diff --git a/.github/ISSUE_TEMPLATE/unreproducible_package.md b/.github/ISSUE_TEMPLATE/unreproducible_package.md
index 749976dfbecd..a868c26ca54b 100644
--- a/.github/ISSUE_TEMPLATE/unreproducible_package.md
+++ b/.github/ISSUE_TEMPLATE/unreproducible_package.md
@@ -2,7 +2,7 @@
 name: Unreproducible package
 about: A package that does not produce a bit-by-bit reproducible result each time it is built
 title: ''
-labels: '0.kind: enhancement', '6.topic: reproducible builds'
+labels: [ '0.kind: enhancement', '6.topic: reproducible builds' ]
 assignees: ''
 
 ---
diff --git a/doc/Makefile b/doc/Makefile
index f8d2d7248fab..1e54aef9bd12 100644
--- a/doc/Makefile
+++ b/doc/Makefile
@@ -11,7 +11,7 @@ pandoc_commonmark_enabled_extensions = +attributes+fenced_divs+footnotes+bracket
 pandoc_flags = --extract-media=$(pandoc_media_dir) \
 	--lua-filter=$(PANDOC_LUA_FILTERS_DIR)/diagram-generator.lua \
 	--lua-filter=build-aux/pandoc-filters/myst-reader/roles.lua \
-	--lua-filter=build-aux/pandoc-filters/link-unix-man-references.lua \
+	--lua-filter=$(PANDOC_LINK_MANPAGES_FILTER) \
 	--lua-filter=build-aux/pandoc-filters/docbook-writer/rst-roles.lua \
 	--lua-filter=build-aux/pandoc-filters/docbook-writer/labelless-link-is-xref.lua \
 	-f commonmark$(pandoc_commonmark_enabled_extensions)+smart
diff --git a/doc/build-aux/pandoc-filters/link-manpages.nix b/doc/build-aux/pandoc-filters/link-manpages.nix
new file mode 100644
index 000000000000..ee27c5d60812
--- /dev/null
+++ b/doc/build-aux/pandoc-filters/link-manpages.nix
@@ -0,0 +1,28 @@
+{ pkgs ? import ../../.. {} }:
+let
+  inherit (pkgs) lib;
+  manpageURLs = builtins.fromJSON (builtins.readFile (pkgs.path + "/doc/manpage-urls.json"));
+in pkgs.writeText "link-manpages.lua" ''
+  --[[
+  Adds links to known man pages that aren't already in a link.
+  ]]
+
+  local manpage_urls = {
+  ${lib.concatStringsSep "\n" (lib.mapAttrsToList (man: url:
+    "  [${builtins.toJSON man}] = ${builtins.toJSON url},") manpageURLs)}
+  }
+
+  traverse = 'topdown'
+
+  -- Returning false as the second value aborts processing of child elements.
+  function Link(elem)
+    return elem, false
+  end
+
+  function Code(elem)
+    local is_man_role = elem.classes:includes('interpreted-text') and elem.attributes['role'] == 'manpage'
+    if is_man_role and manpage_urls[elem.text] ~= nil then
+      return pandoc.Link(elem, manpage_urls[elem.text]), false
+    end
+  end
+''
diff --git a/doc/build-aux/pandoc-filters/link-unix-man-references.lua b/doc/build-aux/pandoc-filters/link-unix-man-references.lua
deleted file mode 100644
index b81d4a0979e7..000000000000
--- a/doc/build-aux/pandoc-filters/link-unix-man-references.lua
+++ /dev/null
@@ -1,38 +0,0 @@
---[[
-Turns a manpage reference into a link, when a mapping is defined below.
-]]
-
-local man_urls = {
-  ["nix.conf(5)"] = "https://nixos.org/manual/nix/stable/#sec-conf-file",
-
-  ["journald.conf(5)"] = "https://www.freedesktop.org/software/systemd/man/journald.conf.html",
