fully automate the deployment of Open WebUI on a Debian server. This script transforms a manual setup process into a production-ready, one-shot command, complete with security hardening and full life-cycle automation.

This project was born from an iterative process of converting a manual guide into a fully automated script, adding features and fixing real-world deployment issues like Let's Encrypt rate limits, firewall pre-configurations, and fragile cron job commands.

Features

  • Fully Automated Deployment: Runs non-interactively after an initial prompt for configuration details.
  • Security First:
    • Firewall Aware: Intelligently detects and manages UFW, ensuring web ports are open or disabling it decisively to prevent silent failures.
    • Brute-Force Protection: Installs and configures Fail2Ban with a precise filter to block IPs that repeatedly fail login attempts.
  • Robust Service Management: Deploys Open WebUI via Docker, the recommended method, with the application port bound securely to the local interface.
  • Automatic HTTPS: Uses Nginx as a reverse proxy and Certbot to automatically obtain and renew a free Let's Encrypt SSL certificate.
  • Production-Ready Automation:
    • System Updates: Configures unattended-upgrades to automatically apply system security patches.
    • Container Updates: Deploys Watchtower to automatically update the Open WebUI container to the latest version.
    • Scheduled Reboots: Implements a robust weekly reboot via a cron job for system health and to apply kernel updates.
  • Intelligent & Flexible:
    • Handles both root domains (with/without www) and subdomains correctly.
    • Includes a Let's Encrypt Staging Mode to prevent rate-limiting during testing.
    • Uses a reliable cron.d file for scheduling, avoiding common scripting pitfalls.

Prerequisites

Before running the script, you will need:

  1. A server running Debian 11 or 12.
  2. sudo or root access.
  3. A domain or subdomain with a DNS A record pointing to your server's public IP address.

Usage

  1. Clone this repository to your Debian server:

    curl -fsSL -o onepush.sh https://git.r21.io/primemover/onepush/raw/branch/master/onepush.sh
    
  2. Make the script executable:

    chmod +x onepush.sh
    
  3. Run the script with sudo:

    sudo ./onepush.sh
    

The script will then prompt you for the necessary configuration details before proceeding with the automated installation.

The Interactive Prompts

The script will ask you a few questions to configure your environment:

  • Enter your domain or subdomain: The public-facing URL for your Open WebUI instance (e.g., ai.example.com).
  • Enter your email address: Used by Let's Encrypt for certificate registration and renewal notices.
  • Also secure the 'www' version? [y/N]:
    • Answer y if you are using a root domain (like example.com) and have a DNS record for www.example.com.
    • Answer N (the default) if you are using a subdomain (like ai.example.com).
  • Use Let's Encrypt staging environment? [y/N]:
    • Crucial for testing. Answer y if you are running the script for the first time or for testing purposes. This avoids hitting Let's Encrypt's strict rate limits. Your site will work but will show a browser security warning.
    • Answer N (the default) for your final, production deployment.
  • Allow this script to manage UFW rules? [Y/n]:
    • The script auto-detects if UFW is installed (as it is on Vultr's Debian images).
    • Answer Y (the default) to have the script automatically add the allow 'Nginx Full' rule.
    • Answer n if you want to manage the firewall yourself. If you choose 'n' and UFW is active, the script will disable UFW entirely to guarantee the script can complete.

Post-Installation

Once the script finishes, you will have a fully functional and secure Open WebUI instance.

  • Access Your Instance: https://your.domain.com
  • Admin Account: The first user to register on the site will automatically be granted administrator privileges.
  • Automations: All automated services (system updates, container updates, reboots) are running in the background. No further action is needed.

Rerunning the Script

The script is designed to be idempotent (safe to run multiple times). If you need to change a setting or switch from a staging certificate to a production one, you can simply re-run ./onepush.sh. It will overwrite the existing configurations with the new ones.

The most common reason to re-run the script is to get a production SSL certificate after testing with the staging environment.

Security Considerations

  • Fail2Ban: The jail [open-webui] is configured in /etc/fail2ban/jail.d/open-webui.local. It monitors the Nginx log file (/var/log/nginx/your.domain.com.access.log) for failed sign-in attempts (POST /api/v1/auths/signin with a 400 status code). After 5 failures, the offending IP is banned for 24 hours.
  • Firewall: The script binds the Open WebUI Docker container to the localhost interface (127.0.0.1:3000), meaning it is not directly exposed to the internet. Only Nginx can access it. If you opt-out of UFW management, you are responsible for ensuring a firewall (either on the host or at the network level) is configured to allow traffic on ports 80 and 443.

License

This project is licensed under the MIT License. See the LICENSE file for details.