diff --git a/.envrc b/.envrc
index 51aa811..a75b02f 100644
--- a/.envrc
+++ b/.envrc
@@ -3,5 +3,5 @@ if type -P lorri &>/dev/null; then
   eval "$(lorri direnv)"
   echo 'while direnv evaluated .envrc, could not find the command "lorri" []'
-  use flake
+  use nix
diff --git a/default.nix b/default.nix
index 2cccff2..fd92a90 100644
--- a/default.nix
+++ b/default.nix
@@ -1,10 +1,33 @@
-  (
-    let lock = builtins.fromJSON (builtins.readFile ./flake.lock); in
-    fetchTarball {
-      url = "${lock.nodes.flake-compat.locked.rev}.tar.gz";
-      sha256 = lock.nodes.flake-compat.locked.narHash;
-    }
-  )
-  { src = ./.; }
+  sources = import ./npins;
+  pkgs = import sources.nixpkgs {
+    overlays = [
+      (import "${sources.gomod2nix}/overlay.nix")
+    ];
+  };
+  pre-commit-hooks = import sources.pre-commit-hooks;
+  pre-commit-check = {
+    src = ./.;
+    hooks = {
+      go-mod-tidy = {
+        enable = true;
+        name = "go-mod-tidy";
+        description = "Run `go mod tidy`";
+        types_or = [ "go" "go-mod" ];
+        entry = "${pkgs.go}/bin/go mod tidy";
+        pass_filenames = false;
+      };
+      gomod2nix = {
+        enable = true;
+        name = "gomod2nix";
+        description = "Import go.mod updates to nix";
+        types_or = [ "go-sum" ];
+        entry = "${pkgs.gomod2nix}/bin/gomod2nix --outdir nix";
+        pass_filenames = false;
+      };
+    };
+  };
diff --git a/justfile b/justfile
index 22503ee..306ef26 100755
--- a/justfile
+++ b/justfile
@@ -1,9 +1,5 @@
-#! /usr/bin/env -S nix develop . --command just --justfile
-fly-system := "x86_64-linux"
-fly-registry := ""
-docker-tag := env_var_or_default("DOCKER_TAG", `date +%Y%m%d%H%M%S` + "-" + `git rev-parse --short HEAD`)
-started-at := `date +%s`
+#! /usr/bin/env nix-shell
+#! nix-shell -i "just --justfile"
     @just --list --justfile {{ justfile() }} --unsorted
@@ -11,9 +7,6 @@ default:
 	rm -r website
-    nix flake check . --print-build-logs
     nix run nixpkgs#go-licenses check ./...
@@ -21,48 +14,16 @@ check-links:
 	hyperlink website/public
+	npin update
     go get -u all
     gomod2nix --outdir nix
-    nix flake update
-watch-flake command:
-    watchexec --restart -w flake.nix -w flake.lock direnv exec . {{ command }}
     go run ./cmd/build
-nix-build what:
-    nix build .#{{ what }}
 	systemfd -s http::3000 -- modd
-docker-stream system=(arch() + "-linux"):
-    @nix build --print-out-paths .#docker-stream-{{ system }} | sh
-docker-image system=(arch() + "-linux"):
-    nix build .#docker-image-{{ system }}
-    just docker-stream {{ fly-system }}
-docker-image-fly: (docker-image fly-system)
-docker-inspect image-path="result":
-    skopeo inspect docker-archive:{{ image-path }}
-    @echo {{ fly-registry }}:{{ docker-tag }}
-stream-to-registry :
-    just docker-stream-fly | gzip --fast | skopeo copy --dest-precompute-digests docker-archive:/dev/stdin docker://{{ fly-registry }}:{{ docker-tag }}
-    skopeo copy --dest-precompute-digests docker-archive://`readlink -f result`  docker://{{ fly-registry }}:{{ docker-tag }}
-deploy-fly registry-and-tag=(fly-registry + ":" + docker-tag):
-    fly deploy --image {{ registry-and-tag }}
 deploy-vercel-preview: clean build
 	vercel pull --environment=preview
 	vercel deploy
diff --git a/npins/default.nix b/npins/default.nix
new file mode 100644
index 0000000..5e7d086
--- /dev/null
+++ b/npins/default.nix
@@ -0,0 +1,80 @@
+# Generated by npins. Do not modify; will be overwritten regularly
+  data = builtins.fromJSON (builtins.readFile ./sources.json);
+  version = data.version;
+  mkSource =
+    spec:
+    assert spec ? type;
+    let
+      path =
+        if spec.type == "Git" then
+          mkGitSource spec
+        else if spec.type == "GitRelease" then
+          mkGitSource spec
+        else if spec.type == "PyPi" then
+          mkPyPiSource spec
+        else if spec.type == "Channel" then
+          mkChannelSource spec
+        else
+          builtins.throw "Unknown source type ${spec.type}";
+    in
+    spec // { outPath = path; };
+  mkGitSource =
+    {
+      repository,
+      revision,
+      url ? null,
+      hash,
+      branch ? null,
+      ...
