ssh: add kexAlgorithms to matchBlocks

This commit adds the option to add kexAlgorithms as an matchBlock
option with updated test case.

Author: OliverGeneser

modules/programs/ssh.nix

@@ -404,6 +404,18 @@ let
         example = "10m";
         description = "Whether control socket should remain open in the background.";
       };
+
+      kexAlgorithms = mkOption {
+        type = types.nullOr (types.listOf types.str);
+        default = null;
+        example = [
+          "[email protected]"
+          "diffie-hellman-group-exchange-sha256"
+        ];
+        description = ''
+          Specifies the available KEX (Key Exchange) algorithms.
+        '';
+      };
     };
 
     #    config.host = mkDefault dagName;
@@ -451,6 +463,9 @@ let
       ++ map (f: "  LocalForward" + addressPort f.bind + addressPort f.host) cf.localForwards
       ++ map (f: "  RemoteForward" + addressPort f.bind + addressPort f.host) cf.remoteForwards
       ++ map (f: "  DynamicForward" + addressPort f) cf.dynamicForwards
+      ++ optional (
+        cf.kexAlgorithms != null
+      ) "  KexAlgorithms ${builtins.concatStringsSep "," cf.kexAlgorithms}"
       ++ mapAttrsToList (n: v: "  ${n} ${v}") cf.extraOptions
     );
 

tests/modules/programs/ssh/match-blocks-attrs-expected.conf

@@ -13,6 +13,7 @@ Host xyz
   RemoteForward [localhost]:8081 [10.0.0.2]:80
   RemoteForward /run/user/1000/gnupg/S.gpg-agent.extra /run/user/1000/gnupg/S.gpg-agent
   DynamicForward [localhost]:2839
+  KexAlgorithms sntrup761x25519-sha512,[email protected],mlkem768x25519-sha256
 Host ordered
   Port 1
 

tests/modules/programs/ssh/match-blocks-attrs.nix

@@ -34,6 +34,11 @@
               host.address = "/run/user/1000/gnupg/S.gpg-agent";
             }
           ];
+          kexAlgorithms = [
+            "sntrup761x25519-sha512"
+            "[email protected]"
+            "mlkem768x25519-sha256"
+          ];
           dynamicForwards = [ { port = 2839; } ];
           setEnv = {
             FOO = "foo12";