diff --git a/roles/nginx/cfg.schema.json b/roles/nginx/cfg.schema.json
index d557b5f..b04f70f 100644
--- a/roles/nginx/cfg.schema.json
+++ b/roles/nginx/cfg.schema.json
@@ -8,6 +8,11 @@
       "description": "in hours",
       "default": null
     },
+    "dhparam_size": {
+      "nullable": false,
+      "type": "integer",
+      "default": null
+    },
     "improved_security": {
       "nullable": false,
       "type": "boolean",
diff --git a/roles/nginx/defaults/main.json b/roles/nginx/defaults/main.json
index c85ab4c..21dfe39 100644
--- a/roles/nginx/defaults/main.json
+++ b/roles/nginx/defaults/main.json
@@ -1,6 +1,6 @@
 {
   "cfg_nginx_defaults": {
     "auto_reload_interval": null,
-    "improved_security": false
+    "dhparam_size": 2048
   }
 }
diff --git a/roles/nginx/tasks/main.json b/roles/nginx/tasks/main.json
index e0e78cd..7743c90 100644
--- a/roles/nginx/tasks/main.json
+++ b/roles/nginx/tasks/main.json
@@ -18,10 +18,10 @@
   },
   {
     "name": "generate dhparams file",
-    "when": "cfg_nginx.improved_security",
+    "when": "cfg_nginx.dhparam_size != None",
     "become": true,
     "ansible.builtin.command": {
-      "cmd": "openssl dhparam -out /etc/nginx/dhparam 4096"
+      "cmd": "openssl dhparam -out /etc/nginx/dhparam {{cfg_nginx.dhparam_size | string}}"
     },
     "args": {
       "creates": "/etc/nginx/dhparam"
@@ -29,9 +29,8 @@
   },
   {
     "name": "place hardening config",
-    "when": "cfg_nginx.improved_security",
     "become": true,
-    "ansible.builtin.copy": {
+    "ansible.builtin.template": {
       "src": "ssl-hardening.conf",
       "dest": "/etc/nginx/ssl-hardening.conf"
     }
diff --git a/roles/nginx/files/ssl-hardening.conf b/roles/nginx/templates/ssl-hardening.conf.j2
similarity index 93%
rename from roles/nginx/files/ssl-hardening.conf
rename to roles/nginx/templates/ssl-hardening.conf.j2
index 1d5f5f4..26d4e15 100644
--- a/roles/nginx/files/ssl-hardening.conf
+++ b/roles/nginx/templates/ssl-hardening.conf.j2
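Review bot: `dhparam_size` is declared `"nullable": false` yet carries `"default": null`, and both tasks/main.json and the template switch on `cfg_nginx.dhparam_size != None`, so the schema contradicts the only mechanism the role offers for leaving dhparam generation off; either set `"nullable": true` here or drop the null branch from the tasks (whether the validator honours a custom `nullable` keyword cannot be seen from this diff). The integer is also unconstrained, and a misconfigured small value would produce a weak DH group that the role then deploys, so add `"minimum": 2048` to the property. The `improved_security` property visible in the context lines is no longer set in defaults/main.json (second hunk) nor referenced by tasks/main.json, so it should be removed from the schema or marked deprecated in its description. The schema default (`null`) and the role default (`2048` in defaults/main.json) are also two sources of truth for the same value; a one-line `"description"` saying which one wins would help the next maintainer.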
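Review bot: `"creates": "/etc/nginx/dhparam"` skips the command once the file exists, so a later change to `cfg_nginx.dhparam_size` never regenerates the parameters and the host silently keeps the old group size; the task should either record the size (for example in the output file name) so a change is detected, or the name/description should state that the size only applies on first generation. The new condition works in Ansible's Jinja, but the idiomatic form is `"when": "cfg_nginx.dhparam_size is not none"`, and because the value is interpolated into the command line, an `ansible.builtin.assert` that `cfg_nginx.dhparam_size is integer and cfg_nginx.dhparam_size >= 2048` placed before this task would enforce the schema's `integer` type at runtime. `ansible.builtin.command` does not run a shell, so the interpolation is not a shell-injection path, but any non-numeric value would still reach openssl as an argument and fail late. The task object continues past the end of this hunk.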
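Review bot: `"src": "ssl-hardening.conf"` no longer matches the file this commit renames to `roles/nginx/templates/ssl-hardening.conf.j2`; `ansible.builtin.template` resolves `src` under `templates/` without appending `.j2`, so the task should read `"src": "ssl-hardening.conf.j2"` (unless a same-named file is also kept, which the diff does not show). Dropping the `when` makes the hardening config unconditional, a behaviour change for hosts that previously ran with `improved_security: false`, and that deserves a sentence in the commit description. Whether the rendered file is actually included by the nginx configuration, and whether a reload is notified, lies outside this hunk; the task object continues past its end.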
@@ -3,7 +3,9 @@
 ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
 ssl_session_tickets off;
 # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
+{% if cfg_nginx.dhparam_size != None %}
 ssl_dhparam /etc/nginx/dhparam;
+{% endif %}
 # intermediate configuration
 ssl_protocols TLSv1.2 TLSv1.3;
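Review bot: the `# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam` comment stays outside the new `{% if %}` and still describes a manual download, while the role now generates `/etc/nginx/dhparam` itself with `openssl dhparam` sized by `cfg_nginx.dhparam_size`; replace it with `# /etc/nginx/dhparam is generated by the "generate dhparams file" task; set cfg_nginx.dhparam_size to null to omit ssl_dhparam` and move it inside the condition so a rendered file without `ssl_dhparam` is not left with a dangling hint. `{% if cfg_nginx.dhparam_size is not none %}` is the idiomatic Jinja form of the same test. Whether omitting `ssl_dhparam` leaves any DHE suites in the `ssl_ciphers` list usable cannot be judged here, since that directive lies outside this hunk.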