
Ansible: How We Automate Every On-Premise Server in 20 Minutes
Installing RAG Enterprise on a client's server used to mean 2 days of manual configuration. Today with our Ansible playbooks everything is ready in 20 minutes: hardened OS, configured services, active monitoring. Here's how we made every deployment reproducible.

From 2 Days to 20 Minutes: Why Ansible
Our first on-premise RAG Enterprise deployment was a nightmare. Two engineers, two days, a 47-step Google Docs document. Installing dependencies, configuring UFW, creating system users, setting up systemd, configuring Nginx, installing Certbot, deploying code, configuring Qdrant, loading embedding models. In the end it worked, but the second deployment revealed we'd forgotten three steps and the document was already outdated.

We evaluated three options: Terraform, Puppet, and Ansible. Terraform is excellent for cloud (provisioning VMs, networks, storage on AWS/GCP), but our on-premise servers are already physically there — no infrastructure provisioning needed. Puppet requires an agent installed on every server and a centralized master server, excessive complexity for our 20-30 deployments. Ansible is agentless: it connects via SSH, runs tasks, and leaves. No software to maintain on client servers.

The first Ansible playbook took us a week of work. But from the second deployment onward, every installation went from 2 days to 20 minutes. One command (ansible-playbook -i inventory.yml site.yml) and the server is ready. Reproducible, documented, versioned in Git.
Hardening and Provisioning Playbooks
Our playbooks are organized into reusable Ansible roles. The "base-hardening" role is the first one executed on every server: it updates the system, configures UFW with a deny-all policy, installs and configures fail2ban, disables root SSH login, sets key-only authentication, and configures unattended-upgrades for automatic security patches. This role is identical for all deployments, regardless of the product.

The "rag-enterprise" role installs the entire application stack: Python 3.12 with virtualenv, Qdrant as a systemd service, embedding models (downloaded from our private mirror to avoid a HuggingFace dependency in production), the FastAPI backend with Gunicorn and 4 workers, and the React frontend as static files served by Nginx. Every component has its own Jinja2 template for configuration — ports, paths, and memory limits are variables that change for each client.

We also have a "monitoring" role that installs node_exporter for Prometheus, configures systemd timers for health checks, and sets up Slack alerts. The entire monitoring stack is activated with a single tag: ansible-playbook site.yml --tags monitoring. If a client doesn't want external monitoring, we exclude it without touching anything else.
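
The steps listed for the "base-hardening" role could look like the play below. This is an added example, not the authors' own role: it assumes Debian/Ubuntu targets, SSH on port 22, and the community.general collection on the control node.

```yaml
# Added example (not the authors' role); Debian/Ubuntu and SSH on port 22 are assumptions.
- name: Base hardening (illustrative)
  hosts: all
  become: true
  tasks:
    - name: Apply pending package updates
      ansible.builtin.apt:
        update_cache: true
        upgrade: dist
    - name: Install UFW, fail2ban and unattended-upgrades
      ansible.builtin.apt:
        name: [ufw, fail2ban, unattended-upgrades]
        state: present
    # Allow SSH before enabling default-deny, or the play cuts its own connection.
    - name: Allow SSH through UFW
      community.general.ufw:
        rule: allow
        port: "22"
        proto: tcp
    - name: Enable UFW with default-deny inbound
      community.general.ufw:
        state: enabled
        direction: incoming
        policy: deny
    - name: Disable root login and password authentication
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?\s*{{ item.key }}\s'
        line: "{{ item.key }} {{ item.value }}"
        validate: "/usr/sbin/sshd -t -f %s"  # reject a config sshd cannot parse
      loop:
        - { key: PermitRootLogin, value: "no" }
        - { key: PasswordAuthentication, value: "no" }
      notify: Restart ssh
    - name: Turn on periodic unattended upgrades
      ansible.builtin.copy:
        dest: /etc/apt/apt.conf.d/20auto-upgrades
        content: |
          APT::Periodic::Update-Package-Lists "1";
          APT::Periodic::Unattended-Upgrade "1";
        mode: "0644"
    - name: Start fail2ban and enable it at boot
      ansible.builtin.service:
        name: fail2ban
        state: started
        enabled: true
  handlers:
    - name: Restart ssh
      ansible.builtin.service: { name: ssh, state: restarted }
```

On hosts that ship drop-in files under /etc/ssh/sshd_config.d/, confirm the effective settings with sshd -T after the run, because sshd uses the first value it reads for each keyword.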
Multi-Server Orchestration and Updates
Some enterprise clients have RAG Enterprise installations across multiple servers: one for the API backend, one for Qdrant with more RAM, and one for local LLM models with a dedicated GPU. Ansible handles this orchestration with an inventory file that defines host groups. The playbook runs roles in the correct order: first the Qdrant database (must be ready before the backend), then the embedding service, finally the API backend that connects to both.

Updating existing deployments is where Ansible shines most. When we release a new RAG Enterprise version, the update playbook backs up the database, stops services, updates code from our private repository, runs database migrations if needed, and restarts everything. Ansible's idempotency guarantees that running the playbook twice doesn't break anything — if a task is already in the desired state, it's skipped.

We have a central inventory of all client servers (encrypted with ansible-vault, of course). With a single command we can verify the status of all deployments: ansible all -m ping tells us in 5 seconds which servers are reachable. For urgent security updates, we can patch all servers simultaneously with ansible all -m apt -a "name=openssl state=latest". This level of centralized control would be impossible without automation.
Securvita S.r.l. — i3k.eu