A complete Go development environment for Nix.
Toolchains, tools, and builders — pure, reproducible, and auto-updated.
- 100+ Go versions — from 1.17 to latest, including release candidates, updated within 4 hours of a new release on go.dev.
- No stale
vendorHash— dependencies are pinned per-module with NAR hashes. Change a dep, re-rungovendor. No hash archaeology. - Workspace support — build multi-module
go.workmonorepos reproducibly. NeitherbuildGoModulenor gomod2nix can do this. - Go tools pinned to your toolchain — govulncheck, gopls, golangci-lint, and more, updated within 6 hours of release and version-locked to your selected Go version with a clear error if incompatible.
- Private modules — standard Go authentication via
.netrc, no custom infrastructure required.
nix run github:purpleclay/go-overlay -- version
# go version go1.26.2 linux/amd64The template bootstraps a new project with a dev shell, builder, and drift detection pre-configured:
nix flake new -t github:purpleclay/go-overlay my-app
cd my-app && nix developThe workspace template bootstraps a minimal multi-module monorepo with a dev shell, builder, and drift detection pre-configured:
nix flake new -t github:purpleclay/go-overlay#workspace my-monorepo
cd my-monorepo && nix developAdd go-overlay to your flake.nix inputs and apply the overlay:
{
inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
flake-utils.url = "github:numtide/flake-utils";
go-overlay.url = "github:purpleclay/go-overlay";
};
outputs = { nixpkgs, flake-utils, go-overlay, ... }:
flake-utils.lib.eachDefaultSystem (system:
let
pkgs = import nixpkgs {
inherit system;
overlays = [ go-overlay.overlays.default ];
};
in { ... }
);
}Tip
Not using flakes? See the traditional Nix installation guide.
govendor generates and maintains the dependency manifest used during builds:
devShells.default = pkgs.mkShell {
buildInputs = [
go-overlay.packages.${system}.govendor
];
};govendorThis creates a govendor.toml with NAR hashes for all dependencies. Commit it to your repository.
Important
Re-run govendor whenever you add, remove, or upgrade a dependency. Use govendor --check in CI to catch drift before it reaches production.
Create a default.nix file to define your package:
{ pkgs, go }:
pkgs.buildGoApplication {
inherit go;
pname = "my-app";
version = "0.1.0";
src = ./.;
modules = ./govendor.toml;
}Then wire it into your flake.nix outputs:
let
go = pkgs.go-bin.fromGoMod ./go.mod;
in {
packages.default = pkgs.callPackage ./default.nix { inherit go; };
}Tip
fromGoMod auto-selects the Go version from your go.mod. For other version selection options, see the reference guide.
And then build it:
nix buildThat's it. No stale vendorHash to fix after every dependency change. 👋
Not sure how to configure a specific feature? Each example is a self-contained, buildable project — find the pattern you need and use it as a starting point.
| Example | Features |
|---|---|
| hello-world | stdlib-only, no manifest |
| http-chi-server | External deps, modules |
| cobra-cli | ldflags, subPackages, doCheck, version injection |
| cross-compile | GOOS, GOARCH, CGO_ENABLED |
| build-tags | tags parameter |
| local-replaces | Local replace directives, localReplaces |
| oapi-codegen | tool directive, preBuild code generation |
| sqlc-codegen | nativeBuildInputs, preBuild code generation |
| vendored | Committed vendor/ directory |
| go-workspace | buildGoWorkspace, go.work, subPackages |
| go-workspace-inferred | buildGoWorkspace, inferred go.work |
| go-workspace-vendored | buildGoWorkspace, committed vendor/ |
| wasm-build | mkVendorEnv + stdenv.mkDerivation |
| nixpkgs-build-go-module | buildGoModule.override with go-overlay toolchain |
Build or run any example directly:
# pattern: nix build .#example-<name>
nix build .#example-cobra-cli
nix run .#example-cobra-cliEvery Go toolchain derivation includes version-locked tools — gopls, golangci-lint, govulncheck, delve, and more — pinned to your selected Go version and updated within 6 hours of a new release.
Add them all to your dev shell with a single attribute:
let
go = pkgs.go-bin.fromGoMod ./go.mod;
in {
devShells.default = pkgs.mkShell {
buildInputs = [
go.withDefaultTools
];
};
}For selecting specific tools or pinning versions, see the Go Tools reference.
Use cachix/git-hooks.nix to check for manifest drift on commit:
let
pre-commit-check = git-hooks.lib.${system}.run {
src = ./.;
hooks.govendor = {
enable = true;
name = "govendor";
entry = "${go-overlay.packages.${system}.govendor}/bin/govendor --check";
files = "(^|/)go\\.(mod|work)$";
pass_filenames = true;
};
};
in {
devShells.default = pkgs.mkShell {
inherit (pre-commit-check) shellHook;
buildInputs = pre-commit-check.enabledPackages;
};
}Private modules require two things: bypassing the public proxy, and credentials to authenticate with the private host. Set GOPRIVATE to route around the proxy and netrcFile to provide credentials:
Tip
GOPRIVATE implicitly sets GONOPROXY and GONOSUMDB — you only need to set all three explicitly if you require different values for each.
{ pkgs, go }:
pkgs.buildGoApplication {
inherit go;
pname = "myapp";
version = "1.0.0";
src = ./.;
modules = ./govendor.toml;
netrcFile = "${builtins.getEnv "HOME"}/.netrc";
GOPRIVATE = "<your-private-host>/*";
}Note
builtins.getEnv "HOME" reads the host environment to locate ~/.netrc — this is why --impure is required. The file contents are read at eval time and passed into the build sandbox. Credentials are not stored in the repo. If you prefer to keep a .netrc inside the source root, consider encrypting it with git-crypt or sops-nix.
nix build --impureCaution
The .netrc contents are embedded in the derivation, which is stored in the Nix store. The Nix store is world-readable by default.
- reference.md — Full option tables for all builder functions, library functions, and traditional Nix installation.
- govendor-toml-v2.md —
govendor.tomlschema reference. - migrating.md — Migration guides from gomod2nix and buildGoModule.
The go-overlay logo was generated using Google Gemini. The Go gopher was originally designed by Renee French and is licensed under CC BY 4.0. The Nix snowflake is a trademark of the NixOS Foundation. This project is not affiliated with the Go project, the NixOS Foundation, or Google.