From 9d0c9e5bdf2f786effb22ef6bdf57a917755aa5f Mon Sep 17 00:00:00 2001
From: coolneng
Date: Thu, 14 Nov 2019 00:31:39 +0100
Subject: [PATCH] Generate dhparams for SSL

---
 Timeline.org | 5 ++---
 modules/webstack.nix | 8 ++++++--
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/Timeline.org b/Timeline.org
index 4b682c8..d1a8ed4 100644
--- a/Timeline.org
+++ b/Timeline.org
@@ -42,18 +42,17 @@
 *** IN-PROGRESS Nginx [2/5] [40%]
 - [X] Radicale reverse proxy
 - [X] Syncthing reverse proxy
- - [ ] Wallabag vhost
 - [ ] Gitea vhost
 - [ ] Miniflux vhost
 *** TODO PHP [0/1] [0%]
 - [ ] Php-fpm
 *** TODO PostgreSQL [0/1] [0%]
 - [ ] Restore DBs
-*** DONE ACME [2/3] [66%]
+*** DONE ACME [3/3] [100%]
 CLOSED: [2019-11-10 Sun 21:47]
 - [X] Obtain certs
 - [X] Automatic renewal
- - [ ] Generate dhparam
+ - [X] Generate dhparam
 *** TODO Wallabag
 *** TODO Miniflux
 *** TODO Hugo [0/2] [0%]
diff --git a/modules/webstack.nix b/modules/webstack.nix
index 97f895a..c4355cb 100644
--- a/modules/webstack.nix
+++ b/modules/webstack.nix
@@ -6,6 +6,7 @@
 nginx
 php
 postgresql_11
+ libressl
 ];
 
 services.nginx = {
@@ -16,7 +17,7 @@
 recommendedOptimisation = true;
 sslCiphers = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128";
 sslProtocols = "TLSv1.2 TLSv1.3";
- #sslDhparam = "/var/lib/dhparams";
+ sslDhparam = "/var/lib/dhparams/nginx.pem";
 commonHttpConfig = ''
 # Add HSTS header with preloading to HTTPS requests.
 # Adding this header to HTTP requests is discouraged
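Review bot: The `libressl` entry added to environment.systemPackages in this hunk is not referenced anywhere else in the patch, and as far as I can tell the security.dhparams module enabled later in this commit generates its parameter files with its own openssl dependency rather than with whatever is in the system profile. If the package was added for manual inspection of certificates or parameters, a trailing comment saying so would stop the next reader from assuming the dhparams feature depends on it, e.g. `libressl # CLI only; dhparams are generated by the security.dhparams module`. Otherwise it looks like it can be dropped, which also avoids shipping a second TLS library alongside the one nginx links against.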
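Review bot: The new sslDhparam line hard-codes `/var/lib/dhparams/nginx.pem`, which duplicates a location the security.dhparams module derives from its own state directory; if that module's path or stateful setting is ever changed, nginx keeps pointing at a missing file and ssl_dhparam fails at startup with no link back to the cause. Pointing at the module's computed location keeps the two in sync: `sslDhparam = config.security.dhparams.params.nginx.path;` (this needs `config` in the module's argument list, which is outside the hunk, if it is not already there). The DHE-* suites in the sslCiphers line above are what make this file load-bearing; with an ECDHE-only list it would be dead configuration, so a one-line comment tying the two together would help whoever next prunes the cipher list.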
@@ -72,6 +73,9 @@
 };
 };
 
-security.dhparams.enable = true;
+security.dhparams = {
+enable = true;
+params = { nginx.bits = 2048; };
+};
 }
 
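Review bot: `nginx.bits = 2048` in the new params block carries no comment, and 2048 is the smallest size current guidance still accepts for finite-field DH, so a reader cannot tell whether it was chosen deliberately or copied from an example; suggest `nginx.bits = 2048; # minimum acceptable; raise if generation time on this host allows`. Generation in the module's stateful mode happens at activation and a 2048-bit group can take minutes on a small host, so the first deploy after this change should confirm that nginx comes up only after the parameter file exists (the module is meant to order its generation unit before the service of the same name, but that is inferred, not visible here). The enclosing attrset this block sits in starts outside the hunk.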