diff --git a/checks/lints.nu b/checks/lints.nu
index ffc2047..b70766b 100644
--- a/checks/lints.nu
+++ b/checks/lints.nu
@@ -1,10 +1,8 @@
 #!/usr/bin/env nu
 
-let shell_files = ls **/*.sh | get name
 let nix_files = ls **/*.nix | where name !~ "hardware-configuration.nix|_sources" | get name
 
 let linters = [
-  ([shellcheck] ++ $shell_files)
   ([nixfmt --check --strict] ++ $nix_files)
   ([deadnix --fail] ++ $nix_files)
   ([statix check] ++ $nix_files)
diff --git a/flake.nix b/flake.nix
index 20cbc36..76d612f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -37,7 +37,6 @@
     }@inputs:
     let
       system = "x86_64-linux";
-      pkgs = nixpkgs.legacyPackages.${system};
 
       vm = nixpkgs.lib.nixosSystem {
         inherit system;
@@ -97,15 +96,10 @@
       # Garbage collection root #
       ###########################
 
-      packages.${system} =
-        let
-          localPkgs = import ./pkgs { inherit pkgs; };
-        in
-        {
-          default = vm.config.system.build.vm;
-          crowdsec-hub = localPkgs.crowdsec.hub;
-          crowdsec-firewall-bouncer = localPkgs.crowdsec.firewall-bouncer;
-        };
+      packages.${system} = {
+        default = vm.config.system.build.vm;
+      }
+      // import ./pkgs { pkgs = nixpkgs.legacyPackages.${system}; };
 
       ###################
       # Utility scripts #
@@ -116,7 +110,7 @@
         run-vm = {
           type = "app";
           program =
-            (pkgs.writeShellScript "" ''
+            (nixpkgs.legacyPackages.${system}.writeShellScript "" ''
               ${vm.config.system.build.vm.outPath}/bin/run-testvm-vm
             '').outPath;
         };
@@ -131,16 +125,16 @@
             "./keys/hosts/"
             "./keys/users/"
           ];
-          nativeBuildInputs = [ sops-nix.packages.${system}.sops-import-keys-hook ];
 
