diff --git a/.gitignore b/.gitignore
index 85e7c1d..ae91c4c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 /.idea/
+/.vagrant/
diff --git a/README.md b/README.md
index cce68f0..d86f5a8 100644
--- a/README.md
+++ b/README.md
@@ -19,3 +19,34 @@ git config submodule.recurse true
 - setup IDP (provides login and consent screens)
 - setup demo application
 - setup setup OpenID Connect client registration application
+
+## Local development setup
+
+Make sure you have the necessary prerequisites installed (tested on Debian 11
+Bullseye) and `~/.local/bin` is in your `$PATH` variable:
+
+```shell
+sudo apt update
+sudo apt install make python3-pip python3-psycopg2 golang-go yarnpkg
+python3 -m pip install --user -U pip
+python3 -m pip install --user ansible
+export PATH=$HOME/.local/bin:$PATH
+```
+
+*Note:* It is a good idea to put the `PATH` export line into your `.bashrc` or
+`.zshenv`.
+
+Use `make` to build the web app resources and applications:
+
+```shell
+make
+```
+
+Use `ansible-playbook` to deploy Hydra, IDP, Client registration and the demo
+application:
+
+```shell
+cd deployment
+ansible-playbook 01_install_cacert_oidc.yml
+```
+
diff --git a/Vagrantfile b/Vagrantfile
new file mode 100644
index 0000000..93e3ec9
--- /dev/null
+++ b/Vagrantfile
@@ -0,0 +1,28 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+Vagrant.configure("2") do |config|
+  config.vm.box = "generic/debian11"
+
+  config.vm.define "oidcbox"
+
+  config.vm.network "forwarded_port", guest: 4444, host: 4444, host_ip: "127.0.0.1"
+  config.vm.network "forwarded_port", guest: 3000, host: 3000, host_ip: "127.0.0.1"
+  config.vm.network "forwarded_port", guest: 4000, host: 4000, host_ip: "127.0.0.1"
+  config.vm.network "forwarded_port", guest: 5000, host: 5000, host_ip: "127.0.0.1"
+
+  config.vm.provider "libvirt" do |lv|
+    lv.memory = "2048"
+    lv.cpus = 2
+    lv.machine_virtual_size = 10
+  end
+  config.vm.provision "ansible" do |ansible|
+    ansible.playbook = "deployment/01_install_cacert_oidc.yml"
+    ansible.verbose = true
+    ansible.groups = {
+      "pgsqlserver" => ["oidcbox"],
+      "authserver" => ["oidcbox"],
+      "demoserver" => ["oidcbox"]
+    }
+  end
+end
diff --git a/deployment/playbooks/01_install_cacert_oidc.yml b/deployment/01_install_cacert_oidc.yml
similarity index 50%
rename from deployment/playbooks/01_install_cacert_oidc.yml
rename to deployment/01_install_cacert_oidc.yml
index 5032556..1b7cc20 100644
--- a/deployment/playbooks/01_install_cacert_oidc.yml
+++ b/deployment/01_install_cacert_oidc.yml
@@ -1,15 +1,29 @@
 ---
+- name: Install development tools
+  hosts: all
+  become: false
+
+  roles:
+    - prepare_devtools
+
 - name: Setup database
   hosts: pgsqlserver
   become: true
 
   pre_tasks:
 
-    - name: Install python3-psycopg2
+    - name: Install package python3-psycopg2
       ansible.builtin.package:
         name: python3-psycopg2
         state: present
 
+    # The ACL package is required to run commands as the postgres user
+    # See https://docs.ansible.com/ansible-core/2.12/user_guide/become.html#risks-of-becoming-an-unprivileged-user
+    - name: Install package acl
+      ansible.builtin.package:
+        name: acl
+        state: present
+
   roles:
     - hydra_database
 
