diff --git a/flake.nix b/flake.nix index 5996dee..b919304 100644 --- a/flake.nix +++ b/flake.nix @@ -115,22 +115,6 @@ ${vm.config.system.build.vm.outPath}/bin/run-testvm-vm '').outPath; }; - - update-crowdsec-packages = - let - git = pkgs.lib.getExe pkgs.git; - nvfetcher = pkgs.lib.getExe pkgs.nvfetcher; - in - { - type = "app"; - program = - (pkgs.writeShellScript "update-crowdsec-packages" '' - cd "$(${git} rev-parse --show-toplevel)" - cd ./pkgs/crowdsec - ${nvfetcher} - echo 'Remember to update the vendorHash of any go packages!' - '').outPath; - }; }; ########################### diff --git a/pkgs/_sources/generated.json b/pkgs/_sources/generated.json deleted file mode 100644 index fd61141..0000000 --- a/pkgs/_sources/generated.json +++ /dev/null @@ -1,44 +0,0 @@ -{ - "crowdsec-firewall-bouncer": { - "cargoLocks": null, - "date": null, - "extract": null, - "name": "crowdsec-firewall-bouncer", - "passthru": null, - "pinned": false, - "src": { - "deepClone": false, - "fetchSubmodules": false, - "leaveDotGit": false, - "name": null, - "owner": "crowdsecurity", - "repo": "cs-firewall-bouncer", - "rev": "v0.0.34", - "sha256": "sha256-lDO9pwPkbI+FDTdXBv03c0p8wbkRUiIDNl1ip3AZo2g=", - "sparseCheckout": [], - "type": "github" - }, - "version": "v0.0.34" - }, - "crowdsec-hub": { - "cargoLocks": null, - "date": "2025-08-17", - "extract": null, - "name": "crowdsec-hub", - "passthru": null, - "pinned": false, - "src": { - "deepClone": false, - "fetchSubmodules": false, - "leaveDotGit": false, - "name": null, - "owner": "crowdsecurity", - "repo": "hub", - "rev": "fc59f78180f3edfce76df3e77b001c454f567d3d", - "sha256": "sha256-Ejx3ta05SMvV/Dj7wy2iF9QYbGoRvxPB3+QuCIoTX4Q=", - "sparseCheckout": [], - "type": "github" - }, - "version": "fc59f78180f3edfce76df3e77b001c454f567d3d" - } -} \ No newline at end of file diff --git a/pkgs/_sources/generated.nix b/pkgs/_sources/generated.nix deleted file mode 100644 index b5efc4e..0000000 --- a/pkgs/_sources/generated.nix +++ /dev/null 
@@ -1,27 +0,0 @@ -# This file was generated by nvfetcher, please do not modify it manually. -{ fetchgit, fetchurl, fetchFromGitHub, dockerTools }: -{ - crowdsec-firewall-bouncer = { - pname = "crowdsec-firewall-bouncer"; - version = "v0.0.34"; - src = fetchFromGitHub { - owner = "crowdsecurity"; - repo = "cs-firewall-bouncer"; - rev = "v0.0.34"; - fetchSubmodules = false; - sha256 = "sha256-lDO9pwPkbI+FDTdXBv03c0p8wbkRUiIDNl1ip3AZo2g="; - }; - }; - crowdsec-hub = { - pname = "crowdsec-hub"; - version = "fc59f78180f3edfce76df3e77b001c454f567d3d"; - src = fetchFromGitHub { - owner = "crowdsecurity"; - repo = "hub"; - rev = "fc59f78180f3edfce76df3e77b001c454f567d3d"; - fetchSubmodules = false; - sha256 = "sha256-Ejx3ta05SMvV/Dj7wy2iF9QYbGoRvxPB3+QuCIoTX4Q="; - }; - date = "2025-08-17"; - }; -} diff --git a/pkgs/default.nix b/pkgs/default.nix index f3a72f5..31335a6 100644 --- a/pkgs/default.nix +++ b/pkgs/default.nix @@ -1,7 +1,5 @@ { pkgs }: pkgs.lib.packagesFromDirectoryRecursive { - callPackage = pkgs.lib.callPackageWith ( - pkgs // { sources = pkgs.callPackage ./_sources/generated.nix { }; } - ); + inherit (pkgs) callPackage; directory = ./packages; } diff --git a/pkgs/nvfetcher.toml b/pkgs/nvfetcher.toml deleted file mode 100644 index 2287dba..0000000 --- a/pkgs/nvfetcher.toml +++ /dev/null @@ -1,7 +0,0 @@ -[crowdsec-hub] -src.git = "https://github.com/crowdsecurity/hub.git" -fetch.github = "crowdsecurity/hub" - -[crowdsec-firewall-bouncer] -src.github = "crowdsecurity/cs-firewall-bouncer" -fetch.github = "crowdsecurity/cs-firewall-bouncer" diff --git a/pkgs/packages/crowdsec-firewall-bouncer.nix b/pkgs/packages/crowdsec-firewall-bouncer.nix index cfb062a..41bba86 100644 --- a/pkgs/packages/crowdsec-firewall-bouncer.nix +++ b/pkgs/packages/crowdsec-firewall-bouncer.nix 
@@ -1,15 +1,26 @@ { lib, - sources, + fetchFromGitHub, buildGoModule, envsubst, coreutils, + + writers, + nix-update, }: let envsubstBin = lib.getExe envsubst; in -buildGoModule { - inherit (sources.crowdsec-firewall-bouncer) pname version src; +buildGoModule (drv: { + pname = "crowdsec-firewall-bouncer"; + version = drv.src.rev; + + src = fetchFromGitHub { + owner = "crowdsecurity"; + repo = "cs-firewall-bouncer"; + rev = "0.0.34"; + sha256 = "sha256-lDO9pwPkbI+FDTdXBv03c0p8wbkRUiIDNl1ip3AZo2g="; + }; vendorHash = "sha256-SbpclloBgd9vffC0lBduGRqPOqmzQ0J91/KeDHCh0jo="; @@ -23,4 +34,18 @@ buildGoModule { substituteInPlace $out/lib/systemd/system/crowdsec-firewall-bouncer.service \ --replace-fail /bin/sleep ${coreutils}/bin/sleep ''; -} + + passthru.updateScript = + writers.writeNuBin "update-crowdsec-firewall-bouncer" + { + makeWrapperArgs = [ + "--prefix" + "PATH" + ":" + (lib.makeBinPath [ nix-update ]) + ]; + } + '' + nix-update --flake --format crowdsec-firewall-bouncer + ''; +}) diff --git a/pkgs/packages/crowdsec-hub.nix b/pkgs/packages/crowdsec-hub.nix index 1b8c9b3..e89c194 100644 --- a/pkgs/packages/crowdsec-hub.nix +++ b/pkgs/packages/crowdsec-hub.nix @@ -1 +1,38 @@ -{ sources }: sources.crowdsec-hub.src +{ + lib, + fetchFromGitHub, + stdenvNoCC, + + writers, + nix-update, +}: +# Using `mkDerivation` so nix-update can pick up the version +stdenvNoCC.mkDerivation (drv: { + pname = "crowdsec-hub"; + version = drv.src.rev; + + src = fetchFromGitHub { + owner = "crowdsecurity"; + repo = "hub"; + rev = "fc59f78180f3edfce76df3e77b001c454f567d3d"; + hash = "sha256-Ejx3ta05SMvV/Dj7wy2iF9QYbGoRvxPB3+QuCIoTX4Q="; + }; + + installPhase = '' + cp -r $src $out + ''; + + passthru.updateScript = + writers.writeNuBin "update-crowdsec-hub" + { + makeWrapperArgs = [ + "--prefix" + "PATH" + ":" + (lib.makeBinPath [ nix-update ]) + ]; + } + '' + nix-update --flake --format --version=branch crowdsec-hub + ''; +}) 
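Review bot: The new `rev = "0.0.34";` in the `fetchFromGitHub` call drops the `v` prefix that the removed nvfetcher pin used (`v0.0.34`), while the `sha256` is carried over unchanged. Because the source is a fixed-output derivation, a machine that already has that hash in its store or a binary cache will not fetch again, so a ref that does not exist upstream would go unnoticed until a clean build. If upstream tags are `v`-prefixed, as the old pin suggests, keep `rev = "v0.0.34";` and confirm it by re-fetching the source rather than trusting the cached path. Writing the hash as `hash = "sha256-…";` would also match the spelling used in crowdsec-hub.nix.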
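Review bot: The attribute name passed to `nix-update` in `passthru.updateScript` is a second hard-coded copy of `pname`, so renaming the package file or `pname` would leave the script updating the wrong attribute or none. Using `nix-update --flake --format ${drv.pname}` keeps the two in step. The same `writers.writeNuBin … makeWrapperArgs` block is repeated almost verbatim in crowdsec-hub.nix, so a small shared helper taking the attribute name and extra flags would remove the duplication. The `buildGoModule` body starts outside this hunk.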
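Review bot: `installPhase` copies `$src` to `$out`, but the derivation still runs the other default stdenv phases: the source is unpacked first, a Makefile in the repository (if there is one) would be built, and fixup can rewrite shebangs in the copied tree. The package previously evaluated to the untouched `src`, so the output can now differ from the pinned upstream content, which matters if the consumer compares hub files against upstream hashes (worth confirming). Consider `dontUnpack = true; dontBuild = true; dontFixup = true;` and wrapping the copy in `runHook preInstall` / `runHook postInstall`. Separately, `--version=branch` makes each update follow the tip of the default branch, so every bump is an upstream snapshot nobody has reviewed until someone reads the diff.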
diff --git a/pkgs/update.nu b/pkgs/update.nu
new file mode 100644
index 0000000..0ed1bc1
--- /dev/null
+++ b/pkgs/update.nu
@@ -0,0 +1,23 @@
+use std/log
+
+let packages_with_updatescript = (
+ nix flake show --json
+ | from json
+ | $in.packages.x86_64-linux
+ | columns
+ | filter {|p| nix eval $'.#($p)' --apply 'builtins.hasAttr "updateScript"' | $in == 'true' }
+)
+
+for $package in $packages_with_updatescript {
+ log info $'Updating ($package)'
+ nix run $'.#($package).updateScript'
+}
+
+log info 'Committing changes'
+
+try {
+ git add pkgs
+ git commit -m 'update(pkgs): Update sources of all downstream packages'
+} catch {
+ log warning 'No changes to commit'
+}
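Review bot: The `try`/`catch` around `git add pkgs` and `git commit` logs every failure as 'No changes to commit', so a rejected commit (missing identity, failing hook, wrong working directory) looks the same as a run with nothing to update. `git add pkgs` also only works when the script is started from the repository root, which the removed flake app ensured with `git rev-parse --show-toplevel`. Because the loop runs every `updateScript` and the result is committed without anyone seeing it, new revisions and hashes are accepted on first fetch. Printing the change summary before committing, or leaving the commit to a reviewed branch, keeps a human in the loop. A sketch of the commit step follows.

```nushell
# … unchanged: package discovery and update loop …
cd (git rev-parse --show-toplevel | str trim)

if (git status --porcelain pkgs | str trim | is-empty) {
    log warning 'No changes to commit'
} else {
    # Show what the update scripts changed before it is recorded.
    git diff --stat pkgs
    git add pkgs
    git commit -m 'update(pkgs): Update sources of all downstream packages'
}
```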