diff --git a/modules/programs/ssh.nix b/modules/programs/ssh.nix index c62f37eb6..ce7a700cd 100644 --- a/modules/programs/ssh.nix +++ b/modules/programs/ssh.nix @@ -8,6 +8,8 @@ let yn = flag: if flag then "yes" else "no"; + unwords = builtins.concatStringsSep " "; + matchBlockModule = types.submodule ({ name, ... }: { options = { host = mkOption { @@ -24,6 +26,15 @@ let description = "Specifies port number to connect on remote host."; }; + forwardAgent = mkOption { + default = null; + type = types.nullOr types.bool; + description = '' + Whether the connection to the authentication agent (if any) + will be forwarded to the remote machine. + ''; + }; + forwardX11 = mkOption { type = types.bool; default = false; @@ -81,6 +92,15 @@ let "Set timeout in seconds after which response will be requested."; }; + sendEnv = mkOption { + type = types.listOf types.str; + default = []; + description = '' + Environment variables to send from the local host to the + server. + ''; + }; + compression = mkOption { type = types.nullOr types.bool; default = null; @@ -118,12 +138,14 @@ let matchBlockStr = cf: concatStringsSep "\n" ( ["Host ${cf.host}"] ++ optional (cf.port != null) " Port ${toString cf.port}" + ++ optional (cf.forwardAgent != null) " ForwardAgent ${yn cf.forwardAgent}" ++ optional cf.forwardX11 " ForwardX11 yes" ++ optional cf.forwardX11Trusted " ForwardX11Trusted yes" ++ optional cf.identitiesOnly " IdentitiesOnly yes" ++ optional (cf.user != null) " User ${cf.user}" ++ optional (cf.identityFile != null) " IdentityFile ${cf.identityFile}" ++ optional (cf.hostname != null) " HostName ${cf.hostname}" + ++ optional (cf.sendEnv != []) " SendEnv ${unwords cf.sendEnv}" ++ optional (cf.serverAliveInterval != 0) " ServerAliveInterval ${toString cf.serverAliveInterval}" ++ optional (cf.compression != null) " Compression ${yn cf.compression}" 
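Review bot: The `forwardAgent` description in the second hunk says nothing about the risk of enabling it for a host. Anyone on the remote machine who can reach the forwarded agent socket (root, for instance) can authenticate with the loaded identities for as long as the connection lasts. I would add a sentence to the description such as `Enable only for hosts you trust; users able to access the agent socket on the remote host can use your loaded keys.` The option also lists `default` before `type`, while the neighbouring `forwardX11` and `compression` options put `type` first. The enclosing `matchBlockModule` starts and ends outside the hunk.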
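Review bot: `sendEnv` in the third hunk accepts any string, and the fourth hunk joins the entries with single spaces straight into the `SendEnv` line. An entry containing a space or newline therefore silently becomes several patterns or a stray config line. Tightening the type catches that at evaluation time, for example `type = types.listOf (types.strMatching "[^[:space:]]+");`. The description could also say that entries may be wildcard patterns and that the server only takes them if its `AcceptEnv` allows it, so a broad pattern can hand secrets held in environment variables to a server that accepts them.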
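Review bot: The per-host `ForwardAgent` line added to `matchBlockStr` in the fourth hunk may never take effect, because ssh keeps the first value it obtains for each option and the module's global `forwardAgent` (last hunk, `default = false`) is always set. Where the global line is written relative to the `Host` blocks is not visible in this diff. If it comes first, a match block with `forwardAgent = true` is silently ignored, and a global `yes` could not be switched off per host with `false`, which is the worse case for key exposure. It is worth confirming that the generated file places the `Host` blocks before the global defaults, or wraps the defaults in a trailing `Host *` block. `matchBlockStr` continues past the end of the hunk.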
@@ -144,8 +166,8 @@ in
 default = false;
 type = types.bool;
 description = ''
- Whether connection to authentication agent (if any) will be forwarded
- to remote machine.
+ Whether the connection to the authentication agent (if any)
+ will be forwarded to the remote machine.
 '';
 };