diff --git a/README.md b/README.md
index e22f5b3e..4fe2c5bf 100644
--- a/README.md
+++ b/README.md
@@ -233,7 +233,7 @@ see [Unattended-Upgrade::Automatic-Reboot](https://help.ubuntu.com/community/Aut
 and [dnf_automatic: reboot](https://dnf.readthedocs.io/en/latest/automatic.html).
 
 The reboot time scheduling is currently only supported on Debian-based distros.
-The reboot is by default scheduled randomly betweem 2:00-2:20AM, server time. The 
+The reboot is by default scheduled randomly betweem 2:00-2:20AM, server time. The
 reboot time is chosen randomly from `reboot_from_time`, adding a random time within
 `reboot_time_margin_mins` to avoid overloading hypervisors.
 
@@ -403,6 +403,32 @@ limit_nproc_soft: 512
 
 Set maximum number of processes and open files, see [limits.conf(5)](https://www.man7.org/linux/man-pages/man5/limits.conf.5.html).
 
+### ./defaults/main/logind.yml
+
+```yaml
+logind:
+  killuserprocesses: true
+  killexcludeusers:
+    - root
+  idleaction: lock
+  idleactionsec: 15min
+  removeipc: true
+```
+
+Configure [logind](https://www.freedesktop.org/software/systemd/man/latest/logind.conf.html).
+
+`killuserprocesses` takes a boolean argument. Configures whether the processes
+of a user should be killed when the user logs out.
+
+`killexcludeusers` takes a list of usernames that override the
+`killuserprocesses` setting.
+
+`idleaction` and `idleactionsec` configures the action to take when the system
+is idle and the delay after which the action configured in `idleaction` is taken.
+
+`removeipc` takes a boolean argument. If enabled, the user may not consume IPC
+resources after the last of the user's sessions terminated.
+
 ### ./defaults/main/misc.yml
 
 ```yaml
diff --git a/defaults/main/logind.yml b/defaults/main/logind.yml
new file mode 100644
index 00000000..0dcda02e
--- /dev/null
+++ b/defaults/main/logind.yml
@@ -0,0 +1,8 @@
+---
+logind:
+  killuserprocesses: true
+  killexcludeusers:
+    - root
+  idleaction: lock
+  idleactionsec: 15min
+  removeipc: true
diff --git a/molecule/custom/molecule.yml b/molecule/custom/molecule.yml
index db416fb9..e9bcc898 100644
--- a/molecule/custom/molecule.yml
+++ b/molecule/custom/molecule.yml
@@ -22,7 +22,7 @@ provisioner:
           enabled: true
           only_security: true
           reboot: false
-          reboot_from_time: "2:00"
+          reboot_from_time: 2:00
           reboot_time_margin_mins: "20"
         fallback_ntp:
           - 169.254.169.123
diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml
index 78ebc25a..c17581c2 100644
--- a/molecule/default/molecule.yml
+++ b/molecule/default/molecule.yml
@@ -69,6 +69,14 @@ provisioner:
       noble:
         disable_wireless: true
         kernel_lockdown: true
+        logind:
+          killuserprocesses: true
+          killexcludeusers:
+            - root
+            - vagrant
+          idleaction: lock
+          idleactionsec: 15min
+          removeipc: true
         sshd_admin_net:
           - 0.0.0.0/0
         sshd_allow_groups:
diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml
index dca54d89..28a8965c 100644
--- a/molecule/default/verify.yml
+++ b/molecule/default/verify.yml
@@ -1349,6 +1349,22 @@
         - ForwardToSyslog={{ 'yes' if journald_forwardtosyslog else 'no' }}
         - Compress={{ 'yes' if journald_compress else 'no' }}
 
+    - name: Verify logind settings
+      ansible.builtin.shell: |
+        set -o pipefail
+        systemd-analyze cat-config systemd/logind.conf | grep "^{{ item }}"
+      args:
+        executable: /bin/bash
+      register: journald_conf
+      failed_when: journald_conf.rc != 0
+      changed_when: journald_conf.rc != 0
+      with_items:
+        - KillUserProcesses={{ 'true' if logind.killuserprocesses else 'false' }}
+        - KillExcludeUsers={{ logind.killexcludeusers | join(' ') }}
+        - IdleAction={{ logind.idleaction }}
+        - IdleActionSec={{ logind.idleactionsec }}
+        - RemoveIPC={{ 'true' if logind.removeipc else 'false' }}
+
     - name: Verify journal permissions
       become: true
       block:
diff --git a/tasks/logindconf.yml b/tasks/logindconf.yml
index c52f24b7..0464098f 100644
--- a/tasks/logindconf.yml
+++ b/tasks/logindconf.yml
@@ -1,12 +1,22 @@
 ---
 - name: Configure systemd logind
   become: true
-  ansible.builtin.template:
-    src: "{{ logind_conf_template }}"
-    dest: /etc/systemd/logind.conf
-    backup: true
-    mode: "0644"
-    owner: root
-    group: root
-  notify:
-    - Reload systemd
+  block:
+    - name: Create logind.conf.d drop-in directory
+      ansible.builtin.file:
+        path: /etc/systemd/logind.conf.d
+        state: directory
+        mode: "0755"
+        owner: root
+        group: root
+
+    - name: Configure systemd logind
+      ansible.builtin.template:
+        src: "{{ logind_conf_template }}"
+        dest: /etc/systemd/logind.conf.d/zz-logind-hardening.conf
+        backup: true
+        mode: "0644"
+        owner: root
+        group: root
+      notify:
+        - Reload systemd
diff --git a/templates/etc/systemd/logind.conf.j2 b/templates/etc/systemd/logind.conf.j2
index b99e4c11..d64fe716 100644
--- a/templates/etc/systemd/logind.conf.j2
+++ b/templates/etc/systemd/logind.conf.j2
@@ -2,8 +2,8 @@
 # Generated by Ansible role {{ ansible_role_name }}
 
 [Login]
-KillUserProcesses=1
-KillExcludeUsers=root
-IdleAction=lock
-IdleActionSec=15min
-RemoveIPC=yes
+KillUserProcesses={{ 'true' if logind.killuserprocesses else 'false' }}
+KillExcludeUsers={{ logind.killexcludeusers | join(' ') }}
+IdleAction={{ logind.idleaction }}
+IdleActionSec={{ logind.idleactionsec }}
+RemoveIPC={{ 'true' if logind.removeipc else 'false' }}