diff --git a/doc/build-helpers/trivial-build-helpers.chapter.md b/doc/build-helpers/trivial-build-helpers.chapter.md
index 8af68845202f..31b42bd77426 100644
--- a/doc/build-helpers/trivial-build-helpers.chapter.md
+++ b/doc/build-helpers/trivial-build-helpers.chapter.md
@@ -533,7 +533,6 @@ writeScript "my-file"
   Contents of File
   ''
 ```
-:::
 
 This is equivalent to:
 
@@ -546,6 +545,7 @@ writeTextFile {
   executable = true;
 }
 ```
+:::
 
 ### `writeScriptBin` {#trivial-builder-writeScriptBin}
 
diff --git a/maintainers/maintainer-list.nix b/maintainers/maintainer-list.nix
index b424321e6436..40b7cedf55bc 100644
--- a/maintainers/maintainer-list.nix
+++ b/maintainers/maintainer-list.nix
@@ -13173,6 +13173,13 @@
     githubId = 191622;
     name = "Denys Pavlov";
   };
+  meator = {
+    email = "meator.dev@gmail.com";
+    github = "meator";
+    githubId = 67633081;
+    name = "meator";
+    keys = [ { fingerprint = "7B0F 58A5 E0F1 A2EA 1157  8A73 1A14 CB34 64CB E5BF"; } ];
+  };
   meditans = {
     email = "meditans@gmail.com";
     github = "meditans";
diff --git a/nixos/doc/manual/release-notes/rl-2411.section.md b/nixos/doc/manual/release-notes/rl-2411.section.md
index 72afefaa963b..4bc221f10d75 100644
--- a/nixos/doc/manual/release-notes/rl-2411.section.md
+++ b/nixos/doc/manual/release-notes/rl-2411.section.md
@@ -43,6 +43,8 @@
 
 - [Flood](https://flood.js.org/), a beautiful WebUI for various torrent clients. Available as [services.flood](options.html#opt-services.flood).
 
+- [Firefly-iii Data Importer](https://github.com/firefly-iii/data-importer), a data importer for Firefly-III. Available as [services.firefly-iii-data-importer](options.html#opt-services.firefly-iii-data-importer)
+
 - [QGroundControl], a ground station support and configuration manager for the PX4 and APM Flight Stacks. Available as [programs.qgroundcontrol](options.html#opt-programs.qgroundcontrol.enable).
 
 - [Eintopf](https://eintopf.info), community event and calendar web application. Available as [services.eintopf](options.html#opt-services.eintopf).
diff --git a/nixos/lib/make-ext4-fs.nix b/nixos/lib/make-ext4-fs.nix
index b8e1b8d24c48..8afc5555ced4 100644
--- a/nixos/lib/make-ext4-fs.nix
+++ b/nixos/lib/make-ext4-fs.nix
@@ -58,10 +58,18 @@ pkgs.stdenv.mkDerivation {
       # Make a crude approximation of the size of the target image.
       # If the script starts failing, increase the fudge factors here.
       numInodes=$(find ./rootImage | wc -l)
-      numDataBlocks=$(du -s -c -B 4096 --apparent-size ./rootImage | tail -1 | awk '{ print int($1 * 1.10) }')
+      numDataBlocks=$(du -s -c -B 4096 --apparent-size ./rootImage | tail -1 | awk '{ print int($1 * 1.20) }')
       bytes=$((2 * 4096 * $numInodes + 4096 * $numDataBlocks))
       echo "Creating an EXT4 image of $bytes bytes (numInodes=$numInodes, numDataBlocks=$numDataBlocks)"
 
+      mebibyte=$(( 1024 * 1024 ))
+      # Round up to the nearest mebibyte.
+      # This ensures whole 512 bytes sector sizes in the disk image
+      # and helps towards aligning partitions optimally.
+      if (( bytes % mebibyte )); then
+        bytes=$(( ( bytes / mebibyte + 1) * mebibyte ))
+      fi
+
       truncate -s $bytes $img
 
       faketime -f "1970-01-01 00:00:01" fakeroot mkfs.ext4 -L ${volumeLabel} -U ${uuid} -d ./rootImage $img
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index b429d8709b7a..d66a7d6b9737 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -286,6 +286,7 @@
   ./programs/ssh.nix
   ./programs/starship.nix
   ./programs/steam.nix
+  ./programs/streamcontroller.nix
   ./programs/streamdeck-ui.nix
   ./programs/sysdig.nix
   ./programs/system-config-printer.nix
@@ -1401,6 +1402,7 @@
   ./services/web-apps/ethercalc.nix
   ./services/web-apps/filesender.nix
   ./services/web-apps/firefly-iii.nix
+  ./services/web-apps/firefly-iii-data-importer.nix
   ./services/web-apps/flarum.nix
   ./services/web-apps/fluidd.nix
   ./services/web-apps/freshrss.nix
diff --git a/nixos/modules/programs/streamcontroller.nix b/nixos/modules/programs/streamcontroller.nix
new file mode 100644
index 000000000000..2f85d37625c8
--- /dev/null
+++ b/nixos/modules/programs/streamcontroller.nix
@@ -0,0 +1,22 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.programs.streamcontroller;
+in
+{
+  options.programs.streamcontroller = {
+    enable = lib.mkEnableOption "StreamController";
+    package = lib.mkPackageOption pkgs "streamcontroller" { default = [ "streamcontroller" ]; };
+  };
+
+  config = lib.mkIf cfg.enable {
+    environment.systemPackages = [ cfg.package ];
+    services.udev.packages = [ cfg.package ];
+  };
+
+  meta.maintainers = with lib.maintainers; [ sifmelcara ];
+}
diff --git a/nixos/modules/services/networking/wstunnel.nix b/nixos/modules/services/networking/wstunnel.nix
index 439e1f8ea9b5..941e3e7366de 100644
--- a/nixos/modules/services/networking/wstunnel.nix
+++ b/nixos/modules/services/networking/wstunnel.nix
@@ -1,7 +1,8 @@
-{ config
-, lib
-, pkgs
-, ...
+{
+  config,
+  lib,
+  pkgs,
+  ...
 }:
 
 let
@@ -29,10 +30,9 @@ let
 
     package = lib.mkPackageOption pkgs "wstunnel" { };
 
-    autoStart =
-      lib.mkEnableOption "starting this wstunnel instance automatically" // {
-        default = true;
-      };
+    autoStart = lib.mkEnableOption "starting this wstunnel instance automatically" // {
+      default = true;
+    };
 
     extraArgs = lib.mkOption {
       description = ''
@@ -75,192 +75,198 @@ let
     };
   };
 
-  serverSubmodule = { config, ... }: {
-    options = commonOptions // {
-      listen = lib.mkOption {
-        description = ''
-          Address and port to listen on.
-          Setting the port to a value below 1024 will also give the process
-          the required `CAP_NET_BIND_SERVICE` capability.
-        '';
-        type = lib.types.submodule hostPortSubmodule;
-        default = {
-          host = "0.0.0.0";
-          port = if config.enableHTTPS then 443 else 80;
-        };
-        defaultText = lib.literalExpression ''
-          {
+  serverSubmodule =
+    { config, ... }:
+    {
+      options = commonOptions // {
+        listen = lib.mkOption {
+          description = ''
+            Address and port to listen on.
+            Setting the port to a value below 1024 will also give the process
+            the required `CAP_NET_BIND_SERVICE` capability.
+          '';
+          type = lib.types.submodule hostPortSubmodule;
+          default = {
             host = "0.0.0.0";
-            port = if enableHTTPS then 443 else 80;
-          }
-        '';
-      };
+            port = if config.enableHTTPS then 443 else 80;
+          };
+          defaultText = lib.literalExpression ''
+            {
+              host = "0.0.0.0";
+              port = if enableHTTPS then 443 else 80;
+            }
+          '';
+        };
 
-      restrictTo = lib.mkOption {
-        description = ''
-          Accepted traffic will be forwarded only to this service.
-        '';
-        type = lib.types.listOf (lib.types.submodule hostPortSubmodule);
-        default = [ ];
-        example = [{
-          host = "127.0.0.1";
-          port = 51820;
-        }];
-      };
+        restrictTo = lib.mkOption {
+          description = ''
+            Accepted traffic will be forwarded only to this service.
+          '';
+          type = lib.types.listOf (lib.types.submodule hostPortSubmodule);
+          default = [ ];
+          example = [
+            {
+              host = "127.0.0.1";
+              port = 51820;
+            }
+          ];
+        };
 
-      enableHTTPS = lib.mkOption {
-        description = "Use HTTPS for the tunnel server.";
-        type = lib.types.bool;
-        default = true;
-      };
+        enableHTTPS = lib.mkOption {
+          description = "Use HTTPS for the tunnel server.";
+          type = lib.types.bool;
+          default = true;
+        };
 
-      tlsCertificate = lib.mkOption {
-        description = ''
-          TLS certificate to use instead of the hardcoded one in case of HTTPS connections.
-          Use together with `tlsKey`.
-        '';
-        type = lib.types.nullOr lib.types.path;
-        default = null;
-        example = "/var/lib/secrets/cert.pem";
-      };
+        tlsCertificate = lib.mkOption {
+          description = ''
+            TLS certificate to use instead of the hardcoded one in case of HTTPS connections.
+            Use together with `tlsKey`.
+          '';
+          type = lib.types.nullOr lib.types.path;
+          default = null;
+          example = "/var/lib/secrets/cert.pem";
+        };
 
-      tlsKey = lib.mkOption {
-        description = ''
-          TLS key to use instead of the hardcoded on in case of HTTPS connections.
-          Use together with `tlsCertificate`.
-        '';
-        type = lib.types.nullOr lib.types.path;
-        default = null;
-        example = "/var/lib/secrets/key.pem";
-      };
+        tlsKey = lib.mkOption {
+          description = ''
+            TLS key to use instead of the hardcoded on in case of HTTPS connections.
+            Use together with `tlsCertificate`.
+          '';
+          type = lib.types.nullOr lib.types.path;
+          default = null;
+          example = "/var/lib/secrets/key.pem";
+        };
 
-      useACMEHost = lib.mkOption {
-        description = ''
-          Use a certificate generated by the NixOS ACME module for the given host.
-          Note that this will not generate a new certificate - you will need to do so with `security.acme.certs`.
-        '';
-        type = lib.types.nullOr lib.types.str;
-        default = null;
-        example = "example.com";
-      };
-    };
-  };
-
-  clientSubmodule = { config, ... }: {
-    options = commonOptions // {
-      connectTo = lib.mkOption {
-        description = "Server address and port to connect to.";
-        type = lib.types.str;
-        example = "https://wstunnel.server.com:8443";
-      };
-
-      localToRemote = lib.mkOption {
-        description = ''Listen on local and forwards traffic from remote.'';
-        type = lib.types.listOf (lib.types.str);
-        default = [ ];
-        example = [
-          "tcp://1212:google.com:443"
-          "unix:///tmp/wstunnel.sock:g.com:443"
-        ];
-      };
-
-      remoteToLocal = lib.mkOption {
-        description = "Listen on remote and forwards traffic from local. Only tcp is supported";
-        type = lib.types.listOf lib.types.str;
-        default = [ ];
-        example = [
-          "tcp://1212:google.com:443"
-          "unix://wstunnel.sock:g.com:443"
-        ];
-      };
-
-      addNetBind = lib.mkEnableOption "Whether add CAP_NET_BIND_SERVICE to the tunnel service, this should be enabled if you want to bind port < 1024";
-
-      httpProxy = lib.mkOption {
-        description = ''
-          Proxy to use to connect to the wstunnel server (`USER:PASS@HOST:PORT`).
-
-          ::: {.warning}
-          Passwords specified here will be world-readable in the Nix store!
-          To pass a password to the service, point the `environmentFile` option
-          to a file containing `PROXY_PASSWORD=<your-password-here>` and set
-          this option to `<user>:$PROXY_PASSWORD@<host>:<port>`.
-          Note however that this will also locally leak the passwords at
-          runtime via e.g. /proc/<pid>/cmdline.
-          :::
-        '';
-        type = lib.types.nullOr lib.types.str;
-        default = null;
-      };
-
-      soMark = lib.mkOption {
-        description = ''
-          Mark network packets with the SO_MARK sockoption with the specified value.
-          Setting this option will also enable the required `CAP_NET_ADMIN` capability
-          for the systemd service.
-        '';
-        type = lib.types.nullOr lib.types.ints.unsigned;
-        default = null;
-      };
-
-      upgradePathPrefix = lib.mkOption {
-        description = ''
-          Use a specific HTTP path prefix that will show up in the upgrade
-          request to the `wstunnel` server.
-          Useful when running `wstunnel` behind a reverse proxy.
-        '';
-        type = lib.types.nullOr lib.types.str;
-        default = null;
-        example = "wstunnel";
-      };
-
-      tlsSNI = lib.mkOption {
-        description = "Use this as the SNI while connecting via TLS. Useful for circumventing hostname-based firewalls.";
-        type = lib.types.nullOr lib.types.str;
-        default = null;
-      };
-
-      tlsVerifyCertificate = lib.mkOption {
-        description = "Whether to verify the TLS certificate of the server. It might be useful to set this to `false` when working with the `tlsSNI` option.";
-        type = lib.types.bool;
-        default = true;
-      };
-
-      # The original argument name `websocketPingFrequency` is a misnomer, as the frequency is the inverse of the interval.
-      websocketPingInterval = lib.mkOption {
-        description = "Frequency at which the client will send websocket ping to the server.";
-        type = lib.types.nullOr lib.types.ints.unsigned;
-        default = null;
-      };
-
-      upgradeCredentials = lib.mkOption {
-        description = ''
-          Use these credentials to authenticate during the HTTP upgrade request
-          (Basic authorization type, `USER:[PASS]`).
-
-          ::: {.warning}
-          Passwords specified here will be world-readable in the Nix store!
-          To pass a password to the service, point the `environmentFile` option
-          to a file containing `HTTP_PASSWORD=<your-password-here>` and set this
-          option to `<user>:$HTTP_PASSWORD`.
-          Note however that this will also locally leak the passwords at runtime
-          via e.g. /proc/<pid>/cmdline.
-          :::
-        '';
-        type = lib.types.nullOr lib.types.str;
-        default = null;
-      };
-
-      customHeaders = lib.mkOption {
-        description = "Custom HTTP headers to send during the upgrade request.";
-        type = lib.types.attrsOf lib.types.str;
-        default = { };
-        example = {
-          "X-Some-Header" = "some-value";
+        useACMEHost = lib.mkOption {
+          description = ''
+            Use a certificate generated by the NixOS ACME module for the given host.
+            Note that this will not generate a new certificate - you will need to do so with `security.acme.certs`.
+          '';
+          type = lib.types.nullOr lib.types.str;
+          default = null;
+          example = "example.com";
+        };
+      };
+    };
+
+  clientSubmodule =
+    { config, ... }:
+    {
+      options = commonOptions // {
+        connectTo = lib.mkOption {
+          description = "Server address and port to connect to.";
+          type = lib.types.str;
+          example = "https://wstunnel.server.com:8443";
+        };
+
+        localToRemote = lib.mkOption {
+          description = ''Listen on local and forwards traffic from remote.'';
+          type = lib.types.listOf (lib.types.str);
+          default = [ ];
+          example = [
+            "tcp://1212:google.com:443"
+            "unix:///tmp/wstunnel.sock:g.com:443"
+          ];
+        };
+
+        remoteToLocal = lib.mkOption {
+          description = "Listen on remote and forwards traffic from local. Only tcp is supported";
+          type = lib.types.listOf lib.types.str;
+          default = [ ];
+          example = [
+            "tcp://1212:google.com:443"
+            "unix://wstunnel.sock:g.com:443"
+          ];
+        };
+
+        addNetBind = lib.mkEnableOption "Whether add CAP_NET_BIND_SERVICE to the tunnel service, this should be enabled if you want to bind port < 1024";
+
+        httpProxy = lib.mkOption {
+          description = ''
+            Proxy to use to connect to the wstunnel server (`USER:PASS@HOST:PORT`).
+
+            ::: {.warning}
+            Passwords specified here will be world-readable in the Nix store!
+            To pass a password to the service, point the `environmentFile` option
+            to a file containing `PROXY_PASSWORD=<your-password-here>` and set
+            this option to `<user>:$PROXY_PASSWORD@<host>:<port>`.
+            Note however that this will also locally leak the passwords at
+            runtime via e.g. /proc/<pid>/cmdline.
+            :::
+          '';
+          type = lib.types.nullOr lib.types.str;
+          default = null;
+        };
+
+        soMark = lib.mkOption {
+          description = ''
+            Mark network packets with the SO_MARK sockoption with the specified value.
+            Setting this option will also enable the required `CAP_NET_ADMIN` capability
+            for the systemd service.
+          '';
+          type = lib.types.nullOr lib.types.ints.unsigned;
+          default = null;
+        };
+
+        upgradePathPrefix = lib.mkOption {
+          description = ''
+            Use a specific HTTP path prefix that will show up in the upgrade
+            request to the `wstunnel` server.
+            Useful when running `wstunnel` behind a reverse proxy.
+          '';
+          type = lib.types.nullOr lib.types.str;
+          default = null;
+          example = "wstunnel";
+        };
+
+        tlsSNI = lib.mkOption {
+          description = "Use this as the SNI while connecting via TLS. Useful for circumventing hostname-based firewalls.";
+          type = lib.types.nullOr lib.types.str;
+          default = null;
+        };
+
+        tlsVerifyCertificate = lib.mkOption {
+          description = "Whether to verify the TLS certificate of the server. It might be useful to set this to `false` when working with the `tlsSNI` option.";
+          type = lib.types.bool;
+          default = true;
+        };
+
+        # The original argument name `websocketPingFrequency` is a misnomer, as the frequency is the inverse of the interval.
+        websocketPingInterval = lib.mkOption {
+          description = "Frequency at which the client will send websocket ping to the server.";
+          type = lib.types.nullOr lib.types.ints.unsigned;
+          default = null;
+        };
+
+        upgradeCredentials = lib.mkOption {
+          description = ''
+            Use these credentials to authenticate during the HTTP upgrade request
+            (Basic authorization type, `USER:[PASS]`).
+
+            ::: {.warning}
+            Passwords specified here will be world-readable in the Nix store!
+            To pass a password to the service, point the `environmentFile` option
+            to a file containing `HTTP_PASSWORD=<your-password-here>` and set this
+            option to `<user>:$HTTP_PASSWORD`.
+            Note however that this will also locally leak the passwords at runtime
+            via e.g. /proc/<pid>/cmdline.
+            :::
+          '';
+          type = lib.types.nullOr lib.types.str;
+          default = null;
+        };
+
+        customHeaders = lib.mkOption {
+          description = "Custom HTTP headers to send during the upgrade request.";
+          type = lib.types.attrsOf lib.types.str;
+          default = { };
+          example = {
+            "X-Some-Header" = "some-value";
+          };
         };
       };
     };
-  };
 
