diff --git a/darwin-configuration.nix b/darwin-configuration.nix
index 6ec4286..8590caf 100644
--- a/darwin-configuration.nix
+++ b/darwin-configuration.nix
@@ -4,6 +4,8 @@
     ./nixops/modules/ofborg/module.nix
   ];
 
+  system.stateVersion = 5;
+
   nixpkgs.overlays = [
     (final: prev: {
       # https://github.com/NixOS/nixpkgs/pull/198306
@@ -18,7 +20,7 @@
   programs.zsh.enable = true;
   programs.zsh.enableCompletion = false;
   programs.bash.enable = true;
-  programs.bash.enableCompletion = false;
+  programs.bash.completion.enable = false;
 
   #services.activate-system.enable = true;
   services.ofborg.enable = true;
@@ -40,6 +42,7 @@
   # depending on what modules are enabled.
   users.knownGroups = [ "ofborg" ];
   users.knownUsers = [ "ofborg" ];
+  users.users.ofborg.home = "/private/var/lib/ofborg";
 
   services.nix-daemon.enable = true;
 
@@ -48,6 +51,9 @@
   };
 
   nix.package = pkgs.nix;
+  # bash doesn't export /run/current-system/sw/bin to $PATH,
+  # which we need for nix-store
+  users.users.root.shell = "/bin/zsh";
   nix.settings.max-jobs = 4;
   nix.settings.cores = 1;
   nix.gc.automatic = true;
diff --git a/flake.lock b/flake.lock
index 529116a..18f7f1c 100644
--- a/flake.lock
+++ b/flake.lock
@@ -32,11 +32,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1704277720,
-        "narHash": "sha256-meAKNgmh3goankLGWqqpw73pm9IvXjEENJloF0coskE=",
+        "lastModified": 1730184279,
+        "narHash": "sha256-6OB+WWR6gnaWiqSS28aMJypKeK7Pjc2Wm6L0MtOrTuA=",
         "owner": "LnL7",
         "repo": "nix-darwin",
-        "rev": "0dd382b70c351f528561f71a0a7df82c9d2be9a4",
+        "rev": "b379bd4d872d159e5189053ce9a4adf86d56db4b",
         "type": "github"
       },
       "original": {
diff --git a/update-macos.sh b/update-macos.sh
new file mode 100755
index 0000000..066ad23
--- /dev/null
+++ b/update-macos.sh
@@ -0,0 +1,51 @@
+#!/usr/bin/env nix
+#! nix shell --inputs-from .# nixpkgs#bashInteractive nixpkgs#openssh nixpkgs#nix nixpkgs#jq --command bash
+
+set -euo pipefail -x
+
+targets=(
+  root@208.83.1.145
+  root@208.83.1.173
+  root@208.83.1.181
+  root@208.83.1.186
+  root@208.83.1.175
+)
+
+path=$(nix flake metadata --json | jq -r '.path')
+
+SSHOPTS=(
+  "-o" "ControlMaster=auto"
+  "-o" "ControlPath=~/.ssh/cm-%r@%h:%p"
+  "-o" "ControlPersist=60m"
+)
+
+# Establish persistent connections
+for target in "${targets[@]}"; do
+  ssh "${SSHOPTS[@]}" -Nf "$target"
+done
+
+for target in "${targets[@]}"; do
+  NIX_SSHOPTS="${SSHOPTS[*]}" nix copy --to "ssh://$target" "$path"
+done
+
+declare -A builds
+for target in "${targets[@]}"; do
+  ssh "${SSHOPTS[@]}" "$target" "darwin-rebuild build -L --flake $path" &
+  builds["$target"]=$!
+done
+
+for target in "${!builds[@]}"; do
+  wait "${builds["$target"]}" || {
+    echo "Build failed on $target"
+    exit 1
+  }
+done
+
+for target in "${targets[@]}"; do
+  ssh "${SSHOPTS[@]}" "$target" "darwin-rebuild switch -L --flake $path"
+done
+
+# Close the persistent connections
+for target in "${targets[@]}"; do
+  ssh "${SSHOPTS[@]}" -O exit "$target"
+done