Deployment
Deployment Options
ansible-tower-mcp exposes its MCP server (console script ansible-tower-mcp) four ways. Pick the row that
matches where the server runs relative to your MCP client, then copy the matching
mcp_config.json below. Add the service-connection environment variables documented in the Configuration section.
| # | Option | Transport | Where it runs | mcp_config.json key |
|---|---|---|---|---|
| 1 | stdio | stdio | client launches a subprocess | command |
| 2 | Streamable-HTTP (local) | streamable-http | a local network port | command or url |
| 3 | Local container / uv | stdio or streamable-http | Docker / Podman / uv on this host | command or url |
| 4 | Remote URL | streamable-http | a remote host behind Caddy | url |
1. stdio (local subprocess)
The client launches the server over stdio via uvx — best for local IDEs
(Cursor, Claude Desktop, VS Code):
```json
{
  "mcpServers": {
    "ansible-tower-mcp": {
      "command": "uvx",
      "args": ["--from", "ansible-tower-mcp", "ansible-tower-mcp"]
    }
  }
}
```
2. Streamable-HTTP (local process)
Run the server as a long-lived HTTP process:
```bash
uvx --from ansible-tower-mcp ansible-tower-mcp --transport streamable-http --host 0.0.0.0 --port 8000
curl -s http://localhost:8000/health   # {"status":"OK"}
```
Then either let the client launch it:
```json
{
  "mcpServers": {
    "ansible-tower-mcp": {
      "command": "uvx",
      "args": ["--from", "ansible-tower-mcp", "ansible-tower-mcp", "--transport", "streamable-http", "--port", "8000"],
      "env": {
        "TRANSPORT": "streamable-http",
        "HOST": "0.0.0.0",
        "PORT": "8000"
      }
    }
  }
}
```
…or connect to the already-running process by URL:
3. Local container / uv
(a) Launch a container directly from mcp_config.json (stdio over the container —
no ports to manage). Swap docker for podman for a daemonless runtime:
```json
{
  "mcpServers": {
    "ansible-tower-mcp": {
      "command": "docker",
      "args": [
        "run", "-i", "--rm",
        "-e", "TRANSPORT=stdio",
        "knucklessg1/ansible-tower-mcp:latest"
      ]
    }
  }
}
```
(b) Run a local streamable-http container, then connect by URL:
```bash
docker run -d --name ansible-tower-mcp -p 8000:8000 \
  -e TRANSPORT=streamable-http \
  -e PORT=8000 \
  knucklessg1/ansible-tower-mcp:latest
# or, from a clone of this repo:
docker compose -f docker/mcp.compose.yml up -d
```
(c) From a local checkout with uv:
4. Remote URL (deployed behind Caddy)
When the server is deployed remotely (e.g. as a Docker service) and published through
Caddy on the internal *.arpa zone, connect with the "url" key — no local process or
image required:
Caddy reverse-proxies http://ansible-tower-mcp.arpa to the container's :8000
streamable-http listener; http://ansible-tower-mcp.arpa/health returns
{"status":"OK"} when the service is live.
This page covers running ansible-tower-mcp as a long-lived server: the
transports, the companion A2A agent server, a Docker Compose stack, putting it
behind a Caddy reverse proxy, and giving it a DNS name with Technitium.
ansible-tower-mcp ships two servers: an MCP server (console script ansible-tower-mcp) and an A2A agent server (console script ansible-tower-agent). The MCP server is a typed, deterministic tool surface; the agent server is a graph-routed Pydantic-AI agent that calls those tools over an MCP_URL.
Run the MCP server
The transport is selected with --transport (or the TRANSPORT env var):
Health check (HTTP transports):
Configuration (environment)
ansible-tower-mcp is configured entirely from the environment. The connection
to the Tower / AWX controller uses the following required set (provide a
token, or a username / password pair, or an OAuth client id / secret pair):
| Var | Default | Meaning |
|---|---|---|
| ANSIBLE_BASE_URL | none | Tower / AWX controller base URL (e.g. https://tower.example.com) |
| ANSIBLE_USERNAME | none | Controller user id |
| ANSIBLE_PASSWORD | none | Controller password |
| ANSIBLE_TOKEN | none | Pre-issued API token (bypasses username / password) |
| ANSIBLE_CLIENT_ID | none | OAuth application client id |
| ANSIBLE_CLIENT_SECRET | none | OAuth application client secret |
| ANSIBLE_VERIFY | False | Verify TLS (set True for trusted certificates) |
Transport and server settings:
| Var | Default | Meaning |
|---|---|---|
| HOST | 0.0.0.0 | Bind address (HTTP transports) |
| PORT | 8000 | Bind port (HTTP transports) |
| TRANSPORT | stdio | stdio, streamable-http, or sse |
| ENABLE_OTEL | True | OpenTelemetry / Langfuse export |
| EUNOMIA_TYPE | none | Access-governance mode: none, embedded, remote |
Every per-resource tool can be toggled with its *TOOL switch (for example
INVENTORYTOOL, JOBSTOOL, JOB_TEMPLATESTOOL, SYSTEMTOOL). The full set,
with defaults, is documented in
.env.example.
Copy it to .env and fill in only what you use.
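A pre-flight check for the variables in the two tables above, as an added example that is not part of ansible-tower-mcp: it enforces the one-complete-credential-set rule and reports the documented defaults that matter on a network (ANSIBLE_VERIFY False, HOST 0.0.0.0). The preflight function, the sample values and the accepted truthy strings are assumptions of this example.

```python
# Credential sets accepted per the Configuration section.
CREDENTIAL_SETS = {
    "token": ("ANSIBLE_TOKEN",),
    "username/password": ("ANSIBLE_USERNAME", "ANSIBLE_PASSWORD"),
    "OAuth client": ("ANSIBLE_CLIENT_ID", "ANSIBLE_CLIENT_SECRET"),
}
TRANSPORTS = {"stdio", "streamable-http", "sse"}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}
TRUTHY = {"true", "1", "yes"}  # assumption: how the server reads booleans

# Constructed sample: half-filled basic auth, every other setting left at its default.
SAMPLE_ENV = {
    "ANSIBLE_BASE_URL": "https://tower.example.com",
    "ANSIBLE_USERNAME": "svc-mcp",
    "TRANSPORT": "streamable-http",
}


def preflight(env):
    """Return (errors, warnings) for a mapping of environment variables."""
    def get(key):
        return (env.get(key) or "").strip()
    errors, warnings = [], []
    base = get("ANSIBLE_BASE_URL")
    if not base:
        errors.append("ANSIBLE_BASE_URL is not set")
    elif not base.lower().startswith("https://"):
        warnings.append("ANSIBLE_BASE_URL is not https: credentials travel in clear text")
    for name, keys in CREDENTIAL_SETS.items():
        missing = [k for k in keys if not get(k)]
        if missing and len(missing) < len(keys):
            warnings.append(f"{name} set is incomplete: missing {', '.join(missing)}")
    if not any(all(get(k) for k in keys) for keys in CREDENTIAL_SETS.values()):
        errors.append("no complete credential set (token, username+password, or client id+secret)")
    # The documented default is False, so an unset variable also disables verification.
    if get("ANSIBLE_VERIFY").lower() not in TRUTHY:
        warnings.append("ANSIBLE_VERIFY is off: the controller certificate is not validated")
    transport = get("TRANSPORT") or "stdio"
    if transport not in TRANSPORTS:
        errors.append(f"unknown TRANSPORT {transport!r}")
    elif transport != "stdio" and (get("HOST") or "0.0.0.0") not in LOOPBACK:
        warnings.append("HTTP transport on a non-loopback HOST: reachable from other machines")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = preflight(SAMPLE_ENV)
    print("\n".join([f"ERROR {e}" for e in errs] + [f"WARN  {w}" for w in warns]))
```

Pass os.environ instead of SAMPLE_ENV in a container entrypoint or CI step and stop the launch when the first list is non-empty.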
Backing Service
The Ansible Tower / AWX controller this connector targets is an external
Ansible Automation Platform — Red Hat Ansible Automation Platform is a
managed / commercial product, and the upstream AWX project is deployed through
the AWX Operator on Kubernetes. This package does not provision the controller;
only connection configuration (the ANSIBLE_* variables above) is required.
Point ANSIBLE_BASE_URL at an already-running controller and supply credentials.
Docker Compose
The repo ships docker/mcp.compose.yml.
It reads a sibling .env and publishes the HTTP server on :8000:
```yaml
services:
  ansible-tower-mcp-mcp:
    image: knucklessg1/ansible-tower-mcp:latest
    container_name: ansible-tower-mcp-mcp
    hostname: ansible-tower-mcp-mcp
    restart: always
    env_file:
      - ../.env
    environment:
      - PYTHONUNBUFFERED=1
      - HOST=0.0.0.0
      - PORT=8000
      - TRANSPORT=streamable-http
    ports:
      - "8000:8000"
    healthcheck:
      test: ["CMD", "python3", "-c", "import urllib.request; urllib.request.urlopen('http://localhost:8000/health')"]
      interval: 30s
      timeout: 10s
      retries: 3
```

```bash
cp .env.example .env   # then set ANSIBLE_* values
docker compose -f docker/mcp.compose.yml up -d
docker compose -f docker/mcp.compose.yml logs -f
```
Run the agent server
The companion A2A agent server is the ansible-tower-agent console script.
It is a graph-routed Pydantic-AI agent that connects to the MCP server over
MCP_URL and exposes an AG-UI web interface and an A2A endpoint on its own port
(default 9012):
```bash
export MCP_URL=http://localhost:8000/mcp
export PROVIDER=openai
export MODEL_ID=gpt-4o
ansible-tower-agent --host 0.0.0.0 --port 9012
```
The repo ships docker/agent.compose.yml,
which runs the MCP server and the agent server together. The agent service wires
MCP_URL to the MCP container and publishes the agent on :9012:
```yaml
services:
  ansible-tower-mcp-agent:
    image: knucklessg1/ansible-tower-mcp:latest
    container_name: ansible-tower-mcp-agent
    depends_on:
      - ansible-tower-mcp-mcp
    command: [ "ansible-tower-agent" ]
    environment:
      - HOST=0.0.0.0
      - PORT=9012
      - MCP_URL=http://ansible-tower-mcp-mcp:8000/mcp
      - PROVIDER=${PROVIDER:-openai}
      - MODEL_ID=${MODEL_ID:-gpt-4o}
      - ENABLE_WEB_UI=True
    ports:
      - "9012:9012"
```
Behind a Caddy reverse proxy
Expose the HTTP server on a hostname with automatic TLS. Add to your Caddyfile:
```
# Internal (self-signed) — homelab .arpa zone
ansible-tower-mcp.arpa {
    tls internal
    reverse_proxy ansible-tower-mcp-mcp:8000
}

# Public — automatic Let's Encrypt
ansible-tower-mcp.example.com {
    reverse_proxy ansible-tower-mcp-mcp:8000
}
```
Reload Caddy:
DNS with Technitium
Point the hostname at the host running Caddy. Via the Technitium API:
```bash
curl -s "http://technitium.arpa:5380/api/zones/records/add" \
  --data-urlencode "token=$TECHNITIUM_DNS_TOKEN" \
  --data-urlencode "domain=ansible-tower-mcp.arpa" \
  --data-urlencode "zone=arpa" \
  --data-urlencode "type=A" \
  --data-urlencode "ipAddress=10.0.0.10" \
  --data-urlencode "ttl=3600"
```
…or add an A record ansible-tower-mcp.arpa → <caddy-host-ip> in the
Technitium web console (http://technitium.arpa:5380). The ecosystem
technitium-dns-mcp
automates this as a tool.
Register with an MCP client
Add to your client's mcp_config.json:
```json
{
  "mcpServers": {
    "ansible-tower-mcp": {
      "command": "uv",
      "args": ["run", "ansible-tower-mcp"],
      "env": {
        "ANSIBLE_BASE_URL": "https://your-tower.example.com",
        "ANSIBLE_USERNAME": "admin",
        "ANSIBLE_PASSWORD": "secret",
        "ANSIBLE_VERIFY": "False"
      }
    }
  }
}
```
For a remote HTTP server, point the client at
http://ansible-tower-mcp.arpa/mcp instead.
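An audit of mcp_config.json entries shaped like the ones on this page, as an added example that is not part of the project: it reports secrets written into the file, container images referenced by the mutable latest tag, and plain-http url entries that leave the host. The audit function, the server names and the sample values are constructed for illustration; the {"url": ...} entry shape is assumed from the url key in the options table.

```python
import json
import re
from urllib.parse import urlsplit

SECRET_KEY = re.compile(r"(PASSWORD|TOKEN|SECRET)$", re.I)
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

# Constructed sample combining the command, container and url shapes used on this page.
SAMPLE = json.loads("""
{"mcpServers": {
  "tower-stdio": {"command": "uv", "args": ["run", "ansible-tower-mcp"],
                  "env": {"ANSIBLE_USERNAME": "admin", "ANSIBLE_PASSWORD": "secret"}},
  "tower-docker": {"command": "docker",
                   "args": ["run", "-i", "--rm", "-e", "ANSIBLE_TOKEN=abc123",
                            "knucklessg1/ansible-tower-mcp:latest"]},
  "tower-remote": {"url": "http://ansible-tower-mcp.arpa/mcp"}
}}
""")


def audit(config):
    """Return sorted (server, finding) pairs for a parsed mcp_config.json."""
    findings = []
    for name, spec in config.get("mcpServers", {}).items():
        args = spec.get("args", [])
        # Secrets written into the file: "env" entries and "-e KEY=value" arguments.
        # A bare "-e KEY" is not flagged: docker then reads the value from the caller.
        pairs = list(spec.get("env", {}).items())
        pairs += [tuple(a.split("=", 1)) for a in args if "=" in a]
        for key, value in pairs:
            if SECRET_KEY.search(key) and value:
                findings.append((name, f"{key} stored in the config file"))
        # Mutable tag: the image that runs can change between launches.
        if spec.get("command") in {"docker", "podman"}:
            for a in args:
                if a.endswith(":latest"):
                    findings.append((name, f"{a} is not pinned to a version or digest"))
        url = urlsplit(spec.get("url", ""))
        if url.scheme == "http" and url.hostname not in LOOPBACK:
            findings.append((name, "plain-http url to a non-loopback host"))
    return sorted(findings)


if __name__ == "__main__":
    for server, finding in audit(SAMPLE):
        print(f"{server}: {finding}")
```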