diff --git a/README.md b/README.md index 676ad72..dc06d85 100644 --- a/README.md +++ b/README.md @@ -190,7 +190,7 @@ defaults. This is useful if the role is used in deployment stage to make sure the service is able to start on the first attempt. To disable this check, set this to empty list. -* `sshd_hostkey_owner`, `sshd_hostkey_group`, `sshd_hostkey_group` +* `sshd_hostkey_owner`, `sshd_hostkey_group`, `sshd_hostkey_mode` Use these variables to set the ownership and permissions for the host keys from the above list. @@ -273,6 +273,8 @@ for example: X11Forwarding: yes ``` +More example playbooks can be found in [`examples/`](examples/) directory. + Template Generation ------------------- diff --git a/examples/example-root-login.yml b/examples/example-root-login.yml new file mode 100644 index 0000000..156e629 --- /dev/null +++ b/examples/example-root-login.yml @@ -0,0 +1,15 @@ +--- +- hosts: all + tasks: + - name: Configure sshd to prevent root and password login except from particular subnet + include_role: + name: ansible-sshd + vars: + sshd: + # root login and password login is enabled only from a particular subnet + PermitRootLogin: no + PasswordAuthentication: no + Match: + - Condition: "Address 192.0.2.0/24" + PermitRootLogin: yes + PasswordAuthentication: yes
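Review bot: The sentence added in the README hunk at @@ -273 is missing an article: "can be found in [`examples/`](examples/) directory" should read "can be found in the [`examples/`](examples/) directory". Since the patch adds a single file there, the sentence could also say what examples/example-root-login.yml demonstrates, so that readers know what to expect before following the link.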
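Review bot: In examples/example-root-login.yml the Match block sets both `PermitRootLogin: yes` and `PasswordAuthentication: yes` for `Address 192.0.2.0/24`, so a copied example permits password-authenticated root logins from an entire /24, and nothing in the file marks the subnet as a placeholder. 192.0.2.0/24 is the TEST-NET-1 documentation range, so please add a comment telling the reader to replace it with their own management network, and say that the condition matches on the client's source address only. If the example only needs to show a per-subnet override, `PermitRootLogin: prohibit-password` inside the Match block would be a safer value to hand out. The in-file comment should also read "root login and password login are enabled only from a particular subnet". Finally, the unquoted `yes` and `no` values are YAML booleans, which is consistent with `X11Forwarding: yes` in the README context lines, so they are fine if the role is meant to accept booleans here.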