diff --git a/flake-parts/install-anywhere.nix b/flake-parts/install-anywhere.nix
deleted file mode 100644
index c0f1570..0000000
--- a/flake-parts/install-anywhere.nix
+++ /dev/null
@@ -1,62 +0,0 @@
-_: {
- perSystem =
- { pkgs, ... }:
- {
- packages.install-anywhere = pkgs.writeShellApplication {
- name = "install-anywhere";
-
- runtimeInputs = [
- pkgs.sops
- pkgs.ssh-to-age
- pkgs.bitwarden-cli
- ];
-
- text = ''
- if [[ $# -ne 2 ]]; then
- echo "Usage: $0 "
- exit 1
- fi
-
- host="$1"
- destination="$2"
- root="$(mktemp --directory)"
-
- impermanence="$(nix eval ".#nixosConfigurations.$host.config.custom.persistence.enable")"
- if [ "$impermanence" = true ]; then
- ssh_dir="$root/persist/etc/ssh"
- else
- ssh_dir="$root/etc/ssh"
- fi
-
- echo "==> Generating new SSH host keys..."
- mkdir --parents "$ssh_dir"
- ssh-keygen -C "root@$host" -f "$ssh_dir/ssh_host_ed25519_key" -N "" -q
-
- echo "==> Replacing old age key with new age key..."
- new_age_key="$(ssh-to-age -i "$ssh_dir/ssh_host_ed25519_key.pub")"
- echo "$new_age_key" > "hosts/$host/keys/age.pub"
-
- echo "==> Updating SOPS secrets..."
- if ! declare -px BW_SESSION >/dev/null 2>&1; then
- BW_SESSION="$(bw unlock --raw || bw login --raw)"
- export BW_SESSION
- fi
- if ! declare -px SOPS_AGE_KEY >/dev/null 2>&1; then
- SOPS_AGE_KEY="$(bw get notes 'admin age-key')"
- export SOPS_AGE_KEY
- fi
- SOPS_CONFIG="$(nix build .#sops-config --print-out-paths)"
- export SOPS_CONFIG
- sops updatekeys --yes "hosts/$host/secrets.json"
-
- echo "==> Installing system..."
- nix run github:nix-community/nixos-anywhere -- \
- --extra-files "$root" \
- --flake ".#$host" \
- --target-host "$destination"
-
- rm -rf "$root"
- '';
- };
- };
-}
diff --git a/flake-parts/nebula.nix b/flake-parts/nebula.nix
index 813c8cb..b1b9791 100644
--- a/flake-parts/nebula.nix
+++ b/flake-parts/nebula.nix
@@ -16,38 +16,5 @@ _: {
 fi
 '';
 };
-
- packages.nebula-regen-host-cert = pkgs.writeShellApplication {
- name = "nebula-regen-host-cert";
- runtimeInputs = [
- pkgs.nebula
- pkgs.bitwarden-cli
- ];
- text = ''
- if [[ $# -ne 1 ]]; then
- echo "Usage: $0 "
- exit 1
- fi
-
- host="$1"
- address="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.networking.overlay.cidr")"
- ca_cert='modules/system/services/nebula/ca.crt'
- host_pub="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.services.nebula.publicKeyPath")"
- host_cert="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.services.nebula.certificatePath")"
- host_cert="''${host_cert#*-source/}"
-
- if ! declare -px BW_SESSION >/dev/null 2>&1; then
- BW_SESSION="$(bw unlock --raw || bw login --raw)"
- fi
-
- ca_key="$(mktemp)"
- chmod 600 "$ca_key"
- trap 'rm -f "$ca_key"' EXIT
- bw get notes 'nebula ca-key' > "$ca_key"
-
- rm -f "$host_cert"
- nebula-cert sign -name "$host" -networks "$address" -ca-crt "$ca_cert" -ca-key "$ca_key" -in-pub "$host_pub" -out-crt "$host_cert"
- '';
- };
 };
 }
diff --git a/flake-parts/scripts.nix b/flake-parts/scripts.nix
new file mode 100644
index 0000000..62fecf0
--- /dev/null
+++ b/flake-parts/scripts.nix
@@ -0,0 +1,13 @@
+{ self, ... }:
+{
+ perSystem =
+ { pkgs, lib, ... }:
+ {
+ packages =
+ "${self}/scripts"
+ |> builtins.readDir
+ |> lib.attrNames
+ |> lib.map (name: name |> lib.removeSuffix ".nix")
+ |> self.lib.genAttrs (name: import "${self}/scripts/${name}.nix" { inherit pkgs; });
+ };
+}
diff --git a/scripts/install-anywhere.nix b/scripts/install-anywhere.nix
new file mode 100644
index 0000000..10be289
--- /dev/null
+++ b/scripts/install-anywhere.nix
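Review bot: The `readDir` pipeline in scripts.nix feeds every directory entry into `import "${self}/scripts/${name}.nix"`, so an entry that is not a regular `.nix` file (a subdirectory, an editor backup file, a README) keeps its name after `lib.removeSuffix ".nix"` and the import then fails for the whole `packages` set. Filtering before the name mapping keeps the auto-discovery robust: insert `|> lib.filterAttrs (_: type: type == "regular")` after `builtins.readDir` and `|> lib.filter (lib.hasSuffix ".nix")` after `lib.attrNames`. The final call goes through `self.lib.genAttrs` while the rest of the chain uses the `lib` argument already in scope; presumably `self.lib` re-exports nixpkgs' lib, but `lib.genAttrs` would make the chain uniform. A one-line comment above `packages =`, such as `# every scripts/*.nix file is expected to take { pkgs } and return a derivation`, would document the contract the new scripts/ directory relies on.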
@@ -0,0 +1,57 @@
+{ pkgs }:
+pkgs.writeShellApplication {
+ name = "install-anywhere";
+
+ runtimeInputs = [
+ pkgs.sops
+ pkgs.ssh-to-age
+ pkgs.bitwarden-cli
+ ];
+
+ text = ''
+ if [[ $# -ne 2 ]]; then
+ echo "Usage: $0 "
+ exit 1
+ fi
+
+ host="$1"
+ destination="$2"
+ root="$(mktemp --directory)"
+
+ impermanence="$(nix eval ".#nixosConfigurations.$host.config.custom.persistence.enable")"
+ if [ "$impermanence" = true ]; then
+ ssh_dir="$root/persist/etc/ssh"
+ else
+ ssh_dir="$root/etc/ssh"
+ fi
+
+ echo "==> Generating new SSH host keys..."
+ mkdir --parents "$ssh_dir"
+ ssh-keygen -C "root@$host" -f "$ssh_dir/ssh_host_ed25519_key" -N "" -q
+
+ echo "==> Replacing old age key with new age key..."
+ new_age_key="$(ssh-to-age -i "$ssh_dir/ssh_host_ed25519_key.pub")"
+ echo "$new_age_key" > "hosts/$host/keys/age.pub"
+
+ echo "==> Updating SOPS secrets..."
+ if ! declare -px BW_SESSION >/dev/null 2>&1; then
+ BW_SESSION="$(bw unlock --raw || bw login --raw)"
+ export BW_SESSION
+ fi
+ if ! declare -px SOPS_AGE_KEY >/dev/null 2>&1; then
+ SOPS_AGE_KEY="$(bw get notes 'admin age-key')"
+ export SOPS_AGE_KEY
+ fi
+ SOPS_CONFIG="$(nix build .#sops-config --print-out-paths)"
+ export SOPS_CONFIG
+ sops updatekeys --yes "hosts/$host/secrets.json"
+
+ echo "==> Installing system..."
+ nix run github:nix-community/nixos-anywhere -- \
+ --extra-files "$root" \
+ --flake ".#$host" \
+ --target-host "$destination"
+
+ rm -rf "$root"
+ '';
+}
diff --git a/scripts/nebula-regen-host-cert.nix b/scripts/nebula-regen-host-cert.nix
new file mode 100644
index 0000000..a7ef614
--- /dev/null
+++ b/scripts/nebula-regen-host-cert.nix
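Review bot: `root="$(mktemp --directory)"` is only cleaned up by the trailing `rm -rf "$root"`, so when `sops updatekeys` or the `nixos-anywhere` run fails (writeShellApplication scripts run under errexit) the freshly generated private host key in `$root/.../ssh_host_ed25519_key` is left behind in the temp directory; register the cleanup right after creation with `trap 'rm -rf "$root"' EXIT`, as scripts/nebula-regen-host-cert.nix in this same commit already does for its CA key, and drop the trailing `rm -rf "$root"`. Exporting `SOPS_AGE_KEY` places the admin age private key in the environment of every subsequent child process, including `nix run github:nix-community/nixos-anywhere`; sops also honours `SOPS_AGE_KEY_FILE`, so writing the key to a `chmod 600` temp file covered by the same trap would keep it out of the environment. A short header comment at the top of the `text` block naming the script's preconditions — invoked from the flake root, `hosts/$host/keys/` and `hosts/$host/secrets.json` present, a Bitwarden note named `admin age-key` — would make the implicit contract visible to the next maintainer.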
@@ -0,0 +1,35 @@
+{ pkgs }:
+pkgs.writeShellApplication {
+ name = "nebula-regen-host-cert";
+
+ runtimeInputs = [
+ pkgs.nebula
+ pkgs.bitwarden-cli
+ ];
+
+ text = ''
+ if [[ $# -ne 1 ]]; then
+ echo "Usage: $0 "
+ exit 1
+ fi
+
+ host="$1"
+ address="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.networking.overlay.cidr")"
+ ca_cert='modules/system/services/nebula/ca.crt'
+ host_pub="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.services.nebula.publicKeyPath")"
+ host_cert="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.services.nebula.certificatePath")"
+ host_cert="''${host_cert#*-source/}"
+
+ if ! declare -px BW_SESSION >/dev/null 2>&1; then
+ BW_SESSION="$(bw unlock --raw || bw login --raw)"
+ fi
+
+ ca_key="$(mktemp)"
+ chmod 600 "$ca_key"
+ trap 'rm -f "$ca_key"' EXIT
+ bw get notes 'nebula ca-key' > "$ca_key"
+
+ rm -f "$host_cert"
+ nebula-cert sign -name "$host" -networks "$address" -ca-crt "$ca_cert" -ca-key "$ca_key" -in-pub "$host_pub" -out-crt "$host_cert"
+ '';
+}
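Review bot: In the fresh-unlock branch `BW_SESSION="$(bw unlock --raw || bw login --raw)"` assigns a plain shell variable without exporting it, so the later `bw get notes 'nebula ca-key'` child process does not see the session and the script fails whenever the caller had not already exported BW_SESSION; add `export BW_SESSION` after the assignment, matching scripts/install-anywhere.nix in this same commit. The `bw unlock --raw || bw login --raw` fallback also turns a failed unlock into an interactive login rather than an error, which deserves a comment if that is intended. `rm -f "$host_cert"` runs before `nebula-cert sign`, so a signing failure leaves the host with no certificate at all; signing into a temp path and moving it over the old file only on success avoids that window. The parameter expansion `host_cert="''${host_cert#*-source/}"` presumably strips a `/nix/store/...-source/` prefix to get a repo-relative path — a comment saying so would help, since nothing in the file states what `certificatePath` evaluates to.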