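# Nix package for linux-bench, a Go tool that audits a Linux host against the
# CIS Distribution-Independent Linux Benchmark.
{
  lib,
  buildGoModule,
  fetchFromGitea,
  makeWrapper,
  gnugrep,
  iptables,
}:

buildGoModule rec {
  pname = "linux-bench";
  # There is no release tag to track, so the version is a dated snapshot of
  # the pinned `rev` below (presumably its commit date; confirm when bumping).
  version = "0-unstable-2025-01-31";

  # Upstream pin, kept for reference. Re-enabling it also requires adding
  # fetchFromGitHub to the function arguments above.
  # src = fetchFromGitHub {
  #   owner = "aquasecurity";
  #   repo = "linux-bench";
  #   rev = "ce039756a6211beca47a23220c31998a9a891ad0";
  #   hash = "sha256-wprsaIe6hgH28yHkSqdHQdFyQMvObQY6hChsfBTviTA=";
  # };

  # NOTE(review): the source that is actually built comes from a fork on a
  # self-hosted Gitea instance, not from the upstream repository named in
  # meta.homepage. `rev` and `hash` pin the exact content, so the fetch is
  # reproducible and a changed tree is rejected, but the hash says nothing
  # about what the fork changes relative to upstream. Record here which
  # patches the fork carries and why, so that anyone auditing this package
  # can diff the two pinned revisions.
  src = fetchFromGitea {
    domain = "git.grimmauld.de";
    owner = "grimmauld";
    repo = "linux-bench";
    rev = "a936791cd0f4b4c02eb6294a3156ee784bf23c6a";
    hash = "sha256-8V0PUZJgNYPM81EH14nw4JpNH4StR1u1PbM+6GVpXVk=";
  };

  nativeBuildInputs = [ makeWrapper ];

  # Fixed-output hash of the vendored Go module dependencies; it has to be
  # refreshed whenever `src` changes go.mod or go.sum.
  vendorHash = "sha256-dlynz7mOiN+5ndYkmCUQu/Z31AwmJ+J2S3EBjQG5nWI=";

  # The wrapper does two things:
  #  * --config-dir points at cfg/ inside the pinned source store path, so
  #    the benchmark definitions are read-only and always match the binary.
  #    This keeps `src` in the runtime closure.
  #  * --prefix PATH puts the packaged grep and iptables ahead of whatever
  #    the caller has on PATH. It only prepends: any other command the
  #    checks invoke is still resolved from the caller's PATH.
  postInstall = ''
    wrapProgram $out/bin/linux-bench \
      --add-flags "--config-dir ${src}/cfg" \
      --prefix PATH : ${
        lib.makeBinPath [
          gnugrep
          iptables
        ]
      }
  '';

  meta = {
    description = "Checks whether a Linux server is configured according to security best practices as defined in the CIS Distribution-Independent Linux Benchmark";
    # Upstream project page; the code that is built is the fork in `src`.
    homepage = "https://github.com/aquasecurity/linux-bench";
    license = lib.licenses.asl20;
    maintainers = with lib.maintainers; [ grimmauld ];
    mainProgram = "linux-bench";
  };
}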