-  ["logind.conf(5)"] = "https://www.freedesktop.org/software/systemd/man/logind.conf.html",
-  ["networkd.conf(5)"] = "https://www.freedesktop.org/software/systemd/man/networkd.conf.html",
-  ["systemd.automount(5)"] = "https://www.freedesktop.org/software/systemd/man/systemd.automount.html",
-  ["systemd.exec(5)"] = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html",
-  ["systemd.link(5)"] = "https://www.freedesktop.org/software/systemd/man/systemd.link.html",
-  ["systemd.mount(5)"] = "https://www.freedesktop.org/software/systemd/man/systemd.mount.html",
-  ["systemd.netdev(5)"] = "https://www.freedesktop.org/software/systemd/man/systemd.netdev.html",
-  ["systemd.network(5)"] = "https://www.freedesktop.org/software/systemd/man/systemd.network.html",
-  ["systemd.nspawn(5)"] = "https://www.freedesktop.org/software/systemd/man/systemd.nspawn.html",
-  ["systemd.path(5)"] = "https://www.freedesktop.org/software/systemd/man/systemd.path.html",
-  ["systemd.resource-control(5)"] = "https://www.freedesktop.org/software/systemd/man/systemd.resource-control.html",
-  ["systemd.scope(5)"] = "https://www.freedesktop.org/software/systemd/man/systemd.scope.html",
-  ["systemd.service(5)"] = "https://www.freedesktop.org/software/systemd/man/systemd.service.html",
-  ["systemd.slice(5)"] = "https://www.freedesktop.org/software/systemd/man/systemd.slice.html",
-  ["systemd.socket(5)"] = "https://www.freedesktop.org/software/systemd/man/systemd.socket.html",
-  ["systemd.timer(5)"] = "https://www.freedesktop.org/software/systemd/man/systemd.timer.html",
-  ["systemd.unit(5)"] = "https://www.freedesktop.org/software/systemd/man/systemd.unit.html",
-  ["timesyncd.conf(5)"] = "https://www.freedesktop.org/software/systemd/man/timesyncd.conf.html",
-  ["tmpfiles.d(5)"] = "https://www.freedesktop.org/software/systemd/man/tmpfiles.d.html",
-  ["systemd.time(7)"] = "https://www.freedesktop.org/software/systemd/man/systemd.time.html",
-  ["systemd-fstab-generator(8)"] = "https://www.freedesktop.org/software/systemd/man/systemd-fstab-generator.html",
-  ["systemd-networkd-wait-online.service(8)"] = "https://www.freedesktop.org/software/systemd/man/systemd-networkd-wait-online.service.html",
-}
-
-function Code(elem)
-  local is_man_role = elem.classes:includes('interpreted-text') and elem.attributes['role'] == 'manpage'
-  if is_man_role and man_urls[elem.text] ~= nil then
-    return pandoc.Link(elem, man_urls[elem.text])
-  end
-end
diff --git a/doc/contributing/contributing-to-documentation.chapter.md b/doc/contributing/contributing-to-documentation.chapter.md
index 81482523cd0e..889b4114acca 100644
--- a/doc/contributing/contributing-to-documentation.chapter.md
+++ b/doc/contributing/contributing-to-documentation.chapter.md
@@ -53,7 +53,7 @@ Additional syntax extensions are available, though not all extensions can be use
   This syntax is taken from [MyST](https://myst-parser.readthedocs.io/en/latest/using/syntax.html#targets-and-cross-referencing).
 