-          packages = with pkgs; [
-            sops-nix.packages.${system}.sops-init-gpg-key
-            deploy-rs.packages.${system}.default
-            nixpkgs-fmt
-          ];
+          packages = nixpkgs.lib.attrValues {
+            inherit (sops-nix.packages.${system}) sops-import-keys-hook sops-init-gpg-key;
+            inherit (deploy-rs.packages.${system}) default;
+          };
+        };
+
+        minecraft = nixpkgs.legacyPackages.${system}.mkShell {
+          packages = nixpkgs.lib.attrValues { inherit (nixpkgs.legacyPackages.${system}) packwiz; };
         };
       };
-
-      minecraft = nixpkgs.legacyPackages.${system}.mkShell { packages = [ pkgs.packwiz ]; };
     };
 }
diff --git a/pkgs/crowdsec/default.nix b/pkgs/crowdsec/default.nix
deleted file mode 100644
index 66faac3..0000000
--- a/pkgs/crowdsec/default.nix
+++ /dev/null
@@ -1,9 +0,0 @@
-{ pkgs }:
-let
-  sources = pkgs.callPackage ./_sources/generated.nix { };
-  callPackage = pkgs.lib.callPackageWith (pkgs // { inherit sources; });
-in
-{
-  hub = callPackage ./hub.nix { };
-  firewall-bouncer = callPackage ./firewall-bouncer.nix { };
-}
diff --git a/pkgs/default.nix b/pkgs/default.nix
index 0e5de7a..31335a6 100644
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@@ -1,5 +1,5 @@
 { pkgs }:
-{
-  crowdsec = import ./crowdsec { inherit pkgs; };
-  starbound = pkgs.callPackage ./starbound { };
+pkgs.lib.packagesFromDirectoryRecursive {
+  inherit (pkgs) callPackage;
+  directory = ./packages;
 }
diff --git a/pkgs/crowdsec/firewall-bouncer.nix b/pkgs/packages/crowdsec-firewall-bouncer.nix
similarity index 100%
rename from pkgs/crowdsec/firewall-bouncer.nix
rename to pkgs/packages/crowdsec-firewall-bouncer.nix
diff --git a/pkgs/crowdsec/hub.nix b/pkgs/packages/crowdsec-hub.nix
similarity index 100%
rename from pkgs/crowdsec/hub.nix
rename to pkgs/packages/crowdsec-hub.nix
diff --git a/pkgs/starbound/default.nix b/pkgs/starbound/default.nix
deleted file mode 100644
index 26f2184..0000000
--- a/pkgs/starbound/default.nix
+++ /dev/null
@@ -1,37 +0,0 @@
-{
-  stdenv,
-  lib,
-  makeWrapper,
-  patchelf,
-  steamPackages,
-  replace-secret,
-}:
-let
-  # Use the directory in which starbound is installed so steamcmd
-  # doesn't have to be reinstalled constantly (we're using DynamicUser
-  # with StateDirectory to persist this).
-  steamcmd = steamPackages.steamcmd.override { steamRoot = "/var/lib/starbound/.steamcmd"; };
-  wrapperPath = lib.makeBinPath [
-    patchelf
-    steamcmd
-    replace-secret
-  ];
-in
-stdenv.mkDerivation {
-  name = "starbound-update-script";
-  nativeBuildInputs = [ makeWrapper ];
-  dontUnpack = true;
-  patchPhase = ''
-    interpreter="$(cat $NIX_CC/nix-support/dynamic-linker)"
-    substitute ${./launch-starbound.sh} launch-starbound --subst-var interpreter
-  '';
-  installPhase = ''
-    mkdir -p $out/bin
-    cp launch-starbound $out/bin/launch-starbound
-    chmod +x $out/bin/launch-starbound
-  '';
-  postFixup = ''
-    wrapProgram $out/bin/launch-starbound \
-        --prefix PATH : "${wrapperPath}"
-  '';
-}
diff --git a/pkgs/starbound/launch-starbound.sh b/pkgs/starbound/launch-starbound.sh
deleted file mode 100644
index 24d4db1..0000000
--- a/pkgs/starbound/launch-starbound.sh
+++ /dev/null
@@ -1,32 +0,0 @@
-#!/usr/bin/env bash
-
-set -eu
-
-if ! [[ -v STATE_DIRECTORY  &&  -v CREDENTIALS_DIRECTORY ]]; then
-    echo "Error: Runtime dir or credential not set"
-    exit 1
-fi
-
-# Update the server to the latest version
-echo "Updating/installing starbound"
-
-mkdir -p "${STATE_DIRECTORY}/.steamcmd"
-steamcmd <<EOF
-force_install_dir $STATE_DIRECTORY
-login tlater $(cat "$CREDENTIALS_DIRECTORY/steam")
-app_update 211820
-quit
-EOF
-
-echo "Updating config"
-if [ -f "$1" ]; then
-    mkdir -p ./storage
-    cp "$1" ./storage/starbound_server.config
-fi
-
-echo "Running starbound server"
-patchelf --set-interpreter '@interpreter@' ./linux/starbound_server
-# Must be run from the directory that the binary is in (why do game
-# devs do this?)
-cd linux
-./starbound_server
diff --git a/pkgs/update.nu b/pkgs/update.nu
new file mode 100644
index 0000000..0ed1bc1
--- /dev/null
+++ b/pkgs/update.nu
@@ -0,0 +1,23 @@
+use std/log
+
+let packages_with_updatescript = (
+  nix flake show --json
+  | from json
+  | $in.packages.x86_64-linux
+  | columns
+  | filter {|p| nix eval $'.#($p)' --apply 'builtins.hasAttr "updateScript"' | $in == 'true' }
+)
+
+for $package in $packages_with_updatescript {
+  log info $'Updating ($package)'
+  nix run $'.#($package).updateScript'
+}
+
+log info 'Committing changes'
+
+try {
+  git add pkgs
+  git commit -m 'update(pkgs): Update sources of all downstream packages'
+} catch {
+  log warning 'No changes to commit'
+}