diff --git a/.ansible-lint b/.ansible-lint
index eb0ae7cb..cee4980f 100644
--- a/.ansible-lint
+++ b/.ansible-lint
@@ -1,6 +1,11 @@
+---
 exclude_paths:
   - tests/roles/
   - .tox/
   - .markdownlint.yaml
 skip_list:
   - var-naming[no-role-prefix]
+mock_roles:
+  - willshersystems.sshd.ansible-sshd
+mock_modules:
+  - ansible.posix.mount
diff --git a/.github/workflows/ansible-lint.yml b/.github/workflows/ansible-lint.yml
index d23fffff..58119963 100644
--- a/.github/workflows/ansible-lint.yml
+++ b/.github/workflows/ansible-lint.yml
@@ -1,12 +1,38 @@
 name: Ansible Lint  # feel free to pick your own name
 
-on: [push, pull_request]
+on: [push, pull_request, workflow_dispatch]
+
+env:
+  LSR_ROLE2COLL_NAMESPACE: willshersystems
+  LSR_ROLE2COLL_NAME: sshd
+
+permissions:
+  contents: read
 
 jobs:
   ansible-lint:
     runs-on: ubuntu-latest
     steps:
+      - name: Update pip, git
+        run: |
+          set -euxo pipefail
+          sudo apt update
+          sudo apt install -y git
       - name: checkout PR
         uses: actions/checkout@v4
-      - name: Lint Ansible playbook
-        uses: ansible/ansible-lint-action@main
+      - name: Install tox, tox-lsr
+        run: |
+          set -euxo pipefail
+          pip3 install "git+https://github.com/linux-system-roles/tox-lsr@3.2.1"
+      - name: Convert role to collection format
+        run: |
+          set -euxo pipefail
+          TOXENV=collection lsr_ci_runtox
+          coll_dir=".tox/ansible_collections/$LSR_ROLE2COLL_NAMESPACE/$LSR_ROLE2COLL_NAME"
+          # ansible-lint action requires a .git directory???
+          # https://github.com/ansible/ansible-lint/blob/main/action.yml#L45
+          mkdir -p "$coll_dir/.git"
+      - name: Run ansible-lint
+        uses: ansible/ansible-lint@v6
+        with:
+          working_directory: .tox/ansible_collections/${{ env.LSR_ROLE2COLL_NAMESPACE }}/${{ env.LSR_ROLE2COLL_NAME }}
diff --git a/.gitignore b/.gitignore
index 5d14e0b1..d9edfcdc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 .vagrant
 tests/test.retry
+.tox
diff --git a/.markdownlint.yaml b/.markdownlint.yaml
index 4f8a9799..6bf4ccd9 100644
--- a/.markdownlint.yaml
+++ b/.markdownlint.yaml
@@ -1,3 +1,4 @@
+---
 # Default state for all rules
 default: true
 
diff --git a/.ostree/get_ostree_data.sh b/.ostree/get_ostree_data.sh
index cec08b0c..e9f77811 100755
--- a/.ostree/get_ostree_data.sh
+++ b/.ostree/get_ostree_data.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 
 set -euo pipefail
 
diff --git a/meta/make_ostree_packages_files b/meta/make_ostree_packages_files
index 94513469..c58c2fbd 100755
--- a/meta/make_ostree_packages_files
+++ b/meta/make_ostree_packages_files
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 
 set -euo pipefail
 
diff --git a/tox.ini b/tox.ini
new file mode 100755
index 00000000..66933ff4
--- /dev/null
+++ b/tox.ini
@@ -0,0 +1,7 @@
+[lsr_config]
+lsr_enable = true
+
+[testenv]
+setenv =
+    LSR_ROLE2COLL_NAMESPACE = willshersystems
+    LSR_ROLE2COLL_NAME = sshd
diff --git a/vars/main.yml b/vars/main.yml
index 43d8171b..b6e8298a 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -1,3 +1,4 @@
+---
 __sshd_config_file: "/etc/ssh/sshd_config"
 __sshd_config_owner: "root"
 __sshd_config_group: "root"