diff --git a/roles/1password/tasks/Darwin.yaml b/roles/1password/tasks/Darwin.yaml
index f659c20..ef6237d 100644
--- a/roles/1password/tasks/Darwin.yaml
+++ b/roles/1password/tasks/Darwin.yaml
@@ -1,5 +1,9 @@
 ---
 - name: install homebrew package
   homebrew_cask:
-    name: 1password
+    name:
+      - 1password
+      - 1password-cli
     state: latest
+
+- include_tasks: zsh-completion.yaml
diff --git a/roles/1password/tasks/Debian.yaml b/roles/1password/tasks/Debian.yaml
index d4f6695..eb36487 100644
--- a/roles/1password/tasks/Debian.yaml
+++ b/roles/1password/tasks/Debian.yaml
@@ -1 +1,38 @@
-# TODO: https://support.1password.com/install-linux/#debian-or-ubuntu
+---
+- name: add apt signing key
+  become: true
+  apt_key:
+    url: https://downloads.1password.com/linux/keys/1password.asc
+    keyring: /etc/apt/trusted.gpg.d/1password-archive-keyring.gpg
+    state: present
+
+- when: ansible_machine == 'x86_64'
+  set_fact:
+    arch: amd64
+
+- assert:
+    that: arch is defined
+    fail_msg: 'Architecture not currently supported: {{ansible_machine}}'
+
+- name: add apt repository
+  become: true
+  apt_repository:
+    repo: >-
+      deb [arch={{arch}}
+      signed-by=/etc/apt/trusted.gpg.d/1password-archive-keyring.gpg]
+      https://downloads.1password.com/linux/debian/{{arch}} stable main
+
+- name: install gui package
+  when: '"WSL" not in ansible_kernel'
+  become: true
+  apt:
+    name: 1password
+    state: latest
+
+- name: install cli package
+  become: true
+  apt:
+    name: 1password-cli
+    state: latest
+
+- include_tasks: zsh-completion.yaml
diff --git a/roles/1password/tasks/Windows.yaml b/roles/1password/tasks/Windows.yaml
index f3bf586..88274ba 100644
--- a/roles/1password/tasks/Windows.yaml
+++ b/roles/1password/tasks/Windows.yaml
@@ -1,12 +1,107 @@
 ---
-- name: install chocolatey package
-  win_chocolatey:
-    name:
-      - 1password
-    state: latest
+# NOTE: The 1Password chocolatey packages are not up to date.
+
+# GUI
+- set_fact:
+    app_exe: '{{ansible_env.LOCALAPPDATA}}/1Password/app/8/1Password.exe'
+    installer_exe: '{{ansible_env.TEMP}}/1PasswordSetup-latest.exe'
+
+- name: check if already installed
+  win_stat:
+    path: '{{app_exe}}'
+  register: app_stat
+
+- name: get installed version
+  when: app_stat.stat.exists == True
+  win_command: '{{app_exe}} --version'
+  register: app_version
+  changed_when: false
+
+- when: app_stat.stat.exists == True
+  set_fact:
+    installed_version: '{{app_version.stdout.strip()}}'
+
+- name: download latest installer
+  win_get_url:
+    url: https://downloads.1password.com/win/1PasswordSetup-latest.exe
+    dest: '{{installer_exe}}'
+
+- name: get installer version
+  win_shell: |
+    (Get-ItemProperty {{installer_exe}}).VersionInfo.ProductVersion
+  register: installer_product_version
+  changed_when: false
+
+# FIXME: The [5:] is to account for a mystery "\e[6 q" prefix, not sure if this
+# is consistent across machines or some other oddity.
