# Credit https://git.pvv.ntnu.no/oysteikt 2026

{
  openssh,
  fetchurl,
  lib
}:

openssh.overrideAttrs (prev: rec {
  # Old crypto was removed in v10.0
  version = "9.9p2";
  src = fetchurl {
    url = "mirror://openbsd/OpenSSH/portable/openssh-${version}.tar.gz";
    hash = "sha256-karbYD4IzChe3fll4RmdAlhfqU2ZTWyuW0Hhch4hVnM=";
  };

  configureFlags = prev.configureFlags ++ [
    "--enable-dsa-keys"
  ];

  # Broken patches, meant for 10.3p :p
  patches = lib.filter (x: !(lib.any (suf: lib.hasSuffix suf (baseNameOf x)) [
    "dont_create_privsep_path.patch"
    "pkcs11-fix-pinentry.patch"
    "pkcs11-tests-allow-module-path.patch"
    "ssh-agent-tests-increase-timeout.patch"
  ])) prev.patches;

  # We actually needed the `dont_create_privsep_path` one :3
  postPatch = prev.postPatch + ''
    substituteInPlace Makefile.in \
      --replace-fail '$(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)' '''
  '';

  # Tihi
  doInstallCheck = false;
  postFixup = ''
    rm -rf $out/libexec $out/etc
    rm $out/bin/ssh-* $out/bin/sshd $out/bin/sftp
    cd $out/bin
    for filename in *; do mv {,old}"$filename"; done;
  '';
})