{
  description = "Grafana Auth proxy using Tailscale Auth";

  inputs = {
    nixpkgs.url = "nixpkgs/nixos-unstable";
    utils.url = "github:numtide/flake-utils";
  };

  outputs = { self, nixpkgs, utils }:
    utils.lib.eachSystem [
      "x86_64-linux"
      "aarch64-linux"
      "x86_64-darwin"
      "aarch64-darwin"
    ] (system:
      let
        pkgs = nixpkgs.legacyPackages.${system};
        version = builtins.substring 0 8 self.lastModifiedDate;
      in {
        defaultPackage = pkgs.buildGoModule {
          pname = "grafanauth";
          inherit version;
          src = builtins.path {
            path = ./.;
            name = "grafanauth";
          };

          CGO_ENABLED = "0";

          # This hash locks the dependencies of this package. It is
          # necessary because of how Go requires network access to resolve
          # VCS.  See https://www.tweag.io/blog/2021-03-04-gomod2nix/ for
          # details. Normally one can build with a fake sha256 and rely on native Go
          # mechanisms to tell you what the hash should be or determine what
          # it should be "out-of-band" with other tooling (eg. gomod2nix).
          # To begin with it is recommended to set this, but one must
          # remeber to bump this hash when your dependencies change.
          #vendorSha256 = pkgs.lib.fakeSha256;
          vendorSha256 = "sha256-nPtSpqIXB75PYsMoULIxFRPbRxxfn2CqzVE3Mb7/1Jg=";
        };

        defaultApp = utils.lib.mkApp { drv = self.defaultPackage.${system}; };

        devShell = pkgs.mkShell {
          buildInputs = with pkgs; [ go gopls go-tools gotools ];
        };
      });
}