diff --git a/nixos/doc/manual/release-notes/rl-2305.section.md b/nixos/doc/manual/release-notes/rl-2305.section.md index c81cbc69f94e..abaefac66e3c 100644 --- a/nixos/doc/manual/release-notes/rl-2305.section.md +++ b/nixos/doc/manual/release-notes/rl-2305.section.md @@ -32,6 +32,8 @@ In addition to numerous new and upgraded packages, this release has the followin - [stevenblack-blocklist](https://github.com/StevenBlack/hosts), A unified hosts file with base extensions for blocking unwanted websites. Available as [networking.stevenblack](options.html#opt-networking.stevenblack.enable). +- [imaginary](https://github.com/h2non/imaginary), a microservice for high-level image processing that Nextcloud can use to generate previews. Available as [services.imaginary](#opt-services.imaginary.enable). + - [goeland](https://github.com/slurdge/goeland), an alternative to rss2email written in golang with many filters. Available as [services.goeland](#opt-services.goeland.enable). - [atuin](https://github.com/ellie/atuin), a sync server for shell history. Available as [services.atuin](#opt-services.atuin.enable). diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 752c0213f050..74651efc0c5a 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -860,6 +860,7 @@ ./services/networking/i2pd.nix ./services/networking/icecream/daemon.nix ./services/networking/icecream/scheduler.nix + ./services/networking/imaginary.nix ./services/networking/inspircd.nix ./services/networking/iodine.nix ./services/networking/iperf3.nix diff --git a/nixos/modules/services/networking/imaginary.nix b/nixos/modules/services/networking/imaginary.nix new file mode 100644 index 000000000000..5437da572778 --- /dev/null +++ b/nixos/modules/services/networking/imaginary.nix 
@@ -0,0 +1,110 @@ +{ lib, config, pkgs, utils, ... }: + +let + inherit (lib) mdDoc mkEnableOption mkIf mkOption types; + + cfg = config.services.imaginary; +in { + options.services.imaginary = { + enable = mkEnableOption (mdDoc "imaginary image processing microservice"); + + address = mkOption { + type = types.str; + default = ""; + description = mdDoc "Bind address. Corresponds to the `-a` flag."; + example = "localhost"; + }; + + port = mkOption { + type = types.port; + default = 8088; + description = mdDoc "Bind port. Corresponds to the `-p` flag."; + }; + + settings = mkOption { + description = mdDoc '' + Command line arguments passed to the imaginary executable, stripped of + the prefix `-`. See upstream's + [README](https://github.com/h2non/imaginary#command-line-usage) for all + options. + ''; + type = types.submodule { + freeformType = with types; attrsOf (oneOf [ + bool + int + (nonEmptyListOf str) + str + ]); + + options = { + return-size = mkOption { + type = types.bool; + default = false; + description = mdDoc "Return the image size in the HTTP headers."; + }; + }; + }; + }; + }; + + config = mkIf cfg.enable { + assertions = [ { + assertion = ! lib.hasAttr "a" cfg.settings; + message = "Use services.imaginary.address to specify the -a flag."; + } { + assertion = ! lib.hasAttr "p" cfg.settings; + message = "Use services.imaginary.port to specify the -p flag."; + } ]; + + systemd.services.imaginary = { + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = rec { + ExecStart = let + args = lib.mapAttrsToList (key: val: + "-" + key + "=" + lib.concatStringsSep "," (map toString (lib.toList val)) + ) (cfg.settings // { a = cfg.address; p = cfg.port; }); + in "${pkgs.imaginary}/bin/imaginary ${utils.escapeSystemdExecArgs args}"; + ProtectProc = "invisible"; + BindReadOnlyPaths = lib.optional (cfg.settings ? 
mount) cfg.settings.mount; + CapabilityBoundingSet = if cfg.port < 1024 then + [ "CAP_NET_BIND_SERVICE" ] + else + [ "" ]; + AmbientCapabilities = CapabilityBoundingSet; + NoNewPrivileges = true; + DynamicUser = true; + ProtectSystem = "strict"; + ProtectHome = true; + TemporaryFileSystem = [ "/:ro" ]; + PrivateTmp = true; + PrivateDevices = true; + PrivateUsers = cfg.port >= 1024; + ProtectHostname = true; + ProtectClock = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectKernelLogs = true; + ProtectControlGroups = true; + RestrictAddressFamilies = [ + "AF_INET" + "AF_INET6" + ]; + RestrictNamespaces = true; + LockPersonality = true; + MemoryDenyWriteExecute = true; + RestrictRealtime = true; + PrivateMounts = true; + SystemCallFilter = [ + "@system-service" + "~@privileged" + ]; + DevicePolicy = "closed"; + }; + }; + }; + + meta = { + maintainers = with lib.maintainers; [ dotlambda ]; + }; +} diff --git a/pkgs/applications/networking/instant-messengers/jitsi/default.nix b/pkgs/applications/networking/instant-messengers/jitsi/default.nix index 0ef6b2e74d7b..cb634f434d24 100644 --- a/pkgs/applications/networking/instant-messengers/jitsi/default.nix +++ b/pkgs/applications/networking/instant-messengers/jitsi/default.nix @@ -1,4 +1,4 @@ -{ stdenv, lib, fetchurl, makeDesktopItem, unzip, ant, jdk8 +{ stdenv, lib, fetchFromGitHub, makeDesktopItem, unzip, ant, jdk8 # Optional, Jitsi still runs without, but you may pass null: , alsa-lib, dbus, gtk2, libpulseaudio, openssl, xorg }: 
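Review bot: `address` defaults to `""`, which is rendered as `-a=` and presumably makes the service listen on every interface, while nothing in this module requires an API key or any other authentication. For an HTTP endpoint that parses images supplied by callers, a loopback default is the safer starting point: `default = "localhost";`, with the description extended by `Set to "" to bind to all addresses.` Any secret placed in the freeform `settings` (an API key, for instance) is interpolated into `ExecStart`, so it ends up in the world-readable Nix store and in the process argument list; the `settings` description should say so. Separately, `toString false` is the empty string in Nix, so the default `return-size = false` becomes `-return-size=`; it is worth confirming that the binary accepts that form.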
@@ -6,11 +6,13 @@ let jdk = jdk8; in stdenv.mkDerivation rec { pname = "jitsi"; - version = "2.10.5550"; + version = "2.11.5633"; - src = fetchurl { - url = "https://download.jitsi.org/jitsi/src/jitsi-src-${version}.zip"; - sha256 = "11vjchc3dnzj55x7c62wsm6masvwmij1ifkds917r1qvil1nzz6d"; + src = fetchFromGitHub { + owner = "jitsi"; + repo = "jitsi"; + rev = "refs/tags/${lib.versions.patch version}"; + hash = "sha256-CN4o0VfHdoUteI2wyJ2hFJ9UsQ2wWUzcvrLMbR/l36M="; }; patches = [ ./jitsi.patch ]; @@ -63,7 +65,7 @@ stdenv.mkDerivation rec { ''; meta = with lib; { - homepage = "https://jitsi.org/"; + homepage = "https://desktop.jitsi.org/"; description = "Open Source Video Calls and Chat"; sourceProvenance = with sourceTypes; [ binaryBytecode diff --git a/pkgs/applications/version-management/gfold/default.nix b/pkgs/applications/version-management/gfold/default.nix index 92e8d9095b72..0df0669c41da 100644 --- a/pkgs/applications/version-management/gfold/default.nix +++ b/pkgs/applications/version-management/gfold/default.nix @@ -12,7 +12,7 @@ let pname = "gfold"; - version = "4.3.0"; + version = "4.3.1"; in rustPlatform.buildRustPackage { inherit pname version; @@ -21,10 +21,10 @@ rustPlatform.buildRustPackage { owner = "nickgerace"; repo = pname; rev = version; - sha256 = "sha256-yvMp5x1uiJGkWHnwfONx4pVotSSE6sTW4uqWpI2AFXg="; + sha256 = "sha256-jlUGtTtoJ3DQbs4VEDUbYyl+s9S+bLTQ+GM6OQg6MNo="; }; - cargoHash = "sha256-MBWaNjs840twU9SQLvgVcXTT0RN2QJ7PiaAohiiQu3s="; + cargoHash = "sha256-Mrqg0wOG3JHDdGMZMcFsifpazOukZeoMPrQh4vIfQyU="; buildInputs = lib.optionals stdenv.isDarwin [ libiconv Security ]; diff --git a/pkgs/development/interpreters/luau/default.nix b/pkgs/development/interpreters/luau/default.nix index 0f88c7331140..caeef615ff68 100644 --- a/pkgs/development/interpreters/luau/default.nix +++ b/pkgs/development/interpreters/luau/default.nix 
@@ -2,13 +2,13 @@ stdenv.mkDerivation rec { pname = "luau"; - version = "0.560"; + version = "0.563"; src = fetchFromGitHub { owner = "Roblox"; repo = "luau"; rev = version; - hash = "sha256-tGZ9gy/RqkVP/pXyMd2XgdVc2oekZfpsdDgAB3+rv9s="; + hash = "sha256-aGduwwguzIg3kFspIa/5nDFAC836J3B10Pg63psuWto="; }; nativeBuildInputs = [ cmake ]; diff --git a/pkgs/development/libraries/v8/8_x.nix b/pkgs/development/libraries/v8/8_x.nix index b467bd83e2d4..d55d87f32164 100644 --- a/pkgs/development/libraries/v8/8_x.nix +++ b/pkgs/development/libraries/v8/8_x.nix @@ -167,6 +167,6 @@ stdenv.mkDerivation rec { maintainers = with maintainers; [ cstrahan proglodyte matthewbauer ]; platforms = platforms.unix; license = licenses.bsd3; - broken = lib.versionAtLeast stdenv.cc.version "12"; + broken = stdenv.cc.isGNU && lib.versionAtLeast stdenv.cc.version "12"; }; } diff --git a/pkgs/development/python-modules/configobj/default.nix b/pkgs/development/python-modules/configobj/default.nix index df12b6a98af1..932e434d923d 100644 --- a/pkgs/development/python-modules/configobj/default.nix +++ b/pkgs/development/python-modules/configobj/default.nix @@ -9,7 +9,7 @@ buildPythonPackage rec { pname = "configobj"; - version = "5.0.6"; + version = "5.0.8"; format = "setuptools"; disabled = pythonOlder "3.7"; @@ -17,8 +17,8 @@ buildPythonPackage rec { src = fetchFromGitHub { owner = "DiffSK"; repo = pname; - rev = "v${version}"; - hash = "sha256-HMLYzVMnxvMpb3ORsbKy18oU/NkuRT0isK6NaUk6J3U="; + rev = "refs/tags/v${version}"; + hash = "sha256-t3Q0FEBibkAM5PAG4fjXwNH/71RqSSDj/Mn27ri0iDU="; }; propagatedBuildInputs = [ 
@@ -26,17 +26,21 @@ buildPythonPackage rec { ]; nativeCheckInputs = [ - mock pytestCheckHook ]; + checkInputs = [ + mock + ]; + pythonImportsCheck = [ "configobj" ]; meta = with lib; { description = "Config file reading, writing and validation"; - homepage = "https://pypi.python.org/pypi/configobj"; + homepage = "https://github.com/DiffSK/configobj"; + changelog = "https://github.com/DiffSK/configobj/blob/v${version}/CHANGES.rst"; license = licenses.bsd3; maintainers = with maintainers; [ ]; }; diff --git a/pkgs/development/python-modules/dulwich/default.nix b/pkgs/development/python-modules/dulwich/default.nix index ec4a1a93ca43..315c0f8763b8 100644 --- a/pkgs/development/python-modules/dulwich/default.nix +++ b/pkgs/development/python-modules/dulwich/default.nix @@ -17,7 +17,7 @@ }: buildPythonPackage rec { - version = "0.21.0"; + version = "0.21.2"; pname = "dulwich"; format = "setuptools"; @@ -25,7 +25,7 @@ buildPythonPackage rec { src = fetchPypi { inherit pname version; - hash = "sha256-wizAXwIKlq012U1lIPgHAnC+4KN7V1aG0JwCeYsl7YY="; + hash = "sha256-2GWuf9lJfWTONFpnhP8XdbATF/upYy750t/Xl48bDU8="; }; LC_ALL = "en_US.UTF-8"; diff --git a/pkgs/servers/imaginary/default.nix b/pkgs/servers/imaginary/default.nix index cfab6e2e9030..f4b12941f5b4 100644 --- a/pkgs/servers/imaginary/default.nix +++ b/pkgs/servers/imaginary/default.nix @@ -1,4 +1,10 @@ -{ lib, buildGoModule, fetchFromGitHub, pkg-config, vips }: +{ lib +, buildGoModule +, fetchFromGitHub +, fetchpatch +, pkg-config +, vips +}: buildGoModule rec { pname = "imaginary"; 
@@ -11,6 +17,16 @@ buildGoModule rec { hash = "sha256-oEkFoZMaNNJPMisqpIneeLK/sA23gaTWJ4nqtDHkrwA="; }; + patches = [ + # add -return-size flag recommend by Nextcloud + # https://github.com/h2non/imaginary/pull/382 + (fetchpatch { + name = "return-width-and-height-of-generated-images.patch"; + url = "https://github.com/h2non/imaginary/commit/cfbf8d724cd326e835dfcb01e7224397c46037d3.patch"; + hash = "sha256-TwZ5WU5g9LXrenpfY52jYsc6KsEt2fjDq7cPz6ILlhA="; + }) + ]; + vendorHash = "sha256-BluY6Fz4yAKJ/A9aFuPPsgQN9N/5yd8g8rDfIZeYz5U="; buildInputs = [ vips ]; @@ -28,6 +44,6 @@ buildGoModule rec { changelog = "https://github.com/h2non/${pname}/releases/tag/v${version}"; description = "Fast, simple, scalable, Docker-ready HTTP microservice for high-level image processing"; license = licenses.mit; - maintainers = with maintainers; [ urandom ]; + maintainers = with maintainers; [ dotlambda urandom ]; }; } diff --git a/pkgs/tools/text/vale/default.nix b/pkgs/tools/text/vale/default.nix index cd1147ba4c7f..1bfdfadd03a8 100644 --- a/pkgs/tools/text/vale/default.nix +++ b/pkgs/tools/text/vale/default.nix @@ -2,7 +2,7 @@ buildGoModule rec { pname = "vale"; - version = "2.22.0"; + version = "2.23.0"; subPackages = [ "cmd/vale" ]; outputs = [ "out" "data" ]; @@ -11,10 +11,10 @@ buildGoModule rec { owner = "errata-ai"; repo = "vale"; rev = "v${version}"; - hash = "sha256-/8npVrVyyxYLiJotCdqeGE0d9w8pOjShx1fpmRkKW9k="; + hash = "sha256-HvdopsSI5CZOAA+C+FJGc7WhrA2qt43cAHe9HoxO91o="; }; - vendorHash = "sha256-7P77tR2wACRgF+8A/L/wPcq6etwzAX3pFO46FfGVTiE="; + vendorHash = "sha256-aH8KWvTXRlWVR/RdYlGjpZ4bOncQfLap1PVKxEnaz6A="; postInstall = '' mkdir -p $data/share/vale diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 343497d6761b..261be226486d 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix 
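Review bot: The comment above `fetchpatch` does not say whether the pinned commit is part of any upstream release, so the next version bump has no way to tell whether the patch must stay or can be dropped; the pull-request link alone does not show whether it was merged. Something like `# add -return-size flag recommended by Nextcloud; drop once a packaged release includes this commit` would cover it, and it also fixes the "recommend" typo. The fixed `hash` already pins the patch content, which is the right control for a patch fetched from a forge URL. The `buildGoModule` call starts and ends outside this hunk.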
@@ -16943,9 +16943,7 @@ with pkgs; adtool = callPackage ../tools/admin/adtool { }; - inherit (callPackage ../development/tools/alloy { - jre = jre8; # TODO: remove override https://github.com/NixOS/nixpkgs/pull/89731 - }) + inherit (callPackage ../development/tools/alloy { }) alloy5 alloy6 alloy;