Operation Zero is the silence before automation.
It’s a self-contained Ghost Automation project.
It provides hardened, reproducible machine configurations using Ansible. Every role is designed for security, minimalism, and validation.
The goal: any bare machine can be turned into a part of the Ghost Infrastructure with one playbook.
- playbooks/ → Entry point playbooks
- roles/ → Modular roles (ds-*)
- scripts/ → Scripts handling automation steps
- ansible.cfg → Ansible configuration
| Role | Purpose |
|---|---|
| ds-basepackages | Install basic, initial packages. |
| ds-users | Create users, groups, and deploy SSH keys. Set the initial password. |
| ds-sudo | Manage sudoers safely with validation. |
| ds-ssh | Configure SSH access for users. |
| ds-firewall | Manage firewall rules (default deny input, explicit allow). |
Each role ships with its own README.org describing variables, structure, and usage.
- play-operation-zero.yml - Base playbook to provision a host with all DeadSwitch roles.
Example usage:
    ansible-playbook -i inventories/hosts.yml playbooks/play-configure-machine.yml

This playbook runs the baseline:
- ds-basepackages
- ds-users
- ds-sudo
- ds-ssh
- ds-firewall
Inventories must be organized as:
- hosts.yml → main inventory of target machines
- group_vars/ → group-level variables
- host_vars/ → host-specific variables
Use Ansible Vault or SOPS for secrets.
Example inventories/hosts.yml:
    ghost-infra:
      hosts:
        ghost-comms:
          ansible_host: 192.168.122.100
          ansible_user: switch
          ansible_ssh_private_key_file: /usr/share/keys/ghost_automation

- Use a Python virtual environment (.venv) for isolation.
- Run ansible-lint and yamllint before commits.
- Future: Molecule scenarios for each role (test each role in isolation).
- Sudo configurations validated with visudo.
- Groups are created before being assigned to users.
- SSH hardening applied cautiously to prevent lockouts.
- Firewall is deny-first and requires explicit allow rules.
- Principle: secure by default, flexible by variable.
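
A minimal playbook sketching three of the safeguards listed above (groups before users, visudo-validated sudoers, SSH allowed before default deny). It is an added example, not code from the ds-* roles; the group, user and file names, the SSH port, and the use of ufw through the community.general collection are assumptions.

```yaml
---
# Added example, not the project's ds-* roles. Names below are hypothetical.
- name: Baseline safeguards sketch
  hosts: ghost-infra          # inventory group from the example hosts.yml
  become: true
  vars:
    admin_group: ghostadmins  # hypothetical group name
    admin_user: operator      # hypothetical user name
    ssh_port: 22              # assumed SSH port
  tasks:
    - name: Create the admin group before any user references it
      ansible.builtin.group:
        name: "{{ admin_group }}"
        state: present

    - name: Create the admin user and add it to the group
      ansible.builtin.user:
        name: "{{ admin_user }}"
        groups: "{{ admin_group }}"
        append: true          # keep existing supplementary groups
        shell: /bin/bash
        state: present

    - name: Install sudoers drop-in only if visudo accepts it
      ansible.builtin.copy:
        content: "%{{ admin_group }} ALL=(ALL:ALL) ALL\n"
        dest: "/etc/sudoers.d/90-{{ admin_group }}"
        owner: root
        group: root
        mode: "0440"
        # %s is the temporary file; a syntax error fails the task
        # before the destination file is replaced.
        validate: /usr/sbin/visudo -cf %s

    - name: Allow SSH before the default policy changes (avoids lockout)
      community.general.ufw:
        rule: allow
        port: "{{ ssh_port }}"
        proto: tcp

    - name: Enable firewall with default deny on incoming traffic
      community.general.ufw:
        state: enabled
        policy: deny
        direction: incoming
```

Running it with `--check --diff` first shows the pending changes without applying them.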
MIT.
[Fear the Silence. Fear the Switch.]