diff --git a/playbooks/deploy_sshd_config.yml b/playbooks/deploy_sshd_config.yml
new file mode 100644
index 0000000..9378457
--- /dev/null
+++ b/playbooks/deploy_sshd_config.yml
@@ -0,0 +1,43 @@
+---
+- name: Deploy complete SSH server configuration
+ hosts: all
+ become: true
+ gather_facts: false
+
+ tasks:
+ - name: Deploy base /etc/ssh/sshd_config file
+ template:
+ src: templates/sshd/sshd_config.j2
+ dest: /etc/ssh/sshd_config
+ owner: root
+ group: root
+ mode: "0644"
+ notify: Reload SSH
+
+ - name: Deploy hardened global ssh config include
+ template:
+ src: templates/sshd/00-global.conf.j2
+ dest: /etc/ssh/sshd_config.d/00-global.conf
+ owner: root
+ group: root
+ mode: "0644"
+ notify: Reload SSH
+
+ - name: Deploy LAN password bypass config include
+ template:
+ src: templates/sshd/99-lan-bypass.conf.j2
+ dest: /etc/ssh/sshd_config.d/99-lan-bypass.conf
+ owner: root
+ group: root
+ mode: "0644"
+ notify: Reload SSH
+
+ - name: Validate sshd configuration syntax
+ command: sshd -t
+ changed_when: false
+
+ handlers:
+ - name: Reload SSH
+ service:
+ name: ssh
+ state: reloaded
diff --git a/playbooks/templates/sshd/00-global.conf.j2 b/playbooks/templates/sshd/00-global.conf.j2
new file mode 100644
index 0000000..0d25644
--- /dev/null
+++ b/playbooks/templates/sshd/00-global.conf.j2
@@ -0,0 +1,25 @@
+Port 22
+AddressFamily inet
+PermitRootLogin no
+
+PasswordAuthentication no
+KbdInteractiveAuthentication no
+ChallengeResponseAuthentication no
+PermitEmptyPasswords no
+
+UsePAM yes
+AllowGroups {{ ssh_access_group | default('sshusers') }}
+
+PubkeyAuthentication yes
+AuthorizedKeysFile .ssh/authorized_keys
+
+X11Forwarding no
+PrintMotd no
+PrintLastLog yes
+
+LoginGraceTime 30s
+MaxAuthTries 3
+MaxSessions 2
+
+AcceptEnv LANG LC_*
+Subsystem sftp /usr/lib/openssh/sftp-server
diff --git a/playbooks/templates/sshd/99-lan-bypass.conf.j2 b/playbooks/templates/sshd/99-lan-bypass.conf.j2
new file mode 100644
index 0000000..2130303
--- /dev/null
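Review bot: The `sshd -t` task runs only after all three templates have already been written, so a fragment that fails validation stays on disk and breaks sshd at the next restart even though the `Reload SSH` handler will not fire on the failed play. Each `template:` task can refuse to install a bad file by adding `validate: '/usr/sbin/sshd -t -f %s'` (the fragments look like valid standalone configs, so `-f` on the staged copy should work; keep the final `sshd -t` as the whole-config check). There is also no precondition that the account Ansible logs in with belongs to the group passed to `AllowGroups`, which is the lockout case `sshd -t` cannot catch — an `assert` over `getent group` output before the template tasks would close it. `service: name: ssh` and the sftp-server path are Debian-family names; with `hosts: all` that assumption deserves a comment or a guard.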
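Review bot: `LogLevel` is left at its default, so successful key logins are recorded without the key fingerprint; adding `LogLevel VERBOSE` is the usual companion to `PubkeyAuthentication yes` because it logs which authorized key was used, which is what an investigation needs when a key is suspected compromised. `ChallengeResponseAuthentication` is the legacy spelling of `KbdInteractiveAuthentication` on current OpenSSH, so the pair is redundant but harmless — a comment such as `# legacy alias kept for older OpenSSH` would stop a later cleanup from dropping the wrong one. The `AllowGroups` line takes its value straight from a variable; if `ssh_access_group` is ever set to an empty string the directive is left without an argument, which should fail `sshd -t` rather than silently allow everyone, but that is worth confirming and noting in a comment.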
+++ b/playbooks/templates/sshd/99-lan-bypass.conf.j2
@@ -0,0 +1,2 @@
+Match Address 10.0.0.0/8
+ PasswordAuthentication yes
diff --git a/playbooks/templates/sshd/sshd_config.j2 b/playbooks/templates/sshd/sshd_config.j2
new file mode 100644
index 0000000..5fefd2d
--- /dev/null
+++ b/playbooks/templates/sshd/sshd_config.j2
@@ -0,0 +1,4 @@
+# Base sshd_config — managed by Ansible
+# Delegates all settings to config fragments
+
+Include /etc/ssh/sshd_config.d/*.conf
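Review bot: `Match Address 10.0.0.0/8` re-enables password authentication for the entire 10/8 private range, not just the hosts' own LAN, so any VPN, container or cloud network that also lives in 10/8 receives the bypass. Template the range the same way the group is templated in 00-global.conf, e.g. `Match Address {{ ssh_lan_cidr | default('10.0.0.0/8') }}` (variable name constructed here), and narrow the default to the real subnet. `PermitRootLogin no` and `MaxAuthTries 3` from 00-global.conf still apply inside the match, so exposure is limited to non-root accounts in the allowed group; a one-line comment above the block stating that the bypass is deliberate and what it is bounded by would tell the next reader this is not an oversight.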
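Review bot: The base file includes every `*.conf` under `/etc/ssh/sshd_config.d/`, but the playbook writes only two of them and never removes others, so any unmanaged drop-in already in that directory is loaded as well; because sshd keeps the first value it reads for a keyword, a fragment sorting before `00-global.conf` can override the hardened settings and one sorting after it can add its own `Match` blocks. Either prune unmanaged fragments in the playbook or state the assumption here, e.g. `# sshd keeps the first value seen per keyword: 00-global.conf must stay the lowest-sorting fragment` above the `Include`. `Include` also requires an OpenSSH release that supports it, which the playbook's `sshd -t` will report on older hosts; naming that requirement in the header comment would help.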