diff --git a/exprs/go-no-vendor-1.22.patch b/exprs/go-no-vendor-1.22.patch
new file mode 100644
index 0000000..bd545d5
--- /dev/null
+++ b/exprs/go-no-vendor-1.22.patch
@@ -0,0 +1,23 @@
+Starting from go1.14, go verifes that vendor/modules.txt matches the requirements
+and replacements listed in the main module go.mod file, and it is a hard failure if
+vendor/modules.txt is missing.
+
+Relax module consistency checks and switch back to pre go1.14 behaviour if
+vendor/modules.txt is missing regardless of go version requirement in go.mod.
+
+This has been ported from FreeBSD: https://reviews.freebsd.org/D24122
+See https://github.com/golang/go/issues/37948 for discussion.
+
+diff --git a/src/cmd/go/internal/modload/vendor.go b/src/cmd/go/internal/modload/vendor.go
+index b2cb44100e..05bf3829d5 100644
+--- a/src/cmd/go/internal/modload/vendor.go
++++ b/src/cmd/go/internal/modload/vendor.go
+@@ -159,7 +159,7 @@ func checkVendorConsistency(indexes []*modFileIndex, modFiles []*modfile.File, m
+ 			panic(fmt.Errorf("not in workspace mode but number of indexes is %v, not 1", len(indexes)))
+ 		}
+ 		index := indexes[0]
+-		if gover.Compare(index.goVersion, "1.14") < 0 {
++		if gover.Compare(index.goVersion, "1.14") < 0 || (os.Getenv("GO_NO_VENDOR_CHECKS") == "1" && len(vendorMeta) == 0) {
+ 			// Go versions before 1.14 did not include enough information in
+ 			// vendor/modules.txt to check for consistency.
+ 			// If we know that we're on an earlier version, relax the consistency check.
diff --git a/systems/etna/default.nix b/systems/etna/default.nix
index 3f0a702..31caf7a 100644
--- a/systems/etna/default.nix
+++ b/systems/etna/default.nix
@@ -8,16 +8,27 @@
 let
   tunnelId = "57f51ad7-25a0-45f3-b113-0b6ae0b2c3e5";
 
-  patchedBuildGoModule = pkgs.buildGoModule.override {
-    go = pkgs.buildPackages.go_1_22.overrideAttrs {
-      pname = "cloudflare-go";
-      version = "1.22.5-devel-cf";
-      src = pkgs.fetchFromGitHub {
-        owner = "cloudflare";
-        repo = "go";
-        rev = "af19da5605ca11f85776ef7af3384a02a315a52b";
-        hash = "sha256-6VT9CxlHkja+mdO1DeFoOTq7gjb3T5jcf2uf9TB/CkU=";
-      };
+  patchedCloudflared = pkgs.cloudflared.override {
+    buildGoModule = pkgs.buildGoModule.override {
+      go = pkgs.buildPackages.go_1_23.overrideAttrs (old: {
+        pname = "cloudflare-go";
+        version = "1.22.5-devel-cf";
+
+        src = pkgs.fetchFromGitHub {
+          owner = "cloudflare";
+          repo = "go";
+          rev = "af19da5605ca11f85776ef7af3384a02a315a52b";
+          hash = "sha256-6VT9CxlHkja+mdO1DeFoOTq7gjb3T5jcf2uf9TB/CkU=";
+        };
+
+        patches = map (
+          patch:
+          if (baseNameOf patch == "go_no_vendor_checks-1.23.patch") then
+            ../../exprs/go-no-vendor-1.22.patch
+          else
+            patch
+        ) old.patches;
+      });
     };
   };
 
@@ -89,7 +100,7 @@ in
 
     cloudflared = {
       enable = true;
-      package = pkgs.cloudflared.override { buildGoModule = patchedBuildGoModule; };
+      package = patchedCloudflared.overrideAttrs { meta.broken = false; };
       tunnels.${tunnelId} = {
         credentialsFile = cfTunnelSecret.path;
         default = "http_status:404";