{
  # Fetches a pinned upstream archive with `fetchurl`, then consumes that
  # fixed-output file from a small package and check.
  description = "Fetch a pinned upstream file with fetchurl";

  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
  };

  outputs =
    { self, nixpkgs, ... }:
    let
      system = "x86_64-linux";
      pkgs = import nixpkgs { inherit system; };

      url = "mirror://gnu/hello/hello-2.12.3.tar.gz";
      archiveName = builtins.baseNameOf url;
      archiveHash = "sha256-DV9gFUOC/uELEUocNOeF2LH0kgc64tOm97FHaHs2aqA=";
      archiveSha256 = "0d5f60154382fee10b114a1c34e785d8b1f492073ae2d3a6f7b147687b366aa0";

      helloSource = pkgs.fetchurl {
        inherit url;
        hash = archiveHash;
      };
    in
    {
      packages.${system}.default = pkgs.writeShellApplication {
        name = "show-fetched-hello-source";
        runtimeInputs = [ pkgs.gnutar ];
        text = ''
          echo "archive: ${archiveName}"
          echo "top-level entry: $(tar -tzf ${helloSource} | head -n 1)"
        '';
      };

      apps.${system}.default = {
        type = "app";
        program = "${self.packages.${system}.default}/bin/show-fetched-hello-source";
        meta.description = "Inspect the archive fetched by a fixed-output fetchurl.";
      };

      checks.${system}.archive = pkgs.runCommand "hello-source-check" { } ''
        actualHash="$(sha256sum ${helloSource} | cut -d' ' -f1)"

        if [ "$actualHash" != "${archiveSha256}" ]; then
          echo "unexpected sha256: $actualHash" >&2
          exit 1
        fi

        tar -tzf ${helloSource} > entries.txt
        grep -q '^hello-2.12.3/README$' entries.txt

        echo ok > "$out"
      '';
    };
}