   generateServerUnit = name: serverCfg: {
     name = "wstunnel-server-${name}";
@@ -270,22 +276,25 @@ let
       in
       {
         description = "wstunnel server - ${name}";
-        requires = [ "network.target" "network-online.target" ];
-        after = [ "network.target" "network-online.target" ];
+        requires = [
+          "network.target"
+          "network-online.target"
+        ];
+        after = [
+          "network.target"
+          "network-online.target"
+        ];
         wantedBy = lib.optional serverCfg.autoStart "multi-user.target";
 
         environment.RUST_LOG = serverCfg.loggingLevel;
 
         serviceConfig = {
           Type = "exec";
-          EnvironmentFile =
-            lib.optional (serverCfg.environmentFile != null) serverCfg.environmentFile;
+          EnvironmentFile = lib.optional (serverCfg.environmentFile != null) serverCfg.environmentFile;
           DynamicUser = true;
-          SupplementaryGroups =
-            lib.optional (serverCfg.useACMEHost != null) certConfig.group;
+          SupplementaryGroups = lib.optional (serverCfg.useACMEHost != null) certConfig.group;
           PrivateTmp = true;
-          AmbientCapabilities =
-            lib.optionals (serverCfg.listen.port < 1024) [ "CAP_NET_BIND_SERVICE" ];
+          AmbientCapabilities = lib.optionals (serverCfg.listen.port < 1024) [ "CAP_NET_BIND_SERVICE" ];
           NoNewPrivileges = true;
           RestrictNamespaces = "uts ipc pid user cgroup";
           ProtectSystem = "strict";
@@ -305,19 +314,16 @@ let
         script = with serverCfg; ''
           ${lib.getExe package} \
             server \
-            ${lib.cli.toGNUCommandLineShell { } (
-              lib.recursiveUpdate
-              {
-                restrict-to = map hostPortToString restrictTo;
-                tls-certificate = if useACMEHost != null
-                                  then "${certConfig.directory}/fullchain.pem"
-                                  else "${tlsCertificate}";
-                tls-private-key = if useACMEHost != null
-                                  then "${certConfig.directory}/key.pem"
-                                  else "${tlsKey}";
-              }
-              extraArgs
-            )} \
+            ${
+              lib.cli.toGNUCommandLineShell { } (
+                lib.recursiveUpdate {
+                  restrict-to = map hostPortToString restrictTo;
+                  tls-certificate =
+                    if useACMEHost != null then "${certConfig.directory}/fullchain.pem" else "${tlsCertificate}";
+                  tls-private-key = if useACMEHost != null then "${certConfig.directory}/key.pem" else "${tlsKey}";
+                } extraArgs
+              )
+            } \
             ${lib.escapeShellArg "${if enableHTTPS then "wss" else "ws"}://${hostPortToString listen}"}
         '';
       };
@@ -327,21 +333,26 @@ let
     name = "wstunnel-client-${name}";
     value = {
       description = "wstunnel client - ${name}";
-      requires = [ "network.target" "network-online.target" ];
-      after = [ "network.target" "network-online.target" ];
+      requires = [
+        "network.target"
+        "network-online.target"
+      ];
+      after = [
+        "network.target"
+        "network-online.target"
+      ];
       wantedBy = lib.optional clientCfg.autoStart "multi-user.target";
 
       environment.RUST_LOG = clientCfg.loggingLevel;
 
       serviceConfig = {
         Type = "exec";
-        EnvironmentFile =
-          lib.optional (clientCfg.environmentFile != null) clientCfg.environmentFile;
+        EnvironmentFile = lib.optional (clientCfg.environmentFile != null) clientCfg.environmentFile;
         DynamicUser = true;
         PrivateTmp = true;
         AmbientCapabilities =
-          (lib.optionals clientCfg.addNetBind [ "CAP_NET_BIND_SERVICE" ]) ++
-          (lib.optionals (clientCfg.soMark != null) [ "CAP_NET_ADMIN" ]);
+          (lib.optionals clientCfg.addNetBind [ "CAP_NET_BIND_SERVICE" ])
+          ++ (lib.optionals (clientCfg.soMark != null) [ "CAP_NET_ADMIN" ]);
         NoNewPrivileges = true;
         RestrictNamespaces = "uts ipc pid user cgroup";
         ProtectSystem = "strict";
@@ -361,22 +372,22 @@ let
       script = with clientCfg; ''
         ${lib.getExe package} \
           client \
-          ${lib.cli.toGNUCommandLineShell { } (
-            lib.recursiveUpdate
-            {
-              local-to-remote = localToRemote;
-              remote-to-local = remoteToLocal;
-              http-headers = lib.mapAttrsToList (n: v: "${n}:${v}") customHeaders;
-              http-proxy = httpProxy;
-              socket-so-mark = soMark;
-              http-upgrade-path-prefix = upgradePathPrefix;
-              tls-sni-override = tlsSNI;
-              tls-verify-certificate = tlsVerifyCertificate;
-              websocket-ping-frequency-sec = websocketPingInterval;
-              http-upgrade-credentials = upgradeCredentials;
-            }
-            extraArgs
-          )} \
+          ${
+            lib.cli.toGNUCommandLineShell { } (
+              lib.recursiveUpdate {
+                local-to-remote = localToRemote;
+                remote-to-local = remoteToLocal;
+                http-headers = lib.mapAttrsToList (n: v: "${n}:${v}") customHeaders;
+                http-proxy = httpProxy;
+                socket-so-mark = soMark;
+                http-upgrade-path-prefix = upgradePathPrefix;
+                tls-sni-override = tlsSNI;
+                tls-verify-certificate = tlsVerifyCertificate;
+                websocket-ping-frequency-sec = websocketPingInterval;
+                http-upgrade-credentials = upgradeCredentials;
+              } extraArgs
+            )
+          } \
           ${lib.escapeShellArg connectTo}
       '';
     };
@@ -399,10 +410,12 @@ in
           enableHTTPS = true;
           tlsCertificate = "/var/lib/secrets/fullchain.pem";
           tlsKey = "/var/lib/secrets/key.pem";
-          restrictTo = [{
-            host = "127.0.0.1";
-            port = 51820;
-          }];
+          restrictTo = [
+            {
+              host = "127.0.0.1";
+              port = 51820;
+            }
+          ];
         };
       };
     };
@@ -429,40 +442,39 @@ in
 
   config = lib.mkIf cfg.enable {
     systemd.services =
-      (lib.mapAttrs' generateServerUnit (lib.filterAttrs (n: v: v.enable) cfg.servers)) //
-      (lib.mapAttrs' generateClientUnit (lib.filterAttrs (n: v: v.enable) cfg.clients));
+      (lib.mapAttrs' generateServerUnit (lib.filterAttrs (n: v: v.enable) cfg.servers))
+      // (lib.mapAttrs' generateClientUnit (lib.filterAttrs (n: v: v.enable) cfg.clients));
 
     assertions =
-      (lib.mapAttrsToList
-        (name: serverCfg: {
-          assertion =
-            !(serverCfg.useACMEHost != null && serverCfg.tlsCertificate != null);
-          message = ''
-            Options services.wstunnel.servers."${name}".useACMEHost and services.wstunnel.servers."${name}".{tlsCertificate, tlsKey} are mutually exclusive.
-          '';
-        })
-        cfg.servers) ++
+      (lib.mapAttrsToList (name: serverCfg: {
+        assertion = !(serverCfg.useACMEHost != null && serverCfg.tlsCertificate != null);
+        message = ''
+          Options services.wstunnel.servers."${name}".useACMEHost and services.wstunnel.servers."${name}".{tlsCertificate, tlsKey} are mutually exclusive.
+        '';
+      }) cfg.servers)
+      ++
 
-      (lib.mapAttrsToList
-        (name: serverCfg: {
+        (lib.mapAttrsToList (name: serverCfg: {
           assertion =
-            (serverCfg.tlsCertificate == null && serverCfg.tlsKey == null) ||
-            (serverCfg.tlsCertificate != null && serverCfg.tlsKey != null);
+            (serverCfg.tlsCertificate == null && serverCfg.tlsKey == null)
+            || (serverCfg.tlsCertificate != null && serverCfg.tlsKey != null);
           message = ''
             services.wstunnel.servers."${name}".tlsCertificate and services.wstunnel.servers."${name}".tlsKey need to be set together.
           '';
-        })
-        cfg.servers) ++
+        }) cfg.servers)
+      ++
 
-      (lib.mapAttrsToList
-        (name: clientCfg: {
+        (lib.mapAttrsToList (name: clientCfg: {
           assertion = !(clientCfg.localToRemote == [ ] && clientCfg.remoteToLocal == [ ]);
           message = ''
             Either one of services.wstunnel.clients."${name}".localToRemote or services.wstunnel.clients."${name}".remoteToLocal must be set.
           '';
-        })
-        cfg.clients);
+        }) cfg.clients);
   };
 
-  meta.maintainers = with lib.maintainers; [ alyaeanyx rvdp neverbehave ];
+  meta.maintainers = with lib.maintainers; [
+    alyaeanyx
+    rvdp
+    neverbehave
+  ];
 }
diff --git a/nixos/modules/services/web-apps/firefly-iii-data-importer.nix b/nixos/modules/services/web-apps/firefly-iii-data-importer.nix
new file mode 100644
index 000000000000..5d1712a506d8
--- /dev/null
+++ b/nixos/modules/services/web-apps/firefly-iii-data-importer.nix
@@ -0,0 +1,301 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}:
+
+let
+  cfg = config.services.firefly-iii-data-importer;
+
+  user = cfg.user;
+  group = cfg.group;
+
+  defaultUser = "firefly-iii-data-importer";
+  defaultGroup = "firefly-iii-data-importer";
+
+  artisan = "${cfg.package}/artisan";
+
+  env-file-values = lib.attrsets.mapAttrs' (
+    n: v: lib.attrsets.nameValuePair (lib.strings.removeSuffix "_FILE" n) v
+  ) (lib.attrsets.filterAttrs (n: v: lib.strings.hasSuffix "_FILE" n) cfg.settings);
+  env-nonfile-values = lib.attrsets.filterAttrs (n: v: !lib.strings.hasSuffix "_FILE" n) cfg.settings;
+
+  data-importer-maintenance = pkgs.writeShellScript "data-importer-maintenance.sh" ''
+    set -a
+    ${lib.strings.toShellVars env-nonfile-values}
+    ${lib.strings.concatLines (
+      lib.attrsets.mapAttrsToList (n: v: "${n}=\"$(< ${v})\"") env-file-values
+    )}
+    set +a
+    ${artisan} package:discover
+    ${artisan} cache:clear
+    ${artisan} config:cache
+  '';
+
+  commonServiceConfig = {
+    Type = "oneshot";
+    User = user;
+    Group = group;
+    StateDirectory = "firefly-iii-data-importer";
+    ReadWritePaths = [ cfg.dataDir ];
+    WorkingDirectory = cfg.package;
+    PrivateTmp = true;
+    PrivateDevices = true;
+    CapabilityBoundingSet = "";
+    AmbientCapabilities = "";
+    ProtectSystem = "strict";
+    ProtectKernelTunables = true;
+    ProtectKernelModules = true;
+    ProtectControlGroups = true;
+    ProtectClock = true;
+    ProtectHostname = true;
+    ProtectHome = "tmpfs";
+    ProtectKernelLogs = true;
+    ProtectProc = "invisible";
+    ProcSubset = "pid";
+    PrivateNetwork = false;
+    RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX";
+    SystemCallArchitectures = "native";
+    SystemCallFilter = [
+      "@system-service @resources"
+      "~@obsolete @privileged"
+    ];
+    RestrictSUIDSGID = true;
+    RemoveIPC = true;
+    NoNewPrivileges = true;
+    RestrictRealtime = true;
+    RestrictNamespaces = true;
+    LockPersonality = true;
+    PrivateUsers = true;
+  };
+
+in
+{
+
+  options.services.firefly-iii-data-importer = {
+    enable = lib.mkEnableOption "Firefly III Data Importer";
+
+    user = lib.mkOption {
+      type = lib.types.str;
+      default = defaultUser;
+      description = "User account under which firefly-iii-data-importer runs.";
+    };
+
+    group = lib.mkOption {
+      type = lib.types.str;
+      default = if cfg.enableNginx then "nginx" else defaultGroup;
+      defaultText = "If `services.firefly-iii-data-importer.enableNginx` is true then `nginx` else ${defaultGroup}";
+      description = ''
+        Group under which firefly-iii-data-importer runs. It is best to set this to the group
+        of whatever webserver is being used as the frontend.
+      '';
+    };
+
+    dataDir = lib.mkOption {
+      type = lib.types.path;
+      default = "/var/lib/firefly-iii-data-importer";
+      description = ''
+        The place where firefly-iii data importer stores its state.
+      '';
+    };
+
+    package = lib.mkOption {
+      type = lib.types.package;
+      default = pkgs.firefly-iii-data-importer;
+      defaultText = lib.literalExpression "pkgs.firefly-iii-data-importer";
+      description = ''
+        The firefly-iii-data-importer package served by php-fpm and the webserver of choice.
+        This option can be used to point the webserver to the correct root. It
+        may also be used to set the package to a different version, say a
+        development version.
+      '';
+      apply =
+        firefly-iii-data-importer:
+        firefly-iii-data-importer.override (prev: {
+          dataDir = cfg.dataDir;
+        });
+    };
+
+    enableNginx = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = ''
+        Whether to enable nginx or not. If enabled, an nginx virtual host will
+        be created for access to firefly-iii data importer. If not enabled, then you may use
+        `''${config.services.firefly-iii-data-importer.package}` as your document root in
+        whichever webserver you wish to setup.
+      '';
+    };
+
+    virtualHost = lib.mkOption {
+      type = lib.types.str;
+      default = "localhost";
+      description = ''
+        The hostname at which you wish firefly-iii-data-importer to be served. If you have
+        enabled nginx using `services.firefly-iii-data-importer.enableNginx` then this will
+        be used.
+      '';
+    };
+
+    poolConfig = lib.mkOption {
+      type = lib.types.attrsOf (
+        lib.types.oneOf [
+          lib.types.str
+          lib.types.int
+          lib.types.bool
+        ]
+      );
+      default = { };
+      defaultText = lib.literalExpression ''
+        {
+          "pm" = "dynamic";
+          "pm.max_children" = 32;
+          "pm.start_servers" = 2;
+          "pm.min_spare_servers" = 2;
+          "pm.max_spare_servers" = 4;
+          "pm.max_requests" = 500;
+        }
+      '';
+      description = ''
+        Options for the Firefly III Data Importer PHP pool. See the documentation on <literal>php-fpm.conf</literal>
+        for details on configuration directives.
+      '';
+    };
+
+    settings = lib.mkOption {
+      default = { };
+      description = ''
+        Options for firefly-iii data importer configuration. Refer to
+        <https://github.com/firefly-iii/data-importer/blob/main/.env.example> for
+        details on supported values. All <option>_FILE values supported by
+        upstream are supported here.
+
+        APP_URL will be the same as `services.firefly-iii-data-importer.virtualHost` if the
+        former is unset in `services.firefly-iii-data-importer.settings`.
+      '';
+      example = lib.literalExpression ''
+        {
+          APP_ENV = "local";
+          LOG_CHANNEL = "syslog";
+          FIREFLY_III_ACCESS_TOKEN= = "/var/secrets/firefly-iii-access-token.txt";
+        }
+      '';
+      type = lib.types.submodule {
+        freeformType = lib.types.attrsOf (
+          lib.types.oneOf [
+            lib.types.str
+            lib.types.int
+            lib.types.bool
+          ]
+        );
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.phpfpm.pools.firefly-iii-data-importer = {
+      inherit user group;
+      phpPackage = cfg.package.phpPackage;
+      phpOptions = ''
+        log_errors = on
+      '';
+      settings = {
+        "listen.mode" = "0660";
+        "listen.owner" = user;
+        "listen.group" = group;
+        "pm" = lib.mkDefault "dynamic";
+        "pm.max_children" = lib.mkDefault 32;
+        "pm.start_servers" = lib.mkDefault 2;
+        "pm.min_spare_servers" = lib.mkDefault 2;
+        "pm.max_spare_servers" = lib.mkDefault 4;
+        "pm.max_requests" = lib.mkDefault 500;
+      } // cfg.poolConfig;
+    };
+
+    systemd.services.firefly-iii-data-importer-setup = {
+      requiredBy = [ "phpfpm-firefly-iii-data-importer.service" ];
+      before = [ "phpfpm-firefly-iii-data-importer.service" ];
+      serviceConfig = {
+        ExecStart = data-importer-maintenance;
+        RemainAfterExit = true;
+      } // commonServiceConfig;
+      unitConfig.JoinsNamespaceOf = "phpfpm-firefly-iii-data-importer.service";
+      restartTriggers = [ cfg.package ];
+    };
+
+    services.nginx = lib.mkIf cfg.enableNginx {
+      enable = true;
+      recommendedTlsSettings = lib.mkDefault true;
+      recommendedOptimisation = lib.mkDefault true;
+      recommendedGzipSettings = lib.mkDefault true;
+      virtualHosts.${cfg.virtualHost} = {
+        root = "${cfg.package}/public";
+        locations = {
+          "/" = {
+            tryFiles = "$uri $uri/ /index.php?$query_string";
+            index = "index.php";
+            extraConfig = ''
+              sendfile off;
+            '';
+          };
+          "~ \.php$" = {
+            extraConfig = ''
+              include ${config.services.nginx.package}/conf/fastcgi_params ;
+              fastcgi_param SCRIPT_FILENAME $request_filename;
+              fastcgi_param modHeadersAvailable true;
+              fastcgi_pass unix:${config.services.phpfpm.pools.firefly-iii-data-importer.socket};
+            '';
+          };
+        };
+      };
+    };
+
+    systemd.tmpfiles.settings."10-firefly-iii-data-importer" =
+      lib.attrsets.genAttrs
+        [
+          "${cfg.dataDir}/storage"
+          "${cfg.dataDir}/storage/app"
+          "${cfg.dataDir}/storage/app/public"
+          "${cfg.dataDir}/storage/configurations"
+          "${cfg.dataDir}/storage/conversion-routines"
+          "${cfg.dataDir}/storage/debugbar"
+          "${cfg.dataDir}/storage/framework"
+          "${cfg.dataDir}/storage/framework/cache"
+          "${cfg.dataDir}/storage/framework/sessions"
+          "${cfg.dataDir}/storage/framework/testing"
+          "${cfg.dataDir}/storage/framework/views"
+          "${cfg.dataDir}/storage/jobs"
+          "${cfg.dataDir}/storage/logs"
+          "${cfg.dataDir}/storage/submission-routines"
+          "${cfg.dataDir}/storage/uploads"
+          "${cfg.dataDir}/cache"
+        ]
+        (n: {
+          d = {
+            group = group;
+            mode = "0710";
+            user = user;
+          };
+        })
+      // {
+        "${cfg.dataDir}".d = {
+          group = group;
+          mode = "0700";
+          user = user;
+        };
+      };
+
+    users = {
+      users = lib.mkIf (user == defaultUser) {
+        ${defaultUser} = {
+          description = "Firefly-iii Data Importer service user";
+          inherit group;
+          isSystemUser = true;
+          home = cfg.dataDir;
+        };
+      };
+      groups = lib.mkIf (group == defaultGroup) { ${defaultGroup} = { }; };
+    };
+  };
+}
diff --git a/nixos/modules/services/web-apps/stirling-pdf.nix b/nixos/modules/services/web-apps/stirling-pdf.nix
index cd8638aff14d..ea7d7fbf54e5 100644
--- a/nixos/modules/services/web-apps/stirling-pdf.nix
+++ b/nixos/modules/services/web-apps/stirling-pdf.nix
@@ -47,18 +47,20 @@ in
       environment = lib.mapAttrs (_: toString) cfg.environment;
 
