diff --git a/.sops.yaml b/.sops.yaml
index c85cd92..1d859f9 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -11,7 +11,12 @@ keys:
 - &hosts:
 - &dev-vm age1rjtqzmywfr3zuzz0cn8eqnwp3x8ypzya9gcv6kvtplhudar5eayqq83ey4
 - &crayon age1pnu4tkdxfcnefntdw262k4m8wuv3qe2894s4e6w5j8yshg8vlu6q9uq5tv
- - &blobercraft age167gn88rldpmqmjhm9nl0gv05ms4tn37jx2nxwklfvs3xymfp9y7sa8vurh
+ - &blobercraft
+ - &blobercraft
+ - &blobercraft
+ - &blobercraft
+ - &blobercraft
+ # new-host marker
 creation_rules:
 - path_regex: secrets.yaml$
 key_groups:
@@ -20,3 +25,8 @@ creation_rules:
 - *dev-vm
 - *crayon
 - *blobercraft
+ - *blobercraft
+ - *blobercraft
+ - *blobercraft
+ - *blobercraft
+ # new-host ptr marker
diff --git a/Makefile b/Makefile
deleted file mode 100644
index 5b88ecc..0000000
--- a/Makefile
+++ /dev/null
@@ -1,35 +0,0 @@
-IP ?=
-HOST ?=
-init:
-ifeq ($(IP),)
- $(error IP not set)
-endif
-ifeq ($(HOST),)
- $(error HOST not set)
-endif
- nix run github:nix-community/nixos-anywhere -- --flake .#$(HOST) --generate-hardware-config nixos-generate-config ./hosts/$(HOST)/hardware-configuration.nix --target-host nixos@$(IP)
-
-deploy:
- # no impurity allowed
-ifneq ($(shell git diff),)
- git add .
- git commit -m "auto commit on build" -m "`PAGER=cat git diff --name-only --cached`"
-endif
- # push flake config to a remote server(s)
- nix run github:serokell/deploy-rs .
-
-sops:
- # For setting up a new host: to generate a sops key from an existing ssh key
- # just run `cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age` and then add
- # that to the .sops.yaml file
- sops updatekeys secrets.yaml
-
-.DEFAULT_GOAL := default
-.PHONY: default deploy init sops
-default:
- # This is my tiny makefile to create new machines and update existing ones
- # it requires you to have nix and sops installed to correctly setup a new
- # system and nix to deploy to an existing one.
- #
- # I'm not using just cause I've already got make installed everywhere and I
- # know how to use it. 
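Review bot: The `# new-host marker` and `# new-host ptr marker` comments added in these two hunks are load-bearing — the `-init` script in shell.nix uses them as sed insertion anchors — but nothing in the file says so, so a later tidy-up could silently break host onboarding; consider `# new-host marker: -init (shell.nix) inserts new host keys above this line, do not remove` and the matching wording on the ptr marker. As rendered, the first hunk replaces `&blobercraft age167…` with five `- &blobercraft` entries that carry no age public key and the second adds four more `- *blobercraft` aliases; if that is the real content rather than a redaction artifact, the repeated anchors resolve to a null key and sops will not be able to encrypt to them. Dropping a host's age key and running `sops updatekeys` (what the secrets.yaml hunk shows, with the `mac` line unchanged) only re-wraps the existing data key, so if the intent is to revoke blobercraft's access the file also needs a data-key rotation (`sops rotate -i secrets.yaml`, or `sops -r -i` on older releases), since the removed key holder could still decrypt content protected by the old data key.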
diff --git a/flake.nix b/flake.nix
index c04931b..473f42d 100644
--- a/flake.nix
+++ b/flake.nix
@@ -63,7 +63,7 @@ profiles.system = {
 user = "root";
 sshUser = "crown";
- path = inputs.deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.${name};
+ path = inputs.deploy-rs.lib."x86_64-linux".activate.nixos self.nixosConfigurations.${name};
 };
 } options )) <| nodes;
@@ -79,6 +79,11 @@ crayon = {
 hostname = "squi.bid";
 };
 };
+ # dev shell to deploy this flake
+ devShells."x86_64-linux".default = builtins.import ./shell.nix {
+ pkgs = nixpkgs.legacyPackages."x86_64-linux";
+ };
+
 checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) inputs.deploy-rs.lib;
 };
 }
diff --git a/secrets.yaml b/secrets.yaml
index fe10e0e..2b4befe 100644
--- a/secrets.yaml
+++ b/secrets.yaml
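Review bot: The new `devShells."x86_64-linux".default` in the second hunk is pinned to a single system, while the `checks` attribute directly below it is derived from every system in `inputs.deploy-rs.lib`; on any other host `nix develop` finds no shell at all. A consistent form that stays in step with `checks` is `devShells = builtins.mapAttrs (system: _: { default = builtins.import ./shell.nix { pkgs = nixpkgs.legacyPackages.${system}; }; }) inputs.deploy-rs.lib;`. The enclosing `outputs` function starts and ends outside the hunk, so the `nixpkgs` binding used here is assumed to be the flake input already in scope for `legacyPackages` — confirm against the head of the file.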
@@ -13,38 +13,29 @@ sops: - recipient: age14d55nfxlzm8t2yzplxpprygxmt99javafz9a8dh5llu87aww4qlswf6g0c enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNT0IxYjhWWkZadnVmcGpz - VXB5U2VvTFllYWhJTkNwQmxsWkxEL2drRHcwCksrMGs4SVZoL1pJNU00TUZBeU5V - UFBRcnRFdTlxUjgvcVpSelZIU0NyVWsKLS0tICtnZm8rYnB5cWhIUVBmQzQxSWIr - M29ZRHIwNGZSdi9LYmp5d2xyTWdmRDgKhs6COQa3Vmosiwv7I/IjvYr10Mx83V6z - W2d8PPTHBlRMqPcghpG2UOFsygzP8Y6UlMpCgt25vnFLUwCPlo7ERA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvOWlGajE0Q0FQclZUdUJ2 + RjNUcVBuckZpT1FrbzJaaFcyNXgrTklub0V3ClNIZHpyWVlmVUExK0phNlRIOCtl + ajhPR1M1eERIclhiWEpRelFQRi94em8KLS0tIG1wdVlmbis3OXcxOXRBbFp6b0Nw + QzEyaWIrdVlpcHRHSmpZQkhjN2U3OGcKXRTscSq9D73awM2CLbst8KHPXs3WFXBy + rM8W40zgn6wDPjy2XxB54qZg9hnsBGdAtNnY5PInjMJ5F17lgSdXaw== -----END AGE ENCRYPTED FILE----- - recipient: age1rjtqzmywfr3zuzz0cn8eqnwp3x8ypzya9gcv6kvtplhudar5eayqq83ey4 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXMUFJY2RjSHcrS2Foa2Fo - dUJMSmpEL0NEN1BLYlZDNlA3aUQyQUNkYWxnCnNmV0ZpWTA0ZHUrUEtBV3MyZ3U1 - SitYaVFBZklaZ282K2plYUhlVjRVWGMKLS0tIGlOZENMbURDMWR5VEFIVEdyV3k5 - S3hQemRLNFd6eDlQY3pvUlkzUVhRUlUKHvdPyCCb0I825u9Hx+Fz+W9ESM2Gxy+N - lUsxP/ngAnG52MSrxxU33PG4TXSvaaYzuGP7gOQF6hB9U79inWzFzg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtaVFIaWllNU0xR0ZHQWtZ + T2tsK0dkQVlTL0N6Z0UvYlRKallXeTFVbDJNCis4UWtSZ0tCZHp2aXBDaDFTeUJu + TWFPdlRJUFRCb3E1UWdmUUhGOU5BS0kKLS0tIEFEWVBzNUxDTzhCSndKZ0JxSFlo + K2ZVekRCeXVtL0FhbmpYc0dEQmo2NjAKKSg1/XSIAoVMHsnkMJHSGTzmX8eQYp77 + hGjx4T26UxwTK8KJ8KKPFI5KWiIHzP/HHTeiJb4IhJ5G+z/npttZIA== -----END AGE ENCRYPTED FILE----- - recipient: age1pnu4tkdxfcnefntdw262k4m8wuv3qe2894s4e6w5j8yshg8vlu6q9uq5tv enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtYTkvaldVWUk1TC94REEr - OHNiUHlqN0l3QWFJbjZ6anZpVTN5OGtibGtNCm9DcVJ6SktQeEFWU2REU0dpRjZu - WnBBaDMrbnRNaVhtR3BqdjVkc2tpZEEKLS0tIHRVdW8yL1JmcDVrVkNaa2lNN2h5 - 
Y0gxSjYrY3gydnBseEVlQTBSSEtJSVEKH4v1Q9kKQaj5vdV9mW2Rsl/GUbq1h/m9 - iy6BPmjC9GNtTBJ8VuvkQSvPLD+dsMwYqhmSbTQgDpRP3sQ4a6rWkA== - -----END AGE ENCRYPTED FILE----- - - recipient: age167gn88rldpmqmjhm9nl0gv05ms4tn37jx2nxwklfvs3xymfp9y7sa8vurh - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYcWVDbmhhc1FHRG5WOTEz - emp4Rm9YMlA3aXUvMnpDWElqRElzQjdlMzNRCjducWdqQzliZjkzaWtGdEdUbk9u - MlBCL0lqdWs4TVo0RW9ham5mTExTSzQKLS0tICtJWk15NG9yMWwyVjF6SE1weWFF - NmlybmxKYlJESGxJbFdCazZUKzVjYmMK56j3+CuRfZsbVeYfmESlD2z6GYzIFQYz - f/jpI+8CteDlxbGuUvW10hD7lB8az2+Z+MQX2+koy3PZBkGChPh/Yg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlV1J2bjl2K21WUlpyLzQw + amNRajFuNEFOOTJUdUFmdzBzK29hbFhnL2dRCml4OVZoS1llSVRoa216aWlvR0R3 + cjgyS0pibnQ2SHBBcVlZeXo1MmVNV0UKLS0tIEh3bGt3WnVqYlVwSlI5SUJheU9z + MVIyWFFmVXR3SkN4dmdJUzZEOE1nRzAKXYCh0Y0pwHUO6YAhGFBuVCphmL2dOAsN + R/5NDRIF2ab5hf5vE8g/4jHnrttujsbNyU96Jezh8q6MO2M1afIUwA== -----END AGE ENCRYPTED FILE----- lastmodified: "2025-11-09T02:00:10Z" mac: ENC[AES256_GCM,data:9Jg3aXMMe8Yhf3CycD+UPqlTg0E619dmOJENRe2sfwROdKxOXhiFqnuI4t262XW3IMpJdCbv3RIblklF6vPaqqJWkPqj4Jt2niF4Bq0oR+cRM+rAElYAZ6vviCWnjTjOhTD/UB2RYPFH77Ce7RQmR4c5H4D6uLaw1g3+9TLJPTE=,iv:p4mF2S1n+mTV+ny3hKbQ+tYqh+4HGURyUP9hiSdMZjs=,tag:dWCa87XTwH3mBHshUMxjiQ==,type:str] diff --git a/shell.nix b/shell.nix new file mode 100644 index 0000000..8147204 --- /dev/null +++ b/shell.nix 
@@ -0,0 +1,85 @@
+{
+ pkgs ?
+ # If pkgs is not defined, instantiate nixpkgs from locked commit
+ # yoinked from (github.com/EmergentMind/nix-config)
+ let
+ lock = (builtins.fromJSON (builtins.readFile ./flake.lock)).nodes.nixpkgs.locked;
+ nixpkgs = builtins.fetchTarball {
+ url = "https://github.com/${lock.owner}/${lock.repo}/archive/${lock.rev}.tar.gz";
+ sha256 = lock.narHash;
+ };
+ in
+ builtins.import nixpkgs { overlays = [ ]; },
+ ...
+}:
+pkgs.mkShell {
+ nativeBuildInputs = with pkgs.buildPackages; [
+ git
+ openssh
+ ssh-to-age
+ nixos-anywhere
+
+ (pkgs.writeShellScriptBin "-sops" "sops updatekeys secrets.yaml")
+
+ (pkgs.writeShellScriptBin "-init" ''
+ USER="root"
+ if [ -z "$1" ] || [ -z "$2" ]; then
+ echo "the 1st argument must be the ip address"
+ echo "the 2nd argument must be the new hostname (the nix flake host)"
+ echo "the 3rd argument may be the user to ssh with if unset the default is root"
+ exit 0
+ fi
+
+ IP=$1
+ HOST=$2
+ if [ -n "$3" ]; then
+ USER=$3
+ fi
+
+ # get the remote systems ssh key
+ key=$(ssh $(USER)@$(IP) 'cat /etc/ssh/ssh_host_ed25519_key.pub' | ssh-to-age)
+ if [ -z "$key" ]; then
+ echo "failed to get the remote systems ssh pubkey"
+ exit 1
+ fi
+
+ # add the new sops key to the .sops.yaml
+ sed -i '/# new-host marker/i\ - &$(HOST) $(key)' .sops.yaml
+ sed -i '/# new-host ptr marker/i\ - *$(HOST)' .sops.yaml
+
+ # update the keys
+ sops updatekeys secrets.yaml
+
+ # push the flake to the remote system
+ nixos-anywhere --\
+ --flake .#$(HOST)\
+ --build-on remote\
+ --generate-hardware-config nixos-generate-config ./hosts/$(HOST)/hardware-configuration.nix\
+ --target-host $(USER)@$(IP)
+ '')
+
+ (pkgs.writeShellScriptBin "-deploy" ''
+ # there shall be no impurity
+ if [ -n "$(git diff)" ]; then
+ git add .
+ git commit -m "auto commit on build" -m "`PAGER=cat git diff --name-only --cached`"
+ fi
+
+ # push flake config to a remote server(s)
+ nix run github:serokell/deploy-rs . 
# this needs to be the same version that the flake is using
+ '')
+ ];
+
+ shellHook = ''
+ cat << EOF
+ # This is my tiny nix shell to create new machines and update existing ones
+ # it requires you to have nix and sops installed to correctly setup a new
+ # system and nix to deploy to an existing one.
+ #
+ # Available commands:
+ # '-sops' -> updates your sops secret file
+ # '-init' -> initializes a new system with nix-anywhere
+ # '-deploy' -> deploys the existing flake to all nodes using deploy-rs
+ EOF
+ '';
+}