 - []{#ssec-contributing-markup-inline-roles}
-  If you want to link to a man page, you can use `` {manpage}`nix.conf(5)` ``, which will turn into {manpage}`nix.conf(5)`. The references will turn into links when a mapping exists in {file}`doc/build-aux/pandoc-filters/link-unix-man-references.lua`.
+  If you want to link to a man page, you can use `` {manpage}`nix.conf(5)` ``, which will turn into {manpage}`nix.conf(5)`. The references will turn into links when a mapping exists in {file}`doc/manpage-urls.json`.
 
   A few markups for other kinds of literals are also available:
 
diff --git a/doc/default.nix b/doc/default.nix
index ac382ec8519c..1d5fa4811a36 100644
--- a/doc/default.nix
+++ b/doc/default.nix
@@ -36,4 +36,5 @@ in pkgs.stdenv.mkDerivation {
 
   # Environment variables
   PANDOC_LUA_FILTERS_DIR = "${pkgs.pandoc-lua-filters}/share/pandoc/filters";
+  PANDOC_LINK_MANPAGES_FILTER = import build-aux/pandoc-filters/link-manpages.nix { inherit pkgs; };
 }
diff --git a/doc/manpage-urls.json b/doc/manpage-urls.json
new file mode 100644
index 000000000000..0ff4b762bec7
--- /dev/null
+++ b/doc/manpage-urls.json
@@ -0,0 +1,29 @@
+{
+  "nix.conf(5)": "https://nixos.org/manual/nix/stable/#sec-conf-file",
+
+  "journald.conf(5)": "https://www.freedesktop.org/software/systemd/man/journald.conf.html",
+  "logind.conf(5)": "https://www.freedesktop.org/software/systemd/man/logind.conf.html",
+  "networkd.conf(5)": "https://www.freedesktop.org/software/systemd/man/networkd.conf.html",
+  "systemd.automount(5)": "https://www.freedesktop.org/software/systemd/man/systemd.automount.html",
+  "systemd.exec(5)": "https://www.freedesktop.org/software/systemd/man/systemd.exec.html",
+  "systemd.link(5)": "https://www.freedesktop.org/software/systemd/man/systemd.link.html",
+  "systemd.mount(5)": "https://www.freedesktop.org/software/systemd/man/systemd.mount.html",
+  "systemd.netdev(5)": "https://www.freedesktop.org/software/systemd/man/systemd.netdev.html",
+  "systemd.network(5)": "https://www.freedesktop.org/software/systemd/man/systemd.network.html",
+  "systemd.nspawn(5)": "https://www.freedesktop.org/software/systemd/man/systemd.nspawn.html",
+  "systemd.path(5)": "https://www.freedesktop.org/software/systemd/man/systemd.path.html",
+  "systemd.resource-control(5)": "https://www.freedesktop.org/software/systemd/man/systemd.resource-control.html",
+  "systemd.scope(5)": "https://www.freedesktop.org/software/systemd/man/systemd.scope.html",
+  "systemd.service(5)": "https://www.freedesktop.org/software/systemd/man/systemd.service.html",
+  "systemd.slice(5)": "https://www.freedesktop.org/software/systemd/man/systemd.slice.html",
+  "systemd.socket(5)": "https://www.freedesktop.org/software/systemd/man/systemd.socket.html",
+  "systemd.timer(5)": "https://www.freedesktop.org/software/systemd/man/systemd.timer.html",
+  "systemd.unit(5)": "https://www.freedesktop.org/software/systemd/man/systemd.unit.html",
+  "systemd-system.conf(5)": "https://www.freedesktop.org/software/systemd/man/systemd-system.conf.html",
+  "systemd-user.conf(5)": "https://www.freedesktop.org/software/systemd/man/systemd-user.conf.html",
+  "timesyncd.conf(5)": "https://www.freedesktop.org/software/systemd/man/timesyncd.conf.html",
+  "tmpfiles.d(5)": "https://www.freedesktop.org/software/systemd/man/tmpfiles.d.html",
+  "systemd.time(7)": "https://www.freedesktop.org/software/systemd/man/systemd.time.html",
+  "systemd-fstab-generator(8)": "https://www.freedesktop.org/software/systemd/man/systemd-fstab-generator.html",
+  "systemd-networkd-wait-online.service(8)": "https://www.freedesktop.org/software/systemd/man/systemd-networkd-wait-online.service.html"
+}
diff --git a/lib/modules.nix b/lib/modules.nix
index c304d5b9afd3..5e6bee6aabe3 100644
--- a/lib/modules.nix
+++ b/lib/modules.nix
@@ -1113,7 +1113,6 @@ rec {
     visible = true;
     warn = false;
     use = id;
-    wrapDescription = lib.id;
   };
 
   /* Transitional version of mkAliasOptionModule that uses MD docs. */
@@ -1122,6 +1121,7 @@ rec {
     visible = true;
     warn = false;
     use = id;
+    markdown = true;
   };
 
   /* mkDerivedConfig : Option a -> (a -> Definition b) -> Definition b
@@ -1144,7 +1144,7 @@ rec {
       (opt.highestPrio or defaultOverridePriority)
       (f opt.value);
 
