diff --git a/roles/misc/dhparams/defaults/main.yml b/roles/misc/dhparams/defaults/main.yml
new file mode 100644
index 0000000..d54388e
--- /dev/null
+++ b/roles/misc/dhparams/defaults/main.yml
@@ -0,0 +1,6 @@
+---
+
+dhparams_local_path: "credentials/{{ inventory_hostname }}/dhparams"
+dhparams_remote_path: "/etc/dhparams"
+
+dhparams_size: 4096
diff --git a/roles/misc/dhparams/meta/main.yml b/roles/misc/dhparams/meta/main.yml
new file mode 100644
index 0000000..611d474
--- /dev/null
+++ b/roles/misc/dhparams/meta/main.yml
@@ -0,0 +1,3 @@
+---
+
+allow_duplicates: no
diff --git a/roles/misc/dhparams/tasks/main.yml b/roles/misc/dhparams/tasks/main.yml
new file mode 100644
index 0000000..aef69c9
--- /dev/null
+++ b/roles/misc/dhparams/tasks/main.yml
@@ -0,0 +1,16 @@
+---
+
+# Generate locally because of more randomness & faster generation
+- name: Generate dh params locally
+ command: openssl dhparam -out {{ dhparams_local_path | quote }} {{ dhparams_size }}
+ args:
+ creates: "{{ dhparams_local_path }}"
+ delegate_to: localhost
+
+- name: Upload dh params to remote
+ copy:
+ src: "{{ dhparams_local_path }}"
+ dest: "{{ dhparams_remote_path }}"
+ owner: root
+ group: root
+ mode: u=rw,g=r,o=r
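Review bot: `dhparams_local_path` defaults to a relative path, and the role uses it two ways that do not necessarily resolve it the same. The delegated `command` task writes it relative to the controller's working directory, while `copy: src` looks a relative path up through the role and playbook search path. Unless `ansible-playbook` is always started from the playbook directory, the upload may not find the file that was just generated. Anchoring the default would remove the ambiguity, for example `dhparams_local_path: "{{ playbook_dir }}/credentials/{{ inventory_hostname }}/dhparams"` (or `inventory_dir`, whichever matches this repository's layout). A short comment above `dhparams_size` stating that it is the prime length in bits passed to `openssl dhparam` would also help anyone overriding it.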
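Review bot: `allow_duplicates: no` depends on YAML 1.1 truthy parsing, so I would write it canonically as `allow_duplicates: false`, which is what yamllint's `truthy` rule expects. This is also Ansible's default for roles, so the line documents intent rather than changing behaviour.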
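Review bot: Nothing in this task file creates the parent directory of `dhparams_local_path` on the controller before `openssl dhparam -out` writes to it. Unless another role has already created `credentials/<host>/`, the first run for a new host will probably fail; a delegated `file` task ahead of the generation step covers that. If the play runs with `become`, the delegated tasks may also need `become: false` so they do not require root on the controller. Separately, `creates:` only tests that the file exists, so raising `dhparams_size` later will not regenerate the parameters, and a truncated file left by an interrupted run would presumably be uploaded as is. Consider encoding the size in the local file name or validating the file before the `copy`.

```yaml
- name: Ensure local dh params directory exists
  file:
    path: "{{ dhparams_local_path | dirname }}"
    state: directory
  delegate_to: localhost

# … unchanged: Generate dh params locally, Upload dh params to remote …
```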