diff --git a/modules/features/mtls.nix b/modules/features/mtls.nix
index cbc85e4..255c13e 100644
--- a/modules/features/mtls.nix
+++ b/modules/features/mtls.nix
@@ -96,32 +96,35 @@ let
 group, }: let
- catCmd = lib.getExe' pkgs.coreutils "cat";
- chownCmd = lib.getExe' pkgs.coreutils "chown";
- chmodCmd = lib.getExe' pkgs.coreutils "chmod";
- stepCmd = lib.getExe pkgs.step-cli;
 sanArgs = lib.concatMapStringsSep " " (s: "--san \"${s}\"") san;
 in
- pkgs.writeShellScriptBin "mtls-generate" ''
- set -euo pipefail
- ${stepCmd} ca certificate \
- ${subject} ${certFile} ${keyFile} \
- --not-before=-5m --not-after=${lifetime} \
- --provisioner ${provisioner} \
- ${sanArgs} \
- "$@"
- (umask 077; ${catCmd} ${certFile} ${keyFile} > ${bundleFile})
- ${chownCmd} ${user}:${group} ${certFile} ${keyFile} ${bundleFile}
- ${chmodCmd} 640 ${certFile} ${keyFile} ${bundleFile}
- printf '\033[32m✔\033[0m \033[1mmTLS Bundle:\033[0m %s\n' ${lib.escapeShellArg bundleFile}
- '';
+ pkgs.writeShellApplication {
+ name = "mtls-generate";
+ runtimeInputs = with pkgs; [ coreutils step-cli ];
+ text = ''
+ set -euo pipefail
+ step ca certificate ${subject} ${certFile} ${keyFile} \
+ --provisioner ${provisioner} \
+ --not-before=-5m --not-after=${lifetime} \
+ ${sanArgs} \
+ "$@"
+ (umask 077; cat ${certFile} ${keyFile} > ${bundleFile})
+ chown ${user}:${group} ${certFile} ${keyFile} ${bundleFile}
+ chmod 640 ${certFile} ${keyFile} ${bundleFile}
+ printf '\033[32m✔\033[0m \033[1mmTLS Bundle:\033[0m %s\n' ${lib.escapeShellArg bundleFile}
+ '';
+ };
- mkMtlsCheckScript = { pkgs, bundleFile }: pkgs.writeShellScriptBin "mtls-check" ''
- ${lib.getExe pkgs.openssl} x509 \
- -noout -subject -issuer \
- -ext subjectAltName,extendedKeyUsage \
- -enddate -in ${bundleFile}
- '';
+ mkMtlsCheckScript = { pkgs, bundleFile }: pkgs.writeShellApplication {
+ name = "mtls-check";
+ runtimeInputs = with pkgs; [ openssl ];
+ text = ''
+ openssl x509 -noout -in ${bundleFile} \
+ -subject -issuer \
+ -ext subjectAltName,extendedKeyUsage \
+ -enddate
+ '';
+ };
 mkMtlsRenewScript = { pkgs,
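Review bot: `subject`, `certFile`, `keyFile` and each `san` entry are spliced into the shell text without shell quoting (`step ca certificate ${subject} ${certFile} ${keyFile}` and `sanArgs` wrapping each value in bare double quotes), so a value containing whitespace, `"` or `$` is word-split or re-interpreted by bash, while the same script already uses `lib.escapeShellArg bundleFile` for the printf. Quote them all the same way: `sanArgs = lib.concatMapStringsSep " " (s: "--san ${lib.escapeShellArg s}") san;` and `step ca certificate ${lib.escapeShellArg subject} ${lib.escapeShellArg certFile} ${lib.escapeShellArg keyFile} \`, and likewise on the `cat`/`chown`/`chmod` lines and `mkMtlsCheckScript`'s `-in ${bundleFile}`. Since writeShellApplication already prepends `set -o errexit`, `set -o nounset` and `set -o pipefail` to its text, the explicit `set -euo pipefail` inside the new `mtls-generate` text is redundant and could be dropped. The enclosing function's parameter list begins before the hunk.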
@@ -129,12 +132,7 @@ let
 systemctlArgs ? [ ], }: let
- catCmd = lib.getExe' pkgs.coreutils "cat";
- echoCmd = lib.getExe' pkgs.coreutils "echo";
- chownCmd = lib.getExe' pkgs.coreutils "chown";
- chmodCmd = lib.getExe' pkgs.coreutils "chmod";
- stepCmd = lib.getExe pkgs.step-cli;
- systemctlCmd = "${lib.getExe' pkgs.systemd "systemctl"} ${lib.escapeShellArgs systemctlArgs}";
+ systemctlCmd = "systemctl ${lib.escapeShellArgs systemctlArgs}";
 hasReloadUnits = cfg.renew.reloadUnits != [ ];
 renewReloadScript = lib.concatMapStringsSep "\n" (unit: ''
@@ -148,7 +146,10 @@ let
 fileOwner = "${cfg.renew.user}:${cfg.renew.group}";
 in
- pkgs.writeShellScriptBin "mtls-renew" ''
+ pkgs.writeShellApplication {
+ name = "mtls-renew";
+ runtimeInputs = with pkgs; [ coreutils step-cli systemd ];
+ text = ''
 set -euo pipefail
 YELLOW_BANG="\e[33m!\e[0m"
@@ -161,33 +162,31 @@ let
 shift ;;
 *)
- ${echoCmd} -e "$YELLOW_BANG Warning: ignoring unrecognized argument '$1'"
+ echo -e "$YELLOW_BANG Warning: ignoring unrecognized argument '$1'"
 exit 1 ;;
 esac
 done
- if [[ $force -eq 0 ]] && ! ${stepCmd} certificate needs-renewal "${cfg.certFile}"; then
- ${echoCmd} "Skipping renew"
+ if [[ $force -eq 0 ]] && ! step certificate needs-renewal "${cfg.certFile}"; then
+ echo "Skipping renew"
 exit 0
 fi
- ${echoCmd} "Renewing mTLS certificate"
- ${stepCmd} ca renew --force "${cfg.certFile}" "${cfg.keyFile}"
- (umask 077; ${catCmd} "${cfg.certFile}" "${cfg.keyFile}" > "${cfg.bundleFile}")
- ${chownCmd} ${fileOwner} ${cfg.certFile} ${cfg.keyFile} ${cfg.bundleFile}
- ${chmodCmd} 640 ${cfg.certFile} ${cfg.keyFile} ${cfg.bundleFile}
+ echo "Renewing mTLS certificate"
+ step ca renew --force "${cfg.certFile}" "${cfg.keyFile}"
+ (umask 077; cat "${cfg.certFile}" "${cfg.keyFile}" > "${cfg.bundleFile}")
+ chown ${fileOwner} ${cfg.certFile} ${cfg.keyFile} ${cfg.bundleFile}
+ chmod 640 ${cfg.certFile} ${cfg.keyFile} ${cfg.bundleFile}
 ${lib.optionalString hasReloadUnits ''
- ${echoCmd} "Reloading units: ${lib.concatStringsSep ", " cfg.renew.reloadUnits}"
- ${renewReloadScript}
+ echo "Reloading units: ${lib.concatStringsSep ", " cfg.renew.reloadUnits}"
+ ${renewReloadScript}
 ''}
- ${lib.optionalString hasPostCommands ''
- ${echoCmd} "Post commands:"
- ${renewPostCommands}
- ''}
- '';
+ ${lib.optionalString hasPostCommands ''echo "Post commands:" ${renewPostCommands}''}
+ '';
+ };
 mkNixosMtlsRenewService = { pkgs, cfg, ... }: {
diff --git a/modules/features/shell-tools.nix b/modules/features/shell-tools.nix
index 7a1bf72..b2cbcbe 100644
--- a/modules/features/shell-tools.nix
+++ b/modules/features/shell-tools.nix
@@ -34,9 +34,7 @@
 xclip
 jq
 ripgrep
- (writeShellScriptBin "ds" ''
- ${lib.getExe pkgs.gdu} -x -I /snap /
- '')
+ (writeShellScriptBin "ds" ''${lib.getExe pkgs.gdu} -x -I /snap /'')
 ];
 };
 };
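Review bot: The new one-line form `${lib.optionalString hasPostCommands ''echo "Post commands:" ${renewPostCommands}''}` puts the expansion of `renewPostCommands` on the same shell line as the `echo`, so unless that string starts with a newline (its definition is outside the hunk) the first post-renew command is printed as arguments to echo instead of being executed, and whatever follows runs without the announced header. The removed lines kept the header and the commands on separate lines, as the reload block just above still does; the post-renew hook is typically what makes services pick up the freshly renewed certificate, so silently dropping its first command matters. Restore the multi-line layout as below. Separately, the new `chown`/`chmod` lines leave `${cfg.certFile}` and friends unquoted while the `step`/`cat` lines in the same hunk quote them; `lib.escapeShellArg` on all of them would make the script robust to paths with spaces. mkMtlsRenewScript's body begins before the hunk.
```nix
      # … unchanged: reload block ending in ''} …
      ${lib.optionalString hasPostCommands ''
        echo "Post commands:"
        ${renewPostCommands}
      ''}
    '';
```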