diff --git a/.ci/ci_lib.py b/.ci/ci_lib.py index 9f333dde..96c85811 100644 --- a/.ci/ci_lib.py +++ b/.ci/ci_lib.py @@ -39,7 +39,7 @@ DISTRO_SPECS = os.environ.get( IMAGE_PREP_DIR = os.path.join(GIT_ROOT, 'tests/image_prep') IMAGE_TEMPLATE = os.environ.get( 'MITOGEN_TEST_IMAGE_TEMPLATE', - 'public.ecr.aws/n5z0e8q9/%(distro)s-test', + 'ghcr.io/mitogen-hq/%(distro)s-test:2021', ) TESTS_SSH_PRIVATE_KEY_FILE = os.path.join(GIT_ROOT, 'tests/data/docker/mitogen__has_sudo_pubkey.key') @@ -227,7 +227,7 @@ def container_specs( [{'distro': 'debian11', 'family': 'debian', 'hostname': 'localhost', - 'image': 'public.ecr.aws/n5z0e8q9/debian11-test', + 'image': 'ghcr.io/mitogen-hq/debian11-test:2021', 'index': 1, 'name': 'target-debian11-1', 'port': 2201, @@ -235,7 +235,7 @@ def container_specs( {'distro': 'centos6', 'family': 'centos', 'hostname': 'localhost', - 'image': 'public.ecr.aws/n5z0e8q9/centos6-test', + 'image': 'ghcr.io/mitogen-hq/centos6-test:2021', 'index': 2, 'name': 'target-centos6-2', 'port': 2202, diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index bbbc33e8..393a52c7 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -8,11 +8,6 @@ on: branches-ignore: - docs-master -env: - #ANSIBLE_VERBOSITY: 3 - #MITOGEN_LOG_LEVEL: DEBUG - MITOGEN_TEST_IMAGE_TEMPLATE: "ghcr.io/mitogen-hq/%(distro)s-test" - # https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners # https://github.com/actions/runner-images/blob/main/README.md#software-and-image-support jobs: diff --git a/tests/ansible/hosts/group_vars/all.yml b/tests/ansible/hosts/group_vars/all.yml index 44e660fc..fa70b89d 100644 --- a/tests/ansible/hosts/group_vars/all.yml +++ b/tests/ansible/hosts/group_vars/all.yml @@ -27,4 +27,3 @@ become_unpriv_available: >- -}} pkg_mgr_python_interpreter: python -pkg_repos_overrides: [] 
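Review bot: The new default `'ghcr.io/mitogen-hq/%(distro)s-test:2021'` in `IMAGE_TEMPLATE` selects the test images by tag, and a registry tag can be re-pushed, so CI could pull different image content without any change in this repository. If reproducible and tamper-evident test targets matter here, consider recording a per-distro digest (`name@sha256:<digest>`) alongside the distro specs. At minimum, add a comment above the default such as `# NOTE: ':2021' is a mutable tag, not a digest`. The same default is repeated in the `tests/testlib.py` hunk. An override through `MITOGEN_TEST_IMAGE_TEMPLATE` that omits a tag would presumably fall back to the registry's default tag.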
diff --git a/tests/ansible/hosts/group_vars/centos8.yml b/tests/ansible/hosts/group_vars/centos8.yml index c90dd5f4..5ab4577d 100644 --- a/tests/ansible/hosts/group_vars/centos8.yml +++ b/tests/ansible/hosts/group_vars/centos8.yml @@ -1,7 +1,7 @@ --- pkg_mgr_python_interpreter: /usr/libexec/platform-python -pkg_repos_overrides: +package_manager_repos: - dest: /etc/yum.repos.d/CentOS-Linux-AppStream.repo content: | [appstream] diff --git a/tests/ansible/hosts/group_vars/debian11.yml b/tests/ansible/hosts/group_vars/debian11.yml new file mode 100644 index 00000000..9f62f43c --- /dev/null +++ b/tests/ansible/hosts/group_vars/debian11.yml @@ -0,0 +1,5 @@ +package_manager_keys: + - src: debian-archive-bullseye-automatic.gpg # Debian 11 + dest: /etc/apt/trusted.gpg.d/debian-archive-bullseye-automatic.gpg + - src: debian-archive-bookworm-automatic.gpg # Debian 12 + dest: /etc/apt/trusted.gpg.d/debian-archive-bookworm-automatic.gpg diff --git a/tests/ansible/hosts/group_vars/debian9.yml b/tests/ansible/hosts/group_vars/debian9.yml index 4b180b13..e08b1ed2 100644 --- a/tests/ansible/hosts/group_vars/debian9.yml +++ b/tests/ansible/hosts/group_vars/debian9.yml @@ -1,4 +1,4 @@ -pkg_repos_overrides: +package_manager_repos: - dest: /etc/apt/sources.list content: | deb http://archive.debian.org/debian stretch main contrib non-free diff --git a/tests/ansible/regression/issue_776__load_plugins_called_twice.yml b/tests/ansible/regression/issue_776__load_plugins_called_twice.yml index ef573276..d482c41c 100755 --- a/tests/ansible/regression/issue_776__load_plugins_called_twice.yml +++ b/tests/ansible/regression/issue_776__load_plugins_called_twice.yml 
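Review bot: Both `package_manager_keys` entries in the new `debian11.yml` install keyrings under `/etc/apt/trusted.gpg.d/`, where apt trusts them for every configured source rather than for one repository. For a throwaway test image that may be acceptable, but it deserves a comment in this file, e.g. `# Keys placed here are trusted for all apt sources on the target`. Scoping the key with a `signed-by` option on the repository entry is the stricter alternative. The task removed from the regression playbook applied the keys whenever `ansible_facts.distribution == "Debian"`, while this file presumably applies only to hosts in a `debian11` group, so other Debian targets that relied on those keys should be checked.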
@@ -10,7 +10,7 @@ vars: ansible_python_interpreter: "{{ pkg_mgr_python_interpreter }}" package: rsync # Chosen to exist in all tested distros/package managers - tasks: + pre_tasks: # The package management modules require using the same Python version # as the target's package manager libraries. This is sometimes in conflict # with Ansible requirements, e.g. Ansible 10 (ansible-core 2.17) does not @@ -19,31 +19,13 @@ when: - ansible_version.full is version('2.17', '>=', strict=True) + roles: + - role: package_manager + + tasks: - name: Gather facts manually setup: - - name: Switch to archived package repositories - copy: - dest: "{{ item.dest }}" - content: "{{ item.content }}" - mode: u=rw,go=r - loop: "{{ pkg_repos_overrides }}" - loop_control: - label: "{{ item.dest }}" - - - name: Add signing keys - copy: - src: "{{ item.src }}" - dest: "/etc/apt/trusted.gpg.d/{{ item.src | basename }}" - mode: u=rw,go=r - loop: - - src: debian-archive-bullseye-automatic.gpg # Debian 11 - - src: debian-archive-bookworm-automatic.gpg # Debian 12 - when: - # Ideally this would check for Debian 11, but distribution_major_version - # is unpopulated sometimes. - - ansible_facts.distribution == "Debian" - - name: Update package index apt: update_cache: true diff --git a/tests/image_prep/_container_setup.yml b/tests/image_prep/_container_setup.yml index 2972adda..4aa3b46d 100644 --- a/tests/image_prep/_container_setup.yml +++ b/tests/image_prep/_container_setup.yml @@ -1,5 +1,5 @@ - -- hosts: all +- name: Bootstrap containers + hosts: all strategy: linear gather_facts: false tasks: @@ -15,7 +15,8 @@ fi when: bootstrap_packages | length -- hosts: all +- name: Setup containers + hosts: all strategy: mitogen_free # Resource limitation, my laptop freezes doing every container concurrently serial: 4 
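Review bot: The added `roles:` entry `- role: package_manager` names a role that lives under `tests/image_prep/roles`, outside this playbook's own directory. It is found only when the roles path is set, which the `tox.ini` hunk does with `ANSIBLE_ROLES_PATH = {toxinidir}/tests/image_prep/roles`. Running this playbook directly with `ansible-playbook` would presumably stop with a role-not-found error. A comment above the entry, e.g. `# Role lives in tests/image_prep/roles; needs ANSIBLE_ROLES_PATH (see tox.ini)`, would make the dependency visible. The play header is outside the hunk.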
@@ -30,7 +31,9 @@ - ansible_facts.virtualization_type != "docker" roles: + - role: package_manager - role: sshd + - role: sshd_container tasks: - name: Ensure requisite apt packages are installed diff --git a/tests/image_prep/_user_accounts.yml b/tests/image_prep/_user_accounts.yml index 10834efc..bee89084 100644 --- a/tests/image_prep/_user_accounts.yml +++ b/tests/image_prep/_user_accounts.yml @@ -3,10 +3,8 @@ # # WARNING: this creates non-privilged accounts with pre-set passwords! # - -- import_playbook: ../ansible/setup/report_controller.yml - -- hosts: all +- name: Mitogen test users and groups + hosts: all gather_facts: true strategy: mitogen_free become: true @@ -64,7 +62,7 @@ - name: Create Mitogen test groups group: name: "{{ item.name }}" - loop: "{{ mitogen_test_groups }}" + with_items: "{{ mitogen_test_groups }}" - name: Create user accounts vars: @@ -113,7 +111,11 @@ state: restarted - name: Readonly homedir for one account - shell: "chown -R root: ~mitogen__readonly_homedir" + file: + path: ~mitogen__readonly_homedir + owner: root + recurse: true + state: directory - name: Slow bash profile for one account copy: @@ -160,7 +162,6 @@ Defaults>mitogen__pw_required targetpw Defaults>mitogen__require_tty requiretty Defaults>mitogen__require_tty_pw_required requiretty,targetpw - prepend_newline: true validate: '/usr/sbin/visudo -cf %s' - name: Configure sudoers users @@ -176,7 +177,6 @@ {% for runas_user in normal_users %} {{ lookup('pipe', 'whoami') }} ALL = ({{ runas_user.name }}:ALL) NOPASSWD:ALL {% endfor %} - prepend_newline: true validate: '/usr/sbin/visudo -cf %s' when: - ansible_virtualization_type != "docker" diff --git a/tests/image_prep/macos_localhost.yml b/tests/image_prep/macos_localhost.yml index c046a2bc..b93bc780 100644 --- a/tests/image_prep/macos_localhost.yml +++ b/tests/image_prep/macos_localhost.yml @@ -5,3 +5,4 @@ become: true roles: - role: sshd + - role: sshd_macos 
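Review bot: The `file` task that replaces `chown -R root: ~mitogen__readonly_homedir` sets only `owner: root`, whereas the trailing colon in the removed command also switched the group to root's login group. After this change the group on the home directory tree stays as it was. That matters if any path there is group-writable, because the account is meant to have a read-only home. Adding `group: "0"` (or the platform's root group name) to the task would keep the previous behaviour. The task list begins and ends outside the hunk.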
diff --git a/tests/image_prep/roles/package_manager/defaults/main.yml b/tests/image_prep/roles/package_manager/defaults/main.yml new file mode 100644 index 00000000..c384b19a --- /dev/null +++ b/tests/image_prep/roles/package_manager/defaults/main.yml @@ -0,0 +1,2 @@ +package_manager_keys: [] +package_manager_repos: [] diff --git a/tests/ansible/regression/files/debian-archive-bookworm-automatic.gpg b/tests/image_prep/roles/package_manager/files/debian-archive-bookworm-automatic.gpg similarity index 100% rename from tests/ansible/regression/files/debian-archive-bookworm-automatic.gpg rename to tests/image_prep/roles/package_manager/files/debian-archive-bookworm-automatic.gpg diff --git a/tests/ansible/regression/files/debian-archive-bullseye-automatic.gpg b/tests/image_prep/roles/package_manager/files/debian-archive-bullseye-automatic.gpg similarity index 100% rename from tests/ansible/regression/files/debian-archive-bullseye-automatic.gpg rename to tests/image_prep/roles/package_manager/files/debian-archive-bullseye-automatic.gpg diff --git a/tests/image_prep/roles/package_manager/tasks/main.yml b/tests/image_prep/roles/package_manager/tasks/main.yml new file mode 100644 index 00000000..f0bc8ad8 --- /dev/null +++ b/tests/image_prep/roles/package_manager/tasks/main.yml @@ -0,0 +1,13 @@ +- name: Add signing keys + copy: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + mode: u=rw,go=r + with_items: "{{ package_manager_keys }}" + +- name: Configure package repositories + copy: + dest: "{{ item.dest }}" + content: "{{ item.content }}" + mode: u=rw,go=r + with_items: "{{ package_manager_repos }}" diff --git a/tests/image_prep/roles/sshd/tasks/main.yml b/tests/image_prep/roles/sshd/tasks/main.yml index 837c7d15..8f3e7e03 100644 --- a/tests/image_prep/roles/sshd/tasks/main.yml +++ b/tests/image_prep/roles/sshd/tasks/main.yml 
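Review bot: Both `copy` tasks in `package_manager/tasks/main.yml` write package-manager trust and repository configuration with `mode: u=rw,go=r` but leave `owner` and `group` unset, so ownership follows whichever user the calling play runs as. Because `dest` comes straight from `package_manager_keys` and `package_manager_repos`, adding `owner: root` and `group: root` (or the platform equivalent) to each task would make the result independent of the play's `become` settings. A short header comment describing the expected item shape (`src` and `dest` for keys, `dest` and `content` for repos) would also help, since the role ships no argument spec in this change.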
@@ -9,23 +9,12 @@ path: "{{ sshd_config_file }}" line: "{{ item.line }}" regexp: "{{ item.regexp }}" - loop: + with_items: - line: Banner /etc/ssh/banner.txt regexp: '^#? *Banner.*' - line: MaxAuthTries {{ sshd_config__max_auth_tries }} regexp: '^#? *MaxAuthTries.*' - line: PermitRootLogin yes regexp: '.*PermitRootLogin.*' - loop_control: - label: "{{ item.line }}" - register: configure_sshd_result - -- name: Restart sshd - shell: | - launchctl unload /System/Library/LaunchDaemons/ssh.plist - wait 5 - launchctl load -w /System/Library/LaunchDaemons/ssh.plist - changed_when: true - when: - - ansible_facts.distribution == "MacOSX" - - configure_sshd_result is changed + notify: + - Restart sshd # Handler in platform specific role diff --git a/tests/image_prep/roles/sshd_container/handlers/main.yml b/tests/image_prep/roles/sshd_container/handlers/main.yml new file mode 100644 index 00000000..cc7b9166 --- /dev/null +++ b/tests/image_prep/roles/sshd_container/handlers/main.yml @@ -0,0 +1,2 @@ +- name: Restart sshd + meta: noop diff --git a/tests/image_prep/roles/sshd_macos/handlers/main.yml b/tests/image_prep/roles/sshd_macos/handlers/main.yml new file mode 100644 index 00000000..6d4a7e21 --- /dev/null +++ b/tests/image_prep/roles/sshd_macos/handlers/main.yml @@ -0,0 +1,6 @@ +- name: Restart sshd + shell: | + launchctl unload /System/Library/LaunchDaemons/ssh.plist + wait 5 + launchctl load -w /System/Library/LaunchDaemons/ssh.plist + changed_when: true diff --git a/tests/testlib.py b/tests/testlib.py index 05779dc0..e4fa25b8 100644 --- a/tests/testlib.py +++ b/tests/testlib.py @@ -57,7 +57,7 @@ DISTRO_SPECS = os.environ.get( ) IMAGE_TEMPLATE = os.environ.get( 'MITOGEN_TEST_IMAGE_TEMPLATE', - 'public.ecr.aws/n5z0e8q9/%(distro)s-test', + 'ghcr.io/mitogen-hq/%(distro)s-test:2021', ) TESTS_DIR = os.path.join(os.path.dirname(__file__)) diff --git a/tox.ini b/tox.ini index bd2d65e9..ddb8c88d 100644 --- a/tox.ini +++ b/tox.ini 
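Review bot: The `Restart sshd` handler in `sshd_container/handlers/main.yml` is `meta: noop`, so the `sshd` role's edits (`Banner`, `MaxAuthTries`, `PermitRootLogin yes`) are never applied to a running daemon on container targets. That is presumably intended because the image is built and sshd starts later, but the file should say so, e.g. `# sshd is not restarted during image build; config is read when the container starts`. Without this role or `sshd_macos` in the play, the `notify` added to `sshd/tasks/main.yml` has no matching handler, which Ansible treats as an error by default. Support for `meta` tasks as handlers may also depend on the ansible-core version, so it is worth confirming against the oldest version used for image prep.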
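Review bot: In the `sshd_macos` handler's shell block, `wait 5` does not pause for five seconds. `wait` is the shell builtin that waits for a child job or PID, so with the argument `5` it returns at once (normally with an error the script ignores) and `launchctl load -w` runs immediately after `launchctl unload`. If a delay between unload and load is intended, the line should be `sleep 5`. The block was moved unchanged from the `sshd` role, so the problem predates this commit, but the new handler file is a natural place to fix it.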
@@ -100,6 +100,7 @@ passenv = HOME MITOGEN_* setenv = + ANSIBLE_ROLES_PATH = {toxinidir}/tests/image_prep/roles # See also azure-pipelines.yml ANSIBLE_STRATEGY = mitogen_linear NOCOVERAGE_ERASE = 1