+    }:
+    assert repository ? type;
+    # At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository
+    # In the latter case, there we will always be an url to the tarball
+    if url != null then
+      (builtins.fetchTarball {
+        inherit url;
+        sha256 = hash; # FIXME: check nix version & use SRI hashes
+      })
+    else
+      assert repository.type == "Git";
+      let
+        urlToName =
+          url: rev:
+          let
+            matched = builtins.match "^.*/([^/]*)(\\.git)?$" repository.url;
+            short = builtins.substring 0 7 rev;
+            appendShort = if (builtins.match "[a-f0-9]*" rev) != null then "-${short}" else "";
+          in
+          "${if matched == null then "source" else builtins.head matched}${appendShort}";
+        name = urlToName repository.url revision;
+      in
+      builtins.fetchGit {
+        url = repository.url;
+        rev = revision;
+        inherit name;
+        # hash = hash;
+      };
+  mkPyPiSource =
+    { url, hash, ... }:
+    builtins.fetchurl {
+      inherit url;
+      sha256 = hash;
+    };
+  mkChannelSource =
+    { url, hash, ... }:
+    builtins.fetchTarball {
+      inherit url;
+      sha256 = hash;
+    };
+if version == 3 then
+  builtins.mapAttrs (_: mkSource) data.pins
+  throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`"
diff --git a/npins/sources.json b/npins/sources.json
new file mode 100644
index 0000000..4aaef0d
--- /dev/null
+++ b/npins/sources.json
@@ -0,0 +1,41 @@
+  "pins": {
+    "gomod2nix": {
+      "type": "Git",
+      "repository": {
+        "type": "GitHub",
+        "owner": "tweag",
+        "repo": "gomod2nix"
+      },
+      "branch": "master",
+      "revision": "31b6d2e40b36456e792cd6cf50d5a8ddd2fa59a1",
+      "url": "",
+      "hash": "0b8cmc8dk34pgcac5s1jvryfcn8kyhbzhh1i22rzv5kf00f09lhb"
+    },
+    "nixpkgs": {
+      "type": "Git",
+      "repository": {
+        "type": "GitHub",
+        "owner": "NixOS",
+        "repo": "nixpkgs"
+      },
+      "branch": "nixpkgs-unstable",
+      "revision": "e6cea36f83499eb4e9cd184c8a8e823296b50ad5",
+      "url": "",
+      "hash": "13xygz94ax0c63kn59pdlscl2pm6srqn0vfw7r4fvsmassj87mar"
+    },
+    "pre-commit-hooks": {
+      "type": "Git",
+      "repository": {
+        "type": "GitHub",
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix"
+      },
+      "branch": "master",
+      "revision": "cc4d466cb1254af050ff7bdf47f6d404a7c646d1",
+      "url": "",
+      "hash": "1gl1bdnv533jyvj12dfyg8q5haprapswnn7hbpikb2qbnnwc2xzd"
+    }
+  },
+  "version": 3
\ No newline at end of file
diff --git a/shell.nix b/shell.nix
index d2c4c45..17cd5ce 100644
--- a/shell.nix
+++ b/shell.nix
@@ -1,3 +1,36 @@
-{ system ? builtins.currentSystem }:
+{ pkgs ? (
+    let
+      sources = import ./npins;
+    in
+    import sources.nixpkgs {
+      overlays = [
+        (import "${sources.gomod2nix}/overlay.nix")
+      ];
+    }
+  )
+  goEnv = pkgs.mkGoEnv { pwd = ./.; };
+  inherit (import ./.) pre-commit-check;
+pkgs.mkShell {
+  inherit (pre-commit-check) shellHook;
+  packages = with pkgs; [
+    goEnv
-(builtins.getFlake (toString ./.)).devShells.${system}.default
+    npins
+    gopls
+    gotools
+    go-tools
+    gci
+    hyperlink
+    systemfd
+    just
+    modd
+    skopeo
+    flyctl
+    nodePackages.vercel
+    netlify-cli
+  ];