diff --git a/nixos/common/openssh.nix b/nixos/common/openssh.nix
index 9f35b39f..0fcc19ee 100644
--- a/nixos/common/openssh.nix
+++ b/nixos/common/openssh.nix
@@ -11,11 +11,13 @@
 
 # Use key exchange algorithms recommended by `nixpkgs#ssh-audit`
 settings.KexAlgorithms = [
+ "mlkem768x25519-sha256"
+ "sntrup761x25519-sha512"
+ "sntrup761x25519-sha512@openssh.com"
 "curve25519-sha256"
 "curve25519-sha256@libssh.org"
 "diffie-hellman-group16-sha512"
 "diffie-hellman-group18-sha512"
- "sntrup761x25519-sha512@openssh.com"
 ];
 # Only allow system-level authorized_keys to avoid injections.
 # We currently don't enable this when git-based software that relies on this is enabled.
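Review bot: The two unsuffixed names added at the top of `settings.KexAlgorithms`, `mlkem768x25519-sha256` and `sntrup761x25519-sha512`, are only recognised by OpenSSH 9.9 and later, and sshd rejects a configuration that names a key exchange algorithm it does not know. A host still pinned to an older openssh package would therefore presumably fail its config check or fail to restart sshd, so the minimum version is worth stating next to the list, e.g. `# mlkem768x25519-sha256 and sntrup761x25519-sha512 require OpenSSH >= 9.9`. Moving the hybrid post-quantum entries to the front also does not make the server prefer them, because SSH negotiation selects the first algorithm in the client's list that the server also offers. Clients that list curve25519 first will still negotiate it while the classical entries remain, and the comment above the list could say that the order is informational. The attribute set around this list starts and ends outside the hunk.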