       # following https://github.com/Stirling-Tools/Stirling-PDF#locally
-      path = with pkgs; [
-        unpaper
-        libreoffice
-        ocrmypdf
-        poppler_utils
-        unoconv
-        opencv
-        pngquant
-        tesseract
-        python3Packages.weasyprint
-        calibre
-      ];
+      path =
+        with pkgs;
+        [
+          unpaper
+          libreoffice
+          ocrmypdf
+          poppler_utils
+          unoconv
+          opencv
+          pngquant
+          tesseract
+          python3Packages.weasyprint
+        ]
+        ++ lib.optional (cfg.environment.INSTALL_BOOK_AND_ADVANCED_HTML_OPS or "false" == "true") calibre;
 
       wantedBy = [ "multi-user.target" ];
 
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index ee004f3c9825..a9217b08648a 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -326,6 +326,7 @@ in {
   filesender = handleTest ./filesender.nix {};
   filesystems-overlayfs = runTest ./filesystems-overlayfs.nix;
   firefly-iii = handleTest ./firefly-iii.nix {};
+  firefly-iii-data-importer = handleTest ./firefly-iii-data-importer.nix {};
   firefox = handleTest ./firefox.nix { firefoxPackage = pkgs.firefox; };
   firefox-beta = handleTest ./firefox.nix { firefoxPackage = pkgs.firefox-beta; };
   firefox-devedition = handleTest ./firefox.nix { firefoxPackage = pkgs.firefox-devedition; };
diff --git a/nixos/tests/firefly-iii-data-importer.nix b/nixos/tests/firefly-iii-data-importer.nix
new file mode 100644
index 000000000000..aba41576d797
--- /dev/null
+++ b/nixos/tests/firefly-iii-data-importer.nix
@@ -0,0 +1,27 @@
+import ./make-test-python.nix (
+  { lib, ... }:
+
+  {
+    name = "firefly-iii-data-importer";
+    meta.maintainers = [ lib.maintainers.savyajha ];
+
+    nodes.dataImporter =
+      { ... }:
+      {
+        services.firefly-iii-data-importer = {
+          enable = true;
+          enableNginx = true;
+          settings = {
+            LOG_CHANNEL = "stdout";
+            USE_CACHE = true;
+          };
+        };
+      };
+
+    testScript = ''
+      dataImporter.wait_for_unit("phpfpm-firefly-iii-data-importer.service")
+      dataImporter.wait_for_unit("nginx.service")
+      dataImporter.succeed("curl -fvvv -Ls http://localhost/token | grep 'Firefly III Data Import Tool'")
+    '';
+  }
+)
diff --git a/nixos/tests/wstunnel.nix b/nixos/tests/wstunnel.nix
index 3bbc295568fb..7a0a8ce3496a 100644
--- a/nixos/tests/wstunnel.nix
+++ b/nixos/tests/wstunnel.nix
@@ -60,37 +60,34 @@ in
         clients.my-client = {
           autoStart = false;
           connectTo = "wss://${domain}:443";
-          localToRemote = [
-            "tcp://8080:localhost:2080"
-          ];
-          remoteToLocal = [
-            "tcp://2081:localhost:8081"
-          ];
+          localToRemote = [ "tcp://8080:localhost:2080" ];
+          remoteToLocal = [ "tcp://2081:localhost:8081" ];
         };
       };
     };
   };
 
-  testScript = /* python */ ''
-    start_all()
-    server.wait_for_unit("wstunnel-server-my-server.service")
-    client.wait_for_open_port(443, "10.0.0.1")
+  testScript = # python
+    ''
+      start_all()
+      server.wait_for_unit("wstunnel-server-my-server.service")
+      client.wait_for_open_port(443, "10.0.0.1")
 
-    client.systemctl("start wstunnel-client-my-client.service")
-    client.wait_for_unit("wstunnel-client-my-client.service")
+      client.systemctl("start wstunnel-client-my-client.service")
+      client.wait_for_unit("wstunnel-client-my-client.service")
 
-    with subtest("connection from client to server"):
-      server.succeed("nc -l 2080 >/tmp/msg &")
-      client.sleep(1)
-      client.succeed('nc -w1 localhost 8080 <<<"Hello from client"')
-      server.succeed('grep "Hello from client" /tmp/msg')
+      with subtest("connection from client to server"):
+        server.succeed("nc -l 2080 >/tmp/msg &")
+        client.sleep(1)
+        client.succeed('nc -w1 localhost 8080 <<<"Hello from client"')
+        server.succeed('grep "Hello from client" /tmp/msg')
 
-    with subtest("connection from server to client"):
-      client.succeed("nc -l 8081 >/tmp/msg &")
-      server.sleep(1)
-      server.succeed('nc -w1 localhost 2081 <<<"Hello from server"')
-      client.succeed('grep "Hello from server" /tmp/msg')
+      with subtest("connection from server to client"):
+        client.succeed("nc -l 8081 >/tmp/msg &")
+        server.sleep(1)
+        server.succeed('nc -w1 localhost 2081 <<<"Hello from server"')
+        client.succeed('grep "Hello from server" /tmp/msg')
 
-    client.systemctl("stop wstunnel-client-my-client.service")
-  '';
+      client.systemctl("stop wstunnel-client-my-client.service")
+    '';
 }
diff --git a/pkgs/applications/editors/emacs/elisp-packages/manual-packages/lspce/module.nix b/pkgs/applications/editors/emacs/elisp-packages/manual-packages/lspce/module.nix
index 198f1d9b69af..cd2ed9b87368 100644
--- a/pkgs/applications/editors/emacs/elisp-packages/manual-packages/lspce/module.nix
+++ b/pkgs/applications/editors/emacs/elisp-packages/manual-packages/lspce/module.nix
@@ -10,16 +10,16 @@ let
 in
 rustPlatform.buildRustPackage {
   pname = "lspce-module";
-  version = "1.1.0-unstable-2024-07-14";
+  version = "1.1.0-unstable-2024-07-29";
 
   src = fetchFromGitHub {
     owner = "zbelial";
     repo = "lspce";
-    rev = "fd320476df89cfd5d10f1b70303c891d3b1e3c81";
-    hash = "sha256-KnERYq/CvJhJIdQkpH/m82t9KFMapPl+CyZkYyujslU=";
+    rev = "e954e4d77aeb45deb14182631f3d5aa9bcc9e587";
+    hash = "sha256-9AUffkdgvVbHRIrHQPVl36plIfGxf3vsN9JCuFe0P6Q=";
   };
 
-  cargoHash = "sha256-I2OobRu1hc6xc4bRrIO1FImPYBbFy1jXPcTsivbbskk=";
+  cargoHash = "sha256-wrrdXX/rEVxmHdyblm4I9iHD3bPoDd1KlBe3ODeGFeM=";
 
   checkFlags = [
     # flaky test
diff --git a/pkgs/applications/editors/vscode/extensions/default.nix b/pkgs/applications/editors/vscode/extensions/default.nix
index 710a342307a2..b1ccc6c098c8 100644
--- a/pkgs/applications/editors/vscode/extensions/default.nix
+++ b/pkgs/applications/editors/vscode/extensions/default.nix
@@ -4851,8 +4851,8 @@ let
         mktplcRef = {
           name = "uiua-vscode";
           publisher = "uiua-lang";
-          version = "0.0.52";
-          hash = "sha256-zFtu3AYnDxb/aMtkpiaItQtwLpynTVbSRGuqKv3SueM=";
+          version = "0.0.53";
+          hash = "sha256-5CHAX1jGyJ2VVEBTh5G1JM8+L9paryBa2zJoTkZ+G7Q=";
         };
         meta = {
           description = "VSCode language extension for Uiua";
diff --git a/pkgs/applications/emulators/86box/default.nix b/pkgs/applications/emulators/86box/default.nix
index 5633eb64af5a..76db6f7e3a12 100644
--- a/pkgs/applications/emulators/86box/default.nix
+++ b/pkgs/applications/emulators/86box/default.nix
@@ -23,6 +23,12 @@
   libslirp,
   wayland,
   wayland-scanner,
+  libsndfile,
+  flac,
+  libogg,
+  libvorbis,
+  libopus,
+  libmpg123,
 
   enableDynarec ? with stdenv.hostPlatform; isx86 || isAarch,
   enableNewDynarec ? enableDynarec && stdenv.hostPlatform.isAarch,
@@ -34,13 +40,13 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "86Box";
-  version = "4.1.1";
+  version = "4.2";
 
   src = fetchFromGitHub {
     owner = "86Box";
     repo = "86Box";
     rev = "v${finalAttrs.version}";
-    hash = "sha256-ioE0EVIXv/biXXvLqwhmtZ/RJM0nLqcE+i+CU+WXBY4=";
+    hash = "sha256-hXupMQ+i27sw3XOweZGatdRCUlp7weGR/PqCLAw/8fo=";
   };
 
   patches = [ ./darwin.patch ];
@@ -75,6 +81,12 @@ stdenv.mkDerivation (finalAttrs: {
       libslirp
       qt5.qtbase
       qt5.qttools
+      libsndfile
+      flac.dev
+      libogg.dev
+      libvorbis.dev
+      libopus.dev
+      libmpg123.dev
     ]
     ++ lib.optional stdenv.isLinux alsa-lib
     ++ lib.optional enableWayland wayland
@@ -107,7 +119,7 @@ stdenv.mkDerivation (finalAttrs: {
       owner = "86Box";
       repo = "roms";
       rev = "v${finalAttrs.version}";
-      hash = "sha256-58nNTOLund/KeDlNwzwwihjFVigs/P0K8SN07zExE2c=";
+      hash = "sha256-WdQebSBuw2Wtz8ggMnGuxGoi2EKtNub3S8JKa6ZmdU8=";
     };
     updateScript = ./update.sh;
   };
diff --git a/pkgs/applications/networking/instant-messengers/element/pin.nix b/pkgs/applications/networking/instant-messengers/element/pin.nix
index 2387b6ce5db6..ea86d807aafa 100644
--- a/pkgs/applications/networking/instant-messengers/element/pin.nix
+++ b/pkgs/applications/networking/instant-messengers/element/pin.nix
@@ -1,9 +1,9 @@
 {
-  "version" = "1.11.75";
+  "version" = "1.11.76";
   "hashes" = {
-    "desktopSrcHash" = "sha256-bO23E1xG3FfizBBAWh0kCN+5JYbiX5V/wxLlY6ljWVQ=";
+    "desktopSrcHash" = "sha256-oG1nzOSXl2vjxvxdVg2o5ssKbAqrYHS4pnLCPJsIBCQ=";
     "desktopYarnHash" = "0bl78yd7apd5qbsqyhxnwj7lwrjx5820zh22rzgn9jqkcv25jwgw";
-    "webSrcHash" = "sha256-cDayCoznbmALOiPg9FUYrfdFjzg0NV1NY9/b2KzTvMs=";
-    "webYarnHash" = "04si1x663z70nxj6nfaq7m2wcd8r4l3vdpirnjhc13wrj1kb8r8x";
+    "webSrcHash" = "sha256-1hmSdefNChRcUnwbxS00NYrEexMyg8FIL0BXdEbwm+s=";
+    "webYarnHash" = "0bnxd7kig2a5scgdsd0yhhmanf7zqi2gd2si6kgnr0v2kc0akc0b";
   };
 }
diff --git a/pkgs/applications/video/ffmpeg-normalize/default.nix b/pkgs/applications/video/ffmpeg-normalize/default.nix
deleted file mode 100644
index 9a5e4f64d497..000000000000
--- a/pkgs/applications/video/ffmpeg-normalize/default.nix
+++ /dev/null
@@ -1,30 +0,0 @@
-{ lib
-, buildPythonApplication
-, fetchPypi
-, ffmpeg
-, ffmpeg-progress-yield
-}:
-
-buildPythonApplication rec {
-  pname = "ffmpeg-normalize";
-  version = "1.26.1";
-
-  src = fetchPypi {
-    inherit pname version;
-    hash = "sha256-OwREpfWaP0tdAjMGjGpVIAQn8rlTTjSfT+0t5g/2yjQ=";
-  };
-
-  propagatedBuildInputs = [ ffmpeg ffmpeg-progress-yield ];
-
-  checkPhase = ''
-    $out/bin/ffmpeg-normalize --help > /dev/null
-  '';
-
-  meta = with lib; {
-    description = "Normalize audio via ffmpeg";
-    homepage = "https://github.com/slhck/ffmpeg-normalize";
-    license = with licenses; [ mit ];
-    maintainers = with maintainers; [ prusnak ];
-    mainProgram = "ffmpeg-normalize";
-  };
-}
diff --git a/pkgs/by-name/de/departure-mono/package.nix b/pkgs/by-name/de/departure-mono/package.nix
new file mode 100644
index 000000000000..a272a79d1ba3
--- /dev/null
+++ b/pkgs/by-name/de/departure-mono/package.nix
@@ -0,0 +1,34 @@
+{
+  lib,
+  stdenvNoCC,
+  fetchzip,
+}:
+
+stdenvNoCC.mkDerivation (finalAttrs: {
+  pname = "departure-mono";
+  version = "1.346";
+
+  src = fetchzip {
+    url = "https://departuremono.com/assets/DepartureMono-${finalAttrs.version}.zip";
+    stripRoot = false;
+    hash = "sha256-xJVVtLnukcWQKVC3QiHvrfIA3W9EYt/iiphbLYT1iMg=";
+  };
+
+  installPhase = ''
+    runHook preInstall
+
+    install -D -m 444 *.otf -t $out/share/fonts/otf
+    install -D -m 444 *.woff -t $out/share/fonts/woff
+    install -D -m 444 *.woff2 -t $out/share/fonts/woff2
+
+    runHook postInstall
+  '';
+
+  meta = {
+    description = "Departure Mono is a monospaced pixel font with a lo-fi technical vibe";
+    homepage = "https://departuremono.com/";
+    license = lib.licenses.ofl;
+    platforms = lib.platforms.all;
+    maintainers = with lib.maintainers; [ drupol ];
+  };
+})
diff --git a/pkgs/by-name/ff/ffmpeg-normalize/package.nix b/pkgs/by-name/ff/ffmpeg-normalize/package.nix
new file mode 100644
index 000000000000..bcfc78b66e9c
--- /dev/null
+++ b/pkgs/by-name/ff/ffmpeg-normalize/package.nix
@@ -0,0 +1,36 @@
+{
+  lib,
+  python3Packages,
+  fetchPypi,
+  ffmpeg,
+}:
+python3Packages.buildPythonApplication rec {
+  pname = "ffmpeg-normalize";
+  version = "1.28.3";
+
+  src = fetchPypi {
+    inherit pname version;
+    hash = "sha256-8wNPuVRQRQpFK6opgwqdKYMYmAFRqq8p/T5V9kC8QaY=";
+  };
+
+  propagatedBuildInputs = [
+    ffmpeg
+    python3Packages.ffmpeg-progress-yield
+  ];
+  dependencies = with python3Packages; [ colorlog ];
+
+  checkPhase = ''
+    $out/bin/ffmpeg-normalize --help > /dev/null
+  '';
+
+  meta = {
+    description = "Normalize audio via ffmpeg";
+    homepage = "https://github.com/slhck/ffmpeg-normalize";
+    license = lib.licenses.mit;
+    maintainers = with lib.maintainers; [
+      luftmensch-luftmensch
+      prusnak
+    ];
+    mainProgram = "ffmpeg-normalize";
+  };
+}
diff --git a/pkgs/by-name/fi/firefly-iii-data-importer/package.nix b/pkgs/by-name/fi/firefly-iii-data-importer/package.nix
new file mode 100644
index 000000000000..d647783f7381
--- /dev/null
+++ b/pkgs/by-name/fi/firefly-iii-data-importer/package.nix
@@ -0,0 +1,91 @@
+{
+  lib,
+  fetchFromGitHub,
+  stdenvNoCC,
+  nodejs,
+  fetchNpmDeps,
+  buildPackages,
+  php83,
+  nixosTests,
+  nix-update-script,
+  dataDir ? "/var/lib/firefly-iii-data-importer",
+}:
+
+let
+  pname = "firefly-iii-data-importer";
+  version = "1.5.4";
+
+  src = fetchFromGitHub {
+    owner = "firefly-iii";
+    repo = "data-importer";
+    rev = "v${version}";
+    hash = "sha256-XnPdoNtUoJpOpKVzQlFirh7u824H4xKAe2VRXfGIKeg=";
+  };
+in
+
+stdenvNoCC.mkDerivation (finalAttrs: {
+  inherit pname src version;
+
+  buildInputs = [ php83 ];
+
+  nativeBuildInputs = [
+    nodejs
+    nodejs.python
+    buildPackages.npmHooks.npmConfigHook
+    php83.composerHooks.composerInstallHook
+    php83.packages.composer-local-repo-plugin
+  ];
+
+  composerNoDev = true;
+  composerNoPlugins = true;
+  composerNoScripts = true;
+  composerStrictValidation = true;
+  strictDeps = true;
+
+  vendorHash = "sha256-EjEco8zBR787eQuPhNsRScfuPQ6eS6TIJmMJOcmZA+Q=";
+
+  npmDeps = fetchNpmDeps {
+    inherit src;
+    name = "${pname}-npm-deps";
+    hash = "sha256-VP1wM0+ca17aQU4FJ9gSbT2Np/sxb8wZ4pCJ6FV1V7w=";
+  };
+
+  composerRepository = php83.mkComposerRepository {
+    inherit (finalAttrs)
+      pname
+      src
+      vendorHash
+      version
+      ;
+    composerNoDev = true;
+    composerNoPlugins = true;
+    composerNoScripts = true;
+    composerStrictValidation = true;
+  };
+
+  preInstall = ''
+    npm run build --workspace=v2
+  '';
+
+  passthru = {
+    phpPackage = php83;
+    tests = nixosTests.firefly-iii-data-importer;
+    updateScript = nix-update-script { };
+  };
+
+  postInstall = ''
+    rm -R $out/share/php/firefly-iii-data-importer/{storage,bootstrap/cache,node_modules}
+    mv $out/share/php/firefly-iii-data-importer/* $out/
+    rm -R $out/share
+    ln -s ${dataDir}/storage $out/storage
+    ln -s ${dataDir}/cache $out/bootstrap/cache
+  '';
+
+  meta = {
+    changelog = "https://github.com/firefly-iii/data-importer/releases/tag/v${version}";
+    description = "Firefly III Data Importer can import data into Firefly III.";
+    homepage = "https://github.com/firefly-iii/data-importer";
+    license = lib.licenses.agpl3Only;
+    maintainers = [ lib.maintainers.savyajha ];
+  };
+})
diff --git a/pkgs/by-name/fm/fmtoy/package.nix b/pkgs/by-name/fm/fmtoy/package.nix
index f61570c3d36b..b110efff0436 100644
--- a/pkgs/by-name/fm/fmtoy/package.nix
+++ b/pkgs/by-name/fm/fmtoy/package.nix
@@ -1,33 +1,36 @@
-{ stdenv
-, lib
-, fetchFromGitHub
-, unstableGitUpdater
-, alsa-lib
-, libjack2
-, pkg-config
-, zlib
+{
+  stdenv,
+  lib,
+  fetchFromGitHub,
+  unstableGitUpdater,
+  alsa-lib,
+  cmake,
+  libjack2,
+  pkg-config,
+  zlib,
 }:
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "fmtoy";
-  version = "0-unstable-2024-06-07";
+  version = "0-unstable-2024-06-11";
 
