diff --git a/tasks/firewall.yml b/tasks/firewall.yml
index ba1fae6..ad5dbda 100644
--- a/tasks/firewall.yml
+++ b/tasks/firewall.yml
@@ -65,16 +65,3 @@
 ip_version: ipv6
 state: saved
 path: /etc/iptables/rules.v6
-
-- name: Disable SSH password authentication
- when: disable_ssh_password_auth
- ansible.builtin.lineinfile:
- path: /etc/ssh/sshd_config
- regexp: '^#PasswordAuthentication yes'
- line: 'PasswordAuthentication no'
-
-- name: Restart ssh
- when: disable_ssh_password_auth
- ansible.builtin.service:
- name: ssh
- state: restarted
diff --git a/tasks/main.yml b/tasks/main.yml
index a705f30..cf19627 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -3,5 +3,9 @@
 ansible.builtin.include_tasks: firewall.yml
 when: use_predefined_iptables
+- name: Disable SSH password auth
+ ansible.builtin.include_tasks: ssh-config.yml
+ when: disable_ssh_password_auth
+
 - name: Prepare configs
 ansible.builtin.include_tasks: provision.yml
diff --git a/tasks/ssh-config.yml b/tasks/ssh-config.yml
new file mode 100644
index 0000000..8d60aa3
--- /dev/null
+++ b/tasks/ssh-config.yml
@@ -0,0 +1,11 @@
+---
+- name: Disable SSH password authentication
+ ansible.builtin.lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: '^#PasswordAuthentication yes'
+ line: 'PasswordAuthentication no'
+
+- name: Restart ssh
+ ansible.builtin.service:
+ name: ssh
+ state: restarted
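Review bot: In tasks/main.yml the added `when: disable_ssh_password_auth` tests the bare variable, so a value that arrives as a string (for example from `-e disable_ssh_password_auth=false`) is not read as false. Because this toggle decides whether sshd is reconfigured and restarted, cast it explicitly with `when: disable_ssh_password_auth | bool`. Whether the role defines a default for the variable is not visible in this diff; if it does not, the include fails on an undefined variable.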
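Review bot: In tasks/ssh-config.yml the `regexp: '^#PasswordAuthentication yes'` matches only the commented-out default, so on a host whose sshd_config already has an active `PasswordAuthentication yes` line `lineinfile` appends the `no` line at the end of the file, where sshd ignores it because the first value found for a keyword wins (an appended line can also land inside a trailing `Match` block). Anchor on the keyword instead, `regexp: '^#?\s*PasswordAuthentication\s'`, and add `validate: 'sshd -t -f %s'` so a file that sshd rejects is never put in place. If the target distribution pulls in drop-in files through an `Include` directive, those can still override this setting, so the effective value is worth confirming with `sshd -T` after the run. The `Restart ssh` task also restarts the service on every play even when nothing changed; making it a handler notified by the lineinfile task keeps the role idempotent.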