diff --git a/roles/ssh_hardening/defaults/main.yml b/roles/ssh_hardening/defaults/main.yml
index bae406aa..ee60fecb 100644
--- a/roles/ssh_hardening/defaults/main.yml
+++ b/roles/ssh_hardening/defaults/main.yml
@@ -6,9 +6,12 @@ network_ipv6_enable: true # sshd + ssh
 ssh_client_config_file: /etc/ssh/ssh_config # ssh
 ssh_server_config_file: /etc/ssh/sshd_config # sshd
-# true if sshd should be started and enabled
+# true if sshd should be started
 ssh_server_enabled: true # sshd
+# true if sshd should be enabled at boot
+ssh_server_service_enabled: true # sshd
+
 # true if DNS resolutions are needed, look up the remote host name,
 # defaults to false from 6.8, see: http://www.openssh.com/txt/release-6.8
 ssh_use_dns: false # sshd
diff --git a/roles/ssh_hardening/tasks/hardening.yml b/roles/ssh_hardening/tasks/hardening.yml
index 060d3f6b..59a82530 100644
--- a/roles/ssh_hardening/tasks/hardening.yml
+++ b/roles/ssh_hardening/tasks/hardening.yml
@@ -144,3 +144,8 @@
 when:
 - sshd_disable_crypto_policy | bool
 - ('crypto-policies' in ansible_facts.packages)
+
+- name: Enable or disable sshd service
+ ansible.builtin.service:
+ name: "{{ sshd_service_name }}"
+ enabled: "{{ ssh_server_service_enabled }}"
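Review bot: The new comment on `ssh_server_service_enabled` does not say that the boot-time flag is now separate from `ssh_server_enabled`, so an operator who sets only `ssh_server_enabled: false` would, as far as this diff shows, leave the unit enabled and have sshd listening again after the next reboot. I would spell that out: `# true if sshd should be enabled at boot; independent of ssh_server_enabled, set both to false to keep sshd off across reboots`. The reverse combination (running now, disabled at boot) drops remote access on reboot, which is worth a line in the role's documentation as well. How `ssh_server_enabled` is consumed is outside this diff, so confirm the wording against the task or handler that reads it.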
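Review bot: `enabled: "{{ ssh_server_service_enabled }}"` in the added task passes the variable without `| bool`, while the `when:` directly above it uses `sshd_disable_crypto_policy | bool`; for consistency and to make the intended type explicit I would write `enabled: "{{ ssh_server_service_enabled | bool }}"`. The task also carries no `when:` or `state:`, so it runs on every play and touches only the boot-time flag; if an earlier task in this file (outside the hunk) still sets `enabled:` from `ssh_server_enabled`, the two would flip the unit back and forth and report `changed` on each run, so that is worth checking. The `when:` context lines belong to a task that starts before the hunk.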