diff --git a/defaults/main.yml b/defaults/main.yml
index 8ccb1b9..b59784a 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -2,24 +2,38 @@
 ### USER OPTIONS
 # Don't apply OS defaults when set to true
 sshd_skip_defaults: false
+
 # If the below is false, don't manage the service or reload the SSH
 # daemon at all
 sshd_manage_service: true
+
+# If the below is true, also install service files from the templates pointed
+# to by the `sshd_service_template_*` variables
+sshd_install_service: false
+sshd_service_template_service: sshd.service.j2
+sshd_service_template_at_service: sshd@.service.j2
+sshd_service_template_socket: sshd.socket.j2
+
 # If the below is false, don't reload the ssh daemon on change
 sshd_allow_reload: true
+
 # Empty dicts to avoid errors
 sshd: {}
 
 ### VARS DEFAULTS
 ### The following are defaults for OS specific configuration in var files in
-### this role. They should not be set by role users.
-sshd_packages: []
-sshd_config_owner: root
-sshd_config_group: root
-sshd_config_mode: "0600"
-sshd_config_file: /etc/ssh/sshd_config
-sshd_binary: /usr/sbin/sshd
-sshd_service: sshd
-sshd_sftp_server: /usr/lib/openssh/sftp-server
-sshd_defaults: {}
-sshd_os_supported: no
+### this role. They should not be set directly by role users. If you really
+### need to override them,use the corresponding, unprefixed variables (eg
+### `sshd_packages` to override __sshd_packages).
+__sshd_packages: []
+__sshd_config_owner: root
+__sshd_config_group: root
+__sshd_config_mode: "0600"
+__sshd_config_file: /etc/ssh/sshd_config
+__sshd_binary: /usr/sbin/sshd
+__sshd_service: sshd
+__sshd_sftp_server: /usr/lib/openssh/sftp-server
+
+### These variables are used by role internals and should not be used.
+__sshd_defaults: {}
+__sshd_os_supported: no
diff --git a/meta/10_top.j2 b/meta/10_top.j2
index 7499e24..040437b 100644
--- a/meta/10_top.j2
+++ b/meta/10_top.j2
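Review bot: `__sshd_os_supported: no` on the last added line spells a boolean the YAML 1.1 way, while the same file writes `sshd_skip_defaults: false` and `sshd_manage_service: true`; use `__sshd_os_supported: false` so yamllint's truthy rule and YAML 1.2 parsers read it the same way Ansible does (the vars/Debian.yml hunk carries the matching `yes`). The new comment block has a missing space in `them,use`, and it should say explicitly that `__sshd_defaults` and `__sshd_os_supported` are the two values with no unprefixed override, since the sentence above them invites overriding every `__sshd_*` variable. The `sshd_service_template_*` defaults are template paths a user may point elsewhere; a one-line comment that they are resolved like any `template` module `src` (role templates/ directory or an explicit path) would save a lookup.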
@@ -21,8 +21,8 @@
 {% set value = override %}
 {% elif sshd[key] is defined %}
 {% set value = sshd[key] %}
-{% elif sshd_defaults[key] is defined and sshd_skip_defaults != true %}
-{% set value = sshd_defaults[key] %}
+{% elif __sshd_defaults[key] is defined and sshd_skip_defaults != true %}
+{% set value = __sshd_defaults[key] %}
 {% endif %}
 {{ render_option(key,value) -}}
 {% endmacro %}
diff --git a/tasks/install.yml b/tasks/install.yml
new file mode 100644
index 0000000..3a04046
--- /dev/null
+++ b/tasks/install.yml
@@ -0,0 +1,48 @@
+---
+
+- name: OS is supported
+  assert:
+    that: __sshd_os_supported == True
+
+- name: Install ssh packages
+  package:
+    name: "{{ item }}"
+    state: present
+  with_items: "{{ sshd_packages }}"
+
+- name: Configuration
+  template:
+    src: sshd_config.j2
+    dest: "{{ sshd_config_file }}"
+    owner: "{{ sshd_config_owner }}"
+    group: "{{ sshd_config_group }}"
+    mode: "{{ sshd_config_mode }}"
+    validate: "{{ sshd_binary }} -t -f %s"
+  notify: reload_sshd
+
+- name: Install systemd service files
+  block:
+    - template:
+        src: "{{ sshd_service_template_service }}"
+        dest: "/etc/systemd/system/{{ sshd_service }}.service"
+      notify: reload_sshd
+    - template:
+        src: "{{ sshd_service_template_at_service }}"
+        dest: "/etc/systemd/system/{{ sshd_service }}@.service"
+      notify: reload_sshd
+    - template:
+        src: "{{ sshd_service_template_socket }}"
+        dest: "/etc/systemd/system/{{ sshd_service }}.socket"
+      notify: reload_sshd
+  when: sshd_install_service
+
+- name: Service enabled and running
+  service:
+    name: "{{ sshd_service }}"
+    enabled: true
+    state: started
+  when: "sshd_manage_service and ansible_virtualization_type|default(None) != 'docker'"
+
+- name: Register that this role has run
+  set_fact: sshd_has_run=true
+  when: sshd_has_run is not defined
diff --git a/tasks/main.yml b/tasks/main.yml
index 30c143d..57cb12b 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
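Review bot: The 'Install systemd service files' block writes unit files under /etc/systemd/system, but nothing in the new task list reloads systemd's unit definitions and the three template tasks reuse `notify: reload_sshd`; unless that handler (not in this diff) already performs a daemon-reload, systemd keeps the previously loaded unit and the following 'Service enabled and running' task starts the stale definition. Add a task after the block, `- name: Reload systemd unit definitions` / `systemd: daemon_reload: true` / `when: sshd_install_service`, or a dedicated handler notified by the three template tasks. The template tasks also omit `owner`/`group`/`mode` for files that define how the daemon runs; an explicit `mode: "0644"` keeps the result independent of the remote umask. Lastly, `that: __sshd_os_supported == True` relies on the vars file supplying a real boolean; `that: __sshd_os_supported | bool` also accepts the `yes`/`no` spellings used in vars/Debian.yml.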
@@ -1,40 +1,5 @@
 ---
-- name: Set OS dependent variables
-  include_vars: "{{ item }}"
-  with_first_found:
-    - "{{ ansible_distribution }}_{{ ansible_distribution_major_version }}.yml"
-    - "{{ ansible_distribution }}.yml"
-    - "{{ ansible_os_family }}_{{ ansible_distribution_major_version }}.yml"
-    - "{{ ansible_os_family }}.yml"
-    - default.yml
 
-- name: OS is supported
-  assert:
-    that: sshd_os_supported == True
+- include_tasks: variables.yml
 
-- name: Install ssh packages
-  package:
-    name: "{{ item }}"
-    state: present
-  with_items: "{{ sshd_packages }}"
-
-- name: Configuration
-  template:
-    src: sshd_config.j2
-    dest: "{{ sshd_config_file }}"
-    owner: "{{ sshd_config_owner }}"
-    group: "{{ sshd_config_group }}"
-    mode: "{{ sshd_config_mode }}"
-    validate: "{{ sshd_binary }} -t -f %s"
-  notify: reload_sshd
-
-- name: Service enabled and running
-  service:
-    name: "{{ sshd_service }}"
-    enabled: true
-    state: started
-  when: "sshd_manage_service and ansible_virtualization_type|default(None) != 'docker'"
-
-- name: Register that this role has run
-  set_fact: sshd_has_run=true
-  when: sshd_has_run is not defined
+- include_tasks: install.yml
diff --git a/tasks/variables.yml b/tasks/variables.yml
new file mode 100644
index 0000000..90ea62a
--- /dev/null
+++ b/tasks/variables.yml
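Review bot: Both new includes are dynamic (`include_tasks`), so the tasks in variables.yml and install.yml no longer appear in `--list-tasks` and are skipped by `--tags` unless the include line itself is tagged, which differs from the static task list this hunk removes. Neither include depends on a runtime condition, so `- import_tasks: variables.yml` and `- import_tasks: install.yml` keep the previous static behaviour at no cost; if the dynamic form is intended (for example to allow a `when:` on the include later), a short comment saying so would help. Giving each include a `name:` would also make play output readable.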
@@ -0,0 +1,37 @@
+---
+
+- name: Set OS dependent variables
+  include_vars: "{{ item }}"
+  with_first_found:
+    - "{{ ansible_distribution }}_{{ ansible_distribution_major_version }}.yml"
+    - "{{ ansible_distribution }}.yml"
+    - "{{ ansible_os_family }}_{{ ansible_distribution_major_version }}.yml"
+    - "{{ ansible_os_family }}.yml"
+    - default.yml
+
+- name: Override OS defaults
+  block:
+    - set_fact:
+        sshd_packages: "{{ __sshd_packages }}"
+      when: sshd_packages is not defined
+    - set_fact:
+        sshd_config_owner: "{{ __sshd_config_owner }}"
+      when: sshd_config_owner is not defined
+    - set_fact:
+        sshd_config_group: "{{ __sshd_config_group }}"
+      when: sshd_config_group is not defined
+    - set_fact:
+        sshd_config_mode: "{{ __sshd_config_mode }}"
+      when: sshd_config_mode is not defined
+    - set_fact:
+        sshd_config_file: "{{ __sshd_config_file }}"
+      when: sshd_config_file is not defined
+    - set_fact:
+        sshd_binary: "{{ __sshd_binary }}"
+      when: sshd_binary is not defined
+    - set_fact:
+        sshd_service: "{{ __sshd_service }}"
+      when: sshd_service is not defined
+    - set_fact:
+        sshd_sftp_server: "{{ __sshd_sftp_server }}"
+      when: sshd_sftp_server is not defined
diff --git a/templates/sshd.service.j2 b/templates/sshd.service.j2
new file mode 100644
index 0000000..2f57830
--- /dev/null
+++ b/templates/sshd.service.j2
@@ -0,0 +1,17 @@
+[Unit]
+Description=OpenBSD Secure Shell server
+
+[Service]
+ExecStartPre={{ sshd_binary }} -t
+ExecStart={{ sshd_binary }} -D -f {{ sshd_config_file }}
+ExecReload={{ sshd_binary }} -t
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+Restart=on-failure
+RestartPreventExitStatus=255
+Type=notify
+RuntimeDirectory={{ sshd_binary }}
+RuntimeDirectoryMode=0755
+
+[Install]
+WantedBy=multi-user.target
diff --git a/templates/sshd.socket.j2 b/templates/sshd.socket.j2
new file mode 100644
index 0000000..add4731
--- /dev/null
+++ b/templates/sshd.socket.j2
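Review bot: The 'Override OS defaults' block repeats the same `set_fact`/`when: … is not defined` pair eight times with only the variable name changing, which is easy to leave out of sync when a new `__sshd_*` default is added to defaults/main.yml. A single looped task over the names keeps the precedence rule (user-supplied value wins, otherwise the `__`-prefixed OS default) in one place; the `vars` lookup resolves the prefixed name and templated `set_fact` keys are supported, though both should be checked against the project's minimum Ansible version. Either form sets host facts that persist for the rest of the play, so a later invocation of the role on the same host with different OS vars keeps the first values — existing behaviour rather than something this hunk introduces, but worth a comment on the task.
```yaml
- name: Override OS defaults
  set_fact:
    "{{ item }}": "{{ lookup('vars', '__' + item) }}"
  when: vars[item] is not defined
  loop:
    - sshd_packages
    - sshd_config_owner
    - sshd_config_group
    - sshd_config_mode
    - sshd_config_file
    - sshd_binary
    - sshd_service
    - sshd_sftp_server
```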
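Review bot: `RuntimeDirectory={{ sshd_binary }}` renders as `RuntimeDirectory=/usr/sbin/sshd` with the role default; systemd documents RuntimeDirectory= as directory names relative to /run, so an absolute path is not accepted and the unit fails to load, and the same line appears in sshd@.service.j2. The value should be the privilege-separation directory name, e.g. `RuntimeDirectory=sshd`, in both templates. Separately, `ExecStartPre={{ sshd_binary }} -t` and the first `ExecReload={{ sshd_binary }} -t` validate whichever config the binary uses by default rather than the `{{ sshd_config_file }}` that ExecStart runs with, so a broken managed config at a non-default path passes the pre-start check; append `-f {{ sshd_config_file }}` to both lines, as the `validate:` step in install.yml already does. `Type=notify` also presumes the packaged sshd was built with systemd notification support; a comment naming the distributions this template is meant for would help, since `sshd_install_service` lets users enable it anywhere.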
@@ -0,0 +1,11 @@
+[Unit]
+Description=OpenBSD Secure Shell server socket
+Before={{ sshd_service }}.service
+Conflicts={{sshd_service }}.service
+
+[Socket]
+ListenStream=22
+Accept=yes
+
+[Install]
+WantedBy=sockets.target
diff --git a/templates/sshd@.service.j2 b/templates/sshd@.service.j2
new file mode 100644
index 0000000..d76fdde
--- /dev/null
+++ b/templates/sshd@.service.j2
@@ -0,0 +1,9 @@
+[Unit]
+Description=OpenBSD Secure Shell server per-connection daemon
+After=auditd.service
+
+[Service]
+ExecStart=-{{ sshd_binary }} -i -f {{ sshd_config_file }}
+StandardInput=socket
+RuntimeDirectory={{ sshd_binary }}
+RuntimeDirectoryMode=0755
diff --git a/templates/sshd_config.j2 b/templates/sshd_config.j2
index a9915e7..0a9ca5d 100644
--- a/templates/sshd_config.j2
+++ b/templates/sshd_config.j2
@@ -21,8 +21,8 @@
 {% set value = override %}
 {% elif sshd[key] is defined %}
 {% set value = sshd[key] %}
-{% elif sshd_defaults[key] is defined and sshd_skip_defaults != true %}
-{% set value = sshd_defaults[key] %}
+{% elif __sshd_defaults[key] is defined and sshd_skip_defaults != true %}
+{% set value = __sshd_defaults[key] %}
 {% endif %}
 {{ render_option(key,value) -}}
 {% endmacro %}
diff --git a/vars/Debian.yml b/vars/Debian.yml
index e4777f6..9fdc27f 100644
--- a/vars/Debian.yml
+++ b/vars/Debian.yml
@@ -1,9 +1,9 @@
 ---
-sshd_service: ssh
-sshd_packages:
+__sshd_service: ssh
+__sshd_packages:
   - openssh-server
-sshd_config_mode: "0644"
-sshd_defaults:
+__sshd_config_mode: "0644"
+__sshd_defaults:
   Port: 22
   Protocol: 2
   HostKey:
@@ -33,4 +33,4 @@ sshd_defaults:
   AcceptEnv: LANG LC_*
   Subsystem: "sftp {{ sshd_sftp_server }}"
   UsePAM: yes
-sshd_os_supported: yes
+__sshd_os_supported: yes
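Review bot: `ListenStream=22` pins the socket to port 22 while the daemon's listening port is whatever the rendered sshd_config says (`Port: 22` in `__sshd_defaults`, overridable through `sshd.Port`), so a user who moves the port still gets a per-connection sshd answering on 22 through this socket and nothing on the configured port. Template the port from the same source, e.g. `ListenStream={{ sshd.Port | default(__sshd_defaults.Port | default(22)) }}`, emitting one `ListenStream=` line per entry if `Port` is given as a list; both variables come from defaults/main.yml, so they are in scope when install.yml renders this template. Also, `Conflicts={{sshd_service }}.service` lacks the space after `{{` that the `Before=` line above uses; it still renders, but keep the spacing consistent.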