diff --git a/README.md b/README.md
index 8c83e2e8..78cf5ed5 100644
--- a/README.md
+++ b/README.md
@@ -118,6 +118,14 @@ nix build c3d2#nixosConfigurations.dhcp.config.system.build.tarball
 nixos-rebuild switch -I nixos-config=./hosts/containers/$HOST/configuration.nix --target-host "root@$HOST.hq.c3d2.de"
 ```
 
+## Checking for updates
+
+```shell
+nix run .#list-upgradable
+```
+
+Checks all hosts in the `hostRegistry.nix` that have a `system` defined.
+
 # Secrets
 
 Add your gpg-id to the .gpg-id file in secrets and let somebody reencrypt it for you.
diff --git a/flake.nix b/flake.nix
index 04744bfc..e8948cad 100644
--- a/flake.nix
+++ b/flake.nix
@@ -101,6 +101,32 @@
         in {
           inherit (pkgs) bmxd;
 
+          list-upgradable = pkgs.writeScriptBin "list-upgradable" ''
+            #! ${pkgs.runtimeShell}
+
+            NORMAL="\033[0m"
+            RED="\033[0;31m"
+            YELLOW="\033[0;33m"
+            GREEN="\033[0;32m"
+
+            ${pkgs.lib.concatMapStringsSep "\n" (name:
+              let
+                addr = getHostAddr name;
+              in nixpkgs.lib.optionalString (addr != null) ''
+                echo -n -e "${name}: $RED"
+                RUNNING=$(ssh -o PreferredAuthentications=publickey -o StrictHostKeyChecking=accept-new root@"${addr}" "readlink /run/current-system")
+                if [ $? = 0 ]; then
+                  CURRENT=$(nix eval --raw ".#nixosConfigurations.${name}.config.system.build.toplevel" 2>/dev/null)
+
+                  if [ "$RUNNING" = "$CURRENT" ]; then
+                    echo -e "$GREEN"current
+                  else
+                    echo -e "$YELLOW"outdated
+                  fi
+                fi
+                echo -n -e "$NORMAL"
+              '') (builtins.attrNames flakifiedHosts)}
+          '';
         } //
 
         builtins.foldl' (result: host: result // {