{
  build,
  config,
  hostName,
  lib,
  nixpkgsPath,
  profile,
  writeShellApplication,
  coreutils,
  nix,
  systemd,
}:
writeShellApplication {
  name = "${hostName}-switch";
  runtimeInputs = [
    coreutils
  ];
  text = ''
    # shellcheck disable=SC2027
    # shellcheck disable=SC2035
    # shellcheck disable=SC2086
    set -eux
    shopt -s globstar

    chmod -R g-rwx,o-rwx ./**/*.gpg
    trap 'git reset ./**/*.gpg' EXIT
    git rm -rf --cached --ignore-unmatch ./**/*.gpg # prevent copying to /nix/store

    nix-store --add-root hosts/${hostName}.nixpkgs --indirect --realise ${nixpkgsPath}
    nix-store --add-root hosts/${hostName}.root --indirect --realise ${build.toplevel}

    nix copy --to ssh://${config.install.target}"?''${targetStore-}"${lib.optionalString config.install.substituteOnDestination " --substitute-on-destination"} ${build.toplevel}

    if ssh ${config.install.target} set -x ';' \
      systemctl reset-failed nixos-fallback '2>/dev/null' ';' \
      test "''${NO_NIXOS_FALLBACK:+set}" '||' \
      systemd-run -u nixos-fallback --description=nixos-fallback /bin/sh -xc '''\'''
        PATH=${
          lib.makeBinPath [
            coreutils
            nix
            systemd
          ]
        }
        sleep $((10 * 60))
        ${profile}/bin/switch-to-configuration switch
        systemctl reboot
      '\'''' '&&' \
      ${build.toplevel}/bin/switch-to-configuration test
    then
      ssh ${config.install.target} -o ControlPath=none set -x ';' \
        systemctl stop nixos-fallback.service ';' \
        nix-env --profile ${profile} --set '${build.toplevel}' ';' \
        ${build.toplevel}/bin/switch-to-configuration boot '&&' \
        nix-env --delete-generations 7d --profile ${profile}
    else
      tput rev
      echo WARNING: switch-to-configuration was not registered at boot
      tput sgr0
      ssh ${config.install.target} -o ControlPath=none set -x ';' \
        systemctl stop nixos-fallback.service
      false
    fi
  '';
}