diff --git a/checks/lints.nu b/checks/lints.nu
index b70766b..ffc2047 100644
--- a/checks/lints.nu
+++ b/checks/lints.nu
@@ -1,8 +1,10 @@
 #!/usr/bin/env nu
+let shell_files = ls **/*.sh | get name
 let nix_files = ls **/*.nix | where name !~ "hardware-configuration.nix|_sources" | get name
 let linters = [
+ ([shellcheck] ++ $shell_files)
 ([nixfmt --check --strict] ++ $nix_files)
 ([deadnix --fail] ++ $nix_files)
 ([statix check] ++ $nix_files)
diff --git a/flake.nix b/flake.nix
index 76d612f..b5228c3 100644
--- a/flake.nix
+++ b/flake.nix
@@ -37,6 +37,7 @@
 }@inputs:
 let
 system = "x86_64-linux";
+ pkgs = nixpkgs.legacyPackages.${system};
 vm = nixpkgs.lib.nixosSystem {
 inherit system;
@@ -96,10 +97,15 @@
 # Garbage collection root #
 ###########################
- packages.${system} = {
- default = vm.config.system.build.vm;
- }
- // import ./pkgs { pkgs = nixpkgs.legacyPackages.${system}; };
+ packages.${system} =
+ let
+ localPkgs = import ./pkgs { inherit pkgs; };
+ in
+ {
+ default = vm.config.system.build.vm;
+ crowdsec-hub = localPkgs.crowdsec.hub;
+ crowdsec-firewall-bouncer = localPkgs.crowdsec.firewall-bouncer;
+ };
 ###################
 # Utility scripts #
@@ -110,10 +116,26 @@
 run-vm = {
 type = "app";
 program =
- (nixpkgs.legacyPackages.${system}.writeShellScript "" ''
+ (pkgs.writeShellScript "" ''
 ${vm.config.system.build.vm.outPath}/bin/run-testvm-vm
 '').outPath;
 };
+
+ update-crowdsec-packages =
+ let
+ git = pkgs.lib.getExe pkgs.git;
+ nvfetcher = pkgs.lib.getExe pkgs.nvfetcher;
+ in
+ {
+ type = "app";
+ program =
+ (pkgs.writeShellScript "update-crowdsec-packages" ''
+ cd "$(${git} rev-parse --show-toplevel)"
+ cd ./pkgs/crowdsec
+ ${nvfetcher}
+ echo 'Remember to update the vendorHash of any go packages!'
+ '').outPath;
+ };
 };
 ###########################
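Review bot: The `update-crowdsec-packages` script has no `set -e`, and `pkgs.writeShellScript` does not add one, so if the first `cd` fails (for example when run from outside a git work tree) execution simply continues and `nvfetcher` runs in whatever directory the caller was in, writing a fresh `_sources/` there. Start the script with `set -euo pipefail` and collapse the two `cd`s into `cd "$(${git} rev-parse --show-toplevel)/pkgs/crowdsec"`. The `echo` reminder is the only thing tying an nvfetcher bump to the hand-maintained `vendorHash` in `pkgs/crowdsec/firewall-bouncer.nix`; a stale hash fails the build rather than passing silently, which is the right failure mode, but printing `${git} diff --stat -- _sources` at the end would also show the reviewer which sources actually moved before they commit.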
@@ -125,16 +147,16 @@ "./keys/hosts/" "./keys/users/" ]; + nativeBuildInputs = [ sops-nix.packages.${system}.sops-import-keys-hook ]; - packages = nixpkgs.lib.attrValues { - inherit (sops-nix.packages.${system}) sops-import-keys-hook sops-init-gpg-key; - inherit (deploy-rs.packages.${system}) default; - }; - }; - - minecraft = nixpkgs.legacyPackages.${system}.mkShell { - packages = nixpkgs.lib.attrValues { inherit (nixpkgs.legacyPackages.${system}) packwiz; }; + packages = with pkgs; [ + sops-nix.packages.${system}.sops-init-gpg-key + deploy-rs.packages.${system}.default + nixpkgs-fmt + ]; }; }; + + minecraft = nixpkgs.legacyPackages.${system}.mkShell { packages = [ pkgs.packwiz ]; }; }; } diff --git a/pkgs/crowdsec/_sources/generated.json b/pkgs/crowdsec/_sources/generated.json new file mode 100644 index 0000000..fd61141 --- /dev/null +++ b/pkgs/crowdsec/_sources/generated.json @@ -0,0 +1,44 @@ +{ + "crowdsec-firewall-bouncer": { + "cargoLocks": null, + "date": null, + "extract": null, + "name": "crowdsec-firewall-bouncer", + "passthru": null, + "pinned": false, + "src": { + "deepClone": false, + "fetchSubmodules": false, + "leaveDotGit": false, + "name": null, + "owner": "crowdsecurity", + "repo": "cs-firewall-bouncer", + "rev": "v0.0.34", + "sha256": "sha256-lDO9pwPkbI+FDTdXBv03c0p8wbkRUiIDNl1ip3AZo2g=", + "sparseCheckout": [], + "type": "github" + }, + "version": "v0.0.34" + }, + "crowdsec-hub": { + "cargoLocks": null, + "date": "2025-08-17", + "extract": null, + "name": "crowdsec-hub", + "passthru": null, + "pinned": false, + "src": { + "deepClone": false, + "fetchSubmodules": false, + "leaveDotGit": false, + "name": null, + "owner": "crowdsecurity", + "repo": "hub", + "rev": "fc59f78180f3edfce76df3e77b001c454f567d3d", + "sha256": "sha256-Ejx3ta05SMvV/Dj7wy2iF9QYbGoRvxPB3+QuCIoTX4Q=", + "sparseCheckout": [], + "type": "github" + }, + "version": "fc59f78180f3edfce76df3e77b001c454f567d3d" + } +} \ No newline at end of file 
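Review bot: Counting the closing braces on the new side of the `@@ -125,16 +147,16 @@` hunk, `minecraft` is added after the `};` that closes the set holding `default`, so it becomes a sibling of the whole `${system}` dev-shell set rather than of `default`; unless the structure outside this hunk differs from what the braces show, `nix develop .#minecraft` stops resolving and the flake gains a stray attribute. Move the `minecraft = … mkShell { packages = [ pkgs.packwiz ]; };` line back before the second context `};`, next to `default`. Separately, the shell adds `nixpkgs-fmt` while `checks/lints.nu` in this same commit enforces `nixfmt --check --strict`; code formatted with `nixpkgs-fmt` will fail that lint, so the shell should provide whichever package supplies the `nixfmt` the check runs. The `with pkgs;` covers only that one entry, so `pkgs.nixpkgs-fmt` (or its replacement) reads clearer than a scope import for a single name.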
diff --git a/pkgs/crowdsec/_sources/generated.nix b/pkgs/crowdsec/_sources/generated.nix new file mode 100644 index 0000000..b5efc4e --- /dev/null +++ b/pkgs/crowdsec/_sources/generated.nix @@ -0,0 +1,27 @@ +# This file was generated by nvfetcher, please do not modify it manually. +{ fetchgit, fetchurl, fetchFromGitHub, dockerTools }: +{ + crowdsec-firewall-bouncer = { + pname = "crowdsec-firewall-bouncer"; + version = "v0.0.34"; + src = fetchFromGitHub { + owner = "crowdsecurity"; + repo = "cs-firewall-bouncer"; + rev = "v0.0.34"; + fetchSubmodules = false; + sha256 = "sha256-lDO9pwPkbI+FDTdXBv03c0p8wbkRUiIDNl1ip3AZo2g="; + }; + }; + crowdsec-hub = { + pname = "crowdsec-hub"; + version = "fc59f78180f3edfce76df3e77b001c454f567d3d"; + src = fetchFromGitHub { + owner = "crowdsecurity"; + repo = "hub"; + rev = "fc59f78180f3edfce76df3e77b001c454f567d3d"; + fetchSubmodules = false; + sha256 = "sha256-Ejx3ta05SMvV/Dj7wy2iF9QYbGoRvxPB3+QuCIoTX4Q="; + }; + date = "2025-08-17"; + }; +} diff --git a/pkgs/crowdsec/default.nix b/pkgs/crowdsec/default.nix new file mode 100644 index 0000000..66faac3 --- /dev/null +++ b/pkgs/crowdsec/default.nix @@ -0,0 +1,9 @@ +{ pkgs }: +let + sources = pkgs.callPackage ./_sources/generated.nix { }; + callPackage = pkgs.lib.callPackageWith (pkgs // { inherit sources; }); +in +{ + hub = callPackage ./hub.nix { }; + firewall-bouncer = callPackage ./firewall-bouncer.nix { }; +} diff --git a/pkgs/crowdsec/firewall-bouncer.nix b/pkgs/crowdsec/firewall-bouncer.nix new file mode 100644 index 0000000..cfb062a --- /dev/null +++ b/pkgs/crowdsec/firewall-bouncer.nix 
@@ -0,0 +1,26 @@
+{
+ lib,
+ sources,
+ buildGoModule,
+ envsubst,
+ coreutils,
+}:
+let
+ envsubstBin = lib.getExe envsubst;
+in
+buildGoModule {
+ inherit (sources.crowdsec-firewall-bouncer) pname version src;
+
+ vendorHash = "sha256-SbpclloBgd9vffC0lBduGRqPOqmzQ0J91/KeDHCh0jo=";
+
+ postInstall = ''
+ mkdir -p $out/lib/systemd/system
+
+ CFG=/var/lib/crowdsec/config BIN=$out/bin/cs-firewall-bouncer ${envsubstBin} \
+ -i ./config/crowdsec-firewall-bouncer.service \
+ -o $out/lib/systemd/system/crowdsec-firewall-bouncer.service
+
+ substituteInPlace $out/lib/systemd/system/crowdsec-firewall-bouncer.service \
+ --replace-fail /bin/sleep ${coreutils}/bin/sleep
+ '';
+}
diff --git a/pkgs/crowdsec/hub.nix b/pkgs/crowdsec/hub.nix
new file mode 100644
index 0000000..1b8c9b3
--- /dev/null
+++ b/pkgs/crowdsec/hub.nix
@@ -0,0 +1 @@
+{ sources }: sources.crowdsec-hub.src
diff --git a/pkgs/crowdsec/nvfetcher.toml b/pkgs/crowdsec/nvfetcher.toml
new file mode 100644
index 0000000..2287dba
--- /dev/null
+++ b/pkgs/crowdsec/nvfetcher.toml
@@ -0,0 +1,7 @@
+[crowdsec-hub]
+src.git = "https://github.com/crowdsecurity/hub.git"
+fetch.github = "crowdsecurity/hub"
+
+[crowdsec-firewall-bouncer]
+src.github = "crowdsecurity/cs-firewall-bouncer"
+fetch.github = "crowdsecurity/cs-firewall-bouncer"
diff --git a/pkgs/default.nix b/pkgs/default.nix
index 31335a6..0e5de7a 100644
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@@ -1,5 +1,5 @@
 { pkgs }:
-pkgs.lib.packagesFromDirectoryRecursive {
- inherit (pkgs) callPackage;
- directory = ./packages;
+{
+ crowdsec = import ./crowdsec { inherit pkgs; };
+ starbound = pkgs.callPackage ./starbound { };
 }
diff --git a/pkgs/packages/crowdsec-firewall-bouncer.nix b/pkgs/packages/crowdsec-firewall-bouncer.nix
deleted file mode 100644
index 41bba86..0000000
--- a/pkgs/packages/crowdsec-firewall-bouncer.nix
+++ /dev/null
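Review bot: In `firewall-bouncer.nix`, `src` is now rewritten by nvfetcher while `vendorHash` a few lines below stays a hand-edited constant, and nothing in the file says so; a bump that changes `go.mod`/`go.sum` fails with a hash mismatch at build time, which is the safe outcome, but the coupling deserves a comment above it such as `# Maintained by hand: refresh after any nvfetcher bump that touches go.mod/go.sum (nix build reports the new hash)`. The `version` inherited from `sources` is `"v0.0.34"`, whereas the deleted `pkgs/packages/crowdsec-firewall-bouncer.nix` used `"0.0.34"`, so the store path and anything comparing versions now see a `v` prefix; `version = lib.removePrefix "v" sources.crowdsec-firewall-bouncer.version;` next to `inherit (sources.crowdsec-firewall-bouncer) pname src;` restores the previous value.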
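Review bot: `[crowdsec-hub]` in `nvfetcher.toml` carries no version constraint: `src.git` follows the branch HEAD nvfetcher defaults to for `crowdsecurity/hub`, so every run of the update app moves the parsers, scenarios and collections CrowdSec will execute to whatever was pushed most recently (`generated.json` records this as `pinned: false` with a bare commit as `version`). The hash nvfetcher writes is trust-on-first-use — it fixes what GitHub served at update time, not that a maintainer released it — so the `_sources/generated.json` delta is the only review point, and that should be stated here, e.g. `# Tracks branch HEAD, not a release: review the rev change in _sources/generated.json before committing`. If upstream tags the hub, `src.github = "crowdsecurity/hub"` would pin to releases the way the bouncer entry does.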
@@ -1,51 +0,0 @@
-{
- lib,
- fetchFromGitHub,
- buildGoModule,
- envsubst,
- coreutils,
-
- writers,
- nix-update,
-}:
-let
- envsubstBin = lib.getExe envsubst;
-in
-buildGoModule (drv: {
- pname = "crowdsec-firewall-bouncer";
- version = drv.src.rev;
-
- src = fetchFromGitHub {
- owner = "crowdsecurity";
- repo = "cs-firewall-bouncer";
- rev = "0.0.34";
- sha256 = "sha256-lDO9pwPkbI+FDTdXBv03c0p8wbkRUiIDNl1ip3AZo2g=";
- };
-
- vendorHash = "sha256-SbpclloBgd9vffC0lBduGRqPOqmzQ0J91/KeDHCh0jo=";
-
- postInstall = ''
- mkdir -p $out/lib/systemd/system
-
- CFG=/var/lib/crowdsec/config BIN=$out/bin/cs-firewall-bouncer ${envsubstBin} \
- -i ./config/crowdsec-firewall-bouncer.service \
- -o $out/lib/systemd/system/crowdsec-firewall-bouncer.service
-
- substituteInPlace $out/lib/systemd/system/crowdsec-firewall-bouncer.service \
- --replace-fail /bin/sleep ${coreutils}/bin/sleep
- '';
-
- passthru.updateScript =
- writers.writeNuBin "update-crowdsec-firewall-bouncer"
- {
- makeWrapperArgs = [
- "--prefix"
- "PATH"
- ":"
- (lib.makeBinPath [ nix-update ])
- ];
- }
- ''
- nix-update --flake --format crowdsec-firewall-bouncer
- '';
-})
diff --git a/pkgs/packages/crowdsec-hub.nix b/pkgs/packages/crowdsec-hub.nix
deleted file mode 100644
index e89c194..0000000
--- a/pkgs/packages/crowdsec-hub.nix
+++ /dev/null
@@ -1,38 +0,0 @@
-{
- lib,
- fetchFromGitHub,
- stdenvNoCC,
-
- writers,
- nix-update,
-}:
-# Using `mkDerivation` so nix-update can pick up the version
-stdenvNoCC.mkDerivation (drv: {
- pname = "crowdsec-hub";
- version = drv.src.rev;
-
- src = fetchFromGitHub {
- owner = "crowdsecurity";
- repo = "hub";
- rev = "fc59f78180f3edfce76df3e77b001c454f567d3d";
- hash = "sha256-Ejx3ta05SMvV/Dj7wy2iF9QYbGoRvxPB3+QuCIoTX4Q=";
- };
-
- installPhase = ''
- cp -r $src $out
- '';
-
- passthru.updateScript =
- writers.writeNuBin "update-crowdsec-hub"
- {
- makeWrapperArgs = [
- "--prefix"
- "PATH"
- ":"
- (lib.makeBinPath [ nix-update ])
- ];
- }
- ''
- nix-update --flake --format --version=branch crowdsec-hub
- '';
-})
diff --git a/pkgs/starbound/default.nix b/pkgs/starbound/default.nix
new file mode 100644
index 0000000..26f2184
--- /dev/null
+++ b/pkgs/starbound/default.nix
@@ -0,0 +1,37 @@
+{
+ stdenv,
+ lib,
+ makeWrapper,
+ patchelf,
+ steamPackages,
+ replace-secret,
+}:
+let
+ # Use the directory in which starbound is installed so steamcmd
+ # doesn't have to be reinstalled constantly (we're using DynamicUser
+ # with StateDirectory to persist this).
+ steamcmd = steamPackages.steamcmd.override { steamRoot = "/var/lib/starbound/.steamcmd"; };
+ wrapperPath = lib.makeBinPath [
+ patchelf
+ steamcmd
+ replace-secret
+ ];
+in
+stdenv.mkDerivation {
+ name = "starbound-update-script";
+ nativeBuildInputs = [ makeWrapper ];
+ dontUnpack = true;
+ patchPhase = ''
+ interpreter="$(cat $NIX_CC/nix-support/dynamic-linker)"
+ substitute ${./launch-starbound.sh} launch-starbound --subst-var interpreter
+ '';
+ installPhase = ''
+ mkdir -p $out/bin
+ cp launch-starbound $out/bin/launch-starbound
+ chmod +x $out/bin/launch-starbound
+ '';
+ postFixup = ''
+ wrapProgram $out/bin/launch-starbound \
+ --prefix PATH : "${wrapperPath}"
+ '';
+}
diff --git a/pkgs/starbound/launch-starbound.sh b/pkgs/starbound/launch-starbound.sh
new file mode 100644
index 0000000..24d4db1
--- /dev/null
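Review bot: In `pkgs/starbound/default.nix` all of the real work sits in `patchPhase`, which with `dontUnpack = true` has no source to patch; moving the `substitute` call to `buildPhase` (or replacing the three phases with `substituteAll`/`writeShellApplication`) makes the intent readable. `wrapperPath` does not say why `patchelf` and `replace-secret` are needed: from the `interpreter` substitution I would infer the script re-points the ELF interpreter of the server binary steamcmd downloads into the state directory, and from `replace-secret` that it writes a Steam login from `CREDENTIALS_DIRECTORY` into a config file there, but `launch-starbound.sh` is cut off in this diff so neither is confirmed. Once checked against the script, a comment on `wrapperPath` such as `# patchelf: set the NixOS dynamic linker on the steamcmd-downloaded server binary; replace-secret: inject the Steam login from CREDENTIALS_DIRECTORY without passing it on a command line` would record the security-relevant reason these two tools are on the wrapper's PATH.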
+++ b/pkgs/starbound/launch-starbound.sh
@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+
+set -eu
+
+if ! [[ -v STATE_DIRECTORY && -v CREDENTIALS_DIRECTORY ]]; then
+ echo "Error: Runtime dir or credential not set"
+ exit 1
+fi
+
+# Update the server to the latest version
+echo "Updating/installing starbound"
+
+mkdir -p "${STATE_DIRECTORY}/.steamcmd"
+steamcmd <