-  doRename = { from, to, visible, warn, use, withPriority ? true, wrapDescription ? lib.mdDoc }:
+  doRename = { from, to, visible, warn, use, withPriority ? true, markdown ? false }:
     { config, options, ... }:
     let
       fromOpt = getAttrFromPath from options;
@@ -1155,7 +1155,9 @@ rec {
     {
       options = setAttrByPath from (mkOption {
         inherit visible;
-        description = wrapDescription "Alias of {option}`${showOption to}`.";
+        description = if markdown
+          then lib.mdDoc "Alias of {option}`${showOption to}`."
+          else "Alias of <option>${showOption to}</option>.";
         apply = x: use (toOf config);
       } // optionalAttrs (toType != null) {
         type = toType;
diff --git a/maintainers/scripts/db-to-md.sh b/maintainers/scripts/db-to-md.sh
index 01357d1e2412..aa2a2775b6de 100755
--- a/maintainers/scripts/db-to-md.sh
+++ b/maintainers/scripts/db-to-md.sh
@@ -41,7 +41,7 @@ pandoc_flags=(
     # - diagram-generator.lua (we do not support that in NixOS manual to limit dependencies)
     # - media extraction (was only required for diagram generator)
     # - myst-reader/roles.lua (only relevant for MyST → DocBook)
-    # - link-unix-man-references.lua (links should only be added to display output)
+    # - link-manpages.lua (links should only be added to display output)
     # - docbook-writer/rst-roles.lua (only relevant for → DocBook)
     # - docbook-writer/labelless-link-is-xref.lua (only relevant for → DocBook)
     "--lua-filter=$DIR/../../doc/build-aux/pandoc-filters/docbook-reader/citerefentry-to-rst-role.lua"
diff --git a/nixos/doc/manual/md-to-db.sh b/nixos/doc/manual/md-to-db.sh
index 6eca9f3b2c3d..4698e94f508b 100755
--- a/nixos/doc/manual/md-to-db.sh
+++ b/nixos/doc/manual/md-to-db.sh
@@ -8,6 +8,8 @@
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
 pushd "$DIR"
 
+link_manpages_filter=$(nix-build --no-out-link "$DIR/../../../doc/build-aux/pandoc-filters/link-manpages.nix")
+
 # NOTE: Keep in sync with Nixpkgs manual (/doc/Makefile).
 # TODO: Remove raw-attribute when we can get rid of DocBook altogether.
 pandoc_commonmark_enabled_extensions=+attributes+fenced_divs+footnotes+bracketed_spans+definition_lists+pipe_tables+raw_attribute
@@ -17,7 +19,7 @@ pandoc_flags=(
   # - media extraction (was only required for diagram generator)
   # - docbook-reader/citerefentry-to-rst-role.lua (only relevant for DocBook → MarkDown/rST/MyST)
   "--lua-filter=$DIR/../../../doc/build-aux/pandoc-filters/myst-reader/roles.lua"
-  "--lua-filter=$DIR/../../../doc/build-aux/pandoc-filters/link-unix-man-references.lua"
+  "--lua-filter=$link_manpages_filter"
   "--lua-filter=$DIR/../../../doc/build-aux/pandoc-filters/docbook-writer/rst-roles.lua"
   "--lua-filter=$DIR/../../../doc/build-aux/pandoc-filters/docbook-writer/html-elements.lua"
   "--lua-filter=$DIR/../../../doc/build-aux/pandoc-filters/docbook-writer/labelless-link-is-xref.lua"
diff --git a/nixos/lib/make-options-doc/default.nix b/nixos/lib/make-options-doc/default.nix
index a3436caad8f9..e2ed7bb71885 100644
--- a/nixos/lib/make-options-doc/default.nix
+++ b/nixos/lib/make-options-doc/default.nix
@@ -41,6 +41,7 @@
 # characteristics but (hopefully) indistinguishable output.
 , allowDocBook ? true
 # whether lib.mdDoc is required for descriptions to be read as markdown.
+# !!! when this is eventually flipped to true, `lib.doRename` should also default to emitting Markdown
 , markdownByDefault ? false
 }:
 
@@ -130,6 +131,8 @@ in rec {
         if baseOptionsJSON == null
         then builtins.toFile "base.json" "{}"
         else baseOptionsJSON;
+
+      MANPAGE_URLS = pkgs.path + "/doc/manpage-urls.json";
     }
     ''
       # Export list of options in different format.
diff --git a/nixos/lib/make-options-doc/mergeJSON.py b/nixos/lib/make-options-doc/mergeJSON.py
index 7b14af40c313..c4f490fc2ad8 100644
--- a/nixos/lib/make-options-doc/mergeJSON.py
+++ b/nixos/lib/make-options-doc/mergeJSON.py
@@ -1,5 +1,6 @@
 import collections
 import json
+import os
 import sys
 from typing import Any, Dict, List
 
