diff --git a/pkgs/applications/networking/cluster/fluxcd/default.nix b/pkgs/applications/networking/cluster/fluxcd/default.nix
index ea59b5ecf280..a33c261bf245 100644
--- a/pkgs/applications/networking/cluster/fluxcd/default.nix
+++ b/pkgs/applications/networking/cluster/fluxcd/default.nix
@@ -2,24 +2,25 @@
 
 let
   version = "0.17.2";
+  sha256 = "0kcdx4ldnshk4pqq37a7p08xr5cpsjrbrifk9fc3jbiw39m09mhf";
+  manifestsSha256 = "1v6md4xh4sq1vmb5a8qvb66l101fq75lmv2s4j2z3walssb5mmgj";
 
   manifests = fetchzip {
     url = "https://github.com/fluxcd/flux2/releases/download/v${version}/manifests.tar.gz";
-    sha256 = "1v6md4xh4sq1vmb5a8qvb66l101fq75lmv2s4j2z3walssb5mmgj";
+    sha256 = manifestsSha256;
     stripRoot = false;
   };
 in
 
 buildGoModule rec {
-  inherit version;
-
   pname = "fluxcd";
+  inherit version;
 
   src = fetchFromGitHub {
     owner = "fluxcd";
     repo = "flux2";
     rev = "v${version}";
-    sha256 = "0kcdx4ldnshk4pqq37a7p08xr5cpsjrbrifk9fc3jbiw39m09mhf";
+    inherit sha256;
   };
 
   vendorSha256 = "sha256-glifJ0V3RwS7E6EWZsCa88m0MK883RhPSXCsAmMggVs=";
@@ -50,6 +51,8 @@ buildGoModule rec {
     done
   '';
 
+  passthru.updateScript = ./update.sh;
+
   meta = with lib; {
     description = "Open and extensible continuous delivery solution for Kubernetes";
     longDescription = ''
diff --git a/pkgs/applications/networking/cluster/fluxcd/update.sh b/pkgs/applications/networking/cluster/fluxcd/update.sh
new file mode 100755
index 000000000000..f463370e669a
--- /dev/null
+++ b/pkgs/applications/networking/cluster/fluxcd/update.sh
@@ -0,0 +1,31 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p curl gnugrep gnused jq
+
+set -eu -o pipefail
+
+cd $(dirname "${BASH_SOURCE[0]}")
+
+TAG=$(curl ${GITHUB_TOKEN:+" -u \":$GITHUB_TOKEN\""} --silent https://api.github.com/repos/fluxcd/flux2/releases/latest | jq -r '.tag_name')
+
+VERSION=$(echo ${TAG} | sed 's/^v//')
+
+SHA256=$(nix-prefetch-url --quiet --unpack https://github.com/fluxcd/flux2/archive/refs/tags/${TAG}.tar.gz)
+
+SPEC_SHA256=$(nix-prefetch-url --quiet --unpack https://github.com/fluxcd/flux2/releases/download/${TAG}/manifests.tar.gz)
+
+setKV () {
+  sed -i "s/$1 = \".*\"/$1 = \"$2\"/" ./default.nix
+}
+
+setKV version ${VERSION}
+setKV sha256 ${SHA256}
+setKV manifestsSha256 ${SPEC_SHA256}
+setKV vendorSha256 ""
+
+cd ../../../../../
+set +e
+VENDOR_SHA256=$(nix-build --no-out-link -A fluxcd 2>&1 | grep "got:" | cut -d':' -f2 | sed 's/ //g')
+set -e
+
+cd - > /dev/null
+setKV vendorSha256 ${VENDOR_SHA256}