I recently packaged fq (written in Go) in Nixpkgs[0] and it was a breeze. You just have to specify the vendor and source hashes (which can be done automatically), and you get reproducibility for free (at least in the build environment.)
What is the proper automated way to get vendorSha256? Currently I always set it to lib.fakeSha256 first, then run the build and obtain the hash from the error message.
To speed things up a little, you can evaluate exactly what you need in the REPL to trigger the error. You can even paste the Nix expression with the fake sha in and it'll be quicker than evaluating your entire build.
There's probably a CLI out there that fetches it a la nix-prefetch-url/git/etc