@@ -46,6 +47,8 @@ def unpivot(options: Dict[Key, Option]) -> Dict[str, JSON]:
         result[opt.name] = opt.value
     return result
 
+manpage_urls = json.load(open(os.getenv('MANPAGE_URLS')))
+
 admonitions = {
     '.warning': 'warning',
     '.important': 'important',
@@ -119,9 +122,14 @@ class Renderer(mistune.renderers.BaseRenderer):
     def env(self, text):
         return f"<envar>{escape(text)}</envar>"
     def manpage(self, page, section):
+        man = f"{page}({section})"
         title = f"<refentrytitle>{escape(page)}</refentrytitle>"
         vol = f"<manvolnum>{escape(section)}</manvolnum>"
-        return f"<citerefentry>{title}{vol}</citerefentry>"
+        ref = f"<citerefentry>{title}{vol}</citerefentry>"
+        if man in manpage_urls:
+            return self.link(manpage_urls[man], text=ref)
+        else:
+            return ref
 
     def finalize(self, data):
         return "".join(data)
diff --git a/nixos/lib/systemd-unit-options.nix b/nixos/lib/systemd-unit-options.nix
index 9c7cb34f14b5..6c53c5e0533d 100644
--- a/nixos/lib/systemd-unit-options.nix
+++ b/nixos/lib/systemd-unit-options.nix
@@ -60,7 +60,7 @@ in rec {
         `asDropin` creates a drop-in file named `overrides.conf`.
         Mainly needed to define instances for systemd template units (e.g. `systemd-nspawn@mycontainer.service`).
 
-        See also systemd.unit(1).
+        See also {manpage}`systemd.unit(5)`.
       '';
     };
 
@@ -86,7 +86,7 @@ in rec {
 
         This option creates a `.wants` symlink in the given target that exists
         statelessly without the need for running `systemctl enable`.
-        The in systemd.unit(5) manpage described `[Install]` section however is
+        The `[Install]` section described in {manpage}`systemd.unit(5)` however is
         not supported because it is a stateful process that does not fit well
         into the NixOS design.
       '';
diff --git a/nixos/modules/services/backup/restic.nix b/nixos/modules/services/backup/restic.nix
index 869ed5d9976c..0d21b1e8d66a 100644
--- a/nixos/modules/services/backup/restic.nix
+++ b/nixos/modules/services/backup/restic.nix
@@ -132,7 +132,7 @@ in
             OnCalendar = "daily";
           };
           description = lib.mdDoc ''
-            When to run the backup. See man systemd.timer for details.
+            When to run the backup. See {manpage}`systemd.timer(5)` for details.
           '';
           example = {
             OnCalendar = "00:05";
diff --git a/nixos/modules/services/networking/kresd.nix b/nixos/modules/services/networking/kresd.nix
index 55af6abd5e01..3ad757133a60 100644
--- a/nixos/modules/services/networking/kresd.nix
+++ b/nixos/modules/services/networking/kresd.nix
@@ -79,7 +79,7 @@ in {
       example = [ "53" ];
       description = lib.mdDoc ''
         What addresses and ports the server should listen on.
-        For detailed syntax see ListenStream in man systemd.socket.
+        For detailed syntax see ListenStream in {manpage}`systemd.socket(5)`.
       '';
     };
     listenTLS = mkOption {
@@ -88,7 +88,7 @@ in {
       example = [ "198.51.100.1:853" "[2001:db8::1]:853" "853" ];
       description = lib.mdDoc ''
         Addresses and ports on which kresd should provide DNS over TLS (see RFC 7858).
-        For detailed syntax see ListenStream in man systemd.socket.
+        For detailed syntax see ListenStream in {manpage}`systemd.socket(5)`.
       '';
     };
     listenDoH = mkOption {
@@ -97,7 +97,7 @@ in {
       example = [ "198.51.100.1:443" "[2001:db8::1]:443" "443" ];
       description = lib.mdDoc ''
         Addresses and ports on which kresd should provide DNS over HTTPS/2 (see RFC 8484).
-        For detailed syntax see ListenStream in man systemd.socket.
+        For detailed syntax see ListenStream in {manpage}`systemd.socket(5)`.
       '';
     };
     instances = mkOption {
diff --git a/nixos/modules/services/security/fail2ban.nix b/nixos/modules/services/security/fail2ban.nix
index 3b124a4f0e08..8d923187941c 100644
--- a/nixos/modules/services/security/fail2ban.nix
+++ b/nixos/modules/services/security/fail2ban.nix
@@ -62,11 +62,10 @@ in
       };
 
