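# Flake module exposing two `nix run` apps that reinstall a host from scratch.
#
# Both apps follow the same sequence:
#   1. generate a fresh ed25519 SSH host key in a private temporary directory,
#   2. derive the matching age recipient with ssh-to-age and write it into
#      infra/.sops.yaml at the YAML anchor named after the host,
#   3. re-encrypt infra/modules/base/secrets.yaml for the new recipient set,
#   4. install the system and copy the host key to /persist/etc/ssh on the target.
#
# The operator running the app must already be able to decrypt secrets.yaml,
# otherwise `sops updatekeys` cannot re-encrypt it.
{ self, ... }:
{
  perSystem =
    { pkgs, ... }:
    let
      # Shell fragment shared by both bootstrap scripts so the key handling cannot
      # drift between hosts. It defines `rootdir`, `extrafiles` and `keydir` for
      # the install step that follows it.
      #
      # The recipient in .sops.yaml is replaced *before* the install runs. If the
      # install fails, the EXIT trap still deletes the only copy of the private
      # key, so re-run the whole app instead of retrying the install by hand.
      provisionHostKey = host: ''
        rootdir="$(git rev-parse --show-toplevel)"

        # mktemp -d creates the directory accessible to the current user only; the
        # unencrypted private host key lives here until the installer copies it.
        extrafiles="$(mktemp -d)"
        trap 'rm -rf "$extrafiles"' EXIT

        keydir="$extrafiles/persist/etc/ssh"
        mkdir --parents "$keydir"

        privatekey="$keydir/ssh_host_ed25519_key"
        publickey="$privatekey.pub"

        # Host keys carry no passphrase (-N ""), sshd has to read them unattended.
        # The explicit comment keeps the operator's user@host out of the key file.
        ssh-keygen -t ed25519 -N "" -C "root@${host}" -f "$privatekey"
        chmod 600 "$privatekey"
        chmod 644 "$publickey"

        agekey="$(ssh-to-age < "$publickey")"

        # Hand the recipient to yq through the environment instead of splicing it
        # into the expression, so its content is never parsed as yq syntax.
        AGE_RECIPIENT="$agekey" yq \
          --inplace \
          '(.keys | .. | select(anchor == "${host}")) = strenv(AGE_RECIPIENT)' \
          "$rootdir/infra/.sops.yaml"

        sops updatekeys --yes "$rootdir/infra/modules/base/secrets.yaml"
      '';

      # Both .sops.yaml and the re-encrypted secrets file were modified; losing
      # either one leaves the freshly installed host unable to decrypt secrets
      # on the next deployment.
      rekeyReminder = ''
        printf "\n\nIMPORTANT: Remember to save the changes to infra/.sops.yaml and infra/modules/base/secrets.yaml!\n"
      '';
    in
    {
      apps.infra-bootstrap-indra =
        let
          bin = pkgs.writeShellApplication {
            name = "bootstrap-indra";
            runtimeInputs = [
              # keep-sorted start
              pkgs.git
              pkgs.nixos-anywhere
              pkgs.openssh
              pkgs.sops
              pkgs.ssh-to-age
              pkgs.yq-go
              # keep-sorted end
            ];
            text = ''
              ${provisionHostKey "indra"}
              # Remote install over SSH; --extra-files copies the generated host key
              # into the new system under /persist/etc/ssh.
              # NOTE(review): confirm how the identity of the target is verified on
              # this first connection before the key material is sent to it.
              nixos-anywhere \
                --flake "$rootdir#indra" \
                --extra-files "$extrafiles" \
                --target-host "root@145.223.22.205"

              ${rekeyReminder}
            '';
          };
        in
        {
          type = "app";
          program = "${bin}/bin/bootstrap-indra";
          meta.description = "bootstrap the indra machine by doing a fresh installation";
        };

      apps.infra-bootstrap-plato =
        let
          bin = pkgs.writeShellApplication {
            name = "bootstrap-plato";
            runtimeInputs = [
              # keep-sorted start
              pkgs.disko
              pkgs.git
              pkgs.openssh
              pkgs.sops
              pkgs.ssh-to-age
              pkgs.yq-go
              # keep-sorted end
            ];
            text = ''
              # The live installer creates its own hostid which results in the import of
              # the ZFS pool failing. Instead forcefully set the hostid as configured in Nix.
              sudo rm -rf /etc/hostid
              sudo zgenhostid -f "${self.nixosConfigurations.plato.config.networking.hostId}"

              ${provisionHostKey "plato"}
              # Local install from the live installer. This wipes the disk named below,
              # so check the by-id path against the hardware before running.
              sudo disko-install \
                --flake "$rootdir#plato" \
                --disk main "/dev/disk/by-id/ata-CONSISTENT_SSD_S7_512GB_09092225J0987" \
                --extra-files "$keydir" "/persist/etc/ssh"

              # The rekeyed files only exist in the copy of the repo on the live
              # installer; they are gone after a reboot unless copied back.
              ${rekeyReminder}
            '';
          };
        in
        {
          type = "app";
          program = "${bin}/bin/bootstrap-plato";
          meta.description = "bootstrap the plato machine by doing a fresh installation (run on the live installer after copying over the repo)";
        };
    };
}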