Skip to content

Deployment

Deployment Options

ansible-tower-mcp exposes its MCP server (console script ansible-tower-mcp) four ways. Pick the row that matches where the server runs relative to your MCP client, then copy the matching mcp_config.json below. Add the service-connection environment variables documented in the Configuration section.

# Option Transport Where it runs mcp_config.json key
1 stdio stdio client launches a subprocess command
2 Streamable-HTTP (local) streamable-http a local network port command or url
3 Local container / uv stdio or streamable-http Docker / Podman / uv on this host command or url
4 Remote URL streamable-http a remote host behind Caddy url

1. stdio (local subprocess)

The client launches the server over stdio via uvx — best for local IDEs (Cursor, Claude Desktop, VS Code):

{
  "mcpServers": {
    "ansible-tower-mcp": {
      "command": "uvx",
      "args": ["--from", "ansible-tower-mcp", "ansible-tower-mcp"]
    }
  }
}

2. Streamable-HTTP (local process)

Run the server as a long-lived HTTP process:

uvx --from ansible-tower-mcp ansible-tower-mcp --transport streamable-http --host 0.0.0.0 --port 8000
curl -s http://localhost:8000/health        # {"status":"OK"}

Then either let the client launch it:

{
  "mcpServers": {
    "ansible-tower-mcp": {
      "command": "uvx",
      "args": ["--from", "ansible-tower-mcp", "ansible-tower-mcp", "--transport", "streamable-http", "--port", "8000"],
      "env": {
        "TRANSPORT": "streamable-http",
        "HOST": "0.0.0.0",
        "PORT": "8000"
      }
    }
  }
}

…or connect to the already-running process by URL:

{
  "mcpServers": {
    "ansible-tower-mcp": { "url": "http://localhost:8000/mcp" }
  }
}

3. Local container / uv

(a) Launch a container directly from mcp_config.json (stdio over the container — no ports to manage). Swap docker for podman for a daemonless runtime:

{
  "mcpServers": {
    "ansible-tower-mcp": {
      "command": "docker",
      "args": [
        "run", "-i", "--rm",
        "-e", "TRANSPORT=stdio",
        "knucklessg1/ansible-tower-mcp:latest"
      ]
    }
  }
}

(b) Run a local streamable-http container, then connect by URL:

docker run -d --name ansible-tower-mcp -p 8000:8000 \
  -e TRANSPORT=streamable-http \
  -e PORT=8000 \
  knucklessg1/ansible-tower-mcp:latest
# or, from a clone of this repo:
docker compose -f docker/mcp.compose.yml up -d
{
  "mcpServers": {
    "ansible-tower-mcp": { "url": "http://localhost:8000/mcp" }
  }
}

(c) From a local checkout with uv:

uv run ansible-tower-mcp --transport streamable-http --port 8000

4. Remote URL (deployed behind Caddy)

When the server is deployed remotely (e.g. as a Docker service) and published through Caddy on the internal *.arpa zone, connect with the "url" key — no local process or image required:

{
  "mcpServers": {
    "ansible-tower-mcp": { "url": "http://ansible-tower-mcp.arpa/mcp" }
  }
}

Caddy reverse-proxies http://ansible-tower-mcp.arpa to the container's :8000 streamable-http listener; http://ansible-tower-mcp.arpa/health returns {"status":"OK"} when the service is live.

This page covers running ansible-tower-mcp as a long-lived server: the transports, the companion A2A agent server, a Docker Compose stack, putting it behind a Caddy reverse proxy, and giving it a DNS name with Technitium.

ansible-tower-mcp ships two servers: an MCP server (console script ansible-tower-mcp) and an A2A agent server (console script ansible-tower-agent). The MCP server is a typed, deterministic tool surface; the agent server is a graph-routed Pydantic-AI agent that calls those tools over an MCP_URL.

Run the MCP server

The transport is selected with --transport (or the TRANSPORT env var):

ansible-tower-mcp
For IDE / desktop MCP clients that launch the server as a subprocess.

ansible-tower-mcp --transport streamable-http --host 0.0.0.0 --port 8000
A network server with a /health endpoint and /mcp route.

ansible-tower-mcp --transport sse --host 0.0.0.0 --port 8000

Health check (HTTP transports):

curl -s http://localhost:8000/health        # {"status":"OK"}

Configuration (environment)

ansible-tower-mcp is configured entirely from the environment. The connection to the Tower / AWX controller uses the following required set (provide a token, or a username / password pair, or an OAuth client id / secret pair):

Var Default Meaning
ANSIBLE_BASE_URL none Tower / AWX controller base URL (e.g. https://tower.example.com)
ANSIBLE_USERNAME none Controller user id
ANSIBLE_PASSWORD none Controller password
ANSIBLE_TOKEN none Pre-issued API token (bypasses username / password)
ANSIBLE_CLIENT_ID none OAuth application client id
ANSIBLE_CLIENT_SECRET none OAuth application client secret
ANSIBLE_VERIFY False Verify TLS (set True for trusted certificates)

Transport and server settings:

Var Default Meaning
HOST 0.0.0.0 Bind address (HTTP transports)
PORT 8000 Bind port (HTTP transports)
TRANSPORT stdio stdio, streamable-http, or sse
ENABLE_OTEL True OpenTelemetry / Langfuse export
EUNOMIA_TYPE none Access-governance mode: none, embedded, remote

Every per-resource tool can be toggled with its *TOOL switch (for example INVENTORYTOOL, JOBSTOOL, JOB_TEMPLATESTOOL, SYSTEMTOOL). The full set, with defaults, is documented in .env.example. Copy it to .env and fill in only what you use.

