From c4db57b83ab6126845e6ac862ec855b80ac99f72 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20Fra=C3=9F?=
 <christian.frass@dielinke-glauchau.de>
Date: Tue, 7 Oct 2025 16:07:09 +0200
Subject: [PATCH] [int]

---
 roles/nginx/defaults/main.json | 2 +-
 roles/nginx/tasks/main.json    | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/roles/nginx/defaults/main.json b/roles/nginx/defaults/main.json
index 912c519..4edfc40 100644
--- a/roles/nginx/defaults/main.json
+++ b/roles/nginx/defaults/main.json
@@ -1,4 +1,4 @@
 {
 	"var_nginx_auto_reload_interval": null,
-	"var_nginx_dhparam_size": 2048
+	"var_nginx_improved_security": false
 }
diff --git a/roles/nginx/tasks/main.json b/roles/nginx/tasks/main.json
index 1edc2e2..46f353c 100644
--- a/roles/nginx/tasks/main.json
+++ b/roles/nginx/tasks/main.json
@@ -13,8 +13,9 @@
 	{
 		"name": "generate dhparams file",
 		"become": true,
+		"when": "var_nginx_improved_security",
 		"ansible.builtin.command": {
-			"cmd": "openssl dhparam -out /etc/nginx/dhparam {{var_nginx_dhparam_size | string}}"
+			"cmd": "openssl dhparam -out /etc/nginx/dhparam 4096"
 		},
 		"args": {
 			"creates": "/etc/nginx/dhparam"
@@ -22,6 +23,7 @@
 	},
 	{
 		"name": "place hardening config",
+		"when": "var_nginx_improved_security",
 		"become": true,
 		"ansible.builtin.copy": {
 			"src": "ssl-hardening.conf",