{ pkgs }:
[
  (pkgs.writeScriptBin "update-deps" "nix flake update --commit-lock-file")

  (pkgs.writeShellScriptBin "gcloud-auth" ''
    set -xeuo pipefail
    ${pkgs.google-cloud-sdk}/bin/gcloud auth print-identity-token > /dev/null 2>&1 || \
    ${pkgs.google-cloud-sdk}/bin/gcloud auth login --quiet
    ${pkgs.google-cloud-sdk}/bin/gcloud auth application-default print-access-token > /dev/null 2>&1 || \
    ${pkgs.google-cloud-sdk}/bin/gcloud auth application-default login --quiet
  '')

  (pkgs.writeShellScriptBin "tofu-apply" ''
    set -xeuo pipefail
    ${pkgs.google-cloud-sdk}/bin/gcloud storage buckets describe \
      gs://fcuny-infra-tofu-state \
      --project=fcuny-infra \
      --quiet || \
    ${pkgs.google-cloud-sdk}/bin/gcloud storage buckets create \
      gs://fcuny-infra-tofu-state \
      --project=fcuny-infra \
      --uniform-bucket-level-access \
      --public-access-prevention \
      --location=us-west1 \
      --default-storage-class=STANDARD \
      --quiet

    TMPDIR=$(mktemp -d)
    trap 'rm -rf "$TMPDIR"' EXIT

    ${pkgs.coreutils}/bin/install -Dm 0644 ${
      import ../tofu/backups.nix {
        inherit
          pkgs
          ;
      }
    } "$TMPDIR/backups/backups.tf.json"

    ${pkgs.opentofu}/bin/tofu -chdir="$TMPDIR/backups" init
    ${pkgs.opentofu}/bin/tofu -chdir="$TMPDIR/backups" apply -auto-approve
  '')
]