Backing Service

The Ansible Tower / AWX controller this connector targets is an external Ansible Automation Platform — Red Hat Ansible Automation Platform is a managed / commercial product, and the upstream AWX project is deployed through the AWX Operator on Kubernetes. This package does not provision the controller; only connection configuration (the ANSIBLE_* variables above) is required. Point ANSIBLE_BASE_URL at an already-running controller and supply credentials.

Docker Compose

The repo ships docker/mcp.compose.yml. It reads a sibling .env and publishes the HTTP server on :8000:

services:
  ansible-tower-mcp-mcp:
    image: knucklessg1/ansible-tower-mcp:latest
    container_name: ansible-tower-mcp-mcp
    hostname: ansible-tower-mcp-mcp
    restart: always
    env_file:
      - ../.env
    environment:
      - PYTHONUNBUFFERED=1
      - HOST=0.0.0.0
      - PORT=8000
      - TRANSPORT=streamable-http
    ports:
      - "8000:8000"
    healthcheck:
      test: ["CMD", "python3", "-c", "import urllib.request; urllib.request.urlopen('http://localhost:8000/health')"]
      interval: 30s
      timeout: 10s
      retries: 3
cp .env.example .env          # then set ANSIBLE_* values
docker compose -f docker/mcp.compose.yml up -d
docker compose -f docker/mcp.compose.yml logs -f

Run the agent server

The companion A2A agent server is the ansible-tower-agent console script. It is a graph-routed Pydantic-AI agent that connects to the MCP server over MCP_URL and exposes an AG-UI web interface and an A2A endpoint on its own port (default 9012):

export MCP_URL=http://localhost:8000/mcp
export PROVIDER=openai
export MODEL_ID=gpt-4o
ansible-tower-agent --host 0.0.0.0 --port 9012

The repo ships docker/agent.compose.yml, which runs the MCP server and the agent server together. The agent service wires MCP_URL to the MCP container and publishes the agent on :9012:

services:
  ansible-tower-mcp-agent:
    image: knucklessg1/ansible-tower-mcp:latest
    container_name: ansible-tower-mcp-agent
    depends_on:
      - ansible-tower-mcp-mcp
    command: [ "ansible-tower-agent" ]
    environment:
      - HOST=0.0.0.0
      - PORT=9012
      - MCP_URL=http://ansible-tower-mcp-mcp:8000/mcp
      - PROVIDER=${PROVIDER:-openai}
      - MODEL_ID=${MODEL_ID:-gpt-4o}
      - ENABLE_WEB_UI=True
    ports:
      - "9012:9012"
docker compose -f docker/agent.compose.yml up -d

Behind a Caddy reverse proxy

Expose the HTTP server on a hostname with automatic TLS. Add to your Caddyfile:

# Internal (self-signed) — homelab .arpa zone
ansible-tower-mcp.arpa {
    tls internal
    reverse_proxy ansible-tower-mcp-mcp:8000
}
# Public — automatic Let's Encrypt
ansible-tower-mcp.example.com {
    reverse_proxy ansible-tower-mcp-mcp:8000
}

Reload Caddy:

docker compose -f services/caddy/compose.yml exec caddy caddy reload --config /etc/caddy/Caddyfile

DNS with Technitium

Point the hostname at the host running Caddy. Via the Technitium API:

curl -s "http://technitium.arpa:5380/api/zones/records/add" \
  --data-urlencode "token=$TECHNITIUM_DNS_TOKEN" \
  --data-urlencode "domain=ansible-tower-mcp.arpa" \
  --data-urlencode "zone=arpa" \
  --data-urlencode "type=A" \
  --data-urlencode "ipAddress=10.0.0.10" \
  --data-urlencode "ttl=3600"

…or add an A record ansible-tower-mcp.arpa → <caddy-host-ip> in the Technitium web console (http://technitium.arpa:5380). The ecosystem technitium-dns-mcp automates this as a tool.

Register with an MCP client

Add to your client's mcp_config.json:

{
  "mcpServers": {
    "ansible-tower-mcp": {
      "command": "uv",
      "args": ["run", "ansible-tower-mcp"],
      "env": {
        "ANSIBLE_BASE_URL": "https://your-tower.example.com",
        "ANSIBLE_USERNAME": "admin",
        "ANSIBLE_PASSWORD": "secret",
        "ANSIBLE_VERIFY": "False"
      }
    }
  }
}

For a remote HTTP server, point the client at http://ansible-tower-mcp.arpa/mcp instead.