[PL-133007] implement the D(HE)at Attack mitigation

Since restricting encryption curves might impact compatibility with various clients,
this was made an option for now with the default being on so that it can be turned off
selectively.

changelog.d/20241112_110807_phil-PL-133007_nginx-dheat-mitigation_scriv.md

@@ -0,0 +1,21 @@
+<!--
+
+A new changelog entry.
+
+Delete placeholder items that do not apply. Empty sections will be removed
+automatically during release.
+
+Leave the XX.XX as is: this is a placeholder and will be automatically filled
+correctly during the release and helps when backporting over multiple platform
+branches.
+
+-->
+
+### Impact
+
+- possibly impacts client connectivity to Nginx. Semi-official connectivity testers showed no change for popular clients and/or libraries but cannot cover every single implementation out there
+
+
+### NixOS XX.XX platform
+
+- restrict the Diffie-Hellman elliptic curves offered by Nginx to mitigate CVE-2024-41996

nixos/services/nginx/default.nix

@@ -175,6 +175,14 @@ in
   options.flyingcircus.services.nginx = with lib; {
     enable = mkEnableOption "FC-customized nginx";
 
+    disableDHEATMitigation = lib.mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Disable the suggested mitigations against the D(HE)at Attack
+      '';
+    };
+
     defaultListenAddresses = lib.mkOption {
       type = lib.types.listOf lib.types.str;
       default = fclib.network.fe.dualstack.addressesQuoted;
@@ -454,6 +462,12 @@ in
 
           # === Config from flyingcircus.services.nginx ===
           ${cfg.httpConfig}
+
+          ${lib.optionalString (!cfg.disableDHEATMitigation) ''
+          # mitigate the D(HE)at Attack
+          # see https://dheatattack.gitlab.io/mitigations/
+          ssl_ecdh_curve x25519:secp256r1:x448;
+          ''}
         '';
 
         eventsConfig = ''