diff --git a/basics.yml b/basics.yml
index 3a16e43..e5fc2db 100644
--- a/basics.yml
+++ b/basics.yml
@@ -8,6 +8,7 @@ - hosts: nginx roles: - nginx + - nginx-extra - error-pages tags: nginx
diff --git a/roles/nginx-extra/files/snippets/autoindex.conf b/roles/nginx-extra/files/snippets/autoindex.conf
new file mode 100644
index 0000000..bc6ab74
--- /dev/null
+++ b/roles/nginx-extra/files/snippets/autoindex.conf
@@ -0,0 +1,3 @@
+autoindex on;
+autoindex_exact_size on;
+autoindex_localtime off;
diff --git a/roles/nginx-extra/files/snippets/location-acme-srv01.conf b/roles/nginx-extra/files/snippets/location-acme-srv01.conf
new file mode 100644
index 0000000..fed6e58
--- /dev/null
+++ b/roles/nginx-extra/files/snippets/location-acme-srv01.conf
@@ -0,0 +1,6 @@
+location ^~ /.well-known/acme-challenge {
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_pass http://srv01.hamburg.freifunk.net$request_uri;
+ access_log off;
+}
diff --git a/roles/nginx-extra/files/snippets/no-unsafe-files.conf b/roles/nginx-extra/files/snippets/no-unsafe-files.conf
new file mode 100644
index 0000000..5a6df31
--- /dev/null
+++ b/roles/nginx-extra/files/snippets/no-unsafe-files.conf
@@ -0,0 +1,8 @@
+disable_symlinks if_not_owner from=$document_root;
+
+# Do not serve dotfiles.
+location ~ /\. {
+ deny all;
+ access_log off;
+ log_not_found off;
+}
diff --git a/roles/nginx-extra/tasks/main.yml b/roles/nginx-extra/tasks/main.yml
new file mode 100644
index 0000000..56dd493
--- /dev/null
+++ b/roles/nginx-extra/tasks/main.yml
@@ -0,0 +1,5 @@
+---
+- name: copy snippets
+ copy:
+ src: snippets/
+ dest: /etc/nginx/snippets/
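Review bot: Nothing in autoindex.conf says where it may be included, and `autoindex on;` makes nginx list the contents of any directory without an index file, so backups or stray uploads under that location become discoverable. I would add a header comment such as `# Include only in locations that are meant to be public file listings.` The other two directives restate what I believe are the nginx defaults (`autoindex_exact_size on`, `autoindex_localtime off`); keeping them is fine if the intent is to pin them, but a short comment saying so would help.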
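Review bot: `proxy_pass http://srv01.hamburg.freifunk.net$request_uri;` in location-acme-srv01.conf contains a variable, so nginx resolves the host name at request time and needs a `resolver` directive or a matching `upstream` block; neither is visible in this commit, and without one these requests fail with a 502. If the intent is only to forward the original URI, `proxy_pass http://srv01.hamburg.freifunk.net;` does that and resolves the name at startup. The prefix also has no trailing slash, so `location ^~ /.well-known/acme-challenge/ {` would avoid matching sibling paths. The hop to srv01 is plain HTTP, so every vhost including this snippet trusts that network path and DNS answer for certificate issuance, which is worth stating in a comment at the top of the file.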
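Review bot: The dotfile rule `location ~ /\.` in no-unsafe-files.conf also matches `/.well-known/…`, so a server that includes this snippet without the ACME snippet answers 403 for certificate challenges and for files such as `/.well-known/security.txt`. The `^~` location in location-acme-srv01.conf takes precedence only for the challenge path and only where it is included. If blocking `.well-known` is not intended, exclude it in the pattern: `location ~ /\.(?!well-known/) {`. A one-line comment above `disable_symlinks` would also help, for example `# Refuse symlinks below the document root whose owner differs from the owner of their target.`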
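Review bot: The `copy` task in roles/nginx-extra/tasks/main.yml sets no ownership or permissions, so what lands in /etc/nginx/snippets/ depends on the connecting user and umask. For configuration that nginx typically reads as root I would pin them with `owner: root`, `group: root` and `mode: "0644"`. No `notify` is visible either, so changed snippets are presumably not picked up until something else reloads nginx. Notifying the nginx role's reload handler would close that gap, though its name is not visible in this commit. Since `copy` only adds and overwrites files, snippets later deleted from the role stay on the host and remain includable.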