diff --git a/.config/molecule/config.yml b/.config/molecule/config.yml
index b0a3d8d..24bf9c0 100644
--- a/.config/molecule/config.yml
+++ b/.config/molecule/config.yml
@@ -1,6 +1,8 @@
 ---
 dependency:
   name: galaxy
+  options:
+    requirements-file: requirements.molecule.yml
 
 driver:
   name: docker
@@ -9,12 +11,18 @@ provisioner:
   name: ansible
   env:
     ANSIBLE_PIPELINING: true
+  inventory:
+    group_vars:
+      all:
+        # Versions to use, can be passed in from pytest
+        step_cli_version: ${STEP_CLI_VERSION:-latest}
+        step_ca_version: ${STEP_CA_VERSION:-latest}
 
 scenario:
   test_sequence:
-    - destroy
-    - dependency
     - syntax
+    - dependency
+    - destroy
     - create
     - prepare
     - converge
diff --git a/.github/renovate.json5 b/.github/renovate.json5
index 4574387..6d4db2d 100644
--- a/.github/renovate.json5
+++ b/.github/renovate.json5
@@ -1,5 +1,14 @@
 {
     "extends": [
         "github>maxhoesel-ansible/.github:renovate-config"
-    ]
+    ],
+    "pip-compile": {
+        "fileMatch": ["^requirements\\.txt$"]
+    },
+    "pip_requirements": {
+        "enabled": false
+    },
+    "pip_setup": {
+        "enabled": false
+    }
 }
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e7716e8..9439996 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,14 +6,41 @@ on:
 
 jobs:
   lint:
-    name: "CI"
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out codebase
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Python 3
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Install dependencies
+        run: |
+          pip3 install --upgrade pip
+          pip3 install -r requirements.txt
+
+      - name: Run ansible-lint
+        run: ansible-lint
+
+      - name: Run pre-commit
+        run: pre-commit run --all-files
+
+  molecule:
+    name: "Molecule ${{ matrix.scenario }},${{ matrix.ansible_version }}"
     runs-on: ubuntu-latest
     strategy:
-        matrix:
-            job:
-                - molecule-ansible8
-                - molecule-ansible9
-                - lint
+      matrix:
+        scenario:
+          - default
+        ansible_version:
+          - "2.16"
+          - "2.17"
+
     steps:
       - name: Check out codebase
         uses: actions/checkout@v4
@@ -24,11 +51,13 @@ jobs:
         uses: actions/setup-python@v5
         with:
           python-version: "3.12"
-      - name: Set up pip
-        run: pip3 install --upgrade pip
 
-      - name: Install tox
-        run: sudo apt update && sudo apt -y install tox
+      - name: Install dependencies
+        run: |
+          pip3 install --upgrade pip
+          pip3 install -r requirements.txt
+          pip3 install "ansible-core~=${{ matrix.ansible_version }}"
 
