Open WebUI Venv Deploy Role¶
Deploys Open WebUI on Ubuntu using a uv-managed virtualenv and systemd, with Traefik routing and optional basic auth.
Quick Start¶
- hosts: macmini
become: true
roles:
- role: local.ops_library.open_webui_venv_deploy
vars:
open_webui_ollama_base_url: "http://studio.tailde2ec.ts.net:11434"
open_webui_traefik_host: "open-webui.home.xn--wersdrfer-47a.de"
open_webui_basic_auth_user: "admin"
open_webui_basic_auth_password: "CHANGEME"
open_webui_data_dir: "/mnt/cryptdata/open-webui/data"
Note: the inventory host is macstudio, but the Tailscale hostname is studio.tailde2ec.ts.net (not macstudio.tailde2ec.ts.net). Use the studio hostname for open_webui_ollama_base_url.
Architecture¶
Open WebUI runs directly from a uv-managed virtualenv.
A systemd service executes
open-webui serveon the configured port.DATA_DIRis set explicitly to ensure persistent data is stored outside the venv.Traefik routes HTTPS traffic to the loopback-bound service with optional basic auth.
Role Variables¶
Variable |
Default |
Description |
|---|---|---|
|
|
Base directory for the app and venv. |
|
|
Persistent Open WebUI data directory. |
|
|
Log directory (for future use). |
|
|
Environment file path. |
|
|
Virtualenv path. |
|
|
Python version installed via uv. |
|
|
Package spec for uv pip install (e.g., |
|
|
Path to the uv binary. |
|
|
Install uv automatically via |
|
|
Bind host passed to |
|
|
Port for |
|
|
Add |
|
|
Additional CLI args passed to |
|
|
Ollama base URL Open WebUI should use. |
|
|
Optional |
|
|
Whether to set |
|
|
Optional OpenAI API key. |
|
|
Optional OpenAI-compatible base URL. |
|
|
Extra environment variables to append to the env file. |
|
|
Manage Traefik routing. |
|
|
Hostname routed via Traefik. |
|
|
Enable basic auth for external access. |
|
|
Basic auth username. |
|
|
Basic auth password (bcrypt hash generated). |
|
|
Pre-generated bcrypt hash (overrides password). |
|
RFC1918 + Tailnet ranges |
IPs that bypass basic auth. |
Environment Variables¶
The role renders an env file with the following Open WebUI settings (if non-empty):
OLLAMA_BASE_URL- base URL for Ollama.WEBUI_AUTH- set tofalseonly for first-time setup (Open WebUI defaults to auth enabled).WEBUI_SECRET_KEY- optional secret for session signing (recommended for production).OPENAI_API_KEY- optional OpenAI key for external providers.OPENAI_API_BASE_URL- optional OpenAI-compatible base URL.
You can provide any additional env vars via open_webui_extra_env.
Storage¶
Open WebUI stores its persistent data under DATA_DIR. This role sets DATA_DIR={{ open_webui_data_dir }} so upgrades
keep user data intact.
Traefik Routing¶
Traefik uses a dual-router pattern:
Internal IPs bypass basic auth.
External access requires basic auth.
The Traefik dynamic config path defaults to /etc/traefik/dynamic/open-webui.yml via open_webui_traefik_config_path. In ops-control, the basic auth inputs typically map to traefik_secrets.basic_auth_user and traefik_secrets.basic_auth_password.
Set open_webui_traefik_entrypoints, open_webui_traefik_middlewares, and open_webui_traefik_cert_resolver
if your Traefik instance needs custom settings.
Testing¶
systemctl status open-webui
curl -fsS http://127.0.0.1:3000/
Deploy preflight (ops-control)¶
The ops-control deploy playbook includes a port-collision preflight. If you intentionally need to bypass it, use:
SKIP_PREFLIGHT_PORTS=true just deploy-one open_webui
Or when calling Ansible directly:
ansible-playbook -e skip_preflight_ports=true playbooks/deploy-open-webui.yml
Troubleshooting¶
Service does not start¶
Check
journalctl -u open-webui -ffor errors.Ensure
{{ open_webui_venv_path }}/bin/open-webuiexists.If the CLI does not support
--host, setopen_webui_use_host_flag=false.
Traefik route not responding¶
Confirm
/etc/traefik/dynamic/open-webui.ymlexists.Restart Traefik (
systemctl restart traefik).
Removal¶
Use the open_webui_venv_remove role to stop the service and clean up data when desired.