diff --git a/playbooks/ansible.cfg b/playbooks/ansible.cfg
new file mode 100644
index 0000000..33d5108
--- /dev/null
+++ b/playbooks/ansible.cfg
@@ -0,0 +1,10 @@
+[defaults]
+forks = 25
+gathering = smart
+fact_caching = jsonfile
+fact_caching_connection = /tmp/
+fact_caching_timeout = 3600
+inventory = hosts
+
+[ssh_connection]
+pipelining = True
diff --git a/playbooks/hosts b/playbooks/hosts
new file mode 100644
index 0000000..cf3ffca
--- /dev/null
+++ b/playbooks/hosts
@@ -0,0 +1 @@
+demo.recordsansible.org ansible_host=139.178.83.37 ansible_user=fedora ansible_python_interpreter=/usr/bin/python3
diff --git a/playbooks/live-demo.yaml b/playbooks/live-demo.yaml
new file mode 100644
index 0000000..a6ab77b
--- /dev/null
+++ b/playbooks/live-demo.yaml
@@ -0,0 +1,15 @@
+- name: Provision demo.recordsansible.org
+  hosts: demo.recordsansible.org
+  gather_facts: yes
+  vars:
+    ara_api_frontend_server: nginx
+    ara_api_frontend_vhost: api.demo.recordsansible.org.conf.j2
+    ara_api_wsgi_server: gunicorn
+    ara_api_fqdn: api.demo.recordsansible.org
+    ara_api_allowed_hosts:
+      - api.demo.recordsansible.org
+    ara_api_cors_origin_whitelist:
+      - web.demo.recordsansible.org
+      - logs.openstack.org
+  roles:
+    - ara_api
diff --git a/playbooks/templates/api.demo.recordsansible.org.conf.j2 b/playbooks/templates/api.demo.recordsansible.org.conf.j2
new file mode 100644
index 0000000..bf16372
--- /dev/null
+++ b/playbooks/templates/api.demo.recordsansible.org.conf.j2
@@ -0,0 +1,51 @@
+upstream ara_api {
+    # fail_timeout=0 means we always retry an upstream even if it failed
+    # to return a good HTTP response
+    server {{ ara_api_wsgi_bind }} fail_timeout=0;
+}
+
+server {
+    listen 80;
+    server_name {{ ara_api_fqdn }};
+    return 301 https://{{ ara_api_fqdn }}$request_uri;
+}
+
+server {
+    listen 443;
+    server_name {{ ara_api_fqdn }};
+    access_log /var/log/nginx/{{ ara_api_fqdn }}_access.log;
+    error_log  /var/log/nginx/{{ ara_api_fqdn }}_error.log;
+
+    ssl on;
+    ssl_certificate /etc/letsencrypt/live/{{ ara_api_fqdn }}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/{{ ara_api_fqdn }}/privkey.pem;
+    ssl_session_cache   shared:SSL:10m;
+    ssl_session_timeout 10m;
+    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
+    ssl_ciphers         HIGH:!aNULL:!MD5;
+
+    # There's nothing at /, redirect it to the actual API for convenience
+    location / {
+      return 301 http://{{ ara_api_fqdn }}/api/v1/;
+    }
+
+    location /static {
+        expires 7d;
+        add_header Cache-Control "public";
+    }
+
+    # Everything, including static files, is served by the backend
+    location ~ {
+      # checks if the file exists, if not found proxy to app
+      try_files $uri @proxy_to_app;
+    }
+
+    location @proxy_to_app {
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Host $http_host;
+
+        proxy_redirect off;
+        proxy_pass http://ara_api;
+    }
+}