haproxy: set min tls version to 1.2, generate dhparam file

hosts/public-access-proxy/default.nix

@@ -155,6 +155,11 @@
     1965
   ];
 
+    security.dhparams = {
+      enable = true;
+      params.haproxy = { };
+    };
+
   # DNS records IN AAAA {www.,}c3d2.de point to this host but
   # gemini:// is served on c3d2-web only
   systemd.services.gemini-forward = {

hosts/public-access-proxy/proxy.nix

@@ -109,6 +109,10 @@ in
     services.haproxy = {
       enable = true;
       config = ''
+        global
+          ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
+          ssl-dh-param-file ${config.security.dhparams.params.nginx.path}
+
         defaults
           timeout client 30000
           timeout connect 5000