diff --git a/docs/maintenance.md b/docs/maintenance.md index 44323743d84aeb3b19796dedb96aa08d024a6d6e..c703c99f9fefe27614308d7256e636048f3cb4ac 100644 --- a/docs/maintenance.md +++ b/docs/maintenance.md @@ -46,3 +46,12 @@ as a variable, to make sure the right file is used. This causes the regular nginx configuration to only be applied when there is no maintenance variable on the command line. + +# Adding a custom maintenance mode nginx template + +The maintenance role can also use a custom nginx template, if the service_nginx_template variable is +set alongside the other vars when including the maintenance role, it will look up first on the maintenance +role template directory and then on the calling role template directory for the specified template. + +Since this is a completely custom file, it is the job of this file of putting the service into maintenance +mode. The maintenance role will provide the 503 file and create the directories. diff --git a/roles/archweb/tasks/main.yml b/roles/archweb/tasks/main.yml index 3384dea148dd11e678d0e2000474f44d4b200a51..4c03e5f9a1024b13d45db7d67e1f1d0ef3c9d585 100644 --- a/roles/archweb/tasks/main.yml +++ b/roles/archweb/tasks/main.yml @@ -7,7 +7,8 @@ service_domain: "{{ archweb_domain }}" service_alternate_domains: "{{ archweb_alternate_domains }}" service_nginx_conf: "{{ archweb_nginx_conf }}" - when: maintenance is defined + service_nginx_template: "maintenance-nginx.d.conf.j2" + when: maintenance is defined and archweb_site - name: install required packages pacman: name=git,python-setuptools,python-psycopg2,llvm-libs,uwsgi-plugin-python state=present diff --git a/roles/archweb/templates/maintenance-nginx.d.conf.j2 b/roles/archweb/templates/maintenance-nginx.d.conf.j2 new file mode 100644 index 0000000000000000000000000000000000000000..7122122b535c08c628ba604dd7e853774c1122e1 --- /dev/null +++ b/roles/archweb/templates/maintenance-nginx.d.conf.j2 
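Review bot: The widened condition `when: maintenance is defined and archweb_site` will fail with an undefined-variable error on any host where `archweb_site` is not set, because the `is defined` guard only covers `maintenance`. If the role defaults do not guarantee the variable (they are not visible here), write `when: maintenance is defined and archweb_site | default(false)` so that an unset value simply skips the maintenance include. The task these `vars` belong to starts before the hunk.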
@@ -0,0 +1,169 @@
+upstream archweb {
+ server unix:///run/uwsgi/archweb.sock;
+}
+
+{% if service_alternate_domains %}
+{% for domain in service_alternate_domains %}
+
+server {
+ listen 80;
+ listen [::]:80;
+ server_name {{ domain }};
+
+ access_log {{ maintenance_logs_dir }}/{{ service_domain }}-access.log reduced;
+ error_log {{ maintenance_logs_dir }}/{{ service_domain }}-error.log;
+
+ include snippets/letsencrypt.conf;
+
+ location / {
+ access_log off;
+ return 301 https://$server_name$request_uri;
+ }
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name {{ domain }};
+
+ access_log {{ maintenance_logs_dir }}/{{ service_domain }}-access.log reduced;
+ error_log {{ maintenance_logs_dir }}/{{ service_domain }}-error.log;
+
+ ssl_certificate /etc/letsencrypt/live/{{ service_domain }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ service_domain }}/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/{{ service_domain }}/chain.pem;
+
+ location / {
+ access_log off;
+ return 301 https://{{ service_domain }};
+ }
+}
+{% endfor %}
+
+server {
+{% else %}
+
+server {
+{% endif %}
+ listen 80;
+ listen [::]:80;
+ server_name {{ service_domain }};
+
+ access_log {{ maintenance_logs_dir }}/{{ service_domain }}-access.log reduced;
+ error_log {{ maintenance_logs_dir }}/{{ service_domain }}-error.log;
+
+ include snippets/letsencrypt.conf;
+
+ location /check_network_status.txt {
+ access_log off;
+ add_header Cache-Control "max-age=0, must-revalidate";
+ return 200 'NetworkManager is online';
+ }
+
+ location / {
+ access_log off;
+ return 301 https://$server_name$request_uri;
+ }
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name {{ service_domain }};
+
+ access_log {{ maintenance_logs_dir }}/{{ service_domain }}-access.log reduced;
+ error_log {{ maintenance_logs_dir }}/{{ service_domain }}-error.log;
+
+ ssl_certificate /etc/letsencrypt/live/{{ service_domain }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ service_domain }}/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/{{ service_domain }}/chain.pem;
+
+ error_page 503 /503.html;
+
+ location /.well-known/matrix/server {
+ add_header Content-Type application/json;
+ return 200 '{"m.server": "{{ matrix_domain }}:443"}';
+ }
+
+ location /.well-known/matrix/client {
+ add_header Content-Type application/json;
+ add_header Access-Control-Allow-Origin *;
+ return 200 '{"m.homeserver": {"base_url": "https://{{ matrix_domain }}"}, "m.identity_server": {"base_url": "https://matrix.org"} }';
+ }
+
+ location /robots.txt {
+ alias {{ archweb_dir }}/archlinux.org/robots.txt;
+ }
+
+ location /humans.txt {
+ alias {{ archweb_dir }}/archlinux.org/humans.txt;
+ }
+
+ location /google7827eadf026b4a87.html {
+ alias {{ archweb_dir }}/archlinux.org/google7827eadf026b4a87.html;
+ }
+
+ location /BingSiteAuth.xml {
+ alias {{ archweb_dir }}/archlinux.org/BingSiteAuth.xml;
+ }
+
+ location /favicon.ico {
+ alias {{ archweb_dir }}/collected_static/favicon.ico;
+ }
+
+ location /pacman {
+ alias {{ archweb_dir }}/archlinux.org/pacman/;
+ }
+
+ location /netcfg {
+ alias {{ archweb_dir }}/archlinux.org/netcfg/;
+ }
+
+ location /logos {
+ alias {{ archweb_dir }}/archlinux.org/logos/;
+ }
+
+ location ~ ^/iso/(.*\.(iso|img|tar\.gz|sfs)$) {
+ deny all;
+ }
+
+ location /iso {
+ alias {{ archweb_rsync_iso_dir }};
+ }
+
+ # Cache django's css, js and png files.
+ location /static {
+ expires 30d;
+ add_header Pragma public;
+ add_header Cache-Control "public";
+ alias {{ archweb_dir }}/collected_static;
+ }
+
+ location /img {
+ alias {{ archweb_dir }}/media/img;
+ }
+
+ location /retro {
+ alias {{ archweb_retro_dir }};
+ }
+
+ if ($remote_addr = {{ maintenance_remote_machine }}) {
+ set $maintenance_remote_machine true;
+ }
+
+ location / {
+ include uwsgi_params;
+
+ if ($maintenance_remote_machine = true) {
+ access_log /var/log/nginx/{{ archweb_domain }}/access.log main;
+ uwsgi_pass archweb;
+ break;
+ }
+
+ return 503;
+ }
+
+ location = /503.html {
+ root {{ maintenance_http_dir }}/{{ service_domain }};
+ }
+}
diff --git a/roles/maintenance/tasks/main.yml b/roles/maintenance/tasks/main.yml
index a6cc430093b90946c1e5870cb04402a5859d0469..31e9a77afdbff3a5aceac080bea9415d39e90427 100644
--- a/roles/maintenance/tasks/main.yml
+++ b/roles/maintenance/tasks/main.yml
@@ -17,7 +17,17 @@
 group: root
 mode: 0644
 notify: reload nginx
- when: maintenance is defined and maintenance|bool
+ when: service_nginx_template is not defined and maintenance is defined and maintenance|bool
+
+- name: set up custom nginx maintenance mode
+ template:
+ src: "{{ service_nginx_template }}"
+ dest: "{{ service_nginx_conf }}"
+ owner: root
+ group: root
+ mode: 0644
+ notify: reload nginx
+ when: service_nginx_template is defined and maintenance is defined and maintenance|bool
 
 - name: create the 503 html file
 template:
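Review bot: The `location /pacman`, `location /netcfg` and `location /logos` blocks pair a prefix with no trailing slash with an `alias` that ends in one, which is the well-known nginx alias misconfiguration: the prefix also matches request paths that continue past `/pacman` with dot segments, and nginx resolves the remainder relative to the aliased directory's parent rather than confining it to `pacman/`. Give each location the same trailing slash as its alias, `location /pacman/ {`, `location /netcfg/ {`, `location /logos/ {`; whether `/iso` and `/retro` have the same issue depends on whether `archweb_rsync_iso_dir` and `archweb_retro_dir` end in a slash, which is not visible here. Separately, `$maintenance_remote_machine` is only assigned inside the `if ($remote_addr = ...)` block, so for every other client the comparison in `location /` reads an uninitialized variable and nginx emits a "using uninitialized variable" warning in the error log; add `set $maintenance_remote_machine false;` before that `if`. These blocks look like they were copied from the regular archweb nginx template, in which case the same alias fix presumably applies there too.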
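Review bot: The new "set up custom nginx maintenance mode" task copies `mode: 0644` as an unquoted leading-zero scalar; YAML 1.1 parsers read it as the integer 420, which Ansible maps back to the intended octal, but ansible-lint flags the form (`risky-octal`) and a typo such as `644` would silently produce a different permission. Prefer `mode: "0644"` on the new task, and for consistency on the context line above it. The two `when:` expressions are now exact complements of each other, which is easy to break when one is edited alone; a comment such as `# exactly one of the two nginx template tasks runs: the default unless the caller passed service_nginx_template` above the new task would make that invariant explicit.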