diff --git a/deployment/inventory/group_vars/all.yml b/deployment/group_vars/all.yml
similarity index 100%
rename from deployment/inventory/group_vars/all.yml
rename to deployment/group_vars/all.yml
diff --git a/deployment/inventory/host_vars/localhost.yml b/deployment/host_vars/localhost.yml
similarity index 89%
rename from deployment/inventory/host_vars/localhost.yml
rename to deployment/host_vars/localhost.yml
index c5899a6..835cab3 100644
--- a/deployment/inventory/host_vars/localhost.yml
+++ b/deployment/host_vars/localhost.yml
@@ -4,8 +4,6 @@
 hydra_db_password: hydra
 hydra_db_host: localhost
 hydra_db_port: 5432
-hydra_version: "1.11.9"
-hydra_checksum: "0e38096a45ae411f70b95beaad69a5335a16cf34c4963724beef3ebce37c283c"
 hydra_tls:
   cert: "{{ hydra_home }}/etc/hydra.cacert.localhost+1.pem"
   key: "{{ hydra_home }}/etc/hydra.cacert.localhost+1-key.pem"
@@ -18,6 +16,7 @@ oidc_urls:
     host: hydra.cacert.localhost
     port: 4445
   hydra_public:
+    address: localhost
     host: auth.cacert.localhost
     port: 4444
   idp:
diff --git a/deployment/host_vars/oidcbox.yml b/deployment/host_vars/oidcbox.yml
new file mode 100644
index 0000000..ba93a1d
--- /dev/null
+++ b/deployment/host_vars/oidcbox.yml
@@ -0,0 +1,31 @@
+---
+# this is for a localhost deployment, database passwords for public servers
+# must be different random values encrypted via ansible-vault
+hydra_db_password: hydra
+hydra_db_host: localhost
+hydra_db_port: 5432
+hydra_tls:
+  cert: "{{ hydra_home }}/etc/hydra.cacert.localhost+1.pem"
+  key: "{{ hydra_home }}/etc/hydra.cacert.localhost+1-key.pem"
+# this is for a localhost deployment, secrets for public servers must be
+# different random values encrypted via ansible-vault
+hydra_system_secret: "AczA+NZ25Ye9eAreglv5bo9XcND6uwBQHVUYCvPfwXo="
+
+oidc_urls:
+  hydra_admin:
+    host: hydra.cacert.localhost
+    port: 4445
+  hydra_public:
+    host: auth.cacert.localhost
+    port: 4444
+  idp:
+    host: login.cacert.localhost
+    port: 3000
+  demoapp:
+    host: app.cacert.localhost
+    port: 4000
+  register:
+    host: register.cacert.localhost
+    port: 5000
+
+use_mkcert: true
diff --git a/deployment/roles/hydra_database/README.md b/deployment/roles/hydra_database/README.md
index f8ab874..38a8f85 100644
--- a/deployment/roles/hydra_database/README.md
+++ b/deployment/roles/hydra_database/README.md
@@ -6,7 +6,7 @@ Setup a PostgreSQL database for [ORY Hydra](https://ory.sh/hydra/).
 Requirements
 ------------
 
-The role expects a Debian system running Debian 10 or later.
+The role expects a Debian system running Debian 11 or later.
 
 Role Variables
 --------------
diff --git a/deployment/roles/hydra_database/meta/main.yml b/deployment/roles/hydra_database/meta/main.yml
index a20271f..fbaf1a6 100644
--- a/deployment/roles/hydra_database/meta/main.yml
+++ b/deployment/roles/hydra_database/meta/main.yml
@@ -1,3 +1,4 @@
+---
 galaxy_info:
   author: Jan Dittberner
   description: ORY Hydra database setup
@@ -8,7 +9,6 @@ galaxy_info:
   platforms:
     - name: Debian
       versions:
-        - buster
         - bullseye
         - bookworm
 
diff --git a/deployment/roles/hydra_server/defaults/main.yml b/deployment/roles/hydra_server/defaults/main.yml
index 6c71d8d..a1c1c9f 100644
--- a/deployment/roles/hydra_server/defaults/main.yml
+++ b/deployment/roles/hydra_server/defaults/main.yml
@@ -5,4 +5,7 @@ hydra_os_group: hydra
 hydra_os_user: hydra
 hydra_home: /srv/hydra
 
+hydra_version: "1.11.9"
+hydra_checksum: "0e38096a45ae411f70b95beaad69a5335a16cf34c4963724beef3ebce37c283c"
+
 use_mkcert: false
diff --git a/deployment/roles/hydra_server/tasks/main.yml b/deployment/roles/hydra_server/tasks/main.yml
index 72a9385..a474f50 100644
--- a/deployment/roles/hydra_server/tasks/main.yml
+++ b/deployment/roles/hydra_server/tasks/main.yml
@@ -62,10 +62,6 @@
 - name: Create Hydra key and certificate with mkcert
   block:
 
-    - name: Install mkcert CA
-      ansible.builtin.command:
-        cmd: mkcert -install
-
     - name: Create temporary directory for Hydra key and certificate
       ansible.builtin.tempfile:
         prefix: "hydra-cert."
@@ -74,7 +70,7 @@
 
     - name: Create Hydra key and certificate
       ansible.builtin.command:
-        cmd: "mkcert -cert-file {{ hydra_cert_temp_dir.path }}/hydra.pem -key-file {{ hydra_cert_temp_dir.path }}/hydra.key.pem {{ oidc_urls.hydra_admin.host }} {{ oidc_urls.hydra_public.host }}"
+        cmd: "/home/{{ ansible_user | default(ansible_env.USER) }}/.local/bin/mkcert -cert-file {{ hydra_cert_temp_dir.path }}/hydra.pem -key-file {{ hydra_cert_temp_dir.path }}/hydra.key.pem {{ oidc_urls.hydra_admin.host }} {{ oidc_urls.hydra_public.host }}"
 
