@avnik
Created April 18, 2019 23:44
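# fetchgit variant for private repositories: builds the same derivation as
# `fetchgit args`, but sets GIT_SSH to a wrapper that runs ssh with a
# throw-away config assembled from `config.fetchGitPrivate`.
#
# Configuration read from config.fetchGitPrivate (all optional):
#   identities     - list of { identityFile = ...; } offered to every host.
#   hosts          - attrset keyed by ssh host alias; each value may carry
#                    hostName, port and identityFile.
#   knownHostsFile - opt-in, introduced by this revision: a known_hosts file
#                    to pin server keys. When it is absent the wrapper keeps
#                    the original behaviour (no host key verification).
#
# Security notes:
#   * Pass identityFile / knownHostsFile as absolute path *strings* that the
#     builder can read. A Nix path literal is copied into /nix/store on
#     interpolation, and the store is world-readable, so a private key passed
#     that way is exposed to every local user.
#   * Without knownHostsFile, host keys are not checked, so the connection can
#     be intercepted. The fetchgit output hash still pins the content that is
#     accepted; pinning host keys additionally authenticates the server.
{ fetchgit, writeScript, openssh, stdenv, config}:
with stdenv.lib;
let
  gitConf = config.fetchGitPrivate or {};

  # Per-host entries: the attribute name becomes the ssh `Host` alias and
  # each entry gets a private file name for its key inside the temp dir.
  hosts = mapAttrsToList
    (host: attrs: attrs // { inherit host; identityFileInternal = "identity_host_${host}"; })
    (gitConf.hosts or {});

  # Shared identities, numbered by position in the list.
  identities = imap
    (i: attrs: attrs // { identityFileInternal = "identity_${toString i}"; })
    (gitConf.identities or []);

  # Host key pinning is enabled only when the user supplies a known_hosts file.
  knownHostsFile = gitConf.knownHostsFile or null;
  pinHostKeys = knownHostsFile != null;
in
args: derivation ((fetchgit args).drvAttrs // {
  GIT_SSH = writeScript "fetchgit-ssh" ''
    #! ${stdenv.shell} -e
    # Files created below (private keys, ssh config) must never be readable
    # by group/other, not even between cp and chmod.
    umask 077
    tmpTemplate="''${TMPDIR:-/tmp}/git-checkout-tmp-XXXXXXXX"
    tmpPath="$(mktemp -d "$tmpTemplate")"
    # shellcheck disable=SC2064
    trap "rm -rf \"$tmpPath\"" EXIT
    sshConfig="$tmpPath/ssh_config"
    chmod 0700 "$tmpPath"
    # Copy identity files and fix permissions
    ${concatMapStrings (item: ''
      cp "${item.identityFile}" "$tmpPath/${item.identityFileInternal}"
      chmod 0600 "$tmpPath/${item.identityFileInternal}"
    '') (filter (h: h ? identityFile) hosts ++ identities) }
    ${optionalString pinHostKeys ''
      # Pinned server keys from config.fetchGitPrivate.knownHostsFile
      cp "${knownHostsFile}" "$tmpPath/known_hosts"
      chmod 0600 "$tmpPath/known_hosts"
    ''}
    cat >"$sshConfig" <<EOF
    # Host keys are verified only when knownHostsFile is configured.
    StrictHostKeyChecking ${if pinHostKeys then "yes" else "no"}
    UserKnownHostsFile ${if pinHostKeys then "\"$tmpPath/known_hosts\"" else "/dev/null"}
    # Common identities from config.fetchGitPrivate.identities
    ${concatMapStrings (item: ''
      IdentityFile "$tmpPath/${item.identityFileInternal}"
    '') identities}
    # Per host definitions
    ${concatMapStrings (item: ''
      Host ${item.host}
      ${optionalString (item ? hostName) "HostName ${item.hostName}"}
      ${optionalString (item ? port) "Port ${toString item.port}"}
      ${optionalString (item ? identityFile) "IdentityFile \"$tmpPath/${item.identityFileInternal}\""}
    '') hosts}
    EOF
    # not exec, because we perform some cleanup in trap
    ${openssh}/bin/ssh -F "$sshConfig" "$@"
  '';
})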