diff --git a/clean.sh b/clean.sh
index 2fb02222..6d0d4edb 100755
--- a/clean.sh
+++ b/clean.sh
@@ -1,6 +1,4 @@
 #!/bin/sh
 
 export ANSIBLE_NOCOWS=1
-ansible-playbook -K -i localhost, clean.yml $*
-
-rm -f ansible_inventory.ini
+ansible-playbook -K -i localhost, -e GITHUB_API_TOKEN=$GITHUB_API_TOKEN clean.yaml $*
diff --git a/clean.yaml b/clean.yaml
new file mode 100644
index 00000000..3653fd49
--- /dev/null
+++ b/clean.yaml
@@ -0,0 +1,5 @@
+---
+- import_playbook: "roles.yaml"
+  vars:
+    tasks_from_file: "clean"
+
diff --git a/clean.yml b/clean.yml
deleted file mode 100644
index b99bed94..00000000
--- a/clean.yml
+++ /dev/null
@@ -1,18 +0,0 @@
----
-# 
-
-- hosts: localhost
-  connection: local
-  pre_tasks:
-    - name: Fail if Ansible version is too old 
-      fail: 
-        msg: "Workstation requires a minimum Ansible version of {{ ansible_minimum_version }}. Please update Ansible and run workstation.sh again."
-      when: ansible_version.full is version(ansible_minimum_version, operator='lt', strict=True)
-    - name: abort execution on 32-bit environments
-      fail:
-        msg: "These playbooks are now only available on 64-bit OSes"
-      when: ansible_architecture == "i386"
-  become: yes
-  vars_files:
-    - versions.yml
-
diff --git a/install.sh b/install.sh
new file mode 100755
index 00000000..4096c671
--- /dev/null
+++ b/install.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+export ANSIBLE_NOCOWS=1
+ansible-playbook -K -i localhost, -e GITHUB_API_TOKEN=$GITHUB_API_TOKEN install.yaml $*
diff --git a/install.yaml b/install.yaml
new file mode 100644
index 00000000..49ee0431
--- /dev/null
+++ b/install.yaml
@@ -0,0 +1,5 @@
+---
+- import_playbook: "roles.yaml"
+  vars:
+    tasks_from_file: "main"
+
diff --git a/roles.yaml b/roles.yaml
new file mode 100644
index 00000000..2307b9a5
--- /dev/null
+++ b/roles.yaml
@@ -0,0 +1,66 @@
+---
+
+# Workstation set-up that's done system-wide (and requires root privileges)
+
+- hosts: "localhost"
+  connection: "local"
+  pre_tasks:
+    - name: "Fail if Ansible version is too old"
+      fail:
+        msg: "Workstation requires a minimum Ansible version of {{ ansible_minimum_version }}. Please update Ansible and run workstation.sh again."
+      when: "ansible_version.full is version(ansible_minimum_version, operator='lt', strict=True)"
+    - name: "abort execution on 32-bit environments"
+      fail:
+        msg: "These playbooks are now only available on 64-bit OSes"
+      when: 'ansible_architecture == "i386"'
+  become: yes
+  vars_files:
+    - "config.yaml"
+    - "versions.yaml"
+  tasks:
+    - import_role:
+        name: "setup"
+        tasks_from: "{{ tasks_from_file }}-system"
+    - import_role:
+        name: "common"
+        tasks_from: "{{ tasks_from_file }}"
+    - import_role:
+        name: "browser"
+        tasks_from: "{{ tasks_from_file }}"
+    - import_role:
+        name: "communication"
+        tasks_from: "{{ tasks_from_file }}"
+    - import_role:
+        name: "multimedia"
+        tasks_from: "{{ tasks_from_file }}"
+    - import_role:
+        name: "development"
+        tasks_from: "{{ tasks_from_file }}"
+    - import_role:
+        name: "containerization"
+        tasks_from: "{{ tasks_from_file }}"
+
+# Workstation set-up that's done as the current user
+
+- hosts: "localhost"
+  connection: "local"
+  pre_tasks:
+    - name: "Fail if Ansible version is too old"
+      fail:
+        msg: "Workstation requires a minimum Ansible version of {{ ansible_minimum_version }}. Please update Ansible and run workstation.sh again."
+      when: "ansible_version.full is version(ansible_minimum_version, operator='lt', strict=True)"
+    - name: "abort execution on 32-bit environments"
+      fail:
+        msg: "These playbooks are now only available on 64-bit OSes"
+      when: 'ansible_architecture == "i386"'
+  become: no
+  vars_files:
+    - "config.yaml"
+    - "versions.yaml"
+  tasks:
+    - import_role:
+        name: "setup"
+        tasks_from: "{{ tasks_from_file }}-user"
+    - import_role:
+        name: "asdf"
+        tasks_from: "{{ tasks_from_file }}"
diff --git a/roles/setup/tasks/clean-system.yaml b/roles/setup/tasks/clean-system.yaml
new file mode 100644
index 00000000..ab719cfd
--- /dev/null
+++ b/roles/setup/tasks/clean-system.yaml
@@ -0,0 +1,15 @@
+---
+
+# Remove the privileged ansible user which was created by earlier versions
+# of workstation (before Ansible supported local execution).
+
+- name: "remove the ansible user's privileges (sudo)"
+  file:
+    path: "/etc/sudoers.d/ansible"
+    state: "absent"
+
+- name: "remove the ansible user's account"
+  user:
+    name: "ansible"
+    state: "absent"
+    remove: yes
diff --git a/roles/setup/tasks/clean-user.yaml b/roles/setup/tasks/clean-user.yaml
new file mode 100644
index 00000000..ed97d539
--- /dev/null
+++ b/roles/setup/tasks/clean-user.yaml
@@ -0,0 +1 @@
+---
diff --git a/roles/setup/tasks/main.yaml b/roles/setup/tasks/main-system.yaml
similarity index 61%
rename from roles/setup/tasks/main.yaml
rename to roles/setup/tasks/main-system.yaml
index 0a6ce54a..fa5cd7be 100644
--- a/roles/setup/tasks/main.yaml
+++ b/roles/setup/tasks/main-system.yaml
@@ -1,5 +1,7 @@
 ---
 