       packageFirewall = mkOption {
-        default = pkgs.iptables;
-        defaultText = literalExpression "pkgs.iptables";
+        default = config.networking.firewall.package;
+        defaultText = literalExpression "config.networking.firewall.package";
         type = types.package;
-        example = literalExpression "pkgs.nftables";
-        description = lib.mdDoc "The firewall package used by fail2ban service.";
+        description = lib.mdDoc "The firewall package used by fail2ban service. Defaults to the package for your firewall (iptables or nftables).";
       };
 
       extraPackages = mkOption {
@@ -86,24 +85,24 @@ in
       };
 
       banaction = mkOption {
-        default = "iptables-multiport";
+        default = if config.networking.nftables.enable then "nftables-multiport" else "iptables-multiport";
+        defaultText = literalExpression '' if config.networking.nftables.enable then "nftables-multiport" else "iptables-multiport" '';
         type = types.str;
-        example = "nftables-multiport";
         description = lib.mdDoc ''
           Default banning action (e.g. iptables, iptables-new, iptables-multiport,
-          iptables-ipset-proto6-allports, shorewall, etc) It is used to
+          iptables-ipset-proto6-allports, shorewall, etc). It is used to
           define action_* variables. Can be overridden globally or per
           section within jail.local file
         '';
       };
 
       banaction-allports = mkOption {
-        default = "iptables-allport";
+        default = if config.networking.nftables.enable then "nftables-allport" else "iptables-allport";
+        defaultText = literalExpression '' if config.networking.nftables.enable then "nftables-allport" else "iptables-allport" '';
         type = types.str;
-        example = "nftables-allport";
         description = lib.mdDoc ''
           Default banning action (e.g. iptables, iptables-new, iptables-multiport,
-          shorewall, etc) It is used to define action_* variables. Can be overridden
+          shorewall, etc) for "allports" jails. It is used to define action_* variables. Can be overridden
           globally or per section within jail.local file
         '';
       };
diff --git a/nixos/modules/system/boot/systemd/user.nix b/nixos/modules/system/boot/systemd/user.nix
index 46d66fe4e688..d14d0928c53e 100644
--- a/nixos/modules/system/boot/systemd/user.nix
+++ b/nixos/modules/system/boot/systemd/user.nix
@@ -46,7 +46,7 @@ in {
       type = types.lines;
       example = "DefaultCPUAccounting=yes";
       description = lib.mdDoc ''
-        Extra config options for systemd user instances. See man systemd-user.conf for
+        Extra config options for systemd user instances. See {manpage}`systemd-user.conf(5)` for
         available options.
       '';
     };
diff --git a/nixos/modules/system/etc/setup-etc.pl b/nixos/modules/system/etc/setup-etc.pl
index a048261a3df1..ea0a38308172 100644
--- a/nixos/modules/system/etc/setup-etc.pl
+++ b/nixos/modules/system/etc/setup-etc.pl
@@ -13,8 +13,12 @@ sub atomicSymlink {
     my $tmp = "$target.tmp";
     unlink $tmp;
     symlink $source, $tmp or return 0;
-    rename $tmp, $target or return 0;
-    return 1;
+    if (rename $tmp, $target) {
+        return 1;
+    } else {
+        unlink $tmp;
+        return 0;
+    }
 }
 
 
@@ -87,6 +91,12 @@ my @copied;
 
