diff --git a/README.md b/README.md index 52370d4..0e47975 100644 --- a/README.md +++ b/README.md @@ -66,6 +66,7 @@ Global variables apply across your Ansible project and can be supplied via inven | `cis` (optional) | Adjusts the installation to be CIS level 3 conformant. | `true`, `false (default)` | | `selinux` (optional) | Toggle SELinux where supported. | `true (default)`, `false` | | `firewalld_enabled` (optional) | Toggle firewalld package/service enablement. | `true (default)`, `false` | +| `ssh_enabled` (optional) | Toggle SSH server package/service enablement. | `true (default)`, `false` | ### 2.2 Hypervisor Access (virtual installs) diff --git a/roles/bootstrap/vars/main.yml b/roles/bootstrap/vars/main.yml index e6eacad..e2f6399 100644 --- a/roles/bootstrap/vars/main.yml +++ b/roles/bootstrap/vars/main.yml @@ -48,7 +48,7 @@ bootstrap_archlinux: - ncdu - networkmanager - nfs-utils - - openssh + - "{{ 'openssh' if ssh_enabled | bool else '' }}" - ppp - prometheus-node-exporter - python-psycopg2 @@ -82,7 +82,7 @@ bootstrap_debian11: - logrotate - lvm2 - net-tools - - openssh-server + - "{{ 'openssh-server' if ssh_enabled | bool else '' }}" - python3 - sudo - xfsprogs @@ -153,7 +153,7 @@ bootstrap_debian12: - neofetch - net-tools - network-manager - - openssh-server + - "{{ 'openssh-server' if ssh_enabled | bool else '' }}" - python-is-python3 - python3 - ripgrep @@ -208,7 +208,7 @@ bootstrap_debian13: - ncdu - net-tools - network-manager - - openssh-server + - "{{ 'openssh-server' if ssh_enabled | bool else '' }}" - python-is-python3 - python3 - ripgrep @@ -412,7 +412,7 @@ bootstrap_ubuntu: - ncurses-term - net-tools - network-manager - - openssh-server + - "{{ 'openssh-server' if ssh_enabled | bool else '' }}" - python-is-python3 - python3 - ripgrep @@ -475,7 +475,7 @@ bootstrap_ubuntu_lts: - ncurses-term - net-tools - network-manager - - openssh-server + - "{{ 'openssh-server' if ssh_enabled | bool else '' }}" - python-is-python3 - python3 - ripgrep 
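Review bot: With `ssh_enabled: false` the new entry in `bootstrap_archlinux` renders to an empty string, so the package list still carries a `''` element instead of dropping the item; the same pattern is repeated in the `bootstrap_debian11`, `bootstrap_debian12`, `bootstrap_debian13`, `bootstrap_ubuntu` and `bootstrap_ubuntu_lts` hunks. The consumer of these lists is outside this diff, so it cannot be confirmed from here whether an empty name is harmless (joined into a command line) or an error (handed to a package module as a name). I would drop empty entries at the point of use, for example `{{ bootstrap_debian12 | reject('equalto', '') | list }}`, and put a comment above each conditional entry such as `# renders to '' when ssh_enabled is false; consumers must drop empty entries`. Each list starts and ends outside its hunk.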
diff --git a/roles/configuration/tasks/services.yml b/roles/configuration/tasks/services.yml index a5fc816..d540b6a 100644 --- a/roles/configuration/tasks/services.yml +++ b/roles/configuration/tasks/services.yml @@ -4,8 +4,9 @@ {{ chroot_command }} /mnt systemctl enable NetworkManager {{ ' firewalld' if firewalld_enabled | bool else '' }} {{ - ' ssh' if os | lower in ['ubuntu', 'ubuntu-lts'] else - (' sshd' if os | lower not in ['debian11', 'debian12', 'debian13'] else '') + (' ssh' if os | lower in ['ubuntu', 'ubuntu-lts'] else + (' sshd' if os | lower not in ['debian11', 'debian12', 'debian13'] else '')) + if ssh_enabled | bool else '' }} {{ 'logrotate systemd-resolved systemd-timesyncd systemd-networkd' diff --git a/roles/global_defaults/defaults/main.yml b/roles/global_defaults/defaults/main.yml index 1c00893..c827bac 100644 --- a/roles/global_defaults/defaults/main.yml +++ b/roles/global_defaults/defaults/main.yml @@ -5,6 +5,7 @@ cis: false selinux: true vmware_ssh: false firewalld_enabled: true +ssh_enabled: true zstd_enabled: true swap_enabled: true chroot_command: "arch-chroot"
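Review bot: Setting `ssh_enabled: false` only leaves the unit out of this `systemctl enable` call; nothing in the hunk disables or masks it, so the flag does not guarantee that no SSH daemon ends up listening. The package lists changed in this commit cover Arch, Debian and Ubuntu only, while this expression would have enabled `sshd` for every other `os` value, which suggests openssh can be installed there by other means (base install or a list not shown); if a vendor preset enables the unit, it would stay on. For a hardening toggle I would fail closed with a follow-up task that runs `systemctl disable` (or `mask`) on the same unit name under `when: not (ssh_enabled | bool)`, or state in the README row that `false` means "not installed or enabled by this role" rather than "disabled". The command this expression belongs to starts and ends outside the hunk.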