diff --git a/production/host_vars/leptone.kde.org.yml b/production/host_vars/leptone.kde.org.yml
index 396d1cf..b41e5a5 100644
--- a/production/host_vars/leptone.kde.org.yml
+++ b/production/host_vars/leptone.kde.org.yml
@@ -1,7 +1,8 @@
 ---
 backup_directory: backups
 hetzner_backup_host: storage-box-s2
 backup_apt_dependencies: [borgbackup]
 backup_size_logging: yes
 apache_header_table: onsuccess
+apache_allow_txt: yes
diff --git a/production/host_vars/milonia.kde.org.yml b/production/host_vars/milonia.kde.org.yml
index 385fc63..ad9c8bf 100644
--- a/production/host_vars/milonia.kde.org.yml
+++ b/production/host_vars/milonia.kde.org.yml
@@ -1,7 +1,8 @@
 ---
 backup_directory: backups
 hetzner_backup_host: storage-box-s1
 backup_apt_dependencies: [borgbackup]
 backup_size_logging: yes
 apache_header_table: onsuccess
+apache_allow_txt: yes
diff --git a/production/host_vars/nicoda.kde.org.yml b/production/host_vars/nicoda.kde.org.yml
index cb6fa70..6e963f4 100644
--- a/production/host_vars/nicoda.kde.org.yml
+++ b/production/host_vars/nicoda.kde.org.yml
@@ -1,13 +1,14 @@ --- backup_directory: backups hetzner_backup_host: nephilia backup_apt_dependencies: [borgbackup] backup_cron: hour: 1 minute: 30 backup_size_logging: yes allowed_ssh_users_extra: [kcoyle] apache_header_table: onsuccess +apache_allow_txt: yes
diff --git a/production/hosts b/production/hosts
index fa55176..51c4b0a 100644
--- a/production/hosts
+++ b/production/hosts
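Review bot: `apache_allow_txt: yes` in the leptone host_vars relies on YAML 1.1 truthy parsing, while the role default introduced in this same change is written as `apache_allow_txt: false` and its comment says "Set this to true"; `apache_allow_txt: true` keeps the two spellings consistent and satisfies yamllint's truthy rule. The same line is added to the milonia and nicoda host_vars hunks. Ansible's loader does read `yes` as a boolean, so this is a consistency point rather than a functional defect; the pre-existing `backup_size_logging: yes` context lines have the same spelling but are not part of this change.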
@@ -1,117 +1,146 @@ #zivo.kde.org bluemchen.kde.org cano.kde.org seleno.kde.org #fiesta.kde.org recluse.kde.org code.kde.org ange.kde.org stumptown.kde.org dalca.kde.org dalca2.kde.org ansible_host=10.150.44.2 ansible_ssh_common_args='-o ProxyCommand="ssh -W %h:%p -q root@dalca.kde.org"' overwatch.kde.org #overwatch-test.kde.org library.kde.org rosetta.kde.org mimi.kde.org orbi.kde.org letterbox.kde.org mason.kde.org thera.kde.org mygalo.kde.org darwini.kde.org arkyid.kde.org eucten.kde.org anepsion.kde.org charlotte.kde.org halono.kde.org nephilia.kde.org komaci.kde.org edulis.kde.org nicoda.kde.org micrea.kde.org milonia.kde.org platna.kde.org capona.kde.org ctenzi.kde.org leptone.kde.org gallien.kde.org nemes.kde.org ereo.kde.org [anongit] mason.kde.org anongit_style=legacy [monitored] # Servers that are being monitored with Telegraf overwatch.kde.org #overwatch-test.kde.org bluemchen.kde.org rosetta.kde.org library.kde.org mimi.kde.org orbi.kde.org recluse.kde.org code.kde.org darwini.kde.org mason.kde.org thera.kde.org mygalo.kde.org anepsion.kde.org micrea.kde.org #fiesta.kde.org nicoda.kde.org edulis.kde.org ange.kde.org arkyid.kde.org eucten.kde.org seleno.kde.org leptone.kde.org [monitoring-server] overwatch.kde.org #overwatch-test.kde.org [apache] code.kde.org library.kde.org mason.kde.org mimi.kde.org orbi.kde.org overwatch.kde.org rosetta.kde.org stumptown.kde.org charlotte.kde.org edulis.kde.org gallien.kde.org komaci.kde.org letterbox.kde.org mygalo.kde.org nemes.kde.org thera.kde.org halono.kde.org -#leptone.kde.org -#milonia.kde.org -#nicoda.kde.org +leptone.kde.org +milonia.kde.org +nicoda.kde.org platna.kde.org + +[ssl-group1] +halono.kde.org +leptone.kde.org +milonia.kde.org +nicoda.kde.org +platna.kde.org + +[ssl-group2] +charlotte.kde.org +edulis.kde.org +gallien.kde.org +komaci.kde.org +letterbox.kde.org +mygalo.kde.org +nemes.kde.org +thera.kde.org + +[ssl-group3] +bluemchen.kde.org +code.kde.org +darwini.kde.org +library.kde.org 
+mason.kde.org
+mimi.kde.org
+orbi.kde.org
+overwatch.kde.org
+rosetta.kde.org
+stumptown.kde.org
diff --git a/roles/apache/defaults/main.yml b/roles/apache/defaults/main.yml
index 7e0684b..095aea4 100644
--- a/roles/apache/defaults/main.yml
+++ b/roles/apache/defaults/main.yml
@@ -1,5 +1,10 @@
 ---
 # This can be either 'always' or 'onsuccess'.
 # It's used for the 'Header set' directives in secure-ssl.conf;
 # the 'Header unset' directives use the opposite one.
 apache_header_table: always
+
+# By default, grant-srv-www.conf blocks access to *.log and *.txt
+# (but allows robots.txt). Set this to true to only block *.log,
+# in case that particular server needs to host .txt files.
+apache_allow_txt: false
diff --git a/roles/apache/templates/grant-srv-www.conf b/roles/apache/templates/grant-srv-www.conf
index fd75fcb..a84c3a7 100644
--- a/roles/apache/templates/grant-srv-www.conf
+++ b/roles/apache/templates/grant-srv-www.conf
@@ -1,12 +1,19 @@ Options Indexes FollowSymLinks AllowOverride All Require all granted +{% if apache_allow_txt %} + +{% else %} +{% endif %} Require all denied +{% if not apache_allow_txt %} +{# we only need to allow robots.txt as an exception if we're blocking *.txt #} Require all granted +{% endif %}
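Review bot: The new `[ssl-group3]` block lists bluemchen.kde.org and darwini.kde.org, which are not members of `[apache]`, while `[ssl-group1]` and `[ssl-group2]` contain only `[apache]` hosts; if the ssl groups are meant to mirror the Apache hosts these two look like extras, and if the difference is deliberate it deserves a comment. None of the three `[ssl-group*]` headers says what membership means, unlike `[monitored]` which carries `# Servers that are being monitored with Telegraf`; a one-line comment above `[ssl-group1]` stating the actual purpose of the split would let the next editor place a new host correctly. The hunk covers the whole inventory file and its context lines are collapsed in this view, so I am reading group membership from the visible host names only.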
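Review bot: `{% if apache_allow_txt %}` and `{% if not apache_allow_txt %}` test raw Jinja truthiness, so a value that arrives as a string (for example an extra-var passed as `apache_allow_txt=false`, which Ansible delivers as the string "false") is truthy and would select the allow branch unintentionally; `{% if apache_allow_txt | bool %}` and `{% if not (apache_allow_txt | bool) %}` make both conditions accept the usual Ansible boolean spellings. The directive lines inside the two branches are not visible in this view of the hunk (the surrounding Apache container lines appear to have been stripped), so this note covers only the conditions. The inline comment `{# we only need to allow robots.txt as an exception if we're blocking *.txt #}` is helpful; a matching comment above the first `{% if %}`, saying that the true branch drops the `*.txt` deny and leaves only `*.log` blocked, would make the two branches read as a pair.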