   src = fetchFromGitHub {
     owner = "vampirefrog";
     repo = "fmtoy";
-    rev = "1339600e2f5a4357f7a50f5c6ad49f3c7635adec";
-    hash = "sha256-1kjUPEklZyue/DYn0jSfmXLjF22C+im6klY+S5KCvhc=";
+    rev = "17d69350dcd7e2834e69f65420e5e3a8328b7e18";
     fetchSubmodules = true;
+    hash = "sha256-to842vUWEWGSQkD09Q22whrdtZpbSlwaY5LSS208sP8=";
   };
 
   postPatch = ''
     substituteInPlace Makefile \
-      --replace 'pkg-config' "$PKG_CONFIG"
+      --replace-fail 'pkg-config' "$PKG_CONFIG"
   '';
 
   strictDeps = true;
 
   nativeBuildInputs = [
+    cmake
     pkg-config
   ];
 
@@ -37,6 +40,8 @@ stdenv.mkDerivation (finalAttrs: {
     zlib
   ];
 
+  dontUseCmakeConfigure = true;
+
   enableParallelBuilding = true;
 
   buildFlags = [
@@ -56,12 +61,12 @@ stdenv.mkDerivation (finalAttrs: {
     updateScript = unstableGitUpdater { };
   };
 
-  meta = with lib; {
+  meta = {
     description = "FM synthesiser based on emulated Yamaha YM chips (OPL, OPM and OPN series)";
     homepage = "https://github.com/vampirefrog/fmtoy";
-    license = licenses.gpl3Only;
+    license = lib.licenses.gpl3Only;
     mainProgram = "fmtoy_jack";
-    maintainers = with maintainers; [ OPNA2608 ];
-    platforms = platforms.linux;
+    maintainers = with lib.maintainers; [ OPNA2608 ];
+    platforms = lib.platforms.linux;
   };
 })
diff --git a/pkgs/by-name/fr/frankenphp/package.nix b/pkgs/by-name/fr/frankenphp/package.nix
index bbc8510d416d..da6d32c5c7b8 100644
--- a/pkgs/by-name/fr/frankenphp/package.nix
+++ b/pkgs/by-name/fr/frankenphp/package.nix
@@ -28,13 +28,13 @@ let
   pieBuild = stdenv.hostPlatform.isMusl;
 in buildGoModule rec {
   pname = "frankenphp";
-  version = "1.2.4";
+  version = "1.2.5";
 
   src = fetchFromGitHub {
     owner = "dunglas";
     repo = "frankenphp";
     rev = "v${version}";
-    hash = "sha256-ZM8/1u4wIBHUgq2x8zyDJhf+qFQz4u5fhLNLaqAv/54=";
+    hash = "sha256-X6lWbxgqj0wis/cljoNSh7AsH1zY30GTjSOAGXzUIek=";
   };
 
   sourceRoot = "${src.name}/caddy";
@@ -42,7 +42,7 @@ in buildGoModule rec {
   # frankenphp requires C code that would be removed with `go mod tidy`
   # https://github.com/golang/go/issues/26366
   proxyVendor = true;
-  vendorHash = "sha256-3Y5STb521iRois/KLQqdTxxTYdp39PTaiJEBjWrZsyw=";
+  vendorHash = "sha256-U2B0ok6TgqUPMwlnkzpPkJLG22S3VpoU80bWwZAeaJo=";
 
   buildInputs = [ phpUnwrapped brotli ] ++ phpUnwrapped.buildInputs;
   nativeBuildInputs = [ makeBinaryWrapper ] ++ lib.optionals stdenv.isDarwin [ pkg-config cctools darwin.autoSignDarwinBinariesHook ];
diff --git a/pkgs/by-name/gr/grafana-alloy/package.nix b/pkgs/by-name/gr/grafana-alloy/package.nix
index 0f44842fd596..e9eb1133f1f1 100644
--- a/pkgs/by-name/gr/grafana-alloy/package.nix
+++ b/pkgs/by-name/gr/grafana-alloy/package.nix
@@ -16,13 +16,13 @@
 
 buildGoModule rec {
   pname = "grafana-alloy";
-  version = "1.3.0";
+  version = "1.3.1";
 
   src = fetchFromGitHub {
     rev = "v${version}";
     owner = "grafana";
     repo = "alloy";
-    hash = "sha256-2OpBRSX/t6hwf1fHogrNTuDAmKArVXxwKHXuHyTXnYA=";
+    hash = "sha256-6YjQUIHZmuguzqTeaLgkrM/WdBPZu/KUXUDOmEB7rNQ=";
   };
 
   proxyVendor = true;
diff --git a/pkgs/by-name/hx/hxtools/package.nix b/pkgs/by-name/hx/hxtools/package.nix
new file mode 100644
index 000000000000..c2a560f87494
--- /dev/null
+++ b/pkgs/by-name/hx/hxtools/package.nix
@@ -0,0 +1,43 @@
+{
+  lib,
+  stdenv,
+  fetchurl,
+  pkg-config,
+  zstd,
+  libHX,
+}:
+
+stdenv.mkDerivation (finalAttrs: {
+  pname = "hxtools";
+  version = "20231224";
+
+  src = fetchurl {
+    url = "https://inai.de/files/hxtools/hxtools-${finalAttrs.version}.tar.zst";
+    hash = "sha256-TyT9bsp9qqGKQsSyWCfd2lH8ULjqJ5puMTw2TgWHV5c=";
+  };
+
+  nativeBuildInputs = [
+    pkg-config
+    zstd
+  ];
+
+  buildInputs = [
+    libHX
+  ];
+
+  strictDeps = true;
+
+  meta = {
+    homepage = "https://inai.de/projects/hxtools/";
+    description = "Collection of small tools over the years by j.eng";
+    # Taken from https://codeberg.org/jengelh/hxtools/src/branch/master/LICENSES.txt
+    license = with lib.licenses; [
+      mit
+      bsd2Patent
+      lgpl21Plus
+      gpl2Plus
+    ];
+    maintainers = with lib.maintainers; [ meator ];
+    platforms = lib.platforms.all;
+  };
+})
diff --git a/pkgs/by-name/md/md-tui/package.nix b/pkgs/by-name/md/md-tui/package.nix
index 6dc8691bff71..743616e8dc61 100644
--- a/pkgs/by-name/md/md-tui/package.nix
+++ b/pkgs/by-name/md/md-tui/package.nix
@@ -10,16 +10,16 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "md-tui";
-  version = "0.8.5";
+  version = "0.8.6";
 
   src = fetchFromGitHub {
     owner = "henriklovhaug";
     repo = "md-tui";
     rev = "refs/tags/v${version}";
-    hash = "sha256-HUrL/+uXQ3753Qb5FZkftGZO+u+MsocFO3L3OzarEhg=";
+    hash = "sha256-3lNipCYhzqeAAUQZ2ajcOakNDlwSwbUUvP8Dtu6gBsI=";
   };
 
-  cargoHash = "sha256-+fqp5FtZa53EkcHtTn1hvWzjYjlQWVKPbdRC1V0mYQU=";
+  cargoHash = "sha256-3hxU6yhMbcz3PhTDylJYnqI+eYoWJlf5Y2KecoY5zPo=";
 
   nativeBuildInputs = [ pkg-config ];
 
diff --git a/pkgs/by-name/re/renode-dts2repl/package.nix b/pkgs/by-name/re/renode-dts2repl/package.nix
index d3c01cdf6ded..87a6ece3d035 100644
--- a/pkgs/by-name/re/renode-dts2repl/package.nix
+++ b/pkgs/by-name/re/renode-dts2repl/package.nix
@@ -6,14 +6,14 @@
 
 python3.pkgs.buildPythonApplication {
   pname = "renode-dts2repl";
-  version = "0-unstable-2024-08-16";
+  version = "0-unstable-2024-08-20";
   pyproject = true;
 
   src = fetchFromGitHub {
     owner = "antmicro";
     repo = "dts2repl";
-    rev = "7da612ea571bf1dafa29f37c8b382a8970e7665c";
-    hash = "sha256-SasHbPTB6uTElS0v/7X0ZuMh5qAu3F0oKOMu2S3epWQ=";
+    rev = "ca0e43957140ee0cd7795b7a42ffb04fdcb98328";
+    hash = "sha256-6SgnYFta9FgHhc6Da1ItFO/UK2UtXU14bTl+sjX0I9s=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/by-name/rq/rquickshare/package.nix b/pkgs/by-name/rq/rquickshare/package.nix
index b738690c65c9..ae38de23828a 100644
--- a/pkgs/by-name/rq/rquickshare/package.nix
+++ b/pkgs/by-name/rq/rquickshare/package.nix
@@ -5,10 +5,10 @@
 }:
 let
   pname = "rquickshare";
-  version = "0.10.2";
+  version = "0.11.2";
   src = fetchurl {
     url = "https://github.com/Martichou/rquickshare/releases/download/v${version}/r-quick-share-main_v${version}_glibc-2.39_amd64.AppImage";
-    hash = "sha256-VbHz9bSob3XSt7ut3jAiSl1/AV+Jw+SOP1mWBI5ggYQ=";
+    hash = "sha256-7w1zybCPRg4RK5bKHoHLDUDXVDQL23ox/6wh8H9vTPg=";
   };
   appimageContents = appimageTools.extractType2 { inherit pname version src; };
 in
diff --git a/pkgs/by-name/st/streamcontroller/package.nix b/pkgs/by-name/st/streamcontroller/package.nix
new file mode 100644
index 000000000000..830bc1229052
--- /dev/null
+++ b/pkgs/by-name/st/streamcontroller/package.nix
@@ -0,0 +1,190 @@
+{
+  stdenv,
+  lib,
+  python3Packages,
+  fetchFromGitHub,
+  copyDesktopItems,
+  makeDesktopItem,
+  wrapGAppsHook4,
+  gobject-introspection,
+  libadwaita,
+  libportal,
+  libportal-gtk4,
+  xdg-desktop-portal,
+  xdg-desktop-portal-gtk,
+}:
+stdenv.mkDerivation rec {
+  pname = "streamcontroller";
+
+  # Note that the latest tagged version (1.5.0-beta.6) includes a python dependency
+  # that doesn't exist anymore, so we package an unstable version instead.
+  version = "1.5.0-beta.6-unstable-2024-08-13";
+
+  src = fetchFromGitHub {
+    repo = "StreamController";
+    owner = "StreamController";
+    rev = "dbb6460a69137af192db09d504224ae9f1127cbd";
+    hash = "sha256-+YYzHLRU5MNjF3iaKIDj9k4PVg+vnEZhbc3ZmNI7xyw=";
+  };
+
+  # The installation method documented upstream
+  # (https://streamcontroller.github.io/docs/latest/installation/) is to clone the repo,
+  # run `pip install`, then run `python3 main.py` to launch the program.
+  # Due to how the code is structured upstream, it's infeasible to use `buildPythonApplication`.
+
+  dontBuild = true;
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/usr/lib/streamcontroller
+    cp -r ./* $out/usr/lib/streamcontroller/
+
+    mkdir -p $out/bin/
+
+    # Note that the implementation of main.py assumes
+    # working directory to be at the root of the project's source code
+    makeWrapper \
+      ${python3Packages.python.interpreter} \
+      $out/bin/streamcontroller \
+      --add-flags main.py \
+      --chdir $out/usr/lib/streamcontroller \
+      --prefix PYTHONPATH : "$PYTHONPATH"
+
+    mkdir -p "$out/etc/udev/rules.d"
+    cp ./udev.rules $out/etc/udev/rules.d/70-streamcontroller.rules
+
+    install -D ./flatpak/icon_256.png $out/share/icons/hicolor/256x256/apps/streamcontroller.png
+
+    runHook postInstall
+  '';
+
+  desktopItems = [
+    (makeDesktopItem {
+      name = "StreamController";
+      desktopName = "StreamController";
+      exec = "streamcontroller";
+      icon = "streamcontroller";
+      comment = "Control your Elgato Stream Decks";
+      categories = [ "Utility" ];
+    })
+  ];
+
+  nativeBuildInputs = [
+    copyDesktopItems
+    wrapGAppsHook4
+    gobject-introspection
+  ];
+
+  buildInputs =
+    [
+      libadwaita
+      libportal
+      libportal-gtk4
+      xdg-desktop-portal
+      xdg-desktop-portal-gtk
+    ]
+    ++ (with python3Packages; [
+      annotated-types
+      async-lru
+      cairocffi
+      cairosvg
+      certifi
+      cffi
+      charset-normalizer
+      click
+      colorama
+      contourpy
+      cssselect2
+      cycler
+      dbus-python
+      decorator
+      defusedxml
+      distlib
+      dnspython
+      evdev
+      filelock
+      fonttools
+      fuzzywuzzy
+      gcodepy
+      get-video-properties
+      gitdb
+      idna
+      imageio
+      imageio-ffmpeg
+      indexed-bzip2
+      jinja2
+      joblib
+      kiwisolver
+      levenshtein
+      linkify-it-py
+      loguru
+      markdown-it-py
+      markupsafe
+      matplotlib
+      mdit-py-plugins
+      mdurl
+      meson
+      meson-python
+      natsort
+      nltk
+      numpy
+      opencv4
+      packaging
+      pillow
+      platformdirs
+      plumbum
+      proglog
+      psutil
+      pulsectl
+      pycairo
+      pyclip
+      pycparser
+      pydantic
+      pydantic-core
+      pyenchant
+      pygments
+      pygobject3
+      pymongo
+      pyparsing
+      pyperclip
+      pyproject-metadata
+      pyro5
+      pyspellchecker
+      python-dateutil
+      pyudev
+      pyusb
+      pyyaml
+      rapidfuzz
+      regex
+      requests
+      requirements-parser
+      rich
+      rpyc
+      serpent
+      setproctitle
+      six
+      smmap
+      speedtest-cli
+      streamcontroller-plugin-tools
+      streamdeck
+      textual
+      tinycss2
+      tqdm
+      types-setuptools
+      typing-extensions
+      uc-micro-py
+      urllib3
+      usb-monitor
+      webencodings
+      websocket-client
+    ]);
+
+  meta = with lib; {
+    description = "Elegant Linux app for the Elgato Stream Deck with support for plugins";
+    homepage = "https://core447.com/";
+    license = licenses.gpl3;
+    mainProgram = "streamcontroller";
+    maintainers = with maintainers; [ sifmelcara ];
+    platforms = lib.platforms.linux;
+  };
+}
diff --git a/pkgs/by-name/ui/uiua/package.nix b/pkgs/by-name/ui/uiua/package.nix
index 20f50b0957a1..86c238328e3a 100644
--- a/pkgs/by-name/ui/uiua/package.nix
+++ b/pkgs/by-name/ui/uiua/package.nix
@@ -18,16 +18,16 @@ let
 in
 rustPlatform.buildRustPackage rec {
   pname = "uiua";
-  version = "0.12.2";
+  version = "0.12.3";
 
   src = fetchFromGitHub {
     owner = "uiua-lang";
     repo = "uiua";
     rev = version;
-    hash = "sha256-w/eB9EN3IrEDdwbMqj2w5YAZK/BImA/Xq2k9oRng7Zk=";
+    hash = "sha256-gI+FaiNN7Hql9HMsrl5skJuJDJv/mVarsFqslLXVvLU=";
   };
 