     - name: Move Hydra certificate and key to target
       ansible.builtin.copy:
@@ -85,8 +81,8 @@
         mode: "{{ item.mode }}"
         remote_src: true
       loop:
-        - { src: hydra.pem, dest: "{{ hydra_tls.cert }}", mode: '0644' }
-        - { src: hydra.key.pem, dest: "{{ hydra_tls.key }}", mode: '0640' }
+        - {src: hydra.pem, dest: "{{ hydra_tls.cert }}", mode: '0644'}
+        - {src: hydra.key.pem, dest: "{{ hydra_tls.key }}", mode: '0640'}
       become: true
 
     - name: Remove temporary directory
diff --git a/deployment/roles/hydra_server/templates/hydra.yml.j2 b/deployment/roles/hydra_server/templates/hydra.yml.j2
index de94340..98c6dbc 100644
--- a/deployment/roles/hydra_server/templates/hydra.yml.j2
+++ b/deployment/roles/hydra_server/templates/hydra.yml.j2
@@ -4,7 +4,7 @@ serve:
     host: {{ oidc_urls.hydra_admin.address | default("localhost") }}
     port: {{ oidc_urls.hydra_admin.port | default("4445") }}
   public:
-    host: {{ oidc_urls.hydra_public.address | default("localhost") }}
+    host: {{ oidc_urls.hydra_public.address | default(ansible_default_ipv4.address) }}
     port: {{ oidc_urls.hydra_public.port | default("4444") }}
   tls:
     cert:
diff --git a/deployment/roles/prepare_devtools/README.md b/deployment/roles/prepare_devtools/README.md
new file mode 100644
index 0000000..f5bee91
--- /dev/null
+++ b/deployment/roles/prepare_devtools/README.md
@@ -0,0 +1,14 @@
+Role Name
+=========
+
+Prepare development tools for the CAcert OIDC setup.
+
+License
+-------
+
+GPL-2.0-or-later
+
+Author Information
+------------------
+
+Jan Dittberner <jandd@cacert.org>
diff --git a/deployment/roles/prepare_devtools/defaults/main.yml b/deployment/roles/prepare_devtools/defaults/main.yml
new file mode 100644
index 0000000..63680a6
--- /dev/null
+++ b/deployment/roles/prepare_devtools/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+mkcert_version: v1.4.4
+mkcert_checksum: 6d31c65b03972c6dc4a14ab429f2928300518b26503f58723e532d1b0a3bbb52
diff --git a/deployment/roles/prepare_devtools/meta/main.yml b/deployment/roles/prepare_devtools/meta/main.yml
new file mode 100644
index 0000000..578ebf2
--- /dev/null
+++ b/deployment/roles/prepare_devtools/meta/main.yml
@@ -0,0 +1,19 @@
+---
+galaxy_info:
+  author: Jan Dittberner
+  description: Prepare development tools for the CAcert OIDC setup.
+  company: CAcert
+
+  license: GPL-2.0-or-later
+
+  min_ansible_version: 2.1
+
+  platforms:
+    - name: Debian
+      versions:
+        - bullseye
+        - bookworm
+
+  galaxy_tags: []
+
+dependencies: []
diff --git a/deployment/roles/prepare_devtools/tasks/main.yml b/deployment/roles/prepare_devtools/tasks/main.yml
new file mode 100644
index 0000000..7f6506f
--- /dev/null
+++ b/deployment/roles/prepare_devtools/tasks/main.yml
@@ -0,0 +1,28 @@
+---
+- name: Create .local/bin for ansible user
+  ansible.builtin.file:
+    path: "/home/{{ ansible_user | default(ansible_env.USER) }}/.local/bin"
+    state: directory
+    owner: "{{ ansible_user | default(ansible_env.USER) }}"
+    group: "{{ ansible_user | default(ansible_env.USER) }}"
+    mode: "0750"
+
+- name: Prepare mkcert
+  block:
+
+    - name: Download mkcert binary
+      ansible.builtin.get_url:
+        url: "https://github.com/FiloSottile/mkcert/releases/download/{{ mkcert_version }}/mkcert-{{ mkcert_version }}-linux-amd64"
+        dest: "/home/{{ ansible_user | default(ansible_env.USER) }}/.local/bin/mkcert"
+        checksum: "sha256:{{ mkcert_checksum }}"
+        owner: "{{ ansible_user | default(ansible_env.USER) }}"
+        group: "{{ ansible_user | default(ansible_env.USER) }}"
+        mode: "0750"
+
+    - name: Install mkcert CA
+      ansible.builtin.command:
+        cmd: "/home/{{ ansible_user | default(ansible_env.USER) }}/.local/bin/mkcert -install"
+      changed_when: false
+
+  when: use_mkcert
+  become: false