diff --git a/scripts/bootstrap-machine.nix b/scripts/bootstrap-machine.nix
index 8ba25c0..48d2020 100644
--- a/scripts/bootstrap-machine.nix
+++ b/scripts/bootstrap-machine.nix
@@ -1,37 +1,48 @@
-let
- inputs = import ../deps;
- pkgs = import inputs.nixpkgs { };
-in
-pkgs.writeShellScriptBin "bootstrap-machine" ''
- pushd $(git rev-parse --show-toplevel)
- machine=$1
- ip=$2
- extra_args=("''${@:3}")
- # Create a temporary directory
- temp=$(mktemp -d)
- # Function to cleanup temporary directory on exit
- cleanup() {
- rm -rf "$temp"
- }
- trap cleanup EXIT
+{
+ writeShellApplication,
+ rbw,
+ nixos-anywhere,
+}:
- # Create the directory where sshd expects to find the host keys
- install -d -m755 "$temp/etc/ssh"
+writeShellApplication {
+ name = "bootstrap-machine";
- # Decrypt your private key from the password store and copy it to the temporary directory
- rbw get "$machine"_ssh_host_ed25519_key -f notes > "$temp/etc/ssh/ssh_host_ed25519_key"
+ runtimeInputs = [
+ rbw
+ nixos-anywhere
+ ];
- # Set the correct permissions so sshd will accept the key
- chmod 600 "$temp/etc/ssh/ssh_host_ed25519_key"
+ text = ''
+ pushd "$(git rev-parse --show-toplevel)"
+ machine=$1
+ ip=$2
+ extra_args=("''${@:3}")
+ # Create a temporary directory
+ temp=$(mktemp -d)
+ # Function to cleanup temporary directory on exit
+ cleanup() {
+ rm -rf "$temp"
+ }
+ trap cleanup EXIT
- ssh-keygen -f "$temp/etc/ssh/ssh_host_ed25519_key" -y > "$temp/etc/ssh/ssh_host_ed25519_key.pub"
+ # Create the directory where sshd expects to find the host keys
+ install -d -m755 "$temp/etc/ssh"
- chmod 644 "$temp/etc/ssh/ssh_host_ed25519_key.pub"
+ # Decrypt your private key from the password store and copy it to the temporary directory
+ rbw get "$machine"_ssh_host_ed25519_key -f notes > "$temp/etc/ssh/ssh_host_ed25519_key"
- mkdir -p "$temp/persistent"
+ # Set the correct permissions so sshd will accept the key
+ chmod 600 "$temp/etc/ssh/ssh_host_ed25519_key"
- cp -r "$temp/etc" "$temp/persistent/etc"
+ ssh-keygen -f "$temp/etc/ssh/ssh_host_ed25519_key" -y > "$temp/etc/ssh/ssh_host_ed25519_key.pub"
- nixos-anywhere --extra-files "$temp" --store-paths $(nix-build -A nixosConfigurations.\"$machine\".config.system.build.diskoScript) $(nix-build -A nixosConfigurations.\"$machine\".config.system.build.toplevel) "''${extra_args[@]}" root@"$ip"
- popd
-''
+ chmod 644 "$temp/etc/ssh/ssh_host_ed25519_key.pub"
+
+ mkdir -p "$temp/persistent"
+
+ cp -r "$temp/etc" "$temp/persistent/etc"
+ nixos-anywhere --extra-files "$temp" --store-paths "$(nix-build -A nixosConfigurations.\""$machine"\".config.system.build.diskoScript)" "$(nix-build -A nixosConfigurations.\""$machine"\".config.system.build.toplevel)" "''${extra_args[@]}" root@"$ip"
+ popd
+ '';
+}
diff --git a/scripts/update-deps.nix b/scripts/update-deps.nix
new file mode 100644
index 0000000..c1203a7
--- /dev/null
+++ b/scripts/update-deps.nix
@@ -0,0 +1,11 @@
+{ writeShellApplication, npins }:
+
+writeShellApplication {
+ name = "update-deps";
+
+ runtimeInputs = [ npins ];
+
+ text = ''
+ npins update -d deps "$@"
+ '';
+}
diff --git a/shell.nix b/shell.nix
index 1a5b295..0b4358f 100644
--- a/shell.nix
+++ b/shell.nix
@@ -3,7 +3,8 @@ let
 pkgs = import inputs.unstable { };
 nixos-anywhere = pkgs.callPackage "${inputs.nixos-anywhere}/src/default.nix" { };
 agenix = pkgs.callPackage "${inputs.agenix}/pkgs/agenix.nix" { };
- bootstrap = import scripts/bootstrap-machine.nix;
+ bootstrap = pkgs.callPackage scripts/bootstrap-machine.nix { inherit nixos-anywhere; };
+ update-deps = pkgs.callPackage scripts/update-deps.nix { };
 pre-commit-hook = (import ( pkgs.applyPatches {
@@ -32,9 +33,9 @@ pkgs.mkShell {
 nativeBuildInputs = with pkgs; [
 colmena
 npins
- nixos-anywhere
 agenix
 bootstrap
+ update-deps
 statix
 rbw
 pinentry
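Review bot: `machine=$1` and `ip=$2` at the top of the new `text` block now run under the `set -u` that writeShellApplication enables, so calling the wrapper with fewer than two arguments aborts with an "unbound variable" message rather than a usage hint; guard them first with `[ $# -ge 2 ] || { echo 'usage: bootstrap-machine <machine> <ip> [nixos-anywhere args...]' >&2; exit 64; }`. The script also invokes `git`, `ssh-keygen` and `nix-build`, none of which are in `runtimeInputs`, so they are resolved from whatever PATH the caller happens to have; adding `git`, `openssh` and `nix` there would make the wrapper as self-contained as the `rbw`/`nixos-anywhere` entries already are. The `rbw get ... >` redirection creates the private-key file with the caller's umask and only the following `chmod 600` tightens it; since `$temp` comes from `mktemp -d` it is already 0700, so the exposure is contained, but a `umask 077` before the `install -d` line would keep the key mode-restricted from creation and also cover the `cp -r` copy under `$temp/persistent`.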
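Review bot: `npins update -d deps "$@"` resolves `deps` against the caller's current directory, so this wrapper only works when run from the repository root, unlike bootstrap-machine which first `pushd`s to `git rev-parse --show-toplevel`. Either prefix it with `cd "$(git rev-parse --show-toplevel)"` (and add `git` to `runtimeInputs`) or state the working-directory requirement in a comment above the call, e.g. `# must be run from the repository root: 'deps' is resolved relative to cwd`.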