diff --git a/CHANGELOG.md b/CHANGELOG.md
index 762f4c3c..31b66e69 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -58,6 +58,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * postgresql: fix task "update apt cache" for PGDG repo
 * postgresql: fix file postgresql.pref.j2 for exclude package
 * lxc-php: Change lxc container in bookworm for php82
+* evolinux-base: include files under `sshd_config.d`
 ### Fixed
diff --git a/evolinux-base/tasks/root.yml b/evolinux-base/tasks/root.yml
index 183def7c..5db27cfb 100644
--- a/evolinux-base/tasks/root.yml
+++ b/evolinux-base/tasks/root.yml
@@ -101,6 +101,16 @@
 - evolinux_root_disable_ssh | bool
 - ansible_distribution_major_version is version('11', '<=')
+- name: files under /etc/ssh/sshd_config.d are included (Debian >= 12)
+ ansible.builtin.lineinfile:
+ path: /etc/ssh/sshd_config
+ line: "Include /etc/ssh/sshd_config.d/*.conf"
+ insertbefore: BOF
+ notify: reload ssh
+ when:
+ - evolinux_root_disable_ssh | bool
+ - ansible_distribution_major_version is version('12', '>=')
+
 - name: disable SSH access for root (Debian >= 12)
 ansible.builtin.replace:
 path: /etc/ssh/sshd_config.d/z-evolinux-defaults.conf
diff --git a/evolinux-base/tasks/ssh.included-files.yml b/evolinux-base/tasks/ssh.included-files.yml
index 87e9de5e..bb3538d6 100644
--- a/evolinux-base/tasks/ssh.included-files.yml
+++ b/evolinux-base/tasks/ssh.included-files.yml
@@ -3,6 +3,13 @@
 msg: "Warning: empty 'evolinux_ssh_password_auth_addresses' variable, some configuration elements won't be set!"
 when: evolinux_ssh_password_auth_addresses == []
+- name: files under /etc/ssh/sshd_config.d are included
+ ansible.builtin.lineinfile:
+ path: /etc/ssh/sshd_config
+ line: "Include /etc/ssh/sshd_config.d/*.conf"
+ insertbefore: BOF
+ notify: reload ssh
+
 - name: add SSH server configuration template
 ansible.builtin.template:
 src: sshd/defaults.j2
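Review bot: The new lineinfile task in `root.yml` rewrites `/etc/ssh/sshd_config` and notifies `reload ssh` without checking that the result still parses, so a file that sshd rejects would be left on disk; adding `validate: '/usr/sbin/sshd -t -f %s'` to the task would refuse the write instead (the identical task added in `ssh.included-files.yml` has the same gap). Because no `regexp` is given, an `Include` line that already exists lower in the file counts as present and stays where it is, and since sshd keeps the first value it reads for each keyword, directives above it would still win over the drop-ins. For the same first-value reason, a `PermitRootLogin` set in an earlier-sorting file under `sshd_config.d` would presumably take precedence over `z-evolinux-defaults.conf`, which the following task edits; checking the effective value with `sshd -T` after the reload would confirm that the root restriction actually applies. The body of that following task continues outside the hunk.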
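Review bot: The copy of the task added to `ssh.included-files.yml` has no `when:` guard, whereas the one in `root.yml` is limited to Debian >= 12. sshd only understands `Include` from OpenSSH 8.2 onward, so on a host with an older sshd this line would make the configuration invalid. Whether the caller already restricts this file by release is not visible in the hunk; if it does not, a condition such as `when: ansible_distribution_major_version is version('11', '>=')` (adjusted to the releases you support) would make the requirement explicit. The task is also now defined twice with identical content, so moving it into one shared task file included from both places would keep the copies from drifting apart.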