{
  description = "eBPF sandbox";

  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-unstable";
    flake-utils.url = "github:numtide/flake-utils";
  };

  outputs = inputs: inputs.flake-utils.lib.eachDefaultSystem (system:
    let
      pkgs = inputs.nixpkgs.legacyPackages.${system};

      mkEbpfProg = name: src: pkgs.clangStdenv.mkDerivation {
        name = "ebpf-${name}";
        inherit src;
        hardeningDisable = [ "stackprotector" "zerocallusedregs" ];
        dontFixup = true;
        buildInputs = with pkgs; [ libbpf ];

        buildPhase = ''
          clang -O2 -target bpf -g -c ${src}/main.c -o $out
        '';
      };
    in
    {
      packages = {
        dropworld = mkEbpfProg "dropworld" ./dropworld;
        tcpfilter = mkEbpfProg "tcpfilter" ./tcpfilter;
      };

      devShells.default = pkgs.mkShell {
        buildInputs = with pkgs; [bpftools bpftop];
      };
    }
  );
}