diff --git a/ansible/roles/zot/defaults/main.yml b/ansible/roles/zot/defaults/main.yml
new file mode 100644
index 0000000..6335fc0
--- /dev/null
+++ b/ansible/roles/zot/defaults/main.yml
@@ -0,0 +1,16 @@
+---
+zot_repo_dir: /Users/erichblume/code/3rd/zot
+zot_binary: "{{ zot_repo_dir }}/bin/zot-darwin-arm64"
+zot_data_dir: /Users/erichblume/zot
+zot_config_dir: /Users/erichblume/.config/zot
+zot_port: 5000
+zot_log_dir: /Users/erichblume/Library/Logs
+
+# Pull-through cache registries (on-demand sync)
+zot_sync_registries:
+ - name: docker.io
+ url: https://registry-1.docker.io
+ - name: ghcr.io
+ url: https://ghcr.io
+ - name: quay.io
+ url: https://quay.io
diff --git a/ansible/roles/zot/handlers/main.yml b/ansible/roles/zot/handlers/main.yml
new file mode 100644
index 0000000..0d823cb
--- /dev/null
+++ b/ansible/roles/zot/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Restart zot
+ ansible.builtin.shell: |
+ launchctl unload ~/Library/LaunchAgents/mcquack.eblume.zot.plist 2>/dev/null || true
+ launchctl load ~/Library/LaunchAgents/mcquack.eblume.zot.plist
+ changed_when: true
diff --git a/ansible/roles/zot/tasks/main.yml b/ansible/roles/zot/tasks/main.yml
new file mode 100644
index 0000000..20713b5
--- /dev/null
+++ b/ansible/roles/zot/tasks/main.yml
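Review bot: Every path default here (`zot_repo_dir`, `zot_data_dir`, `zot_config_dir`, `zot_log_dir`) hard-codes `/Users/erichblume`, so the role only works for one account on one host and would write into another user's home if the play is ever pointed elsewhere; derive them from the target user instead, e.g. `zot_repo_dir: "{{ ansible_user_dir }}/code/3rd/zot"`. `zot_port: 5000` also deserves a comment: on Monterey and later, macOS AirPlay Receiver listens on TCP 5000 when it is enabled, and a bind failure would surface only in launchd's logs, not in this play. The registry URLs are all HTTPS, which is what the sync config's `tlsVerify` relies on — worth keeping that way.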
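Review bot: `launchctl unload ... 2>/dev/null || true` discards every unload failure, not just the "not loaded" case, and `load`/`unload` are the legacy interface on current macOS; the supported pair is `launchctl bootout "gui/$(id -u)/mcquack.eblume.zot" 2>/dev/null || true` followed by `launchctl bootstrap "gui/$(id -u)" ~/Library/LaunchAgents/mcquack.eblume.zot.plist`, which like the current form also picks up plist edits. Note that the tasks file already loads the agent when `launchctl list` reports it absent, so on a first run the agent is started by that task and then immediately restarted by this handler; harmless, but a one-line comment saying so would spare the next reader the puzzle.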
@@ -0,0 +1,66 @@
+---
+# Note: Zot is built from source, not installed via homebrew.
+#
+# ONE-TIME SETUP (before running ansible):
+#
+# 1. Clone zot from forge mirror (use localhost:3001 - hairpinning doesn't work):
+# ssh indri 'git clone http://localhost:3001/eblume/zot.git ~/code/3rd/zot'
+#
+# 2. Set up Go via mise:
+# ssh indri 'cd ~/code/3rd/zot && mise use go@1.25'
+#
+# 3. Build (creates bin/zot-darwin-arm64):
+# ssh indri 'cd ~/code/3rd/zot && mise x -- make binary'
+#
+# 4. Run ansible to deploy config and LaunchAgent
+
+- name: Verify zot binary exists
+ ansible.builtin.stat:
+ path: "{{ zot_binary }}"
+ register: zot_binary_stat
+
+- name: Fail if zot binary not found
+ ansible.builtin.fail:
+ msg: |
+ Zot binary not found at {{ zot_binary }}.
+ Please build from source first:
+ ssh indri 'cd ~/code/3rd/zot && mise x -- make binary'
+ when: not zot_binary_stat.stat.exists
+
+- name: Ensure zot data directory exists
+ ansible.builtin.file:
+ path: "{{ zot_data_dir }}"
+ state: directory
+ mode: '0755'
+
+- name: Ensure zot config directory exists
+ ansible.builtin.file:
+ path: "{{ zot_config_dir }}"
+ state: directory
+ mode: '0755'
+
+- name: Deploy zot config
+ ansible.builtin.template:
+ src: config.json.j2
+ dest: "{{ zot_config_dir }}/config.json"
+ mode: '0644'
+ notify: Restart zot
+
+- name: Deploy zot LaunchAgent plist
+ ansible.builtin.template:
+ src: zot.plist.j2
+ dest: ~/Library/LaunchAgents/mcquack.eblume.zot.plist
+ mode: '0644'
+ notify: Restart zot
+
+- name: Check if zot LaunchAgent is loaded
+ ansible.builtin.command: launchctl list mcquack.eblume.zot
+ register: zot_launchctl_check
+ changed_when: false
+ failed_when: false
+
+- name: Load zot LaunchAgent if not loaded
+ ansible.builtin.command: launchctl load ~/Library/LaunchAgents/mcquack.eblume.zot.plist
+ when: zot_launchctl_check.rc != 0
+ changed_when: true
+ failed_when: false
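Review bot: `Deploy zot config` notifies `Restart zot` on any change without checking that the rendered JSON is valid, so a template mistake takes the registry down — and, with `KeepAlive` set in the plist, into a launchd respawn loop — before anything in the play reports it; zot ships a `verify` subcommand for exactly this, so add `validate: "{{ zot_binary }} verify %s"` to that task so a bad render fails the play and leaves the old config in place. Relatedly, `failed_when: false` on `Load zot LaunchAgent if not loaded` means a rejected plist leaves the play green with no registry running; drop it, or follow it with a `launchctl list mcquack.eblume.zot` check that is allowed to fail. Finally, the config directory and `config.json` are created `0755`/`0644`: nothing secret is in them today, but the first `http.auth` or sync `credentialsFile` added later would be world-readable, so `0700`/`0600` is the safer default to set now.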
diff --git a/ansible/roles/zot/templates/config.json.j2 b/ansible/roles/zot/templates/config.json.j2
new file mode 100644
index 0000000..fb5c9fa
--- /dev/null
+++ b/ansible/roles/zot/templates/config.json.j2
@@ -0,0 +1,41 @@
+{
+ "distSpecVersion": "1.1.0",
+ "storage": {
+ "rootDirectory": "{{ zot_data_dir }}",
+ "gc": true,
+ "gcDelay": "1h",
+ "gcInterval": "24h"
+ },
+ "http": {
+ "address": "0.0.0.0",
+ "port": "{{ zot_port }}"
+ },
+ "log": {
+ "level": "info"
+ },
+ "extensions": {
+ "sync": {
+ "enable": true,
+ "registries": [
+{% for registry in zot_sync_registries %}
+ {
+ "urls": ["{{ registry.url }}"],
+ "content": [{"prefix": "{{ registry.name }}/**"}],
+ "onDemand": true,
+ "tlsVerify": true
+ }{% if not loop.last %},{% endif %}
+
+{% endfor %}
+ ]
+ },
+ "search": {
+ "enable": true,
+ "cve": {
+ "updateInterval": "24h"
+ }
+ },
+ "ui": {
+ "enable": true
+ }
+ }
+}
diff --git a/ansible/roles/zot/templates/zot.plist.j2 b/ansible/roles/zot/templates/zot.plist.j2
new file mode 100644
index 0000000..25b7da1
--- /dev/null
+++ b/ansible/roles/zot/templates/zot.plist.j2
@@ -0,0 +1,24 @@
+ + + + + Label + mcquack.eblume.zot + ProgramArguments + + + {{ zot_binary }} + serve + {{ zot_config_dir }}/config.json + + RunAtLoad + + KeepAlive + + StandardOutPath + {{ zot_log_dir }}/mcquack.zot.out.log + StandardErrorPath + {{ zot_log_dir }}/mcquack.zot.err.log + +
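Review bot: `"address": "0.0.0.0"` binds the registry on every interface while the config carries no `http.auth` or `accessControl` block, so anyone who can reach the port on the LAN gets anonymous access — which, as far as I recall zot's defaults, includes pushing to the registry and not just pulling through the cache, plus the search and UI extensions enabled below. For a single-machine cache the safe change is `"address": "127.0.0.1"`; if other hosts are meant to use it, keep `0.0.0.0` but add an `accessControl` section whose anonymous policy is read-only and an `http.auth` method for pushes. The sync entries correctly keep `"tlsVerify": true`, so the upstream fetches are not downgradable. Separately, the loop interpolates `registry.name` and `registry.url` straight into JSON; rendering them as `{{ registry.url | to_json }}` without the surrounding quotes keeps the file valid if a value ever contains a quote or backslash.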