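# A small dev shell for bootstrapping new machines and updating existing ones.
# Every helper is prefixed with "-" so it does not shadow the real tool
# (sops, nixos-anywhere, deploy-rs) that is also on PATH.
{
  # If pkgs is not defined, instantiate nixpkgs from the locked commit
  # yoinked from (github.com/EmergentMind/nix-config)
  pkgs ?
    let
      lock = (builtins.fromJSON (builtins.readFile ./flake.lock)).nodes.nixpkgs.locked;
      nixpkgs = builtins.fetchTarball {
        url = "https://github.com/${lock.owner}/${lock.repo}/archive/${lock.rev}.tar.gz";
        # pin the tarball to the NAR hash recorded in flake.lock
        sha256 = lock.narHash;
      };
    in
    builtins.import nixpkgs { overlays = [ ]; },
  ...
}:
pkgs.mkShell {
  nativeBuildInputs = with pkgs.buildPackages; [
    git
    openssh
    ssh-to-age
    nixos-anywhere

    # -sops: re-encrypt secrets.yaml for the recipients listed in .sops.yaml
    (pkgs.writeShellScriptBin "-sops" "sops updatekeys secrets.yaml")

    # -init <ip> <hostname> [user]: enrol a new machine.
    # Fetches the remote ssh host key, converts it to an age key, registers
    # it in .sops.yaml, re-keys the secrets and installs the flake host with
    # nixos-anywhere.
    #
    # Inside a Nix indented string, ''${VAR} produces a literal ${VAR} for
    # the shell. The previous $(VAR) spelling was a command substitution that
    # ran a non-existent command named VAR and expanded to nothing, so the
    # ssh target, the sed inserts and the nixos-anywhere arguments were empty.
    (pkgs.writeShellScriptBin "-init" ''
      USER="root"
      if [ -z "$1" ] || [ -z "$2" ]; then
        echo "the 1st argument must be the ip address"
        echo "the 2nd argument must be the new hostname (the nix flake host)"
        echo "the 3rd argument may be the user to ssh with if unset the default is root"
        # usage error: exit non-zero so a caller does not mistake it for success
        exit 1
      fi
      IP=$1
      HOST=$2
      if [ -n "$3" ]; then
        USER=$3
      fi

      # get the remote systems ssh key
      # (ssh uses its default host-key policy here, so first contact with an
      # unknown host prompts for confirmation)
      key=$(ssh "''${USER}@''${IP}" 'cat /etc/ssh/ssh_host_ed25519_key.pub' | ssh-to-age)
      if [ -z "$key" ]; then
        echo "failed to get the remote systems ssh pubkey"
        exit 1
      fi

      # add the new sops key to the .sops.yaml
      # (double quotes so HOST and key are expanded before sed sees the script)
      sed -i "/# new-host marker/i\ - &''${HOST} ''${key}" .sops.yaml
      sed -i "/# new-host ptr marker/i\ - *''${HOST}" .sops.yaml

      # update the keys
      sops updatekeys secrets.yaml

      # push the flake to the remote system
      nixos-anywhere --\
        --flake ".#''${HOST}"\
        --build-on remote\
        --generate-hardware-config nixos-generate-config "./hosts/''${HOST}/hardware-configuration.nix"\
        --target-host "''${USER}@''${IP}"
    '')

    # -deploy: commit pending changes and push the flake to every node with
    # deploy-rs. Flakes in a git checkout only see tracked files, hence the
    # auto commit. CAUTION: `git add .` also stages untracked files, so
    # anything lying in the worktree (e.g. a decrypted secret) is committed.
    (pkgs.writeShellScriptBin "-deploy" ''
      # there shall be no impurity
      if [ -n "$(git diff)" ]; then
        git add .
        git commit -m "auto commit on build" -m "`PAGER=cat git diff --name-only --cached`"
      fi

      # push flake config to a remote server(s)
      nix run github:serokell/deploy-rs .
      # this needs to be the same version that the flake is using
    '')
  ];

  # printed on every shell entry as a reminder of the helper commands;
  # the heredoc lines share one indent so EOF lands at column 0 after Nix
  # strips the common indentation
  shellHook = ''
    cat << EOF
    # This is my tiny nix shell to create new machines and update existing ones
    # it requires you to have nix and sops installed to correctly setup a new
    # system and nix to deploy to an existing one.
    #
    # Available commands:
    # '-sops'   -> updates your sops secret file
    # '-init'   -> initializes a new system with nix-anywhere
    # '-deploy' -> deploys the existing flake to all nodes using deploy-rs
    EOF
  '';
}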