+- set_fact:
+    installer_version: '{{installer_product_version.stdout.strip()[5:]}}'
+
+- name: run installer
+  when: installed_version is not defined or installed_version != installer_version
+  win_command: '{{installer_exe}}'
 
 - name: create start menu shortcut
   win_shortcut:
-    src: '{{ansible_env.LOCALAPPDATA}}/1Password/app/7/1Password.exe'
+    src: '{{app_exe}}'
     dest: '{{ansible_env.ProgramData}}/Microsoft/Windows/Start Menu/Programs/1Password.lnk'
-    icon: '{{ansible_env.LOCALAPPDATA}}/1Password/app/7/1Password.exe,0'
+    icon: '{{app_exe}},0'
+
+# CLI
+- set_fact:
+    cli_dir: '{{ansible_env.LOCALAPPDATA}}\1Password\cli'
+    cli_zip: '{{ansible_env.TEMP}}/op_windows_amd64.zip'
+- set_fact:
+    cli_exe: '{{cli_dir}}\op.exe'
+
+- name: check if op already installed
+  win_stat:
+    path: '{{cli_exe}}'
+  register: cli_stat
+
+- name: get installed op version
+  when: cli_stat.stat.exists == True
+  win_command: '{{cli_exe}} --version'
+  register: cli_version
+  changed_when: false
+
+- when: cli_stat.stat.exists == True
+  set_fact:
+    cli_installed_version: '{{cli_version.stdout.strip()}}'
+
+- name: get list of op releases
+  win_uri:
+    url: https://raw.githubusercontent.com/kbenzie/op-release-scraper/main/op-releases.json
+    return_content: true
+  register: releases
+
+- set_fact:
+    latest: '{{releases.json[0]}}'
+
+- name: download latest op zip archive
+  when: cli_installed_version is not defined or cli_installed_version != latest.version
+  win_get_url:
+    url: '{{latest.downloads.Windows.amd64}}'
+    dest: '{{cli_zip}}'
+
+- name: unzip op zip archive
+  when: cli_installed_version is not defined or cli_installed_version != latest.version
+  win_unzip:
+    src: '{{cli_zip}}'
+    dest: '{{cli_dir}}'
+
+- name: add op install directory to user PATH
+  win_path:
+    scope: user
+    name: Path
+    elements: '{{cli_dir}}'
+
+- name: get op powershell completion script
+  win_command: op completion powershell
+  register: powershell_completion_script
+  changed_when: false
+
+- name: create op powershell completion file
+  win_copy:
+    content: '{{powershell_completion_script.stdout}}'
+    dest: '{{cli_dir}}/opProfile.psm1'
diff --git a/roles/1password/tasks/zsh-completion.yaml b/roles/1password/tasks/zsh-completion.yaml
new file mode 100644
index 0000000..55f4b03
--- /dev/null
+++ b/roles/1password/tasks/zsh-completion.yaml
@@ -0,0 +1,10 @@
+---
+- name: get op zsh completion script
+  command: op completion zsh
+  register: zsh_completion_script
+  changed_when: false
+
+- name: create op zsh completion file
+  copy:
+    content: '{{zsh_completion_script.stdout}}'
+    dest: ~/.local/share/zsh/site-functions/_op
diff --git a/roles/op/tasks/Darwin.yaml b/roles/op/tasks/Darwin.yaml
deleted file mode 100644
index 52a9c70..0000000
--- a/roles/op/tasks/Darwin.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-- name: install homebrew package
-  homebrew_cask:
-    name: 1password-cli
-    state: latest
diff --git a/roles/op/tasks/Debian.yaml b/roles/op/tasks/Debian.yaml
deleted file mode 100644
index 821b35c..0000000
--- a/roles/op/tasks/Debian.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
----
-- name: get html of latest versions
-  uri:
-    url: https://raw.githubusercontent.com/kbenzie/op-release-scraper/main/op-releases.json
-  register: op_releases
-
-- when: ansible_machine == "x86"
-  set_fact: {op_arch: '386'}
-- when: ansible_machine == "x86_64"
-  set_fact: {op_arch: 'amd64'}
-- when: ansible_machine == "arm"
-  set_fact: {op_arch: 'arm'}
-- when: ansible_machine == "arm64"
-  set_fact: {op_arch: 'arm64'}
-
-- set_fact:
-    op_zip_url: '{{op_releases.json[0].downloads.Linux[op_arch]}}'
-
-- name: create directory for downloaded package
-  file:
-    state: directory
-    dest: ~/.local/src/op
-
-- name: download latest release package
-  get_url:
-    url: '{{op_zip_url}}'
-    dest: ~/.local/src/op/op.zip
-
-- name: extract zip package
-  unarchive:
-    src: ~/.local/src/op/op.zip
-    dest: ~/.local/src/op
-
-- name: create symbolic links
-  file:
-    src: ~/.local/src/op/op
-    dest: ~/.local/bin/op
-    state: link
diff --git a/roles/op/tasks/Windows.yaml b/roles/op/tasks/Windows.yaml
deleted file mode 100644
index 66ef6d5..0000000
--- a/roles/op/tasks/Windows.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-- name: install chocolatey package
-  win_chocolatey:
-    name: op
-    state: latest
diff --git a/roles/op/tasks/main.yaml b/roles/op/tasks/main.yaml
deleted file mode 100644
index 6853678..0000000
--- a/roles/op/tasks/main.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-- include_tasks: '{{ansible_os_family}}.yaml'