{
  description = "vrnp";

  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-unstable";
    gitignore = {
      url = "github:hercules-ci/gitignore.nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };

  outputs = { self, nixpkgs, gitignore }:
  let
    system = "x86_64-linux";
    pkgs = nixpkgs.legacyPackages.${system};

    vrnp-static = pkgs.buildGoModule {
      pname = "vrnp";
      version = "0.0.4";
      vendorHash = null;

      # For building the package, we use only the files not ignored by Git as inputs.
      # Also, flake.nix and flake.lock are not included to avoid annoying rebuilds when
      # working on them.
      src = pkgs.lib.cleanSourceWith {
        src = gitignore.lib.gitignoreSource ./.;
        filter = path: type: builtins.baseNameOf path != "flake.nix" && builtins.baseNameOf path != "flake.lock";
      };

      # Avoid linking against libc
      CGO_ENABLED = 0;
    };
  in {
    devShell.${system} = pkgs.mkShellNoCC {
      packages = [
        pkgs.go
        (pkgs.python3.withPackages (ps: with ps; [ pillow ]))
      ];
    };
    packages.${system} = {
      default = vrnp-static;
      image-name = pkgs.runCommand "vrnp-version" {} ''
        echo -n git.pbrinkmeier.de/paul/vrnp:${vrnp-static.version} > $out
      '';
      image = pkgs.dockerTools.buildImage {
        name = "git.pbrinkmeier.de/paul/vrnp";
        tag = vrnp-static.version;
        copyToRoot = pkgs.buildEnv {
          name = "vrnp-root";
          paths = [ vrnp-static pkgs.cacert ];
          pathsToLink = [ "/bin" "/etc" ];
        };
        config.Cmd = [ "${vrnp-static}/bin/vrnp" ];
      };
    };
  };
}