diff --git a/roles/toolbox/README.md b/roles/toolbox/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..aa50307c8c8f5c3f633759801cbfd19ec60abde1
--- /dev/null
+++ b/roles/toolbox/README.md
@@ -0,0 +1,17 @@
+# Toolbox
+
+Install Podman and Toolbox.
+
+## Supported distros
+
+- Debian Buster
+- Debian Bullseye
+- Debian Sid
+- Ubuntu Bionic
+- Ubuntu Focal
+- ElementaryOS Hera
+- ElementaryOS Odin
+
+Debian Bullseye and Sid have Podman in the Debian repos, the rest don't so the
+Kubic repos are used. Toolbox isn't packaged yet, so
+[toolbox-build](https://git.shore.co.il/shore/toolbox-build) is used.
diff --git a/roles/toolbox/tasks/main.yml b/roles/toolbox/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..5104f2dfe41fa2b84383c3057ebf3605099361e8
--- /dev/null
+++ b/roles/toolbox/tasks/main.yml
@@ -0,0 +1,55 @@
+---
+- name: Install Podman from the Kubic repository
+  # yamllint disable-line rule:line-length
+  when: ansible_distribution_release is in ["buster", "bionic", "focal", "hera", "odin"]
+  block:
+    - name: Assertions
+      assert:
+        that:
+          - toolbox_podman_repo_base_url is defined
+
+    - name: APT install prerequisites
+      apt:
+        cache_valid_time: 3600
+        name:
+          - apt-transport-https
+        state: present
+        update_cache: true
+
+    - name: Add the Podman repo key
+      apt_key:
+        state: present
+        url: |-
+          {{ toolbox_podman_repo_base_url }}/Release.key
+
+    - name: Add the Podman repo
+      apt_repository:
+        repo: |-
+          deb {{ toolbox_podman_repo_base_url }} /
+        state: present
+        update_cache: true
+
+    - name: Install newer libseccomp2 from the backports repository
+      when: ansible_distribution_release == "buster"
+      apt:
+        cache_valid_time: 3600
+        default_release: buster-backports
+        name:
+          - libseccomp2
+        state: present
+        update_cache: true
+
+- name: APT install Podman
+  apt:
+    cache_valid_time: 3600
+    name:
+      - podman
+    state: present
+    update_cache: true
+
+- name: Install Toolbox
+  unarchive:
+    dest: /
+    remote_src: true
+    # yamllint disable-line rule:line-length
+    src: https://git.shore.co.il/shore/toolbox-build/-/jobs/artifacts/master/raw/toolbox.tar.gz?job=build
diff --git a/roles/toolbox/vars/main.yml b/roles/toolbox/vars/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..a1257de40a5c8b8bbdf2cdbf6651e199e4cf7234
--- /dev/null
+++ b/roles/toolbox/vars/main.yml
@@ -0,0 +1,15 @@
+---
+# Hera and Odin are ElementaryOS releases based on Ubuntu Bionic and Focal
+# respectively.
+toolbox_podman_repo_base_url_mapping:
+  # yamllint disable-line rule:line-length
+  bionic: &bionic https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_18.04/
+  # yamllint disable-line rule:line-length
+  buster: https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/Debian_10/
+  # yamllint disable-line rule:line-length
+  focal: &focal https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_20.04/
+  hera: *bionic
+  odin: *focal
+
+toolbox_podman_repo_base_url: |-
+  {{ toolbox_podman_repo_base_url_mapping[ansible_distribution_release] }}
diff --git a/toolbox.yaml b/toolbox.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..933c425777882299fe3c95fb4c8338896571ca35
--- /dev/null
+++ b/toolbox.yaml
@@ -0,0 +1,8 @@
+---
+- hosts:
+    - ns4
+    - localhost
+  roles:
+    - toolbox
+  become: true
+  become_user: root