-  cargoHash = "sha256-/DO/jkYaInoO0nMfflDuu7E08gk9D89m9ubeubHdvd8=";
+  cargoHash = "sha256-9mdspWwuZ+dLBnhklSqi4Lg2SjJyhhfn5Ax58evtkDA=";
 
   nativeBuildInputs =
     lib.optionals stdenv.isDarwin [ rustPlatform.bindgenHook ]
diff --git a/pkgs/by-name/vg/vgm2x/package.nix b/pkgs/by-name/vg/vgm2x/package.nix
index ff2fa28e7be7..8ac19dbde93a 100644
--- a/pkgs/by-name/vg/vgm2x/package.nix
+++ b/pkgs/by-name/vg/vgm2x/package.nix
@@ -1,43 +1,47 @@
-{ stdenv
-, lib
-, fetchFromGitHub
-, unstableGitUpdater
-, libfmvoice
-, zlib
+{
+  stdenv,
+  lib,
+  fetchFromGitHub,
+  unstableGitUpdater,
+  libarchive,
+  libzip,
+  pkg-config,
 }:
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "vgm2x";
-  version = "0.0.0-unstable-2023-08-27";
+  version = "0-unstable-2024-06-18";
 
   src = fetchFromGitHub {
     owner = "vampirefrog";
     repo = "vgm2x";
-    rev = "5128055ab2b356e173b53e2afd31202a59505a39";
-    hash = "sha256-DwDcSUdfOsDlajYtzg5xM5P9QPOqLp8b0sEpE18kfzA=";
+    rev = "1c379d74d2365d4478abe25a12572f357d35d576";
+    fetchSubmodules = true;
+    hash = "sha256-lWyOyaV9dDrvGfmCE7m5M8DsxcB8bzJ35Amj3DAOVeA=";
   };
 
   postPatch = ''
-    rmdir libfmvoice
-    cp --no-preserve=all -r ${libfmvoice.src} libfmvoice
+    substituteInPlace Makefile \
+      --replace-fail 'pkg-config' "$PKG_CONFIG"
   '';
 
   strictDeps = true;
 
   enableParallelBuilding = true;
 
+  nativeBuildInputs = [ pkg-config ];
+
   buildInputs = [
-    zlib
+    libarchive
+    libzip
   ];
 
-  buildFlags = [
-    "CC=${stdenv.cc.targetPrefix}cc"
-  ];
+  buildFlags = [ "CC=${stdenv.cc.targetPrefix}cc" ];
 
   installPhase = ''
     runHook preInstall
 
-    install -Dm755 vgm2opm $out/bin/vgm2opm
+    install -Dm755 vgm2x $out/bin/vgm2x
 
     runHook postInstall
   '';
@@ -46,12 +50,12 @@ stdenv.mkDerivation (finalAttrs: {
     updateScript = unstableGitUpdater { };
   };
 
-  meta = with lib; {
+  meta = {
     description = "VGM file extraction tools";
     homepage = "https://github.com/vampirefrog/vgm2x";
-    license = licenses.gpl3Only;
-    mainProgram = "vgm2opm";
-    maintainers = with maintainers; [ OPNA2608 ];
-    platforms = platforms.all;
+    license = lib.licenses.gpl3Only;
+    mainProgram = "vgm2x";
+    maintainers = with lib.maintainers; [ OPNA2608 ];
+    platforms = lib.platforms.all;
   };
 })
diff --git a/pkgs/by-name/vi/vimcats/package.nix b/pkgs/by-name/vi/vimcats/package.nix
new file mode 100644
index 000000000000..60be4b64a402
--- /dev/null
+++ b/pkgs/by-name/vi/vimcats/package.nix
@@ -0,0 +1,38 @@
+{
+  lib,
+  fetchFromGitHub,
+  rustPlatform,
+  testers,
+  vimcats,
+}:
+
+rustPlatform.buildRustPackage rec {
+  pname = "vimcats";
+  version = "1.0.2";
+
+  src = fetchFromGitHub {
+    owner = "mrcjkb";
+    repo = "vimcats";
+    rev = "v${version}";
+    sha256 = "sha256-YZPLZgC0v5zw/+X3r0G1MZ+46c0K8J3ClFQYH5BqbUE=";
+  };
+
+  buildFeatures = [ "cli" ];
+
+  cargoHash = "sha256-gxCsB8lx9gTEsWV3uCX2TKTzxCUZ9JHo+1+voU7gKhY=";
+
+  passthru.tests.version = testers.testVersion { package = vimcats; };
+
+  meta = with lib; {
+    description = "A CLI to generate vim/nvim help doc from LuaCATS. Forked from lemmy-help";
+    longDescription = ''
+      `vimcats` is a LuaCATS parser as well as a CLI which takes that parsed tree and converts it into vim help docs.
+      It is a fork of lemmy-help that aims to support more recent LuaCATS features.
+    '';
+    homepage = "https://github.com/mrcjkb/vimcats";
+    changelog = "https://github.com/mrcjkb/vimcats/CHANGELOG.md";
+    license = with licenses; [ gpl2Plus ];
+    maintainers = with maintainers; [ mrcjkb ];
+    mainProgram = "vimcats";
+  };
+}
diff --git a/pkgs/by-name/wa/warp-terminal/package.nix b/pkgs/by-name/wa/warp-terminal/package.nix
index 8eae7a2a5dbd..71c23dc8f751 100644
--- a/pkgs/by-name/wa/warp-terminal/package.nix
+++ b/pkgs/by-name/wa/warp-terminal/package.nix
@@ -23,12 +23,17 @@ pname = "warp-terminal";
 versions = lib.importJSON ./versions.json;
 passthru.updateScript = ./update.sh;
 
+linux_arch =
+  if stdenv.hostPlatform.system == "x86_64-linux"
+    then "x86_64"
+    else "aarch64";
+
 linux = stdenv.mkDerivation (finalAttrs:  {
   inherit pname meta passthru;
-  inherit (versions.linux) version;
+  inherit (versions."linux_${linux_arch}") version;
   src = fetchurl {
-    inherit (versions.linux) hash;
-    url = "https://releases.warp.dev/stable/v${finalAttrs.version}/warp-terminal-v${finalAttrs.version}-1-x86_64.pkg.tar.zst";
+    inherit (versions."linux_${linux_arch}") hash;
+    url = "https://releases.warp.dev/stable/v${finalAttrs.version}/warp-terminal-v${finalAttrs.version}-1-${linux_arch}.pkg.tar.zst";
   };
 
   sourceRoot = ".";
@@ -100,7 +105,7 @@ meta = with lib; {
   license = licenses.unfree;
   sourceProvenance = with lib.sourceTypes; [ binaryNativeCode ];
   maintainers = with maintainers; [ emilytrau imadnyc donteatoreo johnrtitor ];
-  platforms = platforms.darwin ++ [ "x86_64-linux" ];
+  platforms = platforms.darwin ++ [ "x86_64-linux" "aarch64-linux" ];
 };
 
 in
diff --git a/pkgs/by-name/wa/warp-terminal/update.sh b/pkgs/by-name/wa/warp-terminal/update.sh
index 2c9c69dc0cec..2ea6f06b9e18 100755
--- a/pkgs/by-name/wa/warp-terminal/update.sh
+++ b/pkgs/by-name/wa/warp-terminal/update.sh
@@ -27,10 +27,14 @@ resolve_url() {
             pkg=macos
             sfx=dmg
             ;;
-        linux)
+        linux_x86_64)
             pkg=pacman
             sfx=pkg.tar.zst
             ;;
+        linux_aarch64)
+            pkg=pacman_arm64
+            sfx=pkg.tar.zst
+            ;;
         *)
             err "Unexpected download type: $1"
             ;;
@@ -64,7 +68,8 @@ sri_get() {
 }
 
 
-for sys in darwin linux; do
+for sys in darwin linux_x86_64 linux_aarch64; do
+    echo ${sys}
     url=$(resolve_url ${sys})
     version=$(get_version "${url}")
     if [[ ${version} != "$(json_get ".${sys}.version")" ]]; then
diff --git a/pkgs/by-name/wa/warp-terminal/versions.json b/pkgs/by-name/wa/warp-terminal/versions.json
index 936d8cbd3598..2ae689c98528 100644
--- a/pkgs/by-name/wa/warp-terminal/versions.json
+++ b/pkgs/by-name/wa/warp-terminal/versions.json
@@ -3,8 +3,12 @@
     "hash": "sha256-EDhj4Gb0ykFX8W2G8osusjggemcuHO7hkUKb151cQ6g=",
     "version": "0.2024.08.20.08.02.stable_00"
   },
-  "linux": {
+  "linux_x86_64": {
     "hash": "sha256-Uk5pSoAvEppjLnskLc5/ftcCaiJnXATJfCPDP2QpBo8=",
     "version": "0.2024.08.20.08.02.stable_00"
+  },
+  "linux_aarch64": {
+    "hash": "sha256-B0mUAwydIgi7Nhm/iUhEjkV3LL+qLfXZcOz6+7eDZGc=",
+    "version": "0.2024.08.20.08.02.stable_00"
   }
 }
diff --git a/pkgs/by-name/ws/wstunnel/package.nix b/pkgs/by-name/ws/wstunnel/package.nix
index 42b58649493e..9e918039c14a 100644
--- a/pkgs/by-name/ws/wstunnel/package.nix
+++ b/pkgs/by-name/ws/wstunnel/package.nix
@@ -1,13 +1,14 @@
-{ lib
-, fetchFromGitHub
-, rustPlatform
-, testers
-, wstunnel
-, nixosTests
+{
+  lib,
+  fetchFromGitHub,
+  rustPlatform,
+  nixosTests,
+  nix-update-script,
+  versionCheckHook,
 }:
 
 let
-  version = "9.7.4";
+  version = "10.0.1";
 in
 
 rustPlatform.buildRustPackage {
@@ -18,19 +19,26 @@ rustPlatform.buildRustPackage {
     owner = "erebe";
     repo = "wstunnel";
     rev = "v${version}";
-    hash = "sha256-OFm0Jk06Mxzr4F7KrMBGFqcDSuTtrMvBSK99bbOgua4=";
+    hash = "sha256-lahuuVc+fbuWMXaWvt8C6j26Mo/1o5PkBfVH+lemdv4=";
   };
 
-  cargoHash = "sha256-JMRcXuw6AKfwViOgYAgFdSwUeTo04rEkKj+t+W8wjGI=";
+  cargoHash = "sha256-gNx01LHIcAbedO2X/OwwnQWd9d0Qc6ahe84IRUyptcY=";
+
+  nativeBuildInputs = [ versionCheckHook ];
+
+  doInstallCheck = true;
 
   checkFlags = [
     # Tries to launch a test container
     "--skip=tcp::tests::test_proxy_connection"
+    "--skip=protocols::tcp::server::tests::test_proxy_connection"
   ];
 
-  passthru.tests = {
-    version = testers.testVersion { package = wstunnel; };
-    nixosTest = nixosTests.wstunnel;
+  passthru = {
+    updateScript = nix-update-script { };
+    tests = {
+      nixosTest = nixosTests.wstunnel;
+    };
   };
 
   meta = {
@@ -38,7 +46,10 @@ rustPlatform.buildRustPackage {
     homepage = "https://github.com/erebe/wstunnel";
     changelog = "https://github.com/erebe/wstunnel/releases/tag/v${version}";
     license = lib.licenses.bsd3;
-    maintainers = with lib.maintainers; [ rvdp neverbehave ];
+    maintainers = with lib.maintainers; [
+      rvdp
+      neverbehave
+    ];
     mainProgram = "wstunnel";
   };
 }
diff --git a/pkgs/data/themes/whitesur-kde/default.nix b/pkgs/data/themes/whitesur-kde/default.nix
index 9e74d8aec4cb..e009534dde2d 100644
--- a/pkgs/data/themes/whitesur-kde/default.nix
+++ b/pkgs/data/themes/whitesur-kde/default.nix
@@ -1,57 +1,59 @@
 { lib
 , stdenvNoCC
 , fetchFromGitHub
-, kdeclarative
-, plasma-framework
-, plasma-workspace
-, gitUpdater
+, plasma-desktop
+, qtsvg
+, unstableGitUpdater
 }:
 
 stdenvNoCC.mkDerivation {
   pname = "whitesur-kde";
-  version = "unstable-2023-10-06";
+  version = "2022-05-01-unstable-2024-08-07";
 
   src = fetchFromGitHub {
     owner = "vinceliuice";
     repo = "whitesur-kde";
-    rev = "2b4bcc76168bd8a4a7601188e177fa0ab485cdc8";
-    hash = "sha256-+Iooj8a7zfLhEWnjLEVoe/ebD9Vew5HZdz0wpWVZxA8=";
+    rev = "a5c704224069a9e10fce82eec3c4ba482924d7ef";
+    hash = "sha256-GGrddhmYOp2qm1rHyBnSjQIyw0pU7CNJhxUt6da8ZpQ=";
   };
 
   # Propagate sddm theme dependencies to user env otherwise sddm does
   # not find them. Putting them in buildInputs is not enough.
   propagatedUserEnvPkgs = [
-    kdeclarative.bin
-    plasma-framework
-    plasma-workspace
+    plasma-desktop
+    qtsvg
   ];
 
   postPatch = ''
-    patchShebangs install.sh
+    patchShebangs install.sh sddm/install.sh
 
     substituteInPlace install.sh \
-      --replace '$HOME/.config' $out/share \
-      --replace '$HOME/.local' $out \
-      --replace '"$HOME"/.Xresources' $out/doc/.Xresources
+      --replace-fail '[ "$UID" -eq "$ROOT_UID" ]' true \
+      --replace-fail /usr $out \
+      --replace-fail '"$HOME"/.Xresources' $out/doc/.Xresources
+
+    substituteInPlace sddm/install.sh \
+      --replace-fail '[ "$UID" -eq "$ROOT_UID" ]' true \
+      --replace-fail /usr $out \
+      --replace-fail 'REO_DIR="$(cd $(dirname $0) && pwd)"' 'REO_DIR=sddm'
 
     substituteInPlace sddm/*/Main.qml \
-      --replace /usr $out
+      --replace-fail /usr $out
   '';
 
   installPhase = ''
     runHook preInstall
 
     mkdir -p $out/doc
-
     name= ./install.sh
 
     mkdir -p $out/share/sddm/themes
-    cp -a sddm/WhiteSur $out/share/sddm/themes/
+    sddm/install.sh
 
     runHook postInstall
   '';
 
-  passthru.updateScript = gitUpdater { };
+  passthru.updateScript = unstableGitUpdater { };
 
   meta = with lib; {
     description = "MacOS big sur like theme for KDE Plasma desktop";
diff --git a/pkgs/desktops/deepin/library/dde-qt-dbus-factory/default.nix b/pkgs/desktops/deepin/library/dde-qt-dbus-factory/default.nix
index 9c14bf1379bb..bcfcef845b6e 100644
--- a/pkgs/desktops/deepin/library/dde-qt-dbus-factory/default.nix
+++ b/pkgs/desktops/deepin/library/dde-qt-dbus-factory/default.nix
@@ -2,32 +2,30 @@
   stdenv,
   lib,
   fetchFromGitHub,
-  qmake,
-  qtbase,
-  wrapQtAppsHook,
+  libsForQt5,
   python3,
   dtkcore,
 }:
 
 stdenv.mkDerivation rec {
   pname = "dde-qt-dbus-factory";
-  version = "6.0.0";
+  version = "6.0.1";
 
   src = fetchFromGitHub {
     owner = "linuxdeepin";
     repo = pname;
     rev = version;
-    hash = "sha256-9r5thJJjEZAuDT0N/m1gcr0Faa8WpZOtGKDYuZEvJis=";
+    hash = "sha256-B9SrApvjTIW2g9VayrmCsWXS9Gkg55Voi1kPP+KYp3s=";
   };
 
   nativeBuildInputs = [
-    qmake
-    wrapQtAppsHook
+    libsForQt5.qmake
+    libsForQt5.wrapQtAppsHook
     python3
   ];
 
   buildInputs = [
-    qtbase
+    libsForQt5.qtbase
     dtkcore
   ];
 
@@ -38,17 +36,16 @@ stdenv.mkDerivation rec {
 
   postPatch = ''
     substituteInPlace libdframeworkdbus/libdframeworkdbus.pro \
-     --replace "/usr" ""
-
+      --replace-fail "/usr" ""
     substituteInPlace libdframeworkdbus/DFrameworkdbusConfig.in \
-      --replace "/usr/include" "$out/include"
+      --replace-fail "/usr/include" "$out/include"
   '';
 
-  meta = with lib; {
+  meta = {
     description = "Repo of auto-generated D-Bus source code which DDE used";
     homepage = "https://github.com/linuxdeepin/dde-qt-dbus-factory";
-    license = licenses.gpl3Plus;
-    platforms = platforms.linux;
-    maintainers = teams.deepin.members;
+    license = lib.licenses.gpl3Plus;
+    platforms = lib.platforms.linux;
+    maintainers = lib.teams.deepin.members;
   };
 }
diff --git a/pkgs/development/python-modules/array-api-strict/default.nix b/pkgs/development/python-modules/array-api-strict/default.nix
index d562aac4c523..7450717251b2 100644
--- a/pkgs/development/python-modules/array-api-strict/default.nix
+++ b/pkgs/development/python-modules/array-api-strict/default.nix
@@ -6,7 +6,6 @@
   numpy,
   pytestCheckHook,
   hypothesis,
-  nix-update-script,
 }:
 
 buildPythonPackage rec {
@@ -37,13 +36,11 @@ buildPythonPackage rec {
     "test_environment_variables"
   ];
 