+# apt - native Debian package manager
+
 - name: "upgrade existing apt packages"
   apt:
     upgrade: "yes"
@@ -7,15 +9,25 @@
     autoclean: "yes"
     autoremove: "yes"
     state: "latest"
+  tags:
+  - "packaging"
+  - "setup"
+
+# pip/pipx - install Python3 libraries and commands
 
 - name: "add the PIP package manager"
   apt:
     pkg:
     - "python3-setuptools"
     - "python3-pip"
+    - "python3-virtualenv"
+    - "pipx"
   tags:
     - "python"
     - "packaging"
+    - "setup"
+
+# flatpak - encapsulated applications with (optional) sandboxing
 
 - name: "add the flatpak package manager"
   apt:
@@ -24,6 +36,7 @@
   tags:
   - "flatpak"
   - "packaging"
+  - "setup"
 
 - name: "add the flathub remote repository"
   flatpak_remote:
@@ -32,11 +45,23 @@
   tags:
   - "flatpak"
   - "packaging"
+  - "setup"
 
 - name: "upgrade existing flatpak applications"
   command: "flatpak update --noninteractive"
-  register: update_flatpak_apps_result
+  register: "update_flatpak_apps_result"
   changed_when: "'Nothing to do.' not in update_flatpak_apps_result.stdout"
   tags:
   - "flatpak"
   - "packaging"
+  - "setup"
+
+# appimagelauncher - install daemon and desktop integration
+
+- name: "install appimagelauncher"
+  apt:
+    pkg: "appimagelauncher"
+  tags:
+  - "appimagelauncher"
+  - "packaging"
+  - "setup"
diff --git a/roles/setup/tasks/main-user.yaml b/roles/setup/tasks/main-user.yaml
new file mode 100644
index 00000000..67558a08
--- /dev/null
+++ b/roles/setup/tasks/main-user.yaml
@@ -0,0 +1,25 @@
+---
+
+# asdf - the multiple runtime version manager
+
+- name: "install asdf"
+  git:
+    repo: "https://github.com/asdf-vm/asdf.git"
+    dest: "~/.asdf"
+    # version: "{{ asdf_version }}"
+    version: "v0.12.0"
+    update: no
+  register: "install_asdf_result"
+  tags:
+  - "asdf"
+  - "packaging"
+  - "setup"
+
+- name: "update asdf to the latest version"
+  command: "~/.asdf/bin/asdf update"
+  register: "asdf_update_result"
+  changed_when: "'Previous HEAD position was' in asdf_update_result.stderr"
+  tags:
+  - "asdf"
+  - "packaging"
+  - "setup"
diff --git a/versions.yml b/versions.yaml
similarity index 70%
rename from versions.yml
rename to versions.yaml
index c63a50d3..085d551b 100644
--- a/versions.yml
+++ b/versions.yaml
@@ -9,51 +9,24 @@ ansible_minimum_version: 2.10.17
 studio_version: 2.0.0
 studio_build: 20210717-M17
 
-#asdf managed tool versions
-# act_version: latest
-# ant_version: latest
-asdf_version: v0.10.2
+# asdf - the multiple runtime version manager
+asdf_version: v0.14.1
+
+# asdf managed tool versions - only install tools that need to be available
+#                              to the user in any context.  Most tools should
+#                              be project specfic and have a local list of
+#                              tools in .tool-versions file.
 awscli_version: latest
 aws_vault_version: latest
-# bazel_version: latest
+azure_cli_version: latest
 chezmoi_version: latest
 direnv_version: latest
 github_cli_version: latest
-# golang_version: latest
-# golangci_lint_version: latest
-# gomigrate_version: latest
-# gradle_version: latest
-# grpcurl_version: latest
-# helm_version: latest
-# java_version: openjdk-17.0.2
-# jq_version: latest
-# k6_version: latest
-# k9s_version: latest
-# kind_version: latest
-# ko_version: 0.12.0
-# krew_version: latest
-# kubectl_version: latest
-# kubeseal_version: 0.18.2
-# kustomize_version: latest
-# linkerd_version: 2.12.0
-# mage_version: latest
-# make_version: latest
-# maven_version: latest
-# minikube_version: latest
-# nancy_version: latest
-# nodejs_version: latest
+jq_version: latest
+k9s_version: latest
+kubectl_version: latest
 op_cli_version: latest
-# protoc_version: latest
-# protoc_gen_version: latest
-# protoc_gen_grpc_version: latest
-# semver_version: latest
-# skaffold_version: latest
-# sops_version: latest
-# swag_version: 1.16.2
-# terraform_version: latest
-# terragrunt_version: latest
-# tflint_version: latest
-# yq_version: latest
+yq_version: latest
 
 #flatpak managed tool versions
 dbeaver: latest