diff --git a/roles/ssh-keyonly/defaults/main.yml b/roles/ssh-keyonly/defaults/main.yml
new file mode 100644
index 0000000..9c6e624
--- /dev/null
+++ b/roles/ssh-keyonly/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+ssh_service_name: sshd
diff --git a/roles/ssh-keyonly/tasks/main.yml b/roles/ssh-keyonly/tasks/main.yml
new file mode 100644
index 0000000..de3f210
--- /dev/null
+++ b/roles/ssh-keyonly/tasks/main.yml
@@ -0,0 +1,18 @@
+---
+- name: "Set «PermitRootLogin» to «without-password»"
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: '^#? *PermitRootLogin'
+ line: "PermitRootLogin without-password"
+ backup: yes
+ register: sshconfigchanged
+
+
+- name: Restart sshd
+ service:
+ name: "{{ ssh_service_name }}"
+ state: restarted
+ sleep: 5
+ when: sshconfigchanged is changed
+
+
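Review bot: The default `ssh_service_name: sshd` in defaults/main.yml carries no comment saying which platforms it fits. Debian-family systems typically name the unit `ssh`, so the restart task in tasks/main.yml may fail there unless the variable is overridden. Because the restart is gated on `sshconfigchanged is changed`, a failed restart is not retried on the next run, when the file is already in the desired state, so the running daemon could keep the old setting. A comment above the default such as `# service name passed to the restart task; override with "ssh" on Debian/Ubuntu` would document this.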
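Review bot: Judging by the role name, key-only access is the goal, but the only directive tasks/main.yml sets is `PermitRootLogin without-password`, so password logins for non-root accounts stay at whatever `PasswordAuthentication` already is; a second `lineinfile` task enforcing `PasswordAuthentication no` would close that gap. The regexp `'^#? *PermitRootLogin'` also matches commented lines and lineinfile rewrites only the last match, so an earlier active `PermitRootLogin yes` would still win, because sshd uses the first value it reads. Likewise, a line appended at end of file after a `Match` block would apply only inside that block. The lineinfile task has no validation step, and adding `validate: '/usr/sbin/sshd -t -f %s'` (binary path assumed) would keep a broken file from being written before the restart. `without-password` is the deprecated spelling in current OpenSSH, so `line: "PermitRootLogin prohibit-password"` is the forward-compatible form if all targets run 7.0 or later.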