Your infrastructure. Your data.
Deploy with Ansible + systemd. Native services with process isolation, multi-host GPU fleet support, and automated bootstrapping.
Ansible + systemd deployment
Native systemd services deployed across your infrastructure with Ansible — no containers, no orchestrator.
Ansible + systemd
Native systemd services with process isolation. Multi-host deployment across your GPU fleet.
- ✓ Systemd hardening with filesystem sandboxing
- ✓ Multi-host: spread services across machines
- ✓ Quick rsync deploys — no image rebuilds
- ✓ Automated admin bootstrap on first deploy
```bash
$ make deploy-staging
$ make deploy-prod
```
Deploy in minutes
From zero to a running stack on your own hardware.
Define your inventory
Add hosts to inventory/hosts.yml. Configure per-host variables like GPU capabilities, Ollama models, and feature flags.
Run the playbook
Run `ansible-playbook playbooks/site.yml --limit your-host`. Ansible installs dependencies, syncs source, deploys systemd units, and starts services.
Admin account bootstrapped
The auth role automatically creates your initial admin account. Idempotent — subsequent deploys skip it.
Open the dashboard
Navigate to http://your-host:10090. Log in with your bootstrapped credentials. All services are running and connected.
Systemd process isolation
Every service runs in a hardened sandbox. Read-only filesystem, private tmp, no privilege escalation.
ProtectSystem=strict
Read-only filesystem. Services can only write to explicitly allowed paths.
ProtectHome=read-only
No home directory writes. Source code and config are mounted read-only.
PrivateTmp=true
Each service gets its own /tmp. No cross-service temp file leaks.
NoNewPrivileges=true
Processes and their children cannot gain new privileges (for example via setuid binaries or file capabilities) after startup.
ReadWritePaths
Per-service filesystem access. Executor only writes to projects/ and workspace/.
MemoryMax
Per-service memory limits prevent runaway processes from affecting the host.
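The directives above combined into one unit, as an added example rather than a unit file shipped by the project: the service account, install prefix, env-file location and ExecStart command are assumptions, only the hardening directives and the executor's two writable directories come from the page.

```ini
# /etc/systemd/system/iter-executor.service  (example unit; paths and command are assumed)
[Unit]
Description=iter executor (command execution)
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
# Assumed unprivileged service account and install prefix
User=iter
Group=iter
WorkingDirectory=/opt/iter
# Secrets are read from a mode-0600 env file (assumed path)
EnvironmentFile=/opt/iter/env/iter-executor.env
# Assumed entry point inside the deployed venv
ExecStart=/opt/iter/venv/bin/python -m iter_executor
Restart=on-failure

# --- Filesystem sandbox ---
# Entire filesystem read-only except the paths listed in ReadWritePaths
ProtectSystem=strict
# Home directories visible but never writable (source and config stay read-only)
ProtectHome=read-only
# Private /tmp per service; temp files cannot leak between services
PrivateTmp=true
# The only writable locations for the executor
ReadWritePaths=/opt/iter/projects /opt/iter/workspace
# Neither the process nor its children can gain privileges via execve
NoNewPrivileges=true

# --- Resource limits ---
# Hard cap: the kernel kills this service, not the host, on runaway memory use
MemoryMax=4G

[Install]
WantedBy=multi-user.target
```

After `systemctl daemon-reload`, `systemd-analyze security iter-executor.service` prints the remaining exposure score and lists which sandboxing options are still unset.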
Multi-host GPU fleet
Spread services across machines. Each host runs what it's best at.
| Host Group | Purpose | Example |
|---|---|---|
| iter_core | API gateway, orchestrator, dashboard | Primary server |
| iter_llm | Ollama LLM inference | All GPU machines |
| iter_vision | PaddleOCR + VLM analysis | GPU with VRAM for vision models |
| iter_voice | Whisper STT + Piper TTS | Any GPU host |
| iter_forge | Stable Diffusion image generation | High-VRAM GPU host |
Override any service URL per host. Vision running on elroy? Set `iter_vision_url: "http://elroy:10098"` in the host vars.
13 Ansible roles
Each role handles one service. Deploy the full stack or just the parts you need.
| Role | Purpose |
|---|---|
| common | Directories, venv, config |
| iter-auth | JWT auth + bootstrap |
| iter-mcp-tools | MCP tool server |
| chromadb | Vector store (RAG) |
| iter-agent-server | API gateway |
| iter-executor | Command execution |
| iter-operator | Orchestration pipeline |
| iter-dashboard | React web UI |
| iter-docs | Documentation server |
| iter-vision | OCR + screenshots |
| iter-voice | STT + TTS |
| ollama | LLM inference |
| forge | Stable Diffusion |
Feature flags per host
Enable capabilities based on available hardware. Defaults to off — enable what you need.
```yaml
# host_vars/george.yml
iter_features:
  vision: true          # PaddleOCR + VLM
  voice: true           # Whisper + Piper
  image_gen: true       # Stable Diffusion
  vector_search: false  # ChromaDB RAG
  liaison: false        # Liaison agent
```
Privacy by design
No cloud dependency
Everything runs on your network. LLM inference, vector search, voice, vision, and image generation are all local.
Secrets stay local
JWT secrets and service tokens are deployed as mode-0600 env files. Use Ansible Vault for encryption at rest.
Audit everything
Auth events, LLM interactions, orchestration runs, and file changes are logged with structured event trails.
Related features
Auth, Teams & Orgs
JWT authentication with multi-tenant organizations and role-based access control.
Multi-Model Routing
Route tasks across your GPU fleet with capability-based model selection and fallback chains.
Safety Review
8-point pre-execution check and post-execution verification before any code runs.