diff --git a/defaults/main.yml b/defaults/main.yml
index d61e9c8..6f3cda8 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -22,3 +22,6 @@ snippet_files:
 #default_robots_file: 'robots_disallow_all.txt'
+
+
+nginx__dhparam_size: 2048
diff --git a/files/nginx/snippets/tls_parameters.snippet.conf b/files/nginx/snippets/tls_parameters.snippet.conf
index b435d6b..14f69b3 100644
--- a/files/nginx/snippets/tls_parameters.snippet.conf
+++ b/files/nginx/snippets/tls_parameters.snippet.conf
@@ -1,9 +1,9 @@
 ssl_protocols TLSv1.2 TLSv1.3;
 ssl_prefer_server_ciphers on;
+ssl_dhparam /etc/nginx/private/dhparam.pem;
+
 #ssl_stapling on;
 #ssl_stapling_verify on;
 #resolver 8.8.8.8 1.1.1.1 valid=300s;
 #resolver_timeout 3s;
-
-#ssl_dhparam /etc/ssl/private/site.dh;
diff --git a/tasks/nginx.yml b/tasks/nginx.yml
index ebe62a8..7eb9b0b 100644
--- a/tasks/nginx.yml
+++ b/tasks/nginx.yml
@@ -14,16 +14,29 @@
 - nginx
-#- name: Create strong dhparams
-# openssl_dhparam:
-# path: '/etc/nginx/dhparam.pem'
-# size: 4096
-# notify:
-# - Reload nginx
-# tags:
-# - configuration
-# - nginx
-# - dhparam
+- name: Create 'private' directory
+ file:
+ path: '/etc/nginx/private'
+ state: directory
+ owner: root
+ group: root
+ mode: 'u=rwx,g=rx,o=rx'
+ tags:
+ - configuration
+ - nginx
+ - dhparam
+
+
+- name: Create new dhparam of size '{{ nginx__dhparam_size }}'
+ openssl_dhparam:
+ path: '/etc/nginx/private/dhparam.pem'
+ size: '{{ nginx__dhparam_size | mandatory }}'
+ notify:
+ - Reload nginx
+ tags:
+ - configuration
+ - nginx
+ - dhparam
 - name: Create 'sites-available' directory
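Review bot: `nginx__dhparam_size: 2048` is added without a comment, and since 2048 bits is the smallest DH group size still regarded as acceptable while larger values cost minutes of CPU at first deploy, the trade-off should be stated where the default lives. I'd put above it `# Bits of the DH group generated for ssl_dhparam (tasks/nginx.yml, tag dhparam).` and `# 2048 is the current floor; 4096 is stronger but can take several minutes to generate on small hosts.` If the openssl_dhparam module does regenerate an existing file whose size differs from `size` — I believe it checks, but confirm for the collection version in use — the comment should also say that changing this value triggers a regeneration and an nginx reload.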
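Review bot: `ssl_dhparam /etc/nginx/private/dhparam.pem;` is now an unconditional directive, so a host where the generating task did not run (a play limited with `--skip-tags dhparam`, or the snippet installed by some task outside this hunk) fails `nginx -t` on the missing file, where the old commented-out line failed open. That coupling deserves a comment above the directive: `# Generated by tasks/nginx.yml (tag dhparam). Only TLS 1.2 DHE_* suites use it; TLS 1.3 and ECDHE key exchange ignore ssl_dhparam.` Whether a DHE suite can be negotiated at all depends on the `ssl_ciphers` setting, which is not part of this snippet, so the directive may be inert in practice. Shipping it explicitly is still right: as far as I recall, older nginx releases fall back to a built-in 1024-bit group when ssl_dhparam is unset.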
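Review bot: The `openssl_dhparam` task sets no `owner`, `group` or `mode` for `/etc/nginx/private/dhparam.pem`, so the generated file gets the module's umask-derived permissions while the directory task just above pins all three; add `owner: root`, `group: root`, `mode: '0644'` under `openssl_dhparam:` so both are explicit and identical across hosts. DH parameters are public, so 0644 and the directory's `o=rx` are not a leak, but a directory called `private` under /etc/nginx will attract key material later — either name it for what it holds or create it with `mode: 'u=rwx,g=rx,o='` now, which should still work since nginx loads ssl_dhparam as root while parsing the configuration (worth confirming on the target version). The `| mandatory` filter on `size` is redundant now that defaults/main.yml defines the variable; harmless, but it suggests the default might be absent. The `- nginx` context at the top of the hunk belongs to a task that starts outside it, and the `Create 'sites-available' directory` task at the bottom continues past it.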