diff --git a/production/host_vars/leptone.kde.org.yml b/production/host_vars/leptone.kde.org.yml
index 396d1cf..b41e5a5 100644
--- a/production/host_vars/leptone.kde.org.yml
+++ b/production/host_vars/leptone.kde.org.yml
@@ -1,7 +1,8 @@
---
backup_directory: backups
hetzner_backup_host: storage-box-s2
backup_apt_dependencies: [borgbackup]
backup_size_logging: yes
apache_header_table: onsuccess
+apache_allow_txt: yes
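Review bot: The new `apache_allow_txt: yes` uses the YAML 1.1 truthy spelling, while the role default this overrides is written as `apache_allow_txt: false` and its comment says "Set this to true"; the same `yes` spelling is added in the milonia.kde.org.yml and nicoda.kde.org.yml hunks. Ansible's loader does read `yes` as a boolean, so this works, but `true`/`false` is the canonical form, yamllint's truthy rule will flag the others, and a reader grepping for `apache_allow_txt: true` across host_vars will miss these three hosts. I would write `apache_allow_txt: true` in all three files, even though the older `backup_size_logging: yes` lines in the same files keep the legacy spelling.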
diff --git a/production/host_vars/milonia.kde.org.yml b/production/host_vars/milonia.kde.org.yml
index 385fc63..ad9c8bf 100644
--- a/production/host_vars/milonia.kde.org.yml
+++ b/production/host_vars/milonia.kde.org.yml
@@ -1,7 +1,8 @@
---
backup_directory: backups
hetzner_backup_host: storage-box-s1
backup_apt_dependencies: [borgbackup]
backup_size_logging: yes
apache_header_table: onsuccess
+apache_allow_txt: yes
diff --git a/production/host_vars/nicoda.kde.org.yml b/production/host_vars/nicoda.kde.org.yml
index cb6fa70..6e963f4 100644
--- a/production/host_vars/nicoda.kde.org.yml
+++ b/production/host_vars/nicoda.kde.org.yml
@@ -1,13 +1,14 @@
---
backup_directory: backups
hetzner_backup_host: nephilia
backup_apt_dependencies: [borgbackup]
backup_cron:
hour: 1
minute: 30
backup_size_logging: yes
allowed_ssh_users_extra: [kcoyle]
apache_header_table: onsuccess
+apache_allow_txt: yes
diff --git a/production/hosts b/production/hosts
index fa55176..51c4b0a 100644
--- a/production/hosts
+++ b/production/hosts
@@ -1,117 +1,146 @@
#zivo.kde.org
bluemchen.kde.org
cano.kde.org
seleno.kde.org
#fiesta.kde.org
recluse.kde.org
code.kde.org
ange.kde.org
stumptown.kde.org
dalca.kde.org
dalca2.kde.org ansible_host=10.150.44.2 ansible_ssh_common_args='-o ProxyCommand="ssh -W %h:%p -q root@dalca.kde.org"'
overwatch.kde.org
#overwatch-test.kde.org
library.kde.org
rosetta.kde.org
mimi.kde.org
orbi.kde.org
letterbox.kde.org
mason.kde.org
thera.kde.org
mygalo.kde.org
darwini.kde.org
arkyid.kde.org
eucten.kde.org
anepsion.kde.org
charlotte.kde.org
halono.kde.org
nephilia.kde.org
komaci.kde.org
edulis.kde.org
nicoda.kde.org
micrea.kde.org
milonia.kde.org
platna.kde.org
capona.kde.org
ctenzi.kde.org
leptone.kde.org
gallien.kde.org
nemes.kde.org
ereo.kde.org
[anongit]
mason.kde.org anongit_style=legacy
[monitored]
# Servers that are being monitored with Telegraf
overwatch.kde.org
#overwatch-test.kde.org
bluemchen.kde.org
rosetta.kde.org
library.kde.org
mimi.kde.org
orbi.kde.org
recluse.kde.org
code.kde.org
darwini.kde.org
mason.kde.org
thera.kde.org
mygalo.kde.org
anepsion.kde.org
micrea.kde.org
#fiesta.kde.org
nicoda.kde.org
edulis.kde.org
ange.kde.org
arkyid.kde.org
eucten.kde.org
seleno.kde.org
leptone.kde.org
[monitoring-server]
overwatch.kde.org
#overwatch-test.kde.org
[apache]
code.kde.org
library.kde.org
mason.kde.org
mimi.kde.org
orbi.kde.org
overwatch.kde.org
rosetta.kde.org
stumptown.kde.org
charlotte.kde.org
edulis.kde.org
gallien.kde.org
komaci.kde.org
letterbox.kde.org
mygalo.kde.org
nemes.kde.org
thera.kde.org
halono.kde.org
-#leptone.kde.org
-#milonia.kde.org
-#nicoda.kde.org
+leptone.kde.org
+milonia.kde.org
+nicoda.kde.org
platna.kde.org
+
+[ssl-group1]
+halono.kde.org
+leptone.kde.org
+milonia.kde.org
+nicoda.kde.org
+platna.kde.org
+
+[ssl-group2]
+charlotte.kde.org
+edulis.kde.org
+gallien.kde.org
+komaci.kde.org
+letterbox.kde.org
+mygalo.kde.org
+nemes.kde.org
+thera.kde.org
+
+[ssl-group3]
+bluemchen.kde.org
+code.kde.org
+darwini.kde.org
+library.kde.org
+mason.kde.org
+mimi.kde.org
+orbi.kde.org
+overwatch.kde.org
+rosetta.kde.org
+stumptown.kde.org
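Review bot: The new `[ssl-group1]`…`[ssl-group3]` groups carry no comment saying what the split is for, unlike `[monitored]` just above, and their membership does not line up with `[apache]`: bluemchen.kde.org and darwini.kde.org appear in `[ssl-group3]` but not in `[apache]`, while every other ssl-group member is also an apache host. If the groups are meant to batch the apache hosts for certificate work, those two entries look like a mistake; if membership is intentionally wider, a one-line comment would prevent the next edit from "fixing" it. I would add above the first group something like `# ssl-groupN: batches of TLS-serving hosts, rotated one group at a time — TODO confirm; bluemchen and darwini are not in [apache]`.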
diff --git a/roles/apache/defaults/main.yml b/roles/apache/defaults/main.yml
index 7e0684b..095aea4 100644
--- a/roles/apache/defaults/main.yml
+++ b/roles/apache/defaults/main.yml
@@ -1,5 +1,10 @@
---
# This can be either 'always' or 'onsuccess'.
# It's used for the 'Header set' directives in secure-ssl.conf;
# the 'Header unset' directives use the opposite one.
apache_header_table: always
+
+# By default, grant-srv-www.conf blocks access to *.log and *.txt
+# (but allows robots.txt). Set this to true to only block *.log,
+# in case that particular server needs to host .txt files.
+apache_allow_txt: false
diff --git a/roles/apache/templates/grant-srv-www.conf b/roles/apache/templates/grant-srv-www.conf
index fd75fcb..a84c3a7 100644
--- a/roles/apache/templates/grant-srv-www.conf
+++ b/roles/apache/templates/grant-srv-www.conf
@@ -1,12 +1,19 @@
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
+{% if apache_allow_txt %}
+
+{% else %}
+{% endif %}
Require all denied
+{% if not apache_allow_txt %}
+{# we only need to allow robots.txt as an exception if we're blocking *.txt #}
Require all granted
+{% endif %}
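Review bot: The conditionals test `apache_allow_txt` as a bare Jinja truth value, so any string form of the variable (for example one supplied with `-e apache_allow_txt=false` on the command line, which arrives as a string) is truthy and silently disables the `*.txt` block; use `{% if apache_allow_txt | bool %}` and `{% if not (apache_allow_txt | bool) %}` so the check matches the boolean the role default declares. Separately, in this view the branch bodies between `{% if apache_allow_txt %}` and `{% endif %}` contain only a blank line, which suggests the enclosing container directives (presumably the `<FilesMatch>` openers referred to by the defaults comment) were lost in this rendering; review the rendered grant-srv-www.conf for a host with the flag set and confirm that the `*.log` deny is still emitted in the allow-txt branch, since the role comment promises it stays blocked. Adding `{# apache_allow_txt only relaxes *.txt; *.log must remain denied in both branches #}` at the top of the block would record that contract.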