{ flake-utils, hostPkgs, ... }: flake-utils.lib.eachDefaultSystem (system:
let
  createScript = name: runtimeInputs: scriptPath:
    let
      script = (hostPkgs.writeScriptBin name (builtins.readFile scriptPath)).overrideAttrs (old: {
        buildCommand = "${old.buildCommand}\n patchShebangs $out";
      });
    in
    hostPkgs.symlinkJoin {
      inherit name;
      paths = [ script ] ++ runtimeInputs;
      buildInputs = [ hostPkgs.makeWrapper ];
      postBuild = "wrapProgram $out/bin/${name} --set PATH $out/bin";
    };
in
{
  packages.bootstrap = createScript "bootstrap" (with hostPkgs; [ libsecret coreutils nixos-anywhere ]) ./bootstrap.sh;
  packages.gen-k3s-cert = createScript "create-k3s-cert" (with hostPkgs; [ openssl coreutils openssh yq ]) ./gen-k3s-cert.sh;
})