diff --git a/hosts/common/home/keyring/default.nix b/hosts/common/home/keyring/default.nix
index 7b4047a8..222a91f6 100644
--- a/hosts/common/home/keyring/default.nix
+++ b/hosts/common/home/keyring/default.nix
@@ -1,10 +1,16 @@
-{ config, sane-lib, ... }:
+{ config, pkgs, sane-lib, ... }:
+let
+ init-keyring = pkgs.static-nix-shell.mkBash {
+ pname = "init-keyring";
+ src = ./.;
+ };
+in
 {
 sane.user.persist.private = [ ".local/share/keyrings" ];
 sane.user.fs."private/.local/share/keyrings/default" = {
- generated.script.script = builtins.readFile ./init-keyring;
+ generated.script.script = "${init-keyring}/bin/init-keyring";
 # TODO: is this `wantedBy` needed? can we inherit it?
 wantedBy = [ config.sane.fs."/home/colin/private".unit ];
 wantedBeforeBy = [ ]; # don't created this as part of `multi-user.target`
diff --git a/hosts/common/home/keyring/init-keyring b/hosts/common/home/keyring/init-keyring
index 5fb3d617..b294d744 100755
--- a/hosts/common/home/keyring/init-keyring
+++ b/hosts/common/home/keyring/init-keyring
@@ -1,4 +1,5 @@
-#!/bin/sh
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash
 # initializes the default libsecret keyring (used by gnome-keyring) if not already initialized.
 # this initializes it to be plaintext/unencrypted.
diff --git a/hosts/modules/default.nix b/hosts/modules/default.nix
index 04ade51b..8e3a6d99 100644
--- a/hosts/modules/default.nix
+++ b/hosts/modules/default.nix
@@ -2,7 +2,7 @@
 {
 imports = [
- ./derived-secrets.nix
+ ./derived-secrets
 ./gui
 ./hardware
 ./hostnames.nix
diff --git a/hosts/modules/derived-secrets.nix b/hosts/modules/derived-secrets/default.nix
similarity index 74%
rename from hosts/modules/derived-secrets.nix
rename to hosts/modules/derived-secrets/default.nix
index ba53862d..31c6552f 100644
--- a/hosts/modules/derived-secrets.nix
+++ b/hosts/modules/derived-secrets/default.nix
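Review bot: The new `generated.script.script = "${init-keyring}/bin/init-keyring";` drops the `"$@"` that every other call site in this commit appends (`''${x}/bin/x "$@"''` in derived-secrets, bluetooth-pairings, wifi-pairings and crypt.nix), so whatever sane.fs passes as script arguments never reaches init-keyring. Whether this attribute has any `scriptArgs` is not visible in the hunk, but the old `builtins.readFile` form would have seen them as `$1`, `$2`, … while the wrapper form silently discards them, and a script that creates `keyrings/default` is likely to want the target path. Suggest `generated.script.script = ''${init-keyring}/bin/init-keyring "$@"'';` so the three mkBash-wrapped call sites behave the same way. The enclosing attribute set closes after the hunk's last context line.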
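Review bot: The comment `# this initializes it to be plaintext/unencrypted.` records the decision but not why it is acceptable, and now that the script is a self-contained `mkBash` derivation a reader of the store path has no surrounding Nix to infer it from. Suggest extending it with the rationale and the dependency it creates, e.g. `# plaintext is deliberate: with no keyring password there is nothing to prompt for at login, and on-disk confidentiality is delegated to the store holding ~/.local/share/keyrings (declared as sane.user.persist.private in default.nix) — revisit if that store ever stops being encrypted at rest.` That the `private` store is encrypted at rest is my inference from crypt.nix's gocryptfs setup elsewhere in this commit, not something this hunk shows, so confirm before wording it as fact.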
@@ -1,8 +1,14 @@
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 let
 inherit (builtins) toString;
 inherit (lib) mapAttrs mkOption types;
+
+ hash-path-with-salt = pkgs.static-nix-shell.mkBash {
+ pname = "hash-path-with-salt";
+ src = ./.;
+ };
+
 cfg = config.sane.derived-secrets;
 secret = types.submodule {
 options = {
@@ -31,15 +37,7 @@ in
 config = {
 sane.fs = mapAttrs (path: c: {
- generated.script.script = ''
- echo "$1" | cat /dev/stdin /etc/ssh/host_keys/ssh_host_ed25519_key \
- | sha512sum \
- | cut -c 1-${toString (c.len * 2)} \
- | tr a-z A-Z \
- | basenc -d --base16 \
- | basenc --${c.encoding} \
- > "$1"
- '';
+ generated.script.script = ''${hash-path-with-salt}/bin/hash-path-with-salt "$@"'';
 generated.script.scriptArgs = [ path ];
 generated.acl.mode = "0600";
 }) cfg;
diff --git a/hosts/modules/derived-secrets/hash-path-with-salt b/hosts/modules/derived-secrets/hash-path-with-salt
new file mode 100755
index 00000000..0b41f626
--- /dev/null
+++ b/hosts/modules/derived-secrets/hash-path-with-salt
@@ -0,0 +1,9 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash
+echo "$1" | cat /dev/stdin /etc/ssh/host_keys/ssh_host_ed25519_key \
+ | sha512sum \
+ | cut -c 1-${toString (c.len * 2)} \
+ | tr a-z A-Z \
+ | basenc -d --base16 \
+ | basenc --${c.encoding} \
+ > "$1"
diff --git a/hosts/modules/roles/client/bluetooth-pairings.nix b/hosts/modules/roles/client/bluetooth-pairings.nix
index dfbd138a..97f1e6aa 100644
--- a/hosts/modules/roles/client/bluetooth-pairings.nix
+++ b/hosts/modules/roles/client/bluetooth-pairings.nix
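Review bot: `generated.script.scriptArgs = [ path ];` still passes only the target path, but the per-secret `c.len` and `c.encoding` that the removed inline script interpolated are no longer delivered to `hash-path-with-salt` anywhere — the standalone script has no access to the Nix `c` binding. Pass them positionally alongside the path, `generated.script.scriptArgs = [ path (toString (c.len * 2)) c.encoding ];`, and have the script read them as `$2`/`$3`. Until both halves land, no derived secret can be produced with its configured length or encoding. The `mapAttrs` body is entirely within the hunk; the surrounding `config = { … }` closes outside it.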
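Review bot: Lines 5 and 8 still contain the Nix interpolations `${toString (c.len * 2)}` and `${c.encoding}` copied out of the old `''…''` string; in a standalone bash script these are parameter expansions of invalid names and bash aborts with "bad substitution" before writing anything, so no derived secret is ever generated. The script also has no `set -euo pipefail`: without it a missing or unreadable `/etc/ssh/host_keys/ssh_host_ed25519_key` makes `cat` fail but the pipeline continues, and `> "$1"` is filled with a hash of the public path string alone — a predictable value that then sits in a file sane.fs treats as a finished 0600 secret and never regenerates. The shell redirect also creates the file under the caller's umask before `acl.mode = "0600"` is (presumably) applied by sane.fs, so a `umask 077` closes that window. Take the hex length and encoding as positional arguments (the Nix side must pass them) and fail closed on any pipeline error.
```shell
# … unchanged: nix-shell shebang lines …
# usage: hash-path-with-salt <out-path> <hex-digits> <basenc-encoding>
# derives a secret from the host's ed25519 private key, using the output
# path as a domain separator; exits non-zero (and writes nothing) if any
# stage fails, e.g. the host key is unreadable.
set -euo pipefail
umask 077
out="$1"; hexlen="$2"; encoding="$3"
echo "$out" | cat /dev/stdin /etc/ssh/host_keys/ssh_host_ed25519_key \
  | sha512sum \
  | cut -c 1-"$hexlen" \
  | tr a-z A-Z \
  | basenc -d --base16 \
  | basenc --"$encoding" \
  > "$out"
```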
@@ -15,11 +15,8 @@ in
 sane.fs."/var/lib/bluetooth".generated.acl.mode = "0700";
 sane.fs."/var/lib/bluetooth/.secrets.stamp" = {
 wantedBeforeBy = [ "bluetooth.service" ];
- generated.script.script = ''
- ${install-bluetooth}/bin/install-bluetooth $@
- touch "/var/lib/bluetooth/.secrets.stamp"
- '';
- generated.script.scriptArgs = [ "/run/secrets/bt" ];
+ generated.script.script = ''${install-bluetooth}/bin/install-bluetooth "$@"'';
+ generated.script.scriptArgs = [ "/run/secrets/bt" "" "/var/lib/bluetooth/.secrets.stamp" ];
 };
 };
 }
diff --git a/hosts/modules/roles/client/install-bluetooth b/hosts/modules/roles/client/install-bluetooth
index 6b079916..764bdef2 100755
--- a/hosts/modules/roles/client/install-bluetooth
+++ b/hosts/modules/roles/client/install-bluetooth
@@ -12,6 +12,7 @@
 srcdir="$1"
 destdir="$2"
+stamp="$3"
 if [ "x$destdir" = "x" ]
 then
@@ -36,3 +37,8 @@ do
 touch "$condir/attributes"
 fi
 done
+
+if [ "x$stamp" != "x" ]
+then
+ touch "$stamp"
+fi
diff --git a/hosts/modules/roles/client/install-iwd b/hosts/modules/roles/client/install-iwd
index 7f3361b0..e7b3ae1f 100755
--- a/hosts/modules/roles/client/install-iwd
+++ b/hosts/modules/roles/client/install-iwd
@@ -10,6 +10,7 @@
 src_dir="$1"
 dest_dir="$2"
+stamp="$3"
 for f in $(ls "$src_dir")
 do
 if [ -f "$src_dir/$f" ]; then
@@ -21,3 +22,4 @@ do
 chmod 600 "$dest_dir/$ssid.psk"
 fi
 done
+touch "$stamp"
diff --git a/hosts/modules/roles/client/wifi-pairings.nix b/hosts/modules/roles/client/wifi-pairings.nix
index 6623a8e4..8931e08d 100644
--- a/hosts/modules/roles/client/wifi-pairings.nix
+++ b/hosts/modules/roles/client/wifi-pairings.nix
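Review bot: The `""` in second position of `generated.script.scriptArgs = [ "/run/secrets/bt" "" "/var/lib/bluetooth/.secrets.stamp" ];` is a positional sentinel meaning "let install-bluetooth pick destdir", which nothing at the call site explains and which breaks silently if the script ever stops special-casing an empty `$2`. Either pass the destination explicitly (the file manages `/var/lib/bluetooth` two lines up, so that is the obvious candidate, though the script's actual default lies outside this hunk — confirm) or add a trailing comment such as `# "" → install-bluetooth's default destdir`. Binding the stamp path once in the file's existing `let … in` (the hunk's function context is that `in`) would also stop the attribute name and the third argument from drifting apart.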
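Review bot: `touch "$stamp"` runs after the loop regardless of what happened inside it, so unless the script enables `set -e` above the hunk (not visible here) a failed copy or `touch "$condir/attributes"` still produces the stamp, and because sane.fs only generates `/var/lib/bluetooth/.secrets.stamp` when it is missing, a half-installed set of pairing secrets is never retried. Moving the stamp into the script is the right direction, but it should be the last step of a script that fails closed: add `set -eu` near the top of the file, or only touch the stamp when the loop completed without error. The `for … do` loop that this hunk's `done` closes starts outside the hunk.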
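Review bot: The new `touch "$stamp"` is unconditional, unlike the `if [ "x$stamp" != "x" ]` guard install-bluetooth gains in this same commit, so invoking install-iwd with only two arguments now fails with `touch: cannot touch '': No such file or directory` after the PSKs have already been written. Mirror the guard: `if [ "x$stamp" != "x" ]; then touch "$stamp"; fi`. As with install-bluetooth, the stamp is written even if an earlier `chmod 600` or copy failed unless `set -e` is enabled above the hunk (not visible), so a partially installed set of PSKs would not be retried; the `for` loop that `done` closes starts outside the hunk.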
@@ -12,11 +12,8 @@ in
 sane.fs."/var/lib/iwd/.secrets.psk.stamp" = {
 wantedBeforeBy = [ "iwd.service" ];
 generated.acl.mode = "0600";
- generated.script.script = ''
- ${install-iwd}/bin/install-iwd $@
- touch "/var/lib/iwd/.secrets.psk.stamp"
- '';
- generated.script.scriptArgs = [ "/run/secrets/net" "/var/lib/iwd" ];
+ generated.script.script = ''${install-iwd}/bin/install-iwd "$@"'';
+ generated.script.scriptArgs = [ "/run/secrets/net" "/var/lib/iwd" "/var/lib/iwd/.secrets.psk.stamp" ];
 };
 };
 }
diff --git a/modules/persist/stores/crypt.nix b/modules/persist/stores/crypt.nix
index 24af5f38..b785bfff 100644
--- a/modules/persist/stores/crypt.nix
+++ b/modules/persist/stores/crypt.nix
@@ -41,8 +41,8 @@ lib.mkIf config.sane.persist.enable
 # let sane.fs know how to initialize the gocryptfs store,
 # and that it MUST do so
- sane.fs."${underlying}/gocryptfs.conf".generated = {
- script.script = ''
+ sane.fs."${underlying}/gocryptfs.conf".generated = let
+ script = pkgs.writeShellScript "init-gocryptfs-store" ''
 backing="$1"
 passfile="$2"
 # clear the backing store
@@ -50,16 +50,20 @@ lib.mkIf config.sane.persist.enable
 rm -rf "''${backing:?}"/*
 ${pkgs.gocryptfs}/bin/gocryptfs -quiet -passfile "$passfile" -init "$backing"
 '';
+ in {
+ script.script = ''${script} "$@"'';
 script.scriptArgs = [ underlying key ];
 # we need the key in order to initialize the store
 depends = [ config.sane.fs."${key}".unit ];
 };
 # let sane.fs know how to generate the key for gocryptfs
- sane.fs."${key}".generated = {
- script.script = ''
+ sane.fs."${key}".generated = let
+ script = pkgs.writeShellScript "gen-random-gocryptfs-key" ''
 dd if=/dev/random bs=128 count=1 | base64 --wrap=0 > "$1"
 '';
+ in {
+ script.script = ''${script} "$@"'';
 script.scriptArgs = [ key ];
 # no need for anyone else to be able to read the key
 acl.mode = "0400";
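Review bot: `/var/lib/iwd/.secrets.psk.stamp` now appears twice — as the `sane.fs` attribute name and as the third `scriptArgs` entry — so a future rename has to be made in both places or the unit will wait for a file install-iwd never creates. Bind it once in the file's existing `let … in` (the hunk's function context is that `in`), e.g. `stamp = "/var/lib/iwd/.secrets.psk.stamp";` and then `sane.fs."${stamp}" = { … generated.script.scriptArgs = [ "/run/secrets/net" "/var/lib/iwd" stamp ]; };`. A `#` note on `generated.acl.mode = "0600";` would also help: the stamp is created by install-iwd's `touch` and the mode is presumably applied afterwards by sane.fs, so it protects only an empty marker file — the PSKs themselves get their `chmod 600` inside the script.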
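Review bot: `pkgs.writeShellScript` emits a bare `#!/bin/bash` header with no `set -e`, `-u` or `pipefail` (unlike `writeShellApplication`), so the init script's error handling is now exactly what its body says, and the body guards only `backing` (`"''${backing:?}"` in the following hunk) — `passfile="$2"` is unguarded, so a missing second argument still reaches `rm -rf` of the backing store before gocryptfs fails on `-passfile ""`. Suggest `backing="''${1:?}"` and `passfile="''${2:?}"` plus `set -euo pipefail` as the first line of the script so the destructive step never runs on half-validated input. The script body continues in the next hunk.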
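Review bot: `dd if=/dev/random bs=128 count=1 | base64 --wrap=0 > "$1"` runs without `pipefail` (writeShellScript adds none), so if `dd` fails the pipeline still exits 0, an empty key file is written, the init script runs `gocryptfs -init` against it, and sane.fs never regenerates a file that now exists. `dd … count=1` without `iflag=fullblock` may also return fewer than 128 bytes on a short read, and the shell redirect creates the file under the script's umask before `acl.mode = "0400"` is (presumably) applied by sane.fs. Suggest `set -euo pipefail`, `umask 077`, and `head -c 128 /dev/random | base64 --wrap=0 > "$1"`, which always requests the full length and never leaves the key world-readable, even briefly. The enclosing `sane.fs."${key}".generated = let … in { … }` closes after the hunk.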