Generate dhparams for SSL

Timeline.org

@@ -42,18 +42,17 @@
 *** IN-PROGRESS Nginx [2/5] [40%]
     - [X] Radicale reverse proxy
     - [X] Syncthing reverse proxy
-    - [ ] Wallabag vhost
     - [ ] Gitea vhost
     - [ ] Miniflux vhost
 *** TODO PHP [0/1] [0%]
     - [ ] Php-fpm
 *** TODO PostgreSQL [0/1] [0%]
     - [ ] Restore DBs
-*** DONE ACME [2/3] [66%]
+*** DONE ACME [3/3] [100%]
     CLOSED: [2019-11-10 Sun 21:47]
     - [X] Obtain certs
     - [X] Automatic renewal
-    - [ ] Generate dhparam
+    - [X] Generate dhparam
 *** TODO Wallabag
 *** TODO Miniflux
 *** TODO Hugo [0/2] [0%]

modules/webstack.nix

@@ -6,6 +6,7 @@
     nginx
     php
     postgresql_11
+    libressl
   ];
 
   services.nginx = {
@@ -16,7 +17,7 @@
     recommendedOptimisation = true;
     sslCiphers = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128";
     sslProtocols = "TLSv1.2 TLSv1.3";
-    #sslDhparam = "/var/lib/dhparams";
+    sslDhparam = "/var/lib/dhparams/nginx.pem";
     commonHttpConfig = ''
       # Add HSTS header with preloading to HTTPS requests.
       # Adding this header to HTTP requests is discouraged
@@ -72,6 +73,9 @@
     };
   };
 
-  security.dhparams.enable = true;
+  security.dhparams = {
+    enable = true;
+    params = { nginx.bits = 2048; };
+  };
 
 }