Open WebUI Deploy Role¶
Deploys Open WebUI on Ubuntu using Docker Compose and exposes it through Traefik with optional basic auth.
Quick Start¶
- hosts: macmini
become: true
roles:
- role: local.ops_library.open_webui_deploy
vars:
open_webui_ollama_base_url: "http://studio.tailde2ec.ts.net:11434"
open_webui_traefik_host: "open-webui.home.xn--wersdrfer-47a.de"
open_webui_basic_auth_user: "admin"
open_webui_basic_auth_password: "CHANGEME"
Note: the inventory host is macstudio, but the Tailscale hostname is studio.tailde2ec.ts.net (not macstudio.tailde2ec.ts.net). Use the studio hostname for open_webui_ollama_base_url.
Architecture¶
Open WebUI runs as a Docker container managed by a systemd oneshot unit.
Traefik routes HTTPS traffic to the local container port bound on loopback.
Persistent state is stored in a host bind mount that maps to
/app/backend/datainside the container.
Role Variables¶
Variable |
Default |
Description |
|---|---|---|
|
|
Docker image tag to deploy. |
|
|
Host interface used for the container bind. |
|
|
Host port bound to the container. |
|
|
Container port for Open WebUI. |
|
|
Directory holding compose + env files. |
|
|
Persistent storage mapped to |
|
|
Ollama base URL Open WebUI should use. |
|
|
Optional |
|
|
Whether to set |
|
|
Optional OpenAI API key. |
|
|
Optional OpenAI-compatible base URL. |
|
|
Extra environment variables to append to |
|
|
Manage Traefik routing. |
|
|
Hostname routed via Traefik. |
|
|
Enable basic auth for external access. |
|
|
Basic auth username. |
|
|
Basic auth password (bcrypt hash generated). |
|
|
Pre-generated bcrypt hash (overrides password). |
|
RFC1918 + Tailnet ranges |
IPs that bypass basic auth. |
Environment Variables¶
The role renders an .env file with the following Open WebUI settings (if non-empty):
OLLAMA_BASE_URL– base URL for Ollama.WEBUI_AUTH– set tofalseonly for first-time setup (Open WebUI defaults to auth enabled).WEBUI_SECRET_KEY– optional secret for session signing (recommended for production).OPENAI_API_KEY– optional OpenAI key for external providers.OPENAI_API_BASE_URL– optional OpenAI-compatible base URL.
You can provide any additional env vars via open_webui_extra_env.
Storage¶
Open WebUI stores its persistent data under /app/backend/data inside the container. This role maps that path
from open_webui_data_dir on the host so upgrades keep user data intact.
Traefik Routing¶
Traefik uses a dual-router pattern:
Internal IPs bypass basic auth.
External access requires basic auth.
The Traefik dynamic config path defaults to /etc/traefik/dynamic/open-webui.yml via open_webui_traefik_config_path. In ops-control, the basic auth inputs typically map to traefik_secrets.basic_auth_user and traefik_secrets.basic_auth_password.
Set open_webui_traefik_entrypoints, open_webui_traefik_middlewares, and open_webui_traefik_cert_resolver
if your Traefik instance needs custom settings.
Testing¶
# Check container status
systemctl status open-webui
# Verify local HTTP response
curl -fsS http://127.0.0.1:3000/
Deploy preflight (ops-control)¶
The ops-control deploy playbook includes a port-collision preflight. If you intentionally need to bypass it, use:
SKIP_PREFLIGHT_PORTS=true just deploy-one open_webui
Or when calling Ansible directly:
ansible-playbook -e skip_preflight_ports=true playbooks/deploy-open-webui.yml
Troubleshooting¶
Service does not start¶
Check
journalctl -u open-webui -ffor Docker errors.Ensure Docker Compose v2 is installed (
docker compose version).
Traefik route not responding¶
Confirm
/etc/traefik/dynamic/open-webui.ymlexists.Restart Traefik (
systemctl restart traefik).
Removal¶
Use the open_webui_remove role to stop the service and clean up data when desired.