diff --git a/nixos/modules/security/dhparams.nix b/nixos/modules/security/dhparams.nix
index beac125fc6e0..e2b84c3e3b38 100644
--- a/nixos/modules/security/dhparams.nix
+++ b/nixos/modules/security/dhparams.nix
@@ -4,13 +4,15 @@ let
   inherit (lib) mkOption types;
   cfg = config.security.dhparams;
 
+  bitType = types.addCheck types.int (b: b >= 16) // {
+    name = "bits";
+    description = "integer of at least 16 bits";
+  };
+
   paramsSubmodule = { name, config, ... }: {
     options.bits = mkOption {
-      type = types.addCheck types.int (b: b >= 16) // {
-        name = "bits";
-        description = "integer of at least 16 bits";
-      };
-      default = 2048;
+      type = bitType;
+      default = cfg.defaultBitSize;
       description = ''
         The bit size for the prime that is used during a Diffie-Hellman
         key exchange.
@@ -70,6 +72,11 @@ in {
           existing ones won't be cleaned up. Of course this only applies if
           <option>security.dhparams.stateful</option> is
           <literal>true</literal>.</para></warning>
+
+          <note><title>For module implementers:</title><para>It's recommended
+          to not set a specific bit size here, so that users can easily
+          override this by setting
+          <option>security.dhparams.defaultBitSize</option>.</para></note>
         '';
       };
 
@@ -89,6 +96,16 @@ in {
         '';
       };
 
+      defaultBitSize = mkOption {
+        type = bitType;
+        default = 2048;
+        description = ''
+          This allows to override the default bit size for all of the
+          Diffie-Hellman parameters set in
+          <option>security.dhparams.params</option>.
+        '';
+      };
+
       path = mkOption {
         type = types.str;
         default = "/var/lib/dhparams";
diff --git a/nixos/tests/dhparams.nix b/nixos/tests/dhparams.nix
index da75391e4ce5..d11dfeec5d0c 100644
--- a/nixos/tests/dhparams.nix
+++ b/nixos/tests/dhparams.nix
@@ -54,6 +54,13 @@ in import ./make-test.nix {
     security.dhparams.params.bar2.bits = 19;
   };
 
+  nodes.generation5 = {
+    imports = [ common ];
+    security.dhparams.defaultBitSize = 30;
+    security.dhparams.params.foo3 = {};
+    security.dhparams.params.bar3 = {};
+  };
+
   testScript = { nodes, ... }: let
     getParamPath = gen: name: let
       node = "generation${toString gen}";
@@ -126,5 +133,12 @@ in import ./make-test.nix {
         'expr match ${getParamPath 4 "bar2"} ${builtins.storeDir}',
       );
     };
+
+    ${switchToGeneration 5}
+
+    subtest "check whether defaultBitSize works as intended", sub {
+      ${assertParamBits 5 "foo3" 30}
+      ${assertParamBits 5 "bar3" 30}
+    };
   '';
 }