-  passthru.updateScript = nix-update-script { };
-
-  meta = with lib; {
+  meta = {
     homepage = "https://data-apis.org/array-api-strict";
     changelog = "https://github.com/data-apis/array-api-strict/releases/tag/${version}";
     description = "A strict, minimal implementation of the Python array API";
-    license = licenses.bsd3;
-    maintainers = [ maintainers.berquist ];
+    license = lib.licenses.bsd3;
+    maintainers = with lib.maintainers; [ berquist ];
   };
 }
diff --git a/pkgs/development/python-modules/craft-providers/default.nix b/pkgs/development/python-modules/craft-providers/default.nix
index 3269ff03a4de..8b91b0005ed5 100644
--- a/pkgs/development/python-modules/craft-providers/default.nix
+++ b/pkgs/development/python-modules/craft-providers/default.nix
@@ -22,7 +22,7 @@
 
 buildPythonPackage rec {
   pname = "craft-providers";
-  version = "1.24.1";
+  version = "1.24.2";
 
   pyproject = true;
 
@@ -30,7 +30,7 @@ buildPythonPackage rec {
     owner = "canonical";
     repo = "craft-providers";
     rev = "refs/tags/${version}";
-    hash = "sha256-l57Y+sdCD0/3sBK48N/3p3ns3o0LB4h9FQ35ha1AOV4=";
+    hash = "sha256-2629Xk2KB1WX3JzAupBWmKg+Ztp5FFJ0x9Xa/w+8tns=";
   };
 
   patches = [
diff --git a/pkgs/development/python-modules/griffe/default.nix b/pkgs/development/python-modules/griffe/default.nix
index c29ba160cf99..59494d65f753 100644
--- a/pkgs/development/python-modules/griffe/default.nix
+++ b/pkgs/development/python-modules/griffe/default.nix
@@ -14,7 +14,7 @@
 
 buildPythonPackage rec {
   pname = "griffe";
-  version = "1.1.0";
+  version = "1.2.0";
   pyproject = true;
 
   disabled = pythonOlder "3.8";
@@ -23,7 +23,7 @@ buildPythonPackage rec {
     owner = "mkdocstrings";
     repo = "griffe";
     rev = "refs/tags/${version}";
-    hash = "sha256-Iw5AATWVfaW5kIdTmW90aS7+nYcl/tQCrVJyRVrydHw=";
+    hash = "sha256-oxZZIfzPsGs2hhVRdWEvPhIR5JwTMAmO5VgEQHzBO90=";
   };
 
   build-system = [ pdm-backend ];
diff --git a/pkgs/development/python-modules/iterfzf/default.nix b/pkgs/development/python-modules/iterfzf/default.nix
index 099fad45d53e..07710e18466b 100644
--- a/pkgs/development/python-modules/iterfzf/default.nix
+++ b/pkgs/development/python-modules/iterfzf/default.nix
@@ -12,7 +12,7 @@
 
 buildPythonPackage rec {
   pname = "iterfzf";
-  version = "1.4.0.51.0";
+  version = "1.4.0.54.3";
   pyproject = true;
 
   disabled = pythonOlder "3.8";
@@ -21,7 +21,7 @@ buildPythonPackage rec {
     owner = "dahlia";
     repo = "iterfzf";
     rev = "refs/tags/${version}";
-    hash = "sha256-Xjk+r2PdIg+oULA5gfI129p1fNOO8RINNxP+pveiocM=";
+    hash = "sha256-DvEFCHK+1TA/TTXG//hvXXbRclBkelonA3QsB4h7eRM=";
   };
 
   postPatch = ''
diff --git a/pkgs/development/python-modules/krb5/default.nix b/pkgs/development/python-modules/krb5/default.nix
index ee520b0f0012..f64b73447ac0 100644
--- a/pkgs/development/python-modules/krb5/default.nix
+++ b/pkgs/development/python-modules/krb5/default.nix
@@ -1,5 +1,6 @@
 {
   lib,
+  stdenv,
   buildPythonPackage,
   cython,
   fetchPypi,
@@ -42,5 +43,6 @@ buildPythonPackage rec {
     homepage = "https://github.com/jborean93/pykrb5";
     license = licenses.mit;
     maintainers = teams.deshaw.members;
+    broken = stdenv.isDarwin; # TODO: figure out how to build on Darwin
   };
 }
diff --git a/pkgs/development/python-modules/posthog/default.nix b/pkgs/development/python-modules/posthog/default.nix
index 2ff4d4a8f191..cf4e6803391b 100644
--- a/pkgs/development/python-modules/posthog/default.nix
+++ b/pkgs/development/python-modules/posthog/default.nix
@@ -15,7 +15,7 @@
 }:
 let
   pname = "posthog";
-  version = "3.5.0";
+  version = "3.5.2";
 in
 buildPythonPackage {
   inherit pname version;
@@ -25,7 +25,7 @@ buildPythonPackage {
     owner = "PostHog";
     repo = "posthog-python";
     rev = "refs/tags/v${version}";
-    hash = "sha256-+nYMQxqI9RZ5vVL6KgiRLcx0JHWJTs/rZ6U6jIuaz+w=";
+    hash = "sha256-DhTX28j8RcEONEVIRoYHBk63Qw1Wff9qdQ/Ymbb9xHE=";
   };
 
   propagatedBuildInputs = [
diff --git a/pkgs/development/python-modules/pyemby/default.nix b/pkgs/development/python-modules/pyemby/default.nix
index 4233a5a817bf..5f73af3f9b25 100644
--- a/pkgs/development/python-modules/pyemby/default.nix
+++ b/pkgs/development/python-modules/pyemby/default.nix
@@ -4,26 +4,32 @@
   async-timeout,
   buildPythonPackage,
   fetchFromGitHub,
+  pythonOlder,
+  setuptools,
 }:
 
 buildPythonPackage rec {
   pname = "pyemby";
-  version = "1.9";
-  format = "setuptools";
+  version = "1.10";
+  pyproject = true;
+
+  disabled = pythonOlder "3.8";
 
   src = fetchFromGitHub {
     owner = "mezz64";
-    repo = pname;
-    rev = version;
-    hash = "sha256-4mOQLfPbRzZzpNLvekJHVKiqdGGKPhW6BpKkyRfk2Pc=";
+    repo = "pyemby";
+    rev = "refs/tags/${version}";
+    hash = "sha256-+A/SNMCUqo9TwWsQXwOKJCqmYhbilIdHYazLNQY+NkU=";
   };
 
-  propagatedBuildInputs = [
+  build-system = [ setuptools ];
+
+  dependencies = [
     aiohttp
     async-timeout
   ];
 
-  # Project has no tests
+  # Module has no tests
   doCheck = false;
 
   pythonImportsCheck = [ "pyemby" ];
@@ -31,7 +37,7 @@ buildPythonPackage rec {
   meta = with lib; {
     description = "Python library to interface with the Emby API";
     homepage = "https://github.com/mezz64/pyemby";
-    license = with licenses; [ mit ];
+    license = licenses.mit;
     maintainers = with maintainers; [ fab ];
   };
 }
diff --git a/pkgs/development/python-modules/requests-kerberos/default.nix b/pkgs/development/python-modules/requests-kerberos/default.nix
index 210e792cfbf7..ffa706fcd58b 100644
--- a/pkgs/development/python-modules/requests-kerberos/default.nix
+++ b/pkgs/development/python-modules/requests-kerberos/default.nix
@@ -1,5 +1,6 @@
 {
   lib,
+  stdenv,
   buildPythonPackage,
   cryptography,
   fetchFromGitHub,
@@ -24,11 +25,14 @@ buildPythonPackage rec {
     hash = "sha256-s1Q3zqKPSuTkiFExr+axai9Eta1xjw/cip8xzfDGR88=";
   };
 
-  propagatedBuildInputs = [
-    cryptography
-    requests
-    pyspnego
-  ] ++ pyspnego.optional-dependencies.kerberos;
+  propagatedBuildInputs =
+    [
+      cryptography
+      requests
+      pyspnego
+    ]
+    # Avoid broken Python krb5 package on Darwin
+    ++ lib.optionals (!stdenv.isDarwin) pyspnego.optional-dependencies.kerberos;
 
   nativeCheckInputs = [
     pytestCheckHook
diff --git a/pkgs/development/python-modules/streamcontroller-plugin-tools/default.nix b/pkgs/development/python-modules/streamcontroller-plugin-tools/default.nix
new file mode 100644
index 000000000000..1375f6eae785
--- /dev/null
+++ b/pkgs/development/python-modules/streamcontroller-plugin-tools/default.nix
@@ -0,0 +1,33 @@
+{
+  buildPythonPackage,
+  fetchFromGitHub,
+  lib,
+  loguru,
+  rpyc,
+}:
+buildPythonPackage rec {
+  pname = "streamcontroller-plugin-tools";
+  version = "2.0.0";
+
+  src = fetchFromGitHub {
+    owner = "StreamController";
+    repo = "streamcontroller-plugin-tools";
+    rev = version;
+    hash = "sha256-dQZPRSzHhI3X+Pf7miwJlECGFgUfp68PtvwXAmpq5/s=";
+  };
+
+  dependencies = [
+    loguru
+    rpyc
+  ];
+
+  pythonImportsCheck = [ "streamcontroller_plugin_tools" ];
+
+  meta = with lib; {
+    description = "StreamController plugin tools";
+    homepage = "https://github.com/StreamController/streamcontroller-plugin-tools";
+    license = licenses.gpl3;
+    maintainers = with maintainers; [ sifmelcara ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/pkgs/development/python-modules/unstructured/default.nix b/pkgs/development/python-modules/unstructured/default.nix
index 06f4ccc6b58d..0c87b41ba848 100644
--- a/pkgs/development/python-modules/unstructured/default.nix
+++ b/pkgs/development/python-modules/unstructured/default.nix
@@ -57,7 +57,7 @@
   grpcio,
 }:
 let
-  version = "0.15.7";
+  version = "0.15.8";
   optional-dependencies = {
     huggingflace = [
       langdetect
@@ -100,7 +100,7 @@ buildPythonPackage {
     owner = "Unstructured-IO";
     repo = "unstructured";
     rev = "refs/tags/${version}";
-    hash = "sha256-Tcb9Mv60T6WztFGKfSgfQdxegK9OAjeArmEQAVvLbEQ=";
+    hash = "sha256-smNbkSBntGRaJuzJRcp0J5vdjf/xWMqF1IaHMAKPXjw=";
   };
 
   propagatedBuildInputs = [
diff --git a/pkgs/development/python-modules/usb-monitor/default.nix b/pkgs/development/python-modules/usb-monitor/default.nix
new file mode 100644
index 000000000000..4f945341eb52
--- /dev/null
+++ b/pkgs/development/python-modules/usb-monitor/default.nix
@@ -0,0 +1,32 @@
+{
+  buildPythonPackage,
+  fetchPypi,
+  lib,
+  pyudev,
+}:
+
+buildPythonPackage rec {
+  pname = "usb-monitor";
+  version = "1.21";
+
+  src = fetchPypi {
+    inherit version;
+    pname = "usb_monitor";
+    hash = "sha256-M+BUmbNxQWcULFECexTnp55EZiJ6y3bYCEtSwqKldAk=";
+  };
+
+  dependencies = [ pyudev ];
+
+  # has no tests
+  doCheck = false;
+
+  pythonImportsCheck = [ "usbmonitor" ];
+
+  meta = {
+    description = "Cross-platform library for USB device monitoring";
+    homepage = "https://github.com/Eric-Canas/USBMonitor";
+    license = lib.licenses.mit;
+    maintainers = with lib.maintainers; [ sifmelcara ];
+    platforms = lib.platforms.linux;
+  };
+}
diff --git a/pkgs/development/ruby-modules/with-packages/Gemfile b/pkgs/development/ruby-modules/with-packages/Gemfile
index 9690544d9191..b668a9b8862a 100644
--- a/pkgs/development/ruby-modules/with-packages/Gemfile
+++ b/pkgs/development/ruby-modules/with-packages/Gemfile
@@ -149,6 +149,7 @@ gem 'slop'
 gem 'snappy'
 gem 'snmp'
 gem 'sqlite3'
+gem 'standard'
 gem 'taglib-ruby'
 gem 'thrift'
 gem 'tilt'
diff --git a/pkgs/development/tools/analysis/banana-vera/default.nix b/pkgs/development/tools/analysis/banana-vera/default.nix
index 8be5e84addf1..704b822fa45e 100644
--- a/pkgs/development/tools/analysis/banana-vera/default.nix
+++ b/pkgs/development/tools/analysis/banana-vera/default.nix
@@ -8,13 +8,13 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "banana-vera";
-  version = "1.3.0-fedora38";
+  version = "1.3.0-ubuntu";
 
   src = fetchFromGitHub {
     owner = "Epitech";
     repo = "banana-vera";
     rev = "refs/tags/v${finalAttrs.version}";
-    sha256 = "sha256-sSN3trSySJe3KVyrb/hc5HUGRS4M3c4UX9SLlzBM43c";
+    sha256 = "sha256-sSN3trSySJe3KVyrb/hc5HUGRS4M3c4UX9SLlzBM43c=";
   };
 
   nativeBuildInputs = [ cmake ];
diff --git a/pkgs/servers/etebase/default.nix b/pkgs/servers/etebase/default.nix
index 2d22f510b387..e9503ecfe167 100644
--- a/pkgs/servers/etebase/default.nix
+++ b/pkgs/servers/etebase/default.nix
@@ -7,30 +7,22 @@
 , nixosTests
 }:
 
-let
-  python = python3.override {
-    self = python;
-    packageOverrides = self: super: {
-      pydantic = super.pydantic_1;
-    };
-  };
-in
-python.pkgs.buildPythonApplication rec {
+python3.pkgs.buildPythonApplication rec {
   pname = "etebase-server";
-  version = "0.13.1";
+  version = "0.14.2";
 
   src = fetchFromGitHub {
     owner = "etesync";
     repo = "server";
     rev = "refs/tags/v${version}";
-    hash = "sha256-GEieXue3Kvc4zZjfypKLmTmhNPbn/GR8g0qEqkl+wkw=";
+    hash = "sha256-W2u/d8X8luOzgy1CLNgujnwaoO1pR1QO1Ma7i4CGkdU=";
   };
 
   patches = [ ./secret.patch ];
 
   doCheck = false;
 
-  propagatedBuildInputs = with python.pkgs; [
+  propagatedBuildInputs = with python3.pkgs; [
     aiofiles
     django_4
     fastapi
@@ -56,9 +48,9 @@ python.pkgs.buildPythonApplication rec {
   '';
 
   passthru.updateScript = nix-update-script {};
-  passthru.python = python;
+  passthru.python = python3;
   # PYTHONPATH of all dependencies used by the package
-  passthru.pythonPath = python.pkgs.makePythonPath propagatedBuildInputs;
+  passthru.pythonPath = python3.pkgs.makePythonPath propagatedBuildInputs;
   passthru.tests = {
     nixosTest = nixosTests.etebase-server;
   };
diff --git a/pkgs/servers/home-automation/evcc/default.nix b/pkgs/servers/home-automation/evcc/default.nix
index c4a01449d291..4c6bff7e458e 100644
--- a/pkgs/servers/home-automation/evcc/default.nix
+++ b/pkgs/servers/home-automation/evcc/default.nix
@@ -16,16 +16,16 @@
 
 buildGo123Module rec {
   pname = "evcc";
-  version = "0.130.4";
+  version = "0.130.6";
 
   src = fetchFromGitHub {
     owner = "evcc-io";
     repo = "evcc";
     rev = version;
-    hash = "sha256-da8TIe6KcivWlP6zmNHJVdx973sEiC2S7wc5v7u0vzg=";
+    hash = "sha256-8ThvDl/dxD2YO9Z+iVhq+JQmnL8M9RdWVfHykoRIERg=";
   };
 
-  vendorHash = "sha256-ATgxPydYWPOXrk3fBKVWgFO1Vd13cTq//lDMjObjHFg=";
+  vendorHash = "sha256-L04EQwA2HYLTtYZMP2K7ubuq8IqbqHNEF9W3UmM4pOg=";
 
   npmDeps = fetchNpmDeps {
     inherit src;
diff --git a/pkgs/servers/monitoring/grafana/default.nix b/pkgs/servers/monitoring/grafana/default.nix
index 9d3a0785fe31..4eca91169012 100644
--- a/pkgs/servers/monitoring/grafana/default.nix
+++ b/pkgs/servers/monitoring/grafana/default.nix
@@ -8,7 +8,7 @@
 
 buildGoModule rec {
   pname = "grafana";
-  version = "11.1.4";
+  version = "11.2.0";
 
   subPackages = [ "pkg/cmd/grafana" "pkg/cmd/grafana-server" "pkg/cmd/grafana-cli" ];
 
@@ -16,7 +16,7 @@ buildGoModule rec {
     owner = "grafana";
     repo = "grafana";
     rev = "v${version}";
-    hash = "sha256-KK6LDq9CHSrif2LOWW20PswiDk1zLwx3/QV3Q06tzbo=";
+    hash = "sha256-SthxNf8e8LEV0LSdVR/x6UXOXy+lGAUqHtQd0bQufjY=";
   };
 
   # borrowed from: https://github.com/NixOS/nixpkgs/blob/d70d9425f49f9aba3c49e2c389fe6d42bac8c5b0/pkgs/development/tools/analysis/snyk/default.nix#L20-L22
@@ -51,16 +51,16 @@ buildGoModule rec {
     dontFixup = true;
     outputHashMode = "recursive";
     outputHash = rec {
-      x86_64-linux = "sha256-2VnhZBWLdYQhqKCxM63fCAwQXN4Zrh2wCdPBLCCUuvg=";
+      x86_64-linux = "sha256-Fo6WsgrFTp79wk+nPuUbPklneTvE+/ki0hX3IE8WR94=";
       aarch64-linux = x86_64-linux;
-      aarch64-darwin = "sha256-MZE3/PHynL6SHOxJgOG41pi2X8XeutruAOyUFY9Lmsc=";
+      aarch64-darwin = "sha256-C2zo+ykk5Zr5DDO4AB9wkc8jgn82VY8WlTR3XiqbD/0=";
       x86_64-darwin = aarch64-darwin;
     }.${stdenv.hostPlatform.system} or (throw "Unsupported system: ${stdenv.hostPlatform.system}");
   };
 
   disallowedRequisites = [ offlineCache ];
 
