4 changed files with 11 additions and 5 deletions
--- a/roles/nginx/cfg.schema.json
+++ b/roles/nginx/cfg.schema.json
@ -8,6 +8,11 @@
 			"description": "in hours",
 			"default": null
 		},
+		"dhparam_size": {
+			"nullable": false,
+			"type": "integer",
+			"default": null
+		},
 		"improved_security": {
 			"nullable": false,
 			"type": "boolean",
--- a/roles/nginx/defaults/main.json
+++ b/roles/nginx/defaults/main.json
@ -1,6 +1,6 @@
 {
 	"cfg_nginx_defaults": {
 		"auto_reload_interval": null,
-		"improved_security": false
+		"dhparam_size": 2048
 	}
 }
--- a/roles/nginx/tasks/main.json
+++ b/roles/nginx/tasks/main.json
@ -18,10 +18,10 @@
 	},
 	{
 		"name": "generate dhparams file",
-		"when": "cfg_nginx.improved_security",
+		"when": "cfg_nginx.dhparam_size != None",
 		"become": true,
 		"ansible.builtin.command": {
-			"cmd": "openssl dhparam -out /etc/nginx/dhparam 4096"
+			"cmd": "openssl dhparam -out /etc/nginx/dhparam {{cfg_nginx.dhparam_size | string}}"
 		},
 		"args": {
 			"creates": "/etc/nginx/dhparam"
@ -29,9 +29,8 @@
 	},
 	{
 		"name": "place hardening config",
-		"when": "cfg_nginx.improved_security",
 		"become": true,
-		"ansible.builtin.copy": {
+		"ansible.builtin.template": {
 			"src": "ssl-hardening.conf",
 			"dest": "/etc/nginx/ssl-hardening.conf"
 		}
--- a/roles/nginx/templates/ssl-hardening.conf.j2
+++ b/roles/nginx/templates/ssl-hardening.conf.j2
@ -3,7 +3,9 @@ ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
 ssl_session_tickets off;

 # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
+{% if cfg_nginx.dhparam_size != None %}
 ssl_dhparam /etc/nginx/dhparam;
+{% endif %}

 # intermediate configuration
 ssl_protocols TLSv1.2 TLSv1.3;