diff --git a/roles/ssh/handlers/main.yml b/roles/ssh/handlers/main.yml
new file mode 100644
index 0000000..822887e
--- /dev/null
+++ b/roles/ssh/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: restart ssh
+ service:
+ name: ssh
+ state: restarted
diff --git a/roles/ssh/tasks/main.yml b/roles/ssh/tasks/main.yml
new file mode 100644
index 0000000..b957770
--- /dev/null
+++ b/roles/ssh/tasks/main.yml
@@ -0,0 +1,19 @@
+---
+- name: Configure SSH access
+ tags: [ssh, server]
+ become: true
+ block:
+ - name: Remove any PermitRootLogin instruction
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: "^PermitRootLogin"
+ state: absent
+ notify: restart ssh
+
+ - name: Disable SSH root login
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: "^PermitRootLogin"
+ line: "PermitRootLogin prohibit-password"
+ state: present
+ notify: restart ssh
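Review bot: The handler hard-codes the unit name `ssh`, which is the Debian-family name; on distributions where the daemon is registered as `sshd` the handler would fail only after sshd_config has already been rewritten, leaving the new setting unapplied. If the role is meant to be portable, the name should come from a variable, e.g. `name: "{{ ssh_service_name }}"` with a per-OS default (variable name is a suggestion, not something the commit defines). A one-line comment above the handler saying which platforms it supports would also help.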
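Review bot: The two `lineinfile` tasks in the block can never converge: the first deletes every `^PermitRootLogin` line and the second adds one back, so both report changed on every run and `restart ssh` is notified each time. Keeping only the second task makes the play idempotent; bear in mind that lineinfile rewrites only the last match while sshd honours the first value it reads, so a file that already holds duplicate directives needs a one-off cleanup rather than a delete on every run. Neither task checks the edited file before the restart; adding `validate: "sshd -t -f %s"` to the writing task stops a syntactically broken config from being installed on a host that is managed over SSH. The task is named "Disable SSH root login", but `prohibit-password` still permits root login with a key, so either rename it to say that or set `line: "PermitRootLogin no"` if disabling root login is the intent.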