{
  nixpkgs,
  flake-utils,
  ...
}:
flake-utils.lib.eachDefaultSystem (system: let
  pkgs = nixpkgs.legacyPackages.${system};
  createScript = {
    name,
    runtimeInputs,
    scriptPath,
    extraWrapperFlags ? "",
    ...
  }: let
    script = (pkgs.writeScriptBin name (builtins.readFile scriptPath)).overrideAttrs (old: {
      buildCommand = "${old.buildCommand}\n patchShebangs $out";
    });
  in
    pkgs.symlinkJoin {
      inherit name;
      paths = [script] ++ runtimeInputs;
      buildInputs = [pkgs.makeWrapper];
      postBuild = "wrapProgram $out/bin/${name} --set PATH $out/bin ${extraWrapperFlags}";
    };
in {
  packages.gen-k3s-cert = createScript {
    name = "create-k3s-cert";
    runtimeInputs = with pkgs; [openssl coreutils openssh yq];
    scriptPath = ./gen-k3s-cert.sh;
  };
})