diff --git a/docs/releasenotes.rst b/docs/releasenotes.rst index 000e051dc88c32af2603f9ed6e8497f2e143d2ae..492a6d29a0221a7e70b90400dd3fe5f95d0c289a 100644 --- a/docs/releasenotes.rst +++ b/docs/releasenotes.rst @@ -5,6 +5,14 @@ Release notes NEXT RELEASE ------------ +**New features/improvements:** + +* ``common`` role + + * Added parameters ``maintenance`` and ``maintenance_allowed_hosts`` + for enabling maintenance mode. In maintenance mode only the listed + hosts are allowed to connect to the server. + **Bug fixes:** * ``wsgi_website_`` role diff --git a/docs/rolereference.rst b/docs/rolereference.rst index ffd18b337b1f99fc52a00fb518f88e360cac0f6a..d70de99ba1e81e627d39bec963173bb4f4f27864 100644 --- a/docs/rolereference.rst +++ b/docs/rolereference.rst @@ -391,6 +391,18 @@ Parameters higher than ``incoming_connection_limit``), even if it would go above the specified connection limit. +**maintenance** (boolean, optional, ``False``) + Specifies if maintenance mode should be enabled or not. In + maintenance mode incoming TCP connections are allowed only from + explicitly listed hosts (see ``maintenance_allowed_hosts`` + parameter). All ports are covered by this rule, with sole exception + being the TCP port 22 (SSH). The SSH port is never blocked via + maintenance mode. + +**maintenance_allowed_hosts** (list, optional, ``[]``) + List of hosts that should be allowed to connect to the server when + in maintenance mode. + **ntp_servers** (list, optional, ``[]``) List of NTP servers to use for synchronising the time on managed machine using NTP. If no time synchronisation should be set-up, set diff --git a/docs/usage.rst b/docs/usage.rst index e5ce72418d671feff37dd1898cf1b035f7756739..bcff5b9ee1b06542777db082e9d0143961a401f7 100644 --- a/docs/usage.rst +++ b/docs/usage.rst 
@@ -511,6 +511,12 @@ Each server needs to share some common configuration in order to be functioning properly. This includes set-up of some shared accounts, perhaps some hardening etc. +.. note:: + Should you ever need to limit what hosts can connect to a server + for some kind of maintenance or upgrade purposes, the ``common`` + role comes with ``maintenance`` and ``maintenance_allowed_hosts`` + parameters. See :ref:`rolereference` for more information. + Let's take care of this common configuration right away: 1. Create playbook for the communications server:
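Review bot: the release note entry for the ``common`` role hunk in ``docs/releasenotes.rst`` states that "only the listed hosts are allowed to connect to the server", but the role reference text in the same patch exempts TCP port 22 from the rule. The release note should carry the same caveat so readers of the changelog do not assume SSH is also restricted, for example: "In maintenance mode only the listed hosts are allowed to connect to the server (SSH on TCP port 22 stays reachable)."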
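Review bot: the ``maintenance_allowed_hosts`` entry in the ``docs/rolereference.rst`` hunk does not say what form a list item takes (IP address, CIDR network, or hostname) or, if hostnames are accepted, when they are resolved; operators writing firewall allow-lists need this to avoid locking out the wrong host. Two further points worth stating in the ``maintenance`` entry: with the default ``[]`` and ``maintenance`` set to ``True`` every non-SSH connection is refused, and the exemption is tied to TCP port 22 specifically, so a server running SSH on another port gets no exemption. The sentence "with sole exception being the TCP port 22 (SSH)" also reads better as "with the sole exception of TCP port 22 (SSH)", and "incoming TCP connections" should be confirmed as the intended scope (UDP services unaffected).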
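Review bot: the ``.. note::`` added in the ``docs/usage.rst`` hunk points at the whole ``rolereference`` document; since the two parameters sit under the ``common`` role's parameter list, a ref or explicit mention of the ``common`` role section would save readers a search. It would also help to repeat the one operational caveat here, that SSH (TCP port 22) is never blocked, so the note is self-contained for someone skimming the usage guide.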