diff --git a/roles/install/defaults/main.yml b/roles/install/defaults/main.yml
new file mode 100644
index 0000000..412fcc3
--- /dev/null
+++ b/roles/install/defaults/main.yml
@@ -0,0 +1,5 @@
+---
+sce_cfg_group: sce_cfg
+sce_cfg_user: cfg
+sce_service_accounts:
+ - podman
diff --git a/roles/install/tasks/main.yml b/roles/install/tasks/main.yml
new file mode 100644
index 0000000..baf280b
--- /dev/null
+++ b/roles/install/tasks/main.yml
@@ -0,0 +1,43 @@
+---
+- name: Install Podman and dependencies for rootless operation
+ ansible.builtin.apt:
+ pkg:
+ - podman
+ # Required for rootless operation
+ - uidmap
+ # Use the newer network backend instead of the default CNI backend
+ - netavark
+ # Required for rootless networking
+ - slirp4netns
+ # Next two are required for config management
+ - systemd-container
+ - polkitd
+
+- name: Configure polkit for `machinectl` privilege escalation & config management
+ ansible.builtin.template:
+ src: machinectl.rules.j2
+ dest: /etc/polkit-1/rules.d/50-machinectl.rules
+ mode: "640"
+ owner: root
+ group: polkitd
+
+- name: Create group for managing rootless Podman environments
+ ansible.builtin.group:
+ name: "{{ sce_cfg_group }}"
+ state: present
+
+- name: Add config management (Ansible) user to the rootless Podman managing group
+ ansible.builtin.user:
+ name: "{{ sce_cfg_user }}"
+ groups: ["{{ sce_cfg_group }}"]
+ append: true
+
+- name: Create service account(s) for running rootless Podman containers under
+ ansible.builtin.user:
+ name: "{{ item }}"
+ password_lock: true
+ comment: "Rootless Podman service account"
+ # By default, subordinate id's are only allocated automatically for non-system accounts
+ system: false
+ state: present
+ loop: "{{ sce_service_accounts }}"
diff --git a/roles/install/templates/machinectl.rules.j2 b/roles/install/templates/machinectl.rules.j2
new file mode 100644
index 0000000..757a35e
--- /dev/null
+++ b/roles/install/templates/machinectl.rules.j2
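Review bot: The three defaults carry no comment saying what they control, and `sce_cfg_group` is more than a convenience group: the template added in this same commit (`machinectl.rules.j2`) grants its members `org.freedesktop.machine1.host-shell`, i.e. a root shell through `machinectl`. I would state that above the key, e.g. `# Members may open a host shell via machinectl (see templates/machinectl.rules.j2); treat membership as root-equivalent`, and note that `sce_cfg_user` is the account the tasks add to it. `sce_service_accounts` could similarly say that each entry becomes a locked, non-system user created by tasks/main.yml.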
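Review bot: `mode: "640"` on the polkit template task works because the file module reads a quoted string as octal, but the leading-zero form the Ansible docs use, `mode: "0640"`, makes the intent explicit and avoids confusion with a decimal value. The `Add config management (Ansible) user ...` task silently grants effective root, since the rule installed two tasks earlier lets the group open a host shell; a comment such as `# Membership is root-equivalent via the polkit rule installed above` would make that visible to anyone editing this file. `group: polkitd` presumably relies on the `polkitd` package creating that group, which I believe holds on recent Debian releases but not on older ones where polkitd ran as root; if the role targets those, the task fails at group lookup. The service-account task locks the password but leaves the shell at the distro default, which is deliberate if `machinectl shell` into these users is the management path, and worth a one-line comment either way.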
@@ -0,0 +1,6 @@
+/* {{ ansible_managed }} */
+polkit.addRule(function(action, subject) {
+ if(action.id == "org.freedesktop.machine1.host-shell" && subject.isInGroup("{{ sce_cfg_group }}")) {
+ return polkit.Result.YES;
+ }
+});
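Review bot: The rule returns `polkit.Result.YES` for every `host-shell` request from a member of the group, with no restriction on which user the shell is opened as, so group membership is equivalent to unrestricted root on the host; that may be exactly the intent (Ansible's `machinectl` become method needs it), but the file should say so, e.g. `/* Members of {{ sce_cfg_group }} may open a host shell as any user, including root */`. If only the rootless service accounts need to be reachable, the condition could additionally compare the target user, which I believe machined exposes as `action.lookup("user")`, against the configured accounts; confirm the detail name before relying on it. Minor style: `if(` lacks a space after the keyword and `==` could be `===`, as in usual JavaScript convention.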