-  vendorHash = "sha256-vd3hb7+lmhQPTZO/Xqi59XSPGj5sd218xQAD1bRbUz8=";
+  vendorHash = "sha256-Pmh+tSJR7l34Ncr2DexjvbWRxnWLG3rzuz4n8vpPbx0=";
 
   proxyVendor = true;
 
diff --git a/pkgs/servers/web-apps/wordpress/packages/languages.json b/pkgs/servers/web-apps/wordpress/packages/languages.json
index d2ca31b5af30..db996c40e789 100644
--- a/pkgs/servers/web-apps/wordpress/packages/languages.json
+++ b/pkgs/servers/web-apps/wordpress/packages/languages.json
@@ -1,20 +1,20 @@
 {
   "de_DE": {
     "path": "de_DE",
-    "rev": "1436223",
-    "sha256": "0yc9h1c5pqqy7n3x5ss9vxizb1qyalx2srnwkfnhgl0f103ry7hc",
-    "version": "6.5"
+    "rev": "1528320",
+    "sha256": "1q1xc9mm7kkja15i8cdwmr2i42hgahfx1ks6llqigfcl2qklsxsq",
+    "version": "6.6"
   },
   "fr_FR": {
     "path": "fr_FR",
-    "rev": "1436240",
-    "sha256": "014n9zk6adlzk2ayd5f5hm97ybn8b5l5h589576hsmv30crivqsq",
-    "version": "6.5"
+    "rev": "1531427",
+    "sha256": "1355shvbx130ps0zypa0ff7dnygdf8jsfn8h7y52bv32dbbhrjhy",
+    "version": "6.6"
   },
   "ro_RO": {
     "path": "ro_RO",
-    "rev": "1436218",
-    "sha256": "15issr2hnq9fci7kkw42aqqxj5vq154v91xy6mhppp2079g93c63",
-    "version": "6.5"
+    "rev": "1533818",
+    "sha256": "1qsyp5w43qxk1c5gjizhl4a224dcad3pz7i8p2yvl4xv0ln94sp1",
+    "version": "6.6"
   }
 }
diff --git a/pkgs/servers/web-apps/wordpress/packages/plugins.json b/pkgs/servers/web-apps/wordpress/packages/plugins.json
index fb72b5304309..dbf602c01571 100644
--- a/pkgs/servers/web-apps/wordpress/packages/plugins.json
+++ b/pkgs/servers/web-apps/wordpress/packages/plugins.json
@@ -6,10 +6,10 @@
     "version": "2.4.6"
   },
   "akismet": {
-    "path": "akismet/tags/5.3.2",
-    "rev": "3095776",
-    "sha256": "0qjn2v4hq9259pbncambxzlqywvwgcc9nbz8nqi6rj1m3za4vpyv",
-    "version": "5.3.2"
+    "path": "akismet/tags/5.3.3",
+    "rev": "3131091",
+    "sha256": "0bjsln3ybnrwmiqz9j363d7bzas3h1znjlxbclqkm38h91x7vbc7",
+    "version": "5.3.3"
   },
   "antispam-bee": {
     "path": "antispam-bee/tags/2.11.6",
@@ -24,10 +24,10 @@
     "version": "2.21.08.31"
   },
   "breeze": {
-    "path": "breeze/tags/2.1.9",
-    "rev": "3097827",
-    "sha256": "1az7p8zbcxl50swir8jqbcfp07ibkn225x0rc69sc38shsl7aaqv",
-    "version": "2.1.9"
+    "path": "breeze/tags/2.1.12",
+    "rev": "3139514",
+    "sha256": "02wzrflvrlnzv456zigkh3b31l8rrjs8sc9di1dkcxyh32cw0q9b",
+    "version": "2.1.12"
   },
   "co-authors-plus": {
     "path": "co-authors-plus/tags/3.6.1",
@@ -42,10 +42,10 @@
     "version": "3.2.1"
   },
   "cookie-notice": {
-    "path": "cookie-notice/tags/2.4.16",
-    "rev": "3062780",
-    "sha256": "0fiskqj229r9ymnhr7h1z7snyhbv3ka3lp1ysbdyl631l992lwnc",
-    "version": "2.4.16"
+    "path": "cookie-notice/tags/2.4.18",
+    "rev": "3134111",
+    "sha256": "110g3jizsyy42vrzvhhzfdnvw6gx2vv2yn2kjgy3sspphzz0vdg8",
+    "version": "2.4.18"
   },
   "disable-xml-rpc": {
     "path": "disable-xml-rpc/tags/1.0.1",
@@ -60,16 +60,16 @@
     "version": "1.4.0"
   },
   "gutenberg": {
-    "path": "gutenberg/tags/18.5.0",
-    "rev": "3098391",
-    "sha256": "16hxrm1pp44jnbnzg6rsx2wm6rbfcfyrxvaam41qvf5s9kdnds0j",
-    "version": "18.5.0"
+    "path": "gutenberg/tags/19.0.0",
+    "rev": "3135572",
+    "sha256": "121whl70w6ng08jwkzahyyjxv722wk3rggwgc20fnmzgd1kk3nhh",
+    "version": "19.0.0"
   },
   "hcaptcha-for-forms-and-more": {
-    "path": "hcaptcha-for-forms-and-more/tags/4.2.1",
-    "rev": "3098902",
-    "sha256": "0asfkd63zy6cpg3f8lg3l3cdfnlxsg6lnw2sqbcn267jdijqal51",
-    "version": "4.2.1"
+    "path": "hcaptcha-for-forms-and-more/tags/4.4.0",
+    "rev": "3129246",
+    "sha256": "0lza7vjml88l58g6f8y9rzbf04qgxzxdbvzxn4l54bix773ggakd",
+    "version": "4.4.0"
   },
   "hello-dolly": {
     "path": "hello-dolly/tags/1.7.2",
@@ -84,10 +84,10 @@
     "version": "3.0.2"
   },
   "jetpack": {
-    "path": "jetpack/tags/13.5",
-    "rev": "3098116",
-    "sha256": "12m9jyrxfpq7v7ydgp2kvn7s28s6gx0mzc9fihd1fddinvyjihqs",
-    "version": "13.5"
+    "path": "jetpack/tags/13.7",
+    "rev": "3131767",
+    "sha256": "0kxbdfb2qddppqp66vcp4a0bfysddgx06x50aax0d8mfgjammkw2",
+    "version": "13.7"
   },
   "jetpack-lite": {
     "path": "jetpack-lite/tags/3.0.3",
@@ -96,10 +96,10 @@
     "version": "3.0.3"
   },
   "lightbox-photoswipe": {
-    "path": "lightbox-photoswipe/tags/5.2.6",
-    "rev": "3065055",
-    "sha256": "1bhw5wvv722qm5a47ia2g5laj5fxr0yw61ajq03qbp0jpqry3slf",
-    "version": "5.2.6"
+    "path": "lightbox-photoswipe/tags/5.4.0",
+    "rev": "3133682",
+    "sha256": "0igbq8s67id7403yrcg1b0bfwrils9fws0d3w6mr1jq3n8mi9wns",
+    "version": "5.4.0"
   },
   "login-lockdown": {
     "path": "login-lockdown/tags/2.10",
@@ -115,20 +115,20 @@
   },
   "merge-minify-refresh": {
     "path": "merge-minify-refresh/trunk",
-    "rev": "3089082",
-    "sha256": "04li9jl0b6mf16n7619jnls20wd9ix0ggpsqkpm5s11jpwbnc9n6",
-    "version": "2.8"
+    "rev": "3126978",
+    "sha256": "1xrr7ddriagd8hh6f0n9bkfqsc32rvzb9prbrh1r1k6qr84z0pi6",
+    "version": "2.12"
   },
   "opengraph": {
-    "path": "opengraph/tags/1.11.3",
-    "rev": "3097574",
-    "sha256": "1g9lv3ffbcf2bcbwjfczry4wjzrmvpbilymhs15vx2ysjhh7jqgv",
-    "version": "1.11.3"
+    "path": "opengraph/tags/1.12.1",
+    "rev": "3120032",
+    "sha256": "12gq0dvnlng759bnkmqw83dp3ygy4zk0l5prpgbjpzw2z6dy1jq3",
+    "version": "1.12.1"
   },
   "simple-login-captcha": {
     "path": "simple-login-captcha/tags/1.3.6",
-    "rev": "3061970",
-    "sha256": "0fxvx71ncxd2gypfcl86s56qy93npw2jmzl06f6zdvrk48644f0z",
+    "rev": "3122028",
+    "sha256": "0j2gda5zsi48ra1w57v06ygyng438kjpaq67hb11mpzz8a7s0vav",
     "version": "1.3.6"
   },
   "simple-mastodon-verification": {
@@ -156,10 +156,10 @@
     "version": "1.2.3"
   },
   "webp-converter-for-media": {
-    "path": "webp-converter-for-media/tags/5.12.5",
-    "rev": "3096305",
-    "sha256": "0v8a06na42la16gq6m1mfjglnggdxpy9qnfc20xr0wi2qv5xnwf8",
-    "version": "5.12.5"
+    "path": "webp-converter-for-media/tags/5.13.1",
+    "rev": "3130708",
+    "sha256": "01hzymnr1pyiq1gr1w783fz7xk4c4hak2vn2qcfhxh6jdbb2p7b7",
+    "version": "5.13.1"
   },
   "webp-express": {
     "path": "webp-express/tags/0.25.9",
@@ -168,10 +168,10 @@
     "version": "0.25.9"
   },
   "wordpress-seo": {
-    "path": "wordpress-seo/tags/22.8",
-    "rev": "3093688",
-    "sha256": "14by3h0wk4xjh78pgsvwb9j791viky5w8h78frw905d3azhv8jnj",
-    "version": "22.8"
+    "path": "wordpress-seo/tags/23.3",
+    "rev": "3137992",
+    "sha256": "0fhyjb7ncplicn6y4xpjs0hsi5c1hzy3kdbvsixyhx95ca67wnz4",
+    "version": "23.3"
   },
   "worker": {
     "path": "worker/tags/4.9.20",
@@ -186,10 +186,10 @@
     "version": "2.0"
   },
   "wp-fastest-cache": {
-    "path": "wp-fastest-cache/tags/1.2.7",
-    "rev": "3091143",
-    "sha256": "1drmm1badk8wgqs0r3pl47fl5hsc883llcaxgsppyv4x1mzvnwi2",
-    "version": "1.2.7"
+    "path": "wp-fastest-cache/tags/1.3.0",
+    "rev": "3137836",
+    "sha256": "1zkd6smayrxp504nh5ak5d526jmhkvf95ydy03q2xvr02fn5rdrm",
+    "version": "1.3.0"
   },
   "wp-gdpr-compliance": {
     "path": "wp-gdpr-compliance/tags/2.0.22",
@@ -197,23 +197,29 @@
     "sha256": "0zgn3pg2zhqqv89rl6pqwd3p3hvspsnn47iab7xw0d79nby0nh7c",
     "version": "2.0.22"
   },
+  "wp-import-export-lite": {
+    "path": "wp-import-export-lite/trunk",
+    "rev": "3051446",
+    "sha256": "1dpb930kx09jhqzdkg683vy237pnq4hfls4hlszm5spnyfsq1z46",
+    "version": "3.9.27"
+  },
   "wp-mail-smtp": {
-    "path": "wp-mail-smtp/tags/4.0.1",
-    "rev": "3043224",
-    "sha256": "0hvcigsmlwgjnv7ha6zrj3n9yhxyak5r3937m3dp0whsl7ci0qw9",
-    "version": "4.0.1"
+    "path": "wp-mail-smtp/tags/4.1.1",
+    "rev": "3136142",
+    "sha256": "1a4qv43fyxkvjhskgbszmi75i67ymsl02qg1da73d75px3kkmxjw",
+    "version": "4.1.1"
   },
   "wp-statistics": {
-    "path": "wp-statistics/tags/14.7.2",
-    "rev": "3096387",
-    "sha256": "15gccsdw8g1d3np6xl7bzq89ydx0qkv1qxzj62r0cglzlnphli8b",
-    "version": "14.7.2"
+    "path": "wp-statistics/tags/14.9.4",
+    "rev": "3134056",
+    "sha256": "1bjm3n2w7cfxnqz8p8w0svwnkvm1rkw9m85z1vkksbwrdhbyk6qz",
+    "version": "14.9.4"
   },
   "wp-swiper": {
     "path": "wp-swiper/trunk",
-    "rev": "3093150",
-    "sha256": "1apbl3vgb996n2la15iyv0z9xfn0axcjkn721fxvi2l0bar9kmcy",
-    "version": "1.1.10"
+    "rev": "3130620",
+    "sha256": "1kn1piv7siqzhafqw4hjsc7n98j05zany1gvpbg0h5gjk40n3anm",
+    "version": "1.1.13"
   },
   "wp-user-avatars": {
     "path": "wp-user-avatars/trunk",
@@ -222,9 +228,9 @@
     "version": "1.4.1"
   },
   "wpforms-lite": {
-    "path": "wpforms-lite/tags/1.8.8.3",
-    "rev": "3077484",
-    "sha256": "03glhjxsrw6n884qkxrizbs6i4d7b1bl9m2zj7f32p0bq466hm6r",
-    "version": "1.8.8.3"
+    "path": "wpforms-lite/tags/1.9.0.4",
+    "rev": "3140326",
+    "sha256": "0qix61wxsxgcrkrwwrc1chzb54bryc2j7qiv66afsixcfwcsbglc",
+    "version": "1.9.0.4"
   }
 }
diff --git a/pkgs/servers/web-apps/wordpress/packages/themes.json b/pkgs/servers/web-apps/wordpress/packages/themes.json
index a9e5e53f14bb..de8b34eba220 100644
--- a/pkgs/servers/web-apps/wordpress/packages/themes.json
+++ b/pkgs/servers/web-apps/wordpress/packages/themes.json
@@ -1,32 +1,32 @@
 {
   "twentynineteen": {
-    "path": "twentynineteen/2.8",
-    "rev": "223028",
-    "sha256": "0mw74ww2am6gi2m7vvn44g99y3l7scwahhdni6fh0m858r81fx09",
-    "version": "2.8"
+    "path": "twentynineteen/2.9",
+    "rev": "235020",
+    "sha256": "0980471ha06dj5kcwij7rmrg2dr0cj53r72qym4sqzyfj0aj1lkx",
+    "version": "2.9"
   },
   "twentytwenty": {
-    "path": "twentytwenty/2.6",
-    "rev": "223029",
-    "sha256": "063jcwb3c4qnwp6m0dw0wfvimxnj25xvfssvibhbjlby4ibdxa6k",
-    "version": "2.6"
+    "path": "twentytwenty/2.7",
+    "rev": "235021",
+    "sha256": "0y9r1jhlbr4bxhv0a73kgkg6klgg05l6iy3shhkp130s3hlkhfg1",
+    "version": "2.7"
   },
   "twentytwentyone": {
-    "path": "twentytwentyone/2.2",
-    "rev": "223030",
-    "sha256": "15z84ccabjxy88qpyrjb41f13xvgx27gyg0ivvfh468052jkwna9",
-    "version": "2.2"
+    "path": "twentytwentyone/2.3",
+    "rev": "235022",
+    "sha256": "0nxrlim9mcdn7db5v93shlq1yxani909gwccvsly2wjv777dbakx",
+    "version": "2.3"
   },
   "twentytwentythree": {
-    "path": "twentytwentythree/1.4",
-    "rev": "223032",
-    "sha256": "12n50rffvrzl7vmcz3cbgh1i464hsp6yb9dr8p9000nf877pkq7b",
-    "version": "1.4"
+    "path": "twentytwentythree/1.5",
+    "rev": "235024",
+    "sha256": "09xaxqrrzgmmjlbbpm9jfhajfc90am4qp2dihcx4bbkczb5ahgc3",
+    "version": "1.5"
   },
   "twentytwentytwo": {
-    "path": "twentytwentytwo/1.7",
-    "rev": "223031",
-    "sha256": "1irivpi4asd6gzqjc1fw4fmff7kf8fh2n118pjfr3v8mw5hmfssp",
-    "version": "1.7"
+    "path": "twentytwentytwo/1.8",
+    "rev": "235023",
+    "sha256": "0m35rl6gxjl4idsfaqhjqzgmhspn55iy7zxa8qn5mbl0ls6b5m8q",
+    "version": "1.8"
   }
 }
diff --git a/pkgs/servers/web-apps/wordpress/packages/wordpress-plugins.json b/pkgs/servers/web-apps/wordpress/packages/wordpress-plugins.json
index 83d3b6d1edae..3ffa1b4f0dd9 100644
--- a/pkgs/servers/web-apps/wordpress/packages/wordpress-plugins.json
+++ b/pkgs/servers/web-apps/wordpress/packages/wordpress-plugins.json
@@ -32,6 +32,7 @@
 , "wp-change-email-sender": "gpl2Plus"
 , "wp-fastest-cache": "gpl2Plus"
 , "wp-gdpr-compliance": "gpl2Plus"
+, "wp-import-export-lite": "gpl3Plus"
 , "wp-mail-smtp": "gpl3Plus"
 , "wp-statistics": "gpl3Only"
 , "wp-swiper": "gpl2Plus"
diff --git a/pkgs/stdenv/linux/bootstrap-files/s390x-unknown-linux-gnu.nix b/pkgs/stdenv/linux/bootstrap-files/s390x-unknown-linux-gnu.nix
index 6c9501b33257..e8aebe6125ed 100644
--- a/pkgs/stdenv/linux/bootstrap-files/s390x-unknown-linux-gnu.nix
+++ b/pkgs/stdenv/linux/bootstrap-files/s390x-unknown-linux-gnu.nix
@@ -2,20 +2,20 @@
 # $ ./refresh-tarballs.bash --targets=s390x-unknown-linux-gnu
 #
 # Metadata:
-# - nixpkgs revision: 8ba481d65eb21a4f9e6b1e812de3f83079eb8016
+# - nixpkgs revision: 0a7eaa55ccaa5103f44a9a4e3e0b06e5314a6401
 # - hydra build: https://hydra.nixos.org/job/nixpkgs/cross-trunk/bootstrapTools.s390x-unknown-linux-gnu.build/latest
-# - resolved hydra build: https://hydra.nixos.org/build/267960435
-# - instantiated derivation: /nix/store/hqmllvbilxslp393ci4lkj66psh5iv6a-stdenv-bootstrap-tools-s390x-unknown-linux-gnu.drv
-# - output directory: /nix/store/wnr3zf16ci8ajxnv0v6w3dn8lm93gp5z-stdenv-bootstrap-tools-s390x-unknown-linux-gnu
-# - build time: Sun, 28 Jul 2024 14:47:36 +0000
+# - resolved hydra build: https://hydra.nixos.org/build/268609502
+# - instantiated derivation: /nix/store/x66rrb9wv612n37bj6iggr2vg313hs77-stdenv-bootstrap-tools-s390x-unknown-linux-gnu.drv
+# - output directory: /nix/store/ijkl5anf7mx1p3whdkxv4qs5crf6ic35-stdenv-bootstrap-tools-s390x-unknown-linux-gnu
+# - build time: Mon, 05 Aug 2024 17:28:42 +0000
 {
   bootstrapTools = import <nix/fetchurl.nix> {
-    url = "http://tarballs.nixos.org/stdenv/s390x-unknown-linux-gnu/8ba481d65eb21a4f9e6b1e812de3f83079eb8016/bootstrap-tools.tar.xz";
-    hash = "sha256-fuKIRXznA8hU8uGpxldAUNvuJBZ/xiyJUByNbpBCaH8=";
+    url = "http://tarballs.nixos.org/stdenv/s390x-unknown-linux-gnu/0a7eaa55ccaa5103f44a9a4e3e0b06e5314a6401/bootstrap-tools.tar.xz";
+    hash = "sha256-HYooNwkStp9Q1nZOw9celEiQPWwU7iSHP1iaxodBv1g=";
   };
   busybox = import <nix/fetchurl.nix> {
-    url = "http://tarballs.nixos.org/stdenv/s390x-unknown-linux-gnu/8ba481d65eb21a4f9e6b1e812de3f83079eb8016/busybox";
-    hash = "sha256-R6nAiaIOgShKiu+qcOP9apVpnuJgTAGAsJxWSHsH4/A=";
+    url = "http://tarballs.nixos.org/stdenv/s390x-unknown-linux-gnu/0a7eaa55ccaa5103f44a9a4e3e0b06e5314a6401/busybox";
+    hash = "sha256-8BUGvp0gm4v3qBemF/kTVVCsu3ydWLGRVPulBsAL+MI=";
     executable = true;
   };
 }
diff --git a/pkgs/tools/misc/viddy/default.nix b/pkgs/tools/misc/viddy/default.nix
index ece009cc6ca3..cb9f1d68e9c9 100644
--- a/pkgs/tools/misc/viddy/default.nix
+++ b/pkgs/tools/misc/viddy/default.nix
@@ -6,21 +6,21 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "viddy";
-  version = "1.0.1";
+  version = "1.0.2";
 
