nmattia / niv

Easy dependency management for Nix projects

Home Page: https://github.com/nmattia/niv


source.json interpolation with environment variables

yaitskov opened this issue · comments

I spent a few days integrating a cascade of CI for several projects on GitLab.

The issue is ssh authentication. Every git repo is private.
GitLab has a hack: a special user with a token.

So if sources.json, instead of:

{
  "private-dep": {
    "branch": "master",
    "repo": "ssh://git@gitlab.com/company/private-dep.git",
    "rev": "ed73d970fd13b009ca5829f6b8c1c936c7221032",
    "type": "git"
  },

would contain the following:

"repo": "ssh://gitlab-ci-token:$CI_JOB_TOKEN@gitlab.com/company/private-dep.git",

then there is no hassle with ssh keys at all.

Some expression language (mustache?) supporting environment variables would help here a lot.

"repo": "ssh://git$([ -n "$CI_JOB_TOKEN" ] && echo "lab-ci-token:$CI_JOB_TOKEN")@gitlab.com/company/private-dep.git",

That sounds like a good idea. Maybe we can even unify this with the "template" feature used in e.g. URL templates (where <foo> in a string is replaced with the value of the foo attribute).

Some expression language (mustache?) supporting environment variables would help here a lot.

I would be hesitant to bring any expression language during the nix evaluation. It would add that language as a dependency to every niv user.

Then the next idea is to implement the interpreter for the expression language in nix itself. That seems like a project in itself.

My proposal to solve this problem would be to add a system of mirrors to niv and upgrade the template feature to support environment variables.
In your case, the first mirror would be the regular URL ssh://git@gitlab.com/company/private-dep.git and the second would be the modified URL for the gitlab-ci ssh://gitlab-ci-token:<CI_JOB_TOKEN>@gitlab.com/company/private-dep.git.
The biggest uncertainty of this approach is that we need to change each fetcher to support mirrors since I don't think we can do it generically in nix.
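As an added example (not niv's own code), here is how the mirror-plus-template idea from this comment could be evaluated in plain Nix: each `<VAR>` placeholder is filled from the environment, and the first mirror whose variables are all set is used. The `mirrors` attribute, the `<VAR>` syntax and the sample entry are assumptions; mirrors are listed in preference order, so the token URL comes first and the plain ssh URL is the fallback.

```nix
# Added example, not niv's code: the `mirrors` list and `<VAR>` syntax are
# assumed, and the entry below is a constructed sources.json-style record.
let
  entry = {
    type = "git";
    branch = "master";
    rev = "ed73d970fd13b009ca5829f6b8c1c936c7221032";
    mirrors = [
      "ssh://gitlab-ci-token:<CI_JOB_TOKEN>@gitlab.com/company/private-dep.git"
      "ssh://git@gitlab.com/company/private-dep.git"
    ];
  };

  # Names referenced as <NAME> in a template string.
  placeholders = s:
    let parts = builtins.split "<([A-Za-z_][A-Za-z0-9_]*)>" s;
    in map builtins.head (builtins.filter builtins.isList parts);

  # A mirror is usable only if every placeholder resolves to a non-empty
  # variable. builtins.getEnv yields "" for unset variables and under
  # --pure-eval, so the token mirror is simply skipped in those cases.
  resolvable = s:
    builtins.all (n: builtins.getEnv n != "") (placeholders s);

  # Replace each <NAME> with the value of the environment variable NAME.
  interpolate = s:
    let names = placeholders s;
    in builtins.replaceStrings
         (map (n: "<${n}>") names)
         (map builtins.getEnv names)
         s;

  usable = builtins.filter resolvable entry.mirrors;

  # First usable mirror wins; fail loudly rather than fetching nothing.
  repo =
    if usable == [ ] then throw "private-dep: no usable mirror"
    else interpolate (builtins.head usable);
in
# The token never has to be written into sources.json; it only exists in
# the CI job's environment at evaluation time.
builtins.fetchGit { url = repo; ref = entry.branch; inherit (entry) rev; }
```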

Specifically for HTTP fetches, libcurl reads the user's ~/.netrc file for basic auth type credentials. Maybe Git is also respecting that file?

I'm thinking in terms of addressing the underlying issue.