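# Helper commands for the infra OpenTofu workspaces (GCS "backups" and
# Cloudflare DNS).  Evaluates to a list of derivations, one per command,
# meant to be dropped into a dev shell's `packages`.
{ pkgs }:
let
  # Shell prelude shared by tofu-plan and tofu-apply.  It defines
  # `tofu_setup`, which
  #   - makes sure the remote-state bucket exists (creating it locked down
  #     with uniform bucket-level access and public-access prevention),
  #   - copies the generated .tf.json configs into a throw-away directory
  #     ($TMPDIR, removed when the calling script exits),
  #   - runs `tofu init` for both workspaces, and
  #   - fetches the Cloudflare API token from 1Password and exports it as
  #     CLOUDFLARE_API_TOKEN.
  # The calling scripts run under `set -x`; the token read below therefore
  # switches xtrace off so the secret is not echoed to the terminal/log.
  tofuSetup = ''
    tofu_setup() {
      # Ensure the state bucket exists; create it if `describe` fails.
      # NOTE(review): object versioning on the state bucket would make an
      # accidental state overwrite recoverable; it is not enabled here —
      # confirm whether it should be.
      ${pkgs.google-cloud-sdk}/bin/gcloud storage buckets describe \
        gs://fcuny-infra-tofu-state \
        --project=fcuny-infra \
        --quiet > /dev/null || \
      ${pkgs.google-cloud-sdk}/bin/gcloud storage buckets create \
        gs://fcuny-infra-tofu-state \
        --project=fcuny-infra \
        --uniform-bucket-level-access \
        --public-access-prevention \
        --location=us-west1 \
        --default-storage-class=STANDARD \
        --quiet

      # Working directory for the rendered configs; cleaned up on script
      # exit.  (The name shadows the conventional TMPDIR variable, so any
      # child process that honours TMPDIR will also put its temp files here;
      # they are removed together with the directory.)
      TMPDIR=$(mktemp -d)
      trap 'rm -rf "$TMPDIR"' EXIT

      # Install the generated OpenTofu configs, one sub-directory per
      # workspace.
      ${pkgs.coreutils}/bin/install -Dm 0644 \
        ${import ../tofu/backups.nix { inherit pkgs; }} \
        "$TMPDIR/backups/backups.tf.json"
      ${pkgs.coreutils}/bin/install -Dm 0644 \
        ${import ../tofu/dns.nix { inherit pkgs; }} \
        "$TMPDIR/cloudflare/cloudflare-dns.tf.json"

      # Initialize both workspaces (providers + remote state backend).
      ${pkgs.opentofu}/bin/tofu -chdir="$TMPDIR/backups" init
      ${pkgs.opentofu}/bin/tofu -chdir="$TMPDIR/cloudflare" init

      # Fetch the Cloudflare API token from 1Password.  With xtrace on, the
      # assignment line would be printed together with the resolved value,
      # so xtrace is disabled for this step and restored afterwards.  The
      # variable is exported so callers do not need a `VAR=... cmd` prefix,
      # which xtrace would print as well.
      case $- in *x*) _had_xtrace=1 ;; *) _had_xtrace=0 ;; esac
      set +x
      CLOUDFLARE_API_TOKEN=$(${pkgs._1password-cli}/bin/op --account my.1password.com read "op://Private/mcwt3evuidhalk3dfz4tqpzdpa/credential")
      export CLOUDFLARE_API_TOKEN
      if [ "$_had_xtrace" = 1 ]; then set -x; fi
    }
  '';
in
[
  # Refresh flake inputs and commit the resulting lock file.
  # writeShellScriptBin (rather than writeScriptBin) adds the shebang so the
  # file is executable directly, not only via a shell fallback.
  (pkgs.writeShellScriptBin "update-deps" "nix flake update --commit-lock-file")

  # Make sure both the user credential and application-default credentials
  # are valid; each `print-*-token` probe that fails triggers a login.
  (pkgs.writeShellScriptBin "gcloud-auth" ''
    set -xeuo pipefail
    ${pkgs.google-cloud-sdk}/bin/gcloud auth print-identity-token > /dev/null 2>&1 || \
      ${pkgs.google-cloud-sdk}/bin/gcloud auth login --quiet
    ${pkgs.google-cloud-sdk}/bin/gcloud auth application-default print-access-token > /dev/null 2>&1 || \
      ${pkgs.google-cloud-sdk}/bin/gcloud auth application-default login --quiet
  '')

  # Plan both workspaces.  CLOUDFLARE_API_TOKEN is exported by tofu_setup, so
  # no inline prefix is needed (and none is echoed by xtrace).
  (pkgs.writeShellScriptBin "tofu-plan" ''
    set -xeuo pipefail
    ${tofuSetup}
    tofu_setup
    echo "=== Planning backups ==="
    ${pkgs.opentofu}/bin/tofu -chdir="$TMPDIR/backups" plan
    echo "=== Planning cloudflare ==="
    ${pkgs.opentofu}/bin/tofu -chdir="$TMPDIR/cloudflare" plan
  '')

  # Apply both workspaces without an interactive prompt.  Same token handling
  # as tofu-plan.
  (pkgs.writeShellScriptBin "tofu-apply" ''
    set -xeuo pipefail
    ${tofuSetup}
    tofu_setup
    echo "=== Applying backups ==="
    ${pkgs.opentofu}/bin/tofu -chdir="$TMPDIR/backups" apply -auto-approve
    echo "=== Applying cloudflare ==="
    ${pkgs.opentofu}/bin/tofu -chdir="$TMPDIR/cloudflare" apply -auto-approve
  '')
]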