   src = fetchFromGitHub {
     owner = "sachaos";
     repo = "viddy";
     rev = "v${version}";
-    hash = "sha256-HFqkWJu1whShwEsSUZe5orWTNYyY3oZ6tBzAJF3SFDw=";
+    hash = "sha256-Rb4IBguyRLiwUR9dDKOagWSUjov0OzxiiuSg7epjCv0=";
   };
 
-  cargoHash = "sha256-oEzsJoVD9aSvphchm21dlmkwePMDSaxD7eoR850NbRk=";
+  cargoHash = "sha256-Lr/sl0IcoVGb22y5BQrGIUVx8Ny+bQg1MqUBRPqF1nk=";
 
   # requires nightly features
   env.RUSTC_BOOTSTRAP = 1;
 
-  env.VERGEN_BUILD_DATE = "2024-08-24"; # managed via the update script
+  env.VERGEN_BUILD_DATE = "2024-08-26"; # managed via the update script
   env.VERGEN_GIT_DESCRIBE = "Nixpkgs";
 
   passthru.updateScript.command = [ ./update.sh ];
diff --git a/pkgs/tools/system/osquery/default.nix b/pkgs/tools/system/osquery/default.nix
index 8413c2e9f33a..e97e03180d32 100644
--- a/pkgs/tools/system/osquery/default.nix
+++ b/pkgs/tools/system/osquery/default.nix
@@ -9,48 +9,20 @@
 , stdenv
 , stdenvNoCC
 , ninja
+, nix-prefetch-git
 , autoPatchelfHook
-, writeShellApplication
 , jq
 , removeReferencesTo
 , nixosTests
 , file
+, writers
 }:
 
 let
 
-  version = "5.12.2";
+  info = builtins.fromJSON (builtins.readFile ./info.json);
 
-  opensslVersion = "3.2.1";
-
-  opensslSha256 = "83c7329fe52c850677d75e5d0b0ca245309b97e8ecbcfdc1dfdc4ab9fac35b39";
-
-  src = fetchFromGitHub {
-    owner = "osquery";
-    repo = "osquery";
-    rev = version;
-    fetchSubmodules = true;
-    hash = "sha256-PJrGAqDxo5l6jtQdpTqraR195G6kaLQ2ik08WtlWEmk=";
-  };
-
-  extractOpensslInfo = writeShellApplication {
-    name = "extractOpensslInfo";
-    text = ''
-      if [ $# -ne 1 ]; then
-        echo "Usage: $0 <osquery-source-directory>"
-        exit 1
-      fi
-      opensslCmake="$1"/libraries/cmake/formula/openssl/CMakeLists.txt
-      version=$(gawk 'match($0, /OPENSSL_VERSION "(.*)"/, a) {print a[1]}' < "$opensslCmake")
-      sha256=$(gawk 'match($0, /OPENSSL_ARCHIVE_SHA256 "(.*)"/, a) {print a[1]}' < "$opensslCmake")
-      echo "{\"version\": \"$version\", \"sha256\": \"$sha256\"}"
-    '';
-  };
-
-  opensslSrc = fetchurl {
-    url = "https://www.openssl.org/source/openssl-${opensslVersion}.tar.gz";
-    sha256 = opensslSha256;
-  };
+  opensslSrc = fetchurl info.openssl;
 
   toolchain = import ./toolchain-bin.nix { inherit stdenv lib fetchzip file; };
 
@@ -60,7 +32,9 @@ stdenvNoCC.mkDerivation rec {
 
   pname = "osquery";
 
-  inherit src version;
+  version = info.osquery.rev;
+
+  src = fetchFromGitHub info.osquery;
 
   patches = [
     ./Remove-git-reset.patch
@@ -73,7 +47,6 @@ stdenvNoCC.mkDerivation rec {
     python3
     ninja
     autoPatchelfHook
-    extractOpensslInfo
     jq
     removeReferencesTo
   ];
@@ -83,23 +56,6 @@ stdenvNoCC.mkDerivation rec {
   '';
 
   configurePhase = ''
-    expectedOpensslVersion=$(extractOpensslInfo . | jq -r .version)
-    expectedOpensslSha256=$(extractOpensslInfo . | jq -r .sha256)
-
-    if [ "$expectedOpensslVersion" != "${opensslVersion}" ]; then
-      echo "openssl version mismatch: expected=$expectedOpensslVersion actual=${opensslVersion}"
-      opensslMismatch=1
-    fi
-
-    if [ "$expectedOpensslSha256" != "${opensslSha256}" ]; then
-      echo "openssl sha256 mismatch: expected=$expectedOpensslSha256 actual=${opensslSha256}"
-      opensslMismatch=1
-    fi
-
-    if [ -n "$opensslMismatch" ]; then
-      exit 1
-    fi
-
     mkdir build
     cd build
     cmake .. \
@@ -120,10 +76,14 @@ stdenvNoCC.mkDerivation rec {
   '';
 
   passthru = {
-    inherit extractOpensslInfo opensslSrc toolchain;
+    inherit opensslSrc toolchain;
     tests = {
       inherit (nixosTests) osquery;
     };
+    updateScript = writers.writePython3
+      "osquery-update"
+      { makeWrapperArgs = "--prefix PATH : ${lib.makeBinPath [ nix-prefetch-git ]}"; }
+      (builtins.readFile ./update.py);
   };
 
   meta = with lib; {
diff --git a/pkgs/tools/system/osquery/info.json b/pkgs/tools/system/osquery/info.json
new file mode 100644
index 000000000000..c9a20c1e0f03
--- /dev/null
+++ b/pkgs/tools/system/osquery/info.json
@@ -0,0 +1,13 @@
+{
+    "openssl": {
+        "hash": "sha256-g8cyn+UshQZ3115dCwyiRTCbl+jsvP3B39xKufrDWzk=",
+        "url": "https://www.openssl.org/source/openssl-3.2.1.tar.gz"
+    },
+    "osquery": {
+        "fetchSubmodules": true,
+        "hash": "sha256-PJrGAqDxo5l6jtQdpTqraR195G6kaLQ2ik08WtlWEmk=",
+        "owner": "osquery",
+        "repo": "osquery",
+        "rev": "5.12.2"
+    }
+}
diff --git a/pkgs/tools/system/osquery/update.py b/pkgs/tools/system/osquery/update.py
new file mode 100644
index 000000000000..d593154e78a8
--- /dev/null
+++ b/pkgs/tools/system/osquery/update.py
@@ -0,0 +1,109 @@
+import base64
+import json
+import re
+import subprocess
+import sys
+import urllib.request
+
+OWNER = 'osquery'
+REPO = 'osquery'
+OPENSSL_VERSION_PAT = re.compile(r'^set\(OPENSSL_VERSION "(.*)"\)')
+OPENSSL_SHA256_PAT = re.compile(r'^set\(OPENSSL_ARCHIVE_SHA256 "(.*)"\)')
+INFO_PATH = 'pkgs/tools/system/osquery/info.json'
+
+
+def download_str(url):
+    return urllib.request.urlopen(url).read().decode('utf-8')
+
+
+def get_latest_tag():
+    latest_url = f'https://api.github.com/repos/{OWNER}/{REPO}/releases/latest'
+    return json.loads(download_str(latest_url))['tag_name']
+
+
+def read_info():
+    with open(INFO_PATH, 'r') as f:
+        return json.load(f)
+
+
+def write_info(info):
+    with open(INFO_PATH, 'w') as f:
+        json.dump(info, f, indent=4, sort_keys=True)
+        f.write('\n')
+
+
+def sha256_hex_to_sri(hex):
+    return 'sha256-' + base64.b64encode(bytes.fromhex(hex)).decode()
+
+
+def openssl_info_from_cmake(cmake):
+    version = None
+    sha256 = None
+    for line in cmake.splitlines():
+        if version is None:
+            m = OPENSSL_VERSION_PAT.match(line)
+            if m is not None:
+                version = m.group(1)
+        if sha256 is None:
+            m = OPENSSL_SHA256_PAT.match(line)
+            if m is not None:
+                sha256 = m.group(1)
+        if version is not None and sha256 is not None:
+            break
+
+    if version is None or sha256 is None:
+        raise Exception('Failed to extract openssl fetch info')
+
+    return {
+        'url': f'https://www.openssl.org/source/openssl-{version}.tar.gz',
+        'hash': sha256_hex_to_sri(sha256)
+    }
+
+
+def openssl_info_for_rev(rev):
+    url = f'https://raw.githubusercontent.com/{OWNER}/{REPO}/{rev}/libraries/cmake/formula/openssl/CMakeLists.txt'  # noqa: E501
+    return openssl_info_from_cmake(download_str(url))
+
+
+force = len(sys.argv) == 2 and sys.argv[1] == '--force'
+
+latest_tag = get_latest_tag()
+print(f'osquery_latest_tag: {latest_tag}')
+
+if not force:
+    old_info = read_info()
+    if latest_tag == old_info['osquery']['rev']:
+        print('latest tag matches existing rev. exiting')
+        sys.exit(0)
+
+openssl_fetch_info = openssl_info_for_rev(latest_tag)
+print(f'openssl_info: {openssl_fetch_info}')
+
+prefetch = json.loads(subprocess.check_output([
+    'nix-prefetch-git',
+    '--fetch-submodules',
+    '--quiet',
+    f'https://github.com/{OWNER}/{REPO}',
+    latest_tag
+]))
+
+prefetch_hash = prefetch['hash']
+
+github_fetch_info = {
+    'owner': OWNER,
+    'repo': REPO,
+    'rev': latest_tag,
+    'hash': prefetch_hash,
+    'fetchSubmodules': True
+}
+
+print(f'osquery_hash: {prefetch_hash}')
+
+new_info = {
+    'osquery': github_fetch_info,
+    'openssl': openssl_fetch_info
+}
+
+print(f'osquery_info: {new_info}')
+
+write_info(new_info)
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 36ca8c973586..0e24635340fa 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -20001,8 +20001,6 @@ with pkgs;
 
   ffmpegthumbnailer = callPackage ../development/libraries/ffmpegthumbnailer { };
 
-  ffmpeg-normalize = python3Packages.callPackage ../applications/video/ffmpeg-normalize { };
-
   ffms = callPackage ../development/libraries/ffms { };
 
   fftw = callPackage ../development/libraries/fftw { };
@@ -28567,7 +28565,7 @@ with pkgs;
 
   whitesur-icon-theme = callPackage ../data/icons/whitesur-icon-theme { };
 
-  whitesur-kde = libsForQt5.callPackage ../data/themes/whitesur-kde { };
+  whitesur-kde = kdePackages.callPackage ../data/themes/whitesur-kde { };
 
   wireless-regdb = callPackage ../data/misc/wireless-regdb { };
 
diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix
index 5fe05b0aa8c3..f44c9acb97a3 100644
--- a/pkgs/top-level/python-packages.nix
+++ b/pkgs/top-level/python-packages.nix
@@ -15174,6 +15174,8 @@ self: super: with self; {
 
   strct = callPackage ../development/python-modules/strct { };
 
+  streamcontroller-plugin-tools = callPackage ../development/python-modules/streamcontroller-plugin-tools { };
+
   streamdeck = callPackage ../development/python-modules/streamdeck { };
 
   streaming-form-data = callPackage ../development/python-modules/streaming-form-data { };
@@ -17168,6 +17170,8 @@ self: super: with self; {
 
   usb-devices = callPackage ../development/python-modules/usb-devices { };
 
+  usb-monitor = callPackage ../development/python-modules/usb-monitor { };
+
   usbrelay-py = callPackage ../os-specific/linux/usbrelay/python.nix { };
 
   usbtmc = callPackage ../development/python-modules/usbtmc { };
diff --git a/pkgs/top-level/release-cuda.nix b/pkgs/top-level/release-cuda.nix
index 032820fd923c..f655114737e9 100644
--- a/pkgs/top-level/release-cuda.nix
+++ b/pkgs/top-level/release-cuda.nix
@@ -13,6 +13,7 @@
 */
 
 let
+  lib = import ../../lib;
   ensureList = x: if builtins.isList x then x else [ x ];
   allowUnfreePredicate =
     p:
@@ -53,11 +54,11 @@ assert builtins.elem variant [
 ];
 
 let
-  release-lib = import ./release-lib.nix (
-    { inherit supportedSystems nixpkgsArgs; } // builtins.removeAttrs args [ "variant" ]
+  mkReleaseLib = import ./release-lib.nix;
+  release-lib = mkReleaseLib (
+    { inherit supportedSystems nixpkgsArgs; } // lib.intersectAttrs (lib.functionArgs mkReleaseLib) args
   );
 
-  inherit (release-lib) lib;
   inherit (release-lib)
     linux
     mapTestOn
diff --git a/pkgs/top-level/ruby-packages.nix b/pkgs/top-level/ruby-packages.nix
index 101dd8cf8c4d..16cbd080d740 100644
--- a/pkgs/top-level/ruby-packages.nix
+++ b/pkgs/top-level/ruby-packages.nix
@@ -2078,6 +2078,16 @@
     };
     version = "5.1.1";
   };
+  lint_roller = {
+    groups = ["default"];
+    platforms = [];
+    source = {
+      remotes = ["https://rubygems.org"];
+      sha256 = "11yc0d84hsnlvx8cpk4cbj6a4dz9pk0r1k29p0n1fz9acddq831c";
+      type = "gem";
+    };
+    version = "1.1.0";
+  };
   liquid = {
     groups = ["default"];
     platforms = [];
@@ -3223,10 +3233,10 @@
     platforms = [];
     source = {
       remotes = ["https://rubygems.org"];
-      sha256 = "0daamn13fbm77rdwwa4w6j6221iq6091asivgdhk6n7g398frcdf";
+      sha256 = "13bif1z20kqq8aaglj7352qpfkzbd8p8rd7lak335szxziqrn8rs";
       type = "gem";
     };
-    version = "1.62.1";
+    version = "1.65.1";
   };
   rubocop-ast = {
     dependencies = ["parser"];
@@ -3641,6 +3651,39 @@
     };
     version = "1.7.3";
   };
+  standard = {
+    dependencies = ["language_server-protocol" "lint_roller" "rubocop" "standard-custom" "standard-performance"];
+    groups = ["default"];
+    platforms = [];
+    source = {
+      remotes = ["https://rubygems.org"];
+      sha256 = "0whz1l232xsf5fq5gxcbandmws8fx37h389n4q4ky1x1p7c7md2n";
+      type = "gem";
+    };
+    version = "1.40.0";
+  };
+  standard-custom = {
+    dependencies = ["lint_roller" "rubocop"];
+    groups = ["default"];
+    platforms = [];
+    source = {
+      remotes = ["https://rubygems.org"];
+      sha256 = "0av55ai0nv23z5mhrwj1clmxpgyngk7vk6rh58d4y1ws2y2dqjj2";
+      type = "gem";
+    };
+    version = "1.0.2";
+  };
+  standard-performance = {
+    dependencies = ["lint_roller" "rubocop-performance"];
+    groups = ["default"];
+    platforms = [];
+    source = {
+      remotes = ["https://rubygems.org"];
+      sha256 = "1551dwjwyqy7rckjgcb25k51k6wndn8m37mmbpanr0k4b6v757yy";
+      type = "gem";
+    };
+    version = "1.4.0";
+  };
   stringio = {
     groups = ["default"];
     platforms = [];