diff --git a/hosts/jabber/default.nix b/hosts/jabber/default.nix
index 909ba91c..fbe914c6 100644
--- a/hosts/jabber/default.nix
+++ b/hosts/jabber/default.nix
@@ -38,17 +38,23 @@ in
 };
 };
 
- security.acme.certs."${domain}" = {
- extraDomainNames = [
- "chat.c3d2.de"
- "*.${domain}"
- ];
- # DynDNS method
- dnsProvider = "rfc2136";
- credentialsFile = config.sops.secrets."acme/credentials-file".path;
- reloadServices = [ "prosody" ];
- # Make keys accessible by putting them in prosody's group
- inherit (config.services.prosody) group;
+ security = {
+ acme.certs."${domain}" = {
+ extraDomainNames = [
+ "chat.c3d2.de"
+ "*.${domain}"
+ ];
+ # DynDNS method
+ dnsProvider = "rfc2136";
+ credentialsFile = config.sops.secrets."acme/credentials-file".path;
+ reloadServices = [ "prosody" ];
+ # Make keys accessible by putting them in prosody's group
+ inherit (config.services.prosody) group;
+ };
+ dhparams = {
+ enable = true;
+ params.prosody = { };
+ };
 };
 
 services = {
@@ -111,17 +117,7 @@ in
 ssl = {
 key = "/var/lib/acme/${domain}/key.pem";
 cert = "/var/lib/acme/${domain}/fullchain.pem";
- # Some TLS hardening we've had on the old setup, probably to
- # defend against downgrading attacks.
- extraOptions.options = [
- "no_sslv2"
- "no_sslv3"
- "no_ticket"
- "no_compression"
- "cipher_server_preference"
- "single_dh_use"
- "single_ecdh_use"
- ];
+ dhparam = config.security.dhparams.params.nginx.path;
 };
 
 c2sRequireEncryption = true;
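Review bot: The DH parameter set declared here is `params.prosody = { };`, but the consumer added in the second hunk reads `config.security.dhparams.params.nginx.path`, so the name does not match what this hunk generates. Unless an nginx entry is declared elsewhere in this host, that attribute will not exist at evaluation time, and if it does exist Prosody would be handed parameters generated for another service. The reference in the second hunk should be `dhparam = config.security.dhparams.params.prosody.path;`. `params.prosody = { };` also leaves the key size at the module default (`bits`, falling back to `security.dhparams.defaultBitSize`); if a particular size is intended for this service it should be set explicitly here.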
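Review bot: Dropping the `extraOptions.options` list removes `no_ticket`, `no_compression` and `cipher_server_preference` with nothing replacing them, while the added `dhparam` line only supplies DH parameters; the two settings are independent, so supplying dhparams does not require deleting the option list. The SSLv2/SSLv3 entries are likely redundant with current OpenSSL/LuaSec defaults, but session tickets, compression and cipher-order preference are not enforced by default, so the downgrade-hardening the removed comment describes is silently lost. Suggest keeping `extraOptions.options = [ "no_ticket" "no_compression" "cipher_server_preference" ];` next to `dhparam`, or recording in the commit message why these are considered unnecessary now. The `ssl` attribute set is fully within the hunk, but the enclosing `services.prosody` block starts before and ends after it.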