-      - name: Run Tox
-        run: tox -e ${{ matrix.job }}
+      - name: Run scenario
+        run: |
+          molecule test -s ${{ matrix.scenario }}
diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml
index f90d928..884831b 100644
--- a/molecule/default/molecule.yml
+++ b/molecule/default/molecule.yml
@@ -1,6 +1,17 @@
 ---
 platforms:
-  - name: postfix-nullclient-ubuntu-222
+  - name: postfix-nullclient-ubuntu-24
+    image: "geerlingguy/docker-ubuntu2404-ansible"
+    groups:
+      - ubuntu
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+    cgroupns_mode: host
+    privileged: true
+    override_command: false
+    pre_build_image: true
+
+  - name: postfix-nullclient-ubuntu-22
     image: "geerlingguy/docker-ubuntu2204-ansible"
     groups:
       - ubuntu
diff --git a/requirements.in b/requirements.in
new file mode 100644
index 0000000..a6eae2b
--- /dev/null
+++ b/requirements.in
@@ -0,0 +1,15 @@
+# Include a version of ansible-core for IDE hints and the default pytest version
+# It is also needed for docs generation.
+#
+# This installed version can be overriden by running pytest with the --ansible-version command.
+# Ideally pytest would install another venv just for the test, but the pytest-virtualenv package
+# is ancient and incompatible with python 3.12.
+ansible-core==2.17.0
+
+# Linting & Formatting
+ansible-lint==24.6.0
+pre-commit==3.7.1
+
+# Requirements for running the tests for this role
+molecule==24.2.1
+molecule-plugins[docker]==23.5.3
diff --git a/requirements.molecule.yml b/requirements.molecule.yml
new file mode 100644
index 0000000..ffc5795
--- /dev/null
+++ b/requirements.molecule.yml
@@ -0,0 +1,5 @@
+# Requirements for running molecule testing scenarios
+# These are not the collection runtime requirements
+collections:
+  - name: community.docker
+    version: "==3.4.8"
diff --git a/requirements.txt b/requirements.txt
index bdf128c..421fce7 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,5 +1,163 @@
-# Requirements for running the tests for this role
+#
+# This file is autogenerated by pip-compile with Python 3.12
+# by the following command:
+#
+#    pip-compile requirements.in
+#
+ansible-compat==24.6.1
+    # via
+    #   ansible-lint
+    #   molecule
+ansible-core==2.17.0
+    # via
+    #   -r requirements.in
+    #   ansible-compat
+    #   ansible-lint
+    #   molecule
+ansible-lint==24.6.0
+    # via -r requirements.in
+attrs==23.2.0
+    # via
+    #   jsonschema
+    #   referencing
+black==24.4.2
+    # via ansible-lint
+bracex==2.4
+    # via wcmatch
+certifi==2024.6.2
+    # via requests
+cffi==1.16.0
+    # via cryptography
+cfgv==3.4.0
+    # via pre-commit
+charset-normalizer==3.3.2
+    # via requests
+click==8.1.7
+    # via
+    #   black
+    #   click-help-colors
+    #   molecule
+click-help-colors==0.9.4
+    # via molecule
+cryptography==42.0.8
+    # via ansible-core
+distlib==0.3.8
+    # via virtualenv
+distro==1.9.0
+    # via selinux
+docker==7.1.0
+    # via molecule-plugins
+enrich==1.2.7
+    # via molecule
+filelock==3.14.0
+    # via
+    #   ansible-lint
+    #   virtualenv
+identify==2.5.36
+    # via pre-commit
+idna==3.7
+    # via requests
+importlib-metadata==7.1.0
+    # via ansible-lint
+jinja2==3.1.4
+    # via
+    #   ansible-core
+    #   molecule
+jsonschema==4.22.0
+    # via
+    #   ansible-compat
+    #   ansible-lint
+    #   molecule
+jsonschema-specifications==2023.12.1
+    # via jsonschema
+markdown-it-py==3.0.0
+    # via rich
+markupsafe==2.1.5
+    # via jinja2
+mdurl==0.1.2
+    # via markdown-it-py
 molecule==24.2.1
+    # via
+    #   -r requirements.in
+    #   molecule-plugins
 molecule-plugins[docker]==23.5.3
-ansible-lint==24.5.0
-tox==4.12.1
+    # via -r requirements.in
+mypy-extensions==1.0.0
+    # via black
+nodeenv==1.9.1
+    # via pre-commit
+packaging==24.0
+    # via
+    #   ansible-compat
+    #   ansible-core
+    #   ansible-lint
+    #   black
+    #   molecule
+pathspec==0.12.1
+    # via
+    #   ansible-lint
+    #   black
+    #   yamllint
+platformdirs==4.2.2
+    # via
+    #   black
+    #   virtualenv
+pluggy==1.5.0
+    # via molecule
+pre-commit==3.7.1
+    # via -r requirements.in
+pycparser==2.22
+    # via cffi
+pygments==2.18.0
+    # via rich
+pyyaml==6.0.1
+    # via
+    #   ansible-compat
+    #   ansible-core
+    #   ansible-lint
+    #   molecule
+    #   pre-commit
+    #   yamllint
+referencing==0.35.1
+    # via
+    #   jsonschema
+    #   jsonschema-specifications
+requests==2.31.0
+    # via
+    #   docker
+    #   molecule-plugins
+resolvelib==1.0.1
+    # via ansible-core
+rich==13.7.1
+    # via
+    #   ansible-lint
+    #   enrich
+    #   molecule
+rpds-py==0.18.1
+    # via
+    #   jsonschema
+    #   referencing
+ruamel-yaml==0.18.6
+    # via ansible-lint
+ruamel-yaml-clib==0.2.8
+    # via ruamel-yaml
+selinux==0.3.0
+    # via molecule-plugins
+subprocess-tee==0.4.1
+    # via
+    #   ansible-compat
+    #   ansible-lint
+urllib3==2.2.1
+    # via
+    #   docker
+    #   requests
+virtualenv==20.26.2
+    # via pre-commit
+wcmatch==8.5.2
+    # via
+    #   ansible-lint
+    #   molecule
+yamllint==1.35.1
+    # via ansible-lint
+zipp==3.19.2
+    # via importlib-metadata
diff --git a/scripts/setup.sh b/scripts/setup.sh
new file mode 100755
index 0000000..a16ce52
--- /dev/null
+++ b/scripts/setup.sh
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+set -eu
+set -e pipefail
+
+printf "Creating project-specific virtualenv in .venv..."
+python3 -m venv .venv
+printf "OK\n"
+
+source .venv/bin/activate
+
+printf "Installing development requirements..."
+python3 -m pip install --upgrade pip --quiet
+python3 -m pip install --quiet -r requirements.txt --upgrade
+python3 -m piptools sync --pip-args "--quiet" # ensure contents stay synced with lockfile
+
+printf "OK\n"
+
+printf "Installing pre-commit hook..."
+pre-commit install > /dev/null
+printf "OK\n"
+
+printf "Development venv initialized!\n"
+printf "To activate it, run:\n\n"
+printf "source .venv/bin/activate\n"
diff --git a/scripts/update_requirements.sh b/scripts/update_requirements.sh
new file mode 100755
index 0000000..d8e7186
--- /dev/null
+++ b/scripts/update_requirements.sh
@@ -0,0 +1,2 @@
+#!/usr/bin/env bash
+pip-compile -U requirements.in
diff --git a/tox.ini b/tox.ini
deleted file mode 100644
index ebef2f0..0000000
--- a/tox.ini
+++ /dev/null
@@ -1,23 +0,0 @@
-[tox]
-skipsdist = True
-requires =
-    tox>=4
-env_list =
-    molecule-ansible{8,9},lint
-
-[testenv]
-deps =
-    -r requirements.txt
-    molecule-ansible8: ansible>=8,<9
-    molecule-ansible9: ansible>=9,<10
-passenv =
-    HOME
-setenv =
-    PY_COLORS = 1
-    ANSIBLE_FORCE_COLOR = 1
-
-[testenv:molecule-ansible{8,9}]
-commands = molecule test
-
-[testenv:lint]
-commands = ansible-lint