From 26a35719eb666e80ca2b31c35e2c9ea18e2c93fe Mon Sep 17 00:00:00 2001 From: Adam French Date: Thu, 30 Apr 2026 15:51:27 +0100 Subject: [PATCH] Add Open-WebUI service behind /openwebui/ admin gate Co-Authored-By: Claude Opus 4.7 --- docker-compose.yml | 18 ++++++++++++++ nginx/entrypoint.sh | 4 ++-- nginx/nginx.conf.template | 22 ++++++++++++++++++ nginx/nginx_dev.conf.template | 44 +++++++++++++++++++++++++++++++++++ 4 files changed, 86 insertions(+), 2 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index 991f90a..9b392f6 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -14,6 +14,8 @@ volumes: vue_dist: # Searxng data searxng_data: + # Open-WebUI data + openwebui_data: services: vue: @@ -41,6 +43,7 @@ services: - hasura - quartz - searxng + - open-webui networks: - app-network ports: @@ -170,6 +173,21 @@ services: volumes: - searxng_data:/etc/searxng + open-webui: + image: ghcr.io/open-webui/open-webui:main + container_name: "${OPENWEBUI_HOST}" + restart: always + networks: + - app-network + env_file: + - ./.env + environment: + - OLLAMA_BASE_URL=${OLLAMA_BASE_URL} + - WEBUI_AUTH=False + - WEBUI_URL=https://www.${DOMAIN}/openwebui + volumes: + - openwebui_data:/app/backend/data + gitea: image: docker.gitea.com/gitea:1.25.4-rootless container_name: "${GITEA_HOST}" diff --git a/nginx/entrypoint.sh b/nginx/entrypoint.sh index 64bf332..2ed89eb 100755 --- a/nginx/entrypoint.sh +++ b/nginx/entrypoint.sh 
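Review bot: `WEBUI_AUTH=False` in the new `open-webui` service turns off Open-WebUI's own login, so the nginx `auth_request` on `/openwebui/` is the only access control, and anything else that can reach the container on `app-network` gets an unauthenticated session. The hunk publishes no `ports:`, which keeps that exposure internal; a comment above the variable, such as `# Auth is enforced only by nginx (/openwebui/ auth_request); never publish this port`, would record the dependency. `image: ghcr.io/open-webui/open-webui:main` is a floating tag, unlike the pinned gitea image just below, so each pull can bring in different code; pin a release tag or digest, e.g. `image: ghcr.io/open-webui/open-webui:<release-tag>@sha256:<digest>`. `env_file: ./.env` also hands the container every variable in that file, presumably including other services' credentials, although the `environment:` list already names the ones it needs.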
@@ -13,13 +13,13 @@ if [ "$DEV_MODE" = "true" ]; then -subj "/CN=localhost" 2>/dev/null fi # In dev mode, so use nginx_dev.conf.template - envsubst '${DOMAIN} ${BACKEND_HOST} ${BACKEND_PORT} ${BACKEND_ENDPOINT} ${ICECAST_HOST} ${ICECAST_PORT} ${GITEA_HOST} ${GITEA_PORT} ${HASURA_HOST} ${HASURA_PORT} ${QUARTZ_HOST} ${QUARTZ_PORT} ${UPTIMEKUMA_HOST} ${UPTIMEKUMA_PORT} ${SEARXNG_HOST} ${SEARXNG_PORT} ${WALLABAG_HOST} ${WALLABAG_PORT}' \ + envsubst '${DOMAIN} ${BACKEND_HOST} ${BACKEND_PORT} ${BACKEND_ENDPOINT} ${ICECAST_HOST} ${ICECAST_PORT} ${GITEA_HOST} ${GITEA_PORT} ${HASURA_HOST} ${HASURA_PORT} ${QUARTZ_HOST} ${QUARTZ_PORT} ${UPTIMEKUMA_HOST} ${UPTIMEKUMA_PORT} ${SEARXNG_HOST} ${SEARXNG_PORT} ${WALLABAG_HOST} ${WALLABAG_PORT} ${OPENWEBUI_HOST} ${OPENWEBUI_PORT}' \ /etc/nginx/nginx.conf elif [ -f "/etc/letsencrypt/live/$DOMAIN/fullchain.pem" ] && [ -f "/etc/letsencrypt/live/$DOMAIN/privkey.pem" ]; then echo "Certificates found. Using production nginx config." # In production with certificates already existing, so use nginx.conf.template - envsubst '${DOMAIN} ${BACKEND_HOST} ${BACKEND_PORT} ${BACKEND_ENDPOINT} ${ICECAST_HOST} ${ICECAST_PORT} ${GITEA_HOST} ${GITEA_PORT} ${HASURA_HOST} ${HASURA_PORT} ${QUARTZ_HOST} ${QUARTZ_PORT} ${UPTIMEKUMA_HOST} ${UPTIMEKUMA_PORT} ${SEARXNG_HOST} ${SEARXNG_PORT} ${WALLABAG_HOST} ${WALLABAG_PORT}' \ + envsubst '${DOMAIN} ${BACKEND_HOST} ${BACKEND_PORT} ${BACKEND_ENDPOINT} ${ICECAST_HOST} ${ICECAST_PORT} ${GITEA_HOST} ${GITEA_PORT} ${HASURA_HOST} ${HASURA_PORT} ${QUARTZ_HOST} ${QUARTZ_PORT} ${UPTIMEKUMA_HOST} ${UPTIMEKUMA_PORT} ${SEARXNG_HOST} ${SEARXNG_PORT} ${WALLABAG_HOST} ${WALLABAG_PORT} ${OPENWEBUI_HOST} ${OPENWEBUI_PORT}' \ /etc/nginx/nginx.conf else diff --git a/nginx/nginx.conf.template b/nginx/nginx.conf.template index 6a0be40..f961a1f 100644 --- a/nginx/nginx.conf.template +++ b/nginx/nginx.conf.template 
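Review bot: Neither branch checks that `OPENWEBUI_HOST` and `OPENWEBUI_PORT` are set before `envsubst` runs, so a missing value is replaced by an empty string and the rendered config carries `http://:` as the upstream. A guard such as `: "${OPENWEBUI_HOST:?}" "${OPENWEBUI_PORT:?}"` ahead of the `if` (which opens outside the hunk) would stop the container with a clear error instead. The variable list is also maintained by hand in both branches shown, and the `else` branch continues outside the hunk. Holding it once, `NGINX_VARS='${DOMAIN} … ${OPENWEBUI_PORT}'`, and calling `envsubst "$NGINX_VARS"` keeps the copies from drifting.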
@@ -79,6 +79,7 @@ http { set $upstream_hasura http://$HASURA_HOST:$HASURA_PORT; set $upstream_quartz http://$QUARTZ_HOST:$QUARTZ_PORT; set $upstream_searxng http://$SEARXNG_HOST:$SEARXNG_PORT; + set $upstream_openwebui http://$OPENWEBUI_HOST:$OPENWEBUI_PORT; root /etc/nginx/html; index index.html; @@ -288,6 +289,27 @@ http { proxy_set_header X-Forwarded-Proto $scheme; } + location /openwebui { + return 301 /openwebui/; + } + + location /openwebui/ { + auth_request /internal/auth/admin-validate; + error_page 401 403 = @auth_denied; + rewrite ^/openwebui/(.*)$ /$1 break; + proxy_pass $upstream_openwebui; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering off; + proxy_read_timeout 300s; + proxy_send_timeout 300s; + } + } diff --git a/nginx/nginx_dev.conf.template b/nginx/nginx_dev.conf.template index 01d00ea..88539fb 100644 --- a/nginx/nginx_dev.conf.template +++ b/nginx/nginx_dev.conf.template @@ -52,6 +52,7 @@ http { set $upstream_hasura http://$HASURA_HOST:$HASURA_PORT; set $upstream_quartz http://$QUARTZ_HOST:$QUARTZ_PORT; set $upstream_searxng http://$SEARXNG_HOST:$SEARXNG_PORT; + set $upstream_openwebui http://$OPENWEBUI_HOST:$OPENWEBUI_PORT; location /uploads/ { alias /uploads/; 
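Review bot: `location /openwebui` in the `-288` hunk is a prefix match, so it also catches paths such as `/openwebui-x` or `/openwebuifoo/bar` and redirects them to the gated app; an exact match, `location = /openwebui { return 301 /openwebui/; }`, limits it to the bare path. In the proxied block, `proxy_set_header Connection "upgrade";` is sent on every request, not only WebSocket handshakes; the usual form is a `map $http_upgrade $connection_upgrade` in the `http` block with `proxy_set_header Connection $connection_upgrade;`. Because the backend runs with `WEBUI_AUTH=False`, a one-line comment above `auth_request` stating that it is the only authentication for this upstream would help keep it from being removed later. The same two blocks appear in both `nginx_dev.conf.template` hunks (`-205` and `-374`).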
@@ -205,6 +206,27 @@ http { proxy_set_header X-Forwarded-Proto $scheme; } + location /openwebui { + return 301 /openwebui/; + } + + location /openwebui/ { + auth_request /internal/auth/admin-validate; + error_page 401 403 = @auth_denied; + rewrite ^/openwebui/(.*)$ /$1 break; + proxy_pass $upstream_openwebui; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering off; + proxy_read_timeout 300s; + proxy_send_timeout 300s; + } + } @@ -221,6 +243,7 @@ http { set $upstream_hasura http://$HASURA_HOST:$HASURA_PORT; set $upstream_quartz http://$QUARTZ_HOST:$QUARTZ_PORT; set $upstream_searxng http://$SEARXNG_HOST:$SEARXNG_PORT; + set $upstream_openwebui http://$OPENWEBUI_HOST:$OPENWEBUI_PORT; location /uploads/ { alias /uploads/; @@ -374,6 +397,27 @@ http { proxy_set_header X-Forwarded-Proto $scheme; } + location /openwebui { + return 301 /openwebui/; + } + + location /openwebui/ { + auth_request /internal/auth/admin-validate; + error_page 401 403 = @auth_denied; + rewrite ^/openwebui/(.*)$ /$1 break; + proxy_pass $upstream_openwebui; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering off; + proxy_read_timeout 300s; + proxy_send_timeout 300s; + } + }
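Review bot: The gated `/openwebui/` block is now pasted three times across the two templates (once in `nginx.conf.template`, twice here), so a later edit to one copy can leave another without `auth_request`. Moving the two `location` blocks into one file pulled in with `include` from each `server` block would keep a single copy of the gate; only `set $upstream_openwebui …;` needs to stay per server. If the first dev `server` block is the plain-HTTP listener (not visible in the hunk), consider whether the admin UI should be proxied there at all or only redirected to HTTPS.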