ssh: add generic Match support for matchBlocks (#2992)

* ssh: add generic Match support for matchBlocks

Introduce conservative support for actual `Match`
blocks in ssh config.

"Conservative" means this PR doesn'tt try to process
the `match` expression and simply uses it as a string
provided by the user.

If set, `match` has precedence over `host` meaning
if both are set, `match` is used and `host` is ignored.

* Add news entry

tests/modules/programs/ssh/default.nix

@@ -2,6 +2,7 @@
   ssh-defaults = ./default-config.nix;
   ssh-includes = ./includes.nix;
   ssh-match-blocks = ./match-blocks-attrs.nix;
+  ssh-match-blocks-match-and-hosts = ./match-blocks-match-and-hosts.nix;
 
   ssh-forwards-dynamic-valid-bind-no-asserts =
     ./forwards-dynamic-valid-bind-no-asserts.nix;

tests/modules/programs/ssh/match-blocks-match-and-hosts-expected.conf

@@ -0,0 +1,19 @@
+Host * !github.com
+  Port 516
+Host abc
+  Port 2222
+Match host xyz canonical
+  Port 2223
+
+Host *
+  ForwardAgent no
+  Compression no
+  ServerAliveInterval 0
+  ServerAliveCountMax 3
+  HashKnownHosts no
+  UserKnownHostsFile ~/.ssh/known_hosts
+  ControlMaster no
+  ControlPath ~/.ssh/master-%r@%n:%p
+  ControlPersist no
+
+  

tests/modules/programs/ssh/match-blocks-match-and-hosts.nix

@@ -0,0 +1,32 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+  config = {
+    programs.ssh = {
+      enable = true;
+      matchBlocks = {
+        abc = { port = 2222; };
+
+        xyz = {
+          match = "host xyz canonical";
+          port = 2223;
+        };
+
+        "* !github.com" = { port = 516; };
+      };
+    };
+
+    home.file.assertions.text = builtins.toJSON
+      (map (a: a.message) (filter (a: !a.assertion) config.assertions));
+
+    nmt.script = ''
+      assertFileExists home-files/.ssh/config
+      assertFileContent \
+        home-files/.ssh/config \
+        ${./match-blocks-match-and-hosts-expected.conf}
+      assertFileContent home-files/assertions ${./no-assertions.json}
+    '';
+  };
+}