A dual-stack (production + beta) containerized deployment of Open WebUI with Ollama support, securely accessible via Tailscale with automatically-issued valid HTTPS certificates. No port forwarding. No self-signed warnings. Pure private network security.
Current Version: v1.1.0 - Security Hardening & Stability Release
- Open WebUI - Modern web interface for LLM chat and interactions
- Ollama Backend - Local LLM runtime with persistent models
- Tailscale Integration - End-to-end encrypted private network (no port forwarding needed)
- Valid HTTPS Certificates - Automatic certs via Tailscale Serve (zero warnings; currently using HTTP mode while the ACME rate limit recovers, see TROUBLESHOOTING.md)
- Dual-Stack Architecture - Production and beta environments running independently
- Visual Differentiation - Beta marked with red branding for quick identification
- Docker Compose - Reproducible, version-controlled infrastructure
- Interactive TUI - Beautiful terminal interface with keyboard navigation
- Ansible Automation - Enterprise-grade declarative operations
- Security Hardened - 12 critical security & stability improvements in v1.1.0
Security Hardening Release with comprehensive improvements:
- Security Headers - HTTP headers added (X-Frame-Options, X-Content-Type-Options, X-XSS-Protection) to prevent clickjacking and injection attacks
- Tailscale Image - Sidecars use `tailscale/tailscale:unstable` to access the `--service` VIP flag not yet in stable releases; operators should expect upstream changes on upgrade
- Safe Configuration Parsing - Robust YAML parsing prevents injection vulnerabilities in image version detection
- Resource Limits - CPU (4 cores) and memory (8GB) limits enforced per container to prevent OOM crashes
- Robust Error Handling - Error traps with line-number reporting for faster diagnostics
- Improved Container Detection - Fixed race conditions in Tailscale readiness checks
- Consistent Networking - Production and beta stacks now use identical network modes for reliability
- Dynamic Volume Management - Stack destruction now safely handles volumes even if project directory is renamed
- Better TUI Feedback - Dialog now distinguishes between user cancellations and actual errors
- Optimized Log Parsing - Robust image tag parsing prevents configuration errors from YAML format changes
- TUI Cleanup - Removed unnecessary temporary file operations (faster startup)
- Consistent Tailscale Configuration - Both prod and beta use identical HTTPS/HTTP proxying syntax
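A quick post-deployment check for the headers listed above, written as an added example (not part of the jarvis repo): it assumes the stacks answer on the local HTTP ports used in the quick start (8080 prod, 8081 beta), and the two embedded sample responses are constructed, not captured from a real deployment.

```shell
#!/usr/bin/env bash
# Added example, not part of the jarvis repo: confirm that the nginx reverse
# proxy really returns the security headers introduced in v1.1.0.
# Usage: ./check_headers.sh http://localhost:8080   (prod)
#        ./check_headers.sh http://localhost:8081   (beta)

REQUIRED_HEADERS="x-frame-options x-content-type-options x-xss-protection"

# Constructed sample responses (not captured from a real deployment).
SAMPLE_HARDENED='HTTP/1.1 200 OK
Server: nginx
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block'

SAMPLE_MISSING='HTTP/1.1 200 OK
Server: nginx
X-Content-Type-Options: nosniff'

# check_headers <raw response headers>
# Prints one "MISSING: <name>" line per absent header (case-insensitive match,
# CRLF line endings tolerated) and returns 0 only when every header is present.
check_headers() {
    local headers missing=0 h
    headers=$(printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]')
    for h in $REQUIRED_HEADERS; do
        if ! printf '%s\n' "$headers" | grep -q "^$h:"; then
            echo "MISSING: $h"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# fetch_headers <url>: HEAD request, response headers only, short timeout.
fetch_headers() {
    curl -sS -I --max-time 5 "$1"
}

# When given a URL, check the live endpoint; otherwise do nothing at top level.
if [ -n "${1:-}" ]; then
    if check_headers "$(fetch_headers "$1")"; then
        echo "OK: all security headers present on $1"
    else
        exit 1
    fi
fi
```

Run it from any Tailnet device against the `.ts.net` FQDN as well, since Tailscale Serve sits in front of nginx and the headers should survive that hop.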
```
jarvis/
├── Core Management
│   ├── docker-compose.yaml         → Root unified orchestration
│   ├── docker-compose.nvidia.yaml  → GPU override (NVIDIA)
│   ├── docker-compose.amd.yaml     → GPU override (AMD)
│   ├── tui.sh                      → Interactive TUI (recommended)
│   ├── manage.sh                   → CLI tool + TUI launcher
│   └── .gitignore                  → Secrets protection
│
├── Docker Stack Configurations
│   ├── production/                 → Production stack (pinned versions)
│   │   ├── docker-compose.yaml     → Prod-specific overrides
│   │   ├── nginx.conf              → Reverse proxy config
│   │   ├── README.md               → Prod documentation
│   │   └── .env.example            → Template for auth keys
│   │
│   └── beta/                       → Beta stack (latest features)
│       ├── docker-compose.yaml     → Beta-specific overrides
│       ├── nginx.conf              → Reverse proxy config
│       ├── tailscale-entrypoint.sh → Custom Tailscale startup
│       ├── assets/                 → Red branding (favicon + logo)
│       ├── README.md               → Beta documentation
│       └── .env.example            → Template for auth keys
│
├── Ansible Automation (Optional)
│   ├── README.md                   → Ansible setup guide
│   ├── IMPLEMENTATION.md           → Technical details
│   ├── Makefile                    → Easy command interface
│   ├── quickstart.sh               → One-command deployment
│   ├── ansible.cfg                 → Ansible configuration
│   ├── playbooks/                  → Start/stop/status/restart
│   └── roles/                      → Setup, environment, stack
│
└── Documentation
    ├── README.md                   → Main overview (you are here!)
    ├── USER_GUIDE.md               → User-facing guide for chat access
    ├── CLAUDE.md                   → Project instructions for Claude Code
    ├── DEPLOYMENT.md               → Server deployment guide
    ├── DEVELOPMENT.md              → Dev workflow & git practices
    ├── TROUBLESHOOTING.md          → Common issues and fixes
    ├── STACK_MANAGEMENT.md         → Manual Docker operations
    ├── BETA_QUICKSTART.md          → Beta testing checklist
    └── ANSIBLE_MIGRATION.md        → Ansible workflow guide
```
- Docker & Docker Compose - v2.0+
- Tailscale Account - Free at https://tailscale.com
- Tailscale Auth Keys - Generate 2 (one for prod, one for beta)
  - Go to: https://login.tailscale.com/admin/settings/keys
  - Create with Reusable + Ephemeral options enabled
1. Clone/extract the repository

   ```bash
   cd /path/to/jarvis
   ```

2. Add your Tailscale auth keys

   ```bash
   cp production/.env.example production/.env
   cp beta/.env.example beta/.env

   # Edit both files with your auth keys
   nano production/.env   # Add TS_AUTHKEY=tskey-auth-xxxxx
   nano beta/.env         # Add TS_AUTHKEY_BETA=tskey-auth-yyyyy
   ```

3. Start everything

   ```bash
   ./manage.sh start
   ```

4. Access your stacks
   - Production: `https://jarvis.YOUR_TAILNET.ts.net`
   - Beta: `https://jarvis-beta.YOUR_TAILNET.ts.net` (red branding)
   - Local HTTP: `http://localhost:8080` (prod), `http://localhost:8081` (beta)
Done! Both stacks are now running.
You have three options for managing stacks:
Beautiful keyboard-driven interface with status dashboard:

```bash
# Install dialog (one-time)
sudo apt install dialog   # Debian/Ubuntu
sudo dnf install dialog   # Fedora

# Launch TUI
./manage.sh               # Auto-launches when no args
./tui.sh                  # Direct TUI launch
```

Features:
- Keyboard navigation (arrow keys + Enter)
- Real-time status dashboard with health icons
- Live log streaming
- Confirmation dialogs for destructive operations
Direct command execution without TUI:

```bash
./manage.sh start         # Start both stacks
./manage.sh restart-beta  # Restart beta only
./manage.sh logs-prod     # View production logs
./manage.sh help          # Show all commands
```

For idempotent, declarative operations:

```bash
cd ansible
make install        # One-time setup
make start          # Start both stacks
make restart-beta   # Restart beta only
make status         # Check status
```

See ansible/README.md for full Ansible documentation.
```bash
# Check status of both stacks
./manage.sh status
```

```bash
# View logs
./manage.sh logs        # All stacks
./manage.sh logs-prod   # Production only
./manage.sh logs-beta   # Beta only
```

```bash
# Pull models into each stack's Ollama
docker exec -it open-webui2 ollama pull llama2
docker exec -it open-webui-beta ollama pull mistral
```

```bash
# Stop both stacks
./manage.sh stop
```

Since everything runs on Tailscale, you can access it from any device on your Tailnet:

- From another Linux box:

  ```bash
  curl https://jarvis.YOUR_TAILNET.ts.net
  ```

- From Windows/Mac with Tailscale installed:
  - Open browser: `https://jarvis.YOUR_TAILNET.ts.net`
  - Works exactly like localhost but encrypted end-to-end
- From mobile (iOS/Android Tailscale app):
  - Install Tailscale app
  - Same FQDN works
The root docker-compose.yaml uses profiles to manage multiple stacks:

```bash
docker-compose --profile all up -d    # Both prod + beta
docker-compose --profile prod up -d   # Production only
docker-compose --profile beta up -d   # Beta only
```

Use manage.sh to avoid remembering these flags.
- USER_GUIDE.md - For end users accessing JARVIS
- CLAUDE.md - Project overview and architecture for developers
- DEVELOPMENT.md - Development workflow and git practices
- DEPLOYMENT.md - Deploy to remote Linux servers
- TROUBLESHOOTING.md - Common issues and fixes
- STACK_MANAGEMENT.md - Deep dive into manual operations
- ansible/README.md - Ansible automation guide
- GPU Support: Automatically detected (NVIDIA or AMD)
  - Use `./manage.sh start --cpu` to force CPU-only mode
- Model Management: Ollama models stored in persistent volumes
  - Production: `docker volume inspect jarvis_ollama`
  - Beta: `docker volume inspect jarvis_ollama-beta`
- Memory: Monitor with `docker stats`
- ✅ All traffic encrypted (Tailscale VPN + HTTPS)
- ✅ No port forwarding needed
- ✅ Valid certificates (no self-signed warnings)
- ✅ Auth keys expire and auto-approve (90 days)
- ✅ Hardened with security headers (XSS, clickjacking protection)
Best Practices:
- Regenerate auth keys periodically
- Keep Tailscale updated
- Review connected devices: https://login.tailscale.com/admin/machines
- Use separate keys for prod and beta
This repo tracks:
- ✅ Configuration files (docker-compose.yaml, nginx.conf)
- ✅ Deployment scripts (manage.sh, tui.sh)
- ✅ Documentation
- ❌ `.env` files (gitignored; they contain secrets)
- ❌ Volumes/data (handled by Docker)
Current Release:
- Version: v1.1.0 (Security Hardening & Stability Release)
- Branch: `main` (production-stable)
- Previous: v2025.12.6.003

View all releases: `git tag -l | sort -V`
Issue: Can't connect to jarvis.YOUR_TAILNET.ts.net
- Verify device is approved in Tailscale admin
- Check: `./manage.sh status`
- View logs: `./manage.sh logs`

Issue: Models not persisting?

```bash
docker volume ls | grep jarvis
docker volume inspect jarvis_ollama
```

Issue: Slow responses?
- Try a smaller model
- Check GPU is being used: `./manage.sh monitor-gpu`
More issues? See TROUBLESHOOTING.md
MIT License - Feel free to use, modify, and share
- v1.1.0 - Security hardening: 12 critical improvements (headers, pinned deps, resource limits, error handling, etc.)
- v2025.12.6.003 - Code review remediations
- v2025.12.6.002 - Fixed logging and cert rotation
- v2025.12.6.001 - Initial release with Tailscale HTTPS certificates
Found a bug or have an improvement? Submit a pull request or open an issue on GitHub.