 sub link {
     my $fn = substr $File::Find::name, length($etc) + 1 or next;
+
+    # nixos-enter sets up /etc/resolv.conf as a bind mount, so skip it.
+    if ($fn eq "resolv.conf" and $ENV{'IN_NIXOS_ENTER'}) {
+        return;
+    }
+
     my $target = "/etc/$fn";
     File::Path::make_path(dirname $target);
     $created{$fn} = 1;
@@ -103,7 +113,7 @@ sub link {
     if (-e "$_.mode") {
         my $mode = read_file("$_.mode"); chomp $mode;
         if ($mode eq "direct-symlink") {
-            atomicSymlink readlink("$static/$fn"), $target or warn;
+            atomicSymlink readlink("$static/$fn"), $target or warn "could not create symlink $target";
         } else {
             my $uid = read_file("$_.uid"); chomp $uid;
             my $gid = read_file("$_.gid"); chomp $gid;
@@ -112,12 +122,15 @@ sub link {
             $gid = getgrnam $gid unless $gid =~ /^\+/;
             chown int($uid), int($gid), "$target.tmp" or warn;
             chmod oct($mode), "$target.tmp" or warn;
-            rename "$target.tmp", $target or warn;
+            unless (rename "$target.tmp", $target) {
+                warn "could not create target $target";
+                unlink "$target.tmp";
+            }
         }
         push @copied, $fn;
         print CLEAN "$fn\n";
     } elsif (-l "$_") {
-        atomicSymlink "$static/$fn", $target or warn;
+        atomicSymlink "$static/$fn", $target or warn "could not create symlink $target";
     }
 }
 
diff --git a/pkgs/applications/graphics/hugin/default.nix b/pkgs/applications/graphics/hugin/default.nix
index 389d5d4294b8..f4d424b3fc30 100644
--- a/pkgs/applications/graphics/hugin/default.nix
+++ b/pkgs/applications/graphics/hugin/default.nix
@@ -36,19 +36,13 @@
 
 stdenv.mkDerivation rec {
   pname = "hugin";
-  version = "2021.0.0";
+  version = "2022.0.0";
 
   src = fetchurl {
     url = "mirror://sourceforge/hugin/hugin-${version}.tar.bz2";
-    sha256 = "sha256-BHrqin+keESzTvJ8GdO2l+hJOdyx/bvrLCBGIbZu6tk=";
+    sha256 = "sha256-l8hWKgupp0PguVWkPf3gSLHGDNnl8u4rad4agWRuBac=";
   };
 
-  patches = [
-    # committed upstream but unreleased:
-    #   https://sourceforge.net/p/hugin/hugin/ci/edfddc6070ca6d4223d359fb4b38273a5aed2f2d
-    ./dont-crash-if-XDG_DATA_DIRS-not-set-edfddc6070ca6d4223d359fb4b38273a5aed2f2d.patch
-  ];
-
   buildInputs = [
     boost
     cairo
diff --git a/pkgs/applications/graphics/hugin/dont-crash-if-XDG_DATA_DIRS-not-set-edfddc6070ca6d4223d359fb4b38273a5aed2f2d.patch b/pkgs/applications/graphics/hugin/dont-crash-if-XDG_DATA_DIRS-not-set-edfddc6070ca6d4223d359fb4b38273a5aed2f2d.patch
deleted file mode 100644
index d38e07a595e8..000000000000
--- a/pkgs/applications/graphics/hugin/dont-crash-if-XDG_DATA_DIRS-not-set-edfddc6070ca6d4223d359fb4b38273a5aed2f2d.patch
+++ /dev/null
@@ -1,14 +0,0 @@
---- a/src/hugin_base/hugin_utils/utils.cpp	2022-12-05 22:19:26.873574924 -0800
-+++ b/src/hugin_base/hugin_utils/utils.cpp	2022-12-05 22:19:09.069575641 -0800
-@@ -472,9 +472,9 @@
- #else
- #ifdef USE_XDG_DIRS
-     char *xdgDataDir = getenv("XDG_DATA_HOME");
--    if (strlen(xdgDataDir) == 0)
-+    if (xdgDataDir == NULL || strlen(xdgDataDir) == 0)
-     {
--        // no XDG_DATA_HOME enviroment variable set
-+        // no XDG_DATA_HOME enviroment variable set or empty variable
-         // use $HOME/.local/share instead
-         const  std::string homeDir = GetHomeDir();
-         if (homeDir.empty())
diff --git a/pkgs/applications/misc/procmail/CVE-2014-3618.patch b/pkgs/applications/misc/procmail/CVE-2014-3618.patch
deleted file mode 100644
index e3aa5600e40e..000000000000
--- a/pkgs/applications/misc/procmail/CVE-2014-3618.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-From http://seclists.org/oss-sec/2014/q3/495 (with whitespace corrected).
-
---- a/src/formisc.c 2013-08-04 00:13:33.000000000 -0700
-+++ b/src/formisc.c 2014-09-03 11:42:25.986002396 -0700
-@@ -84,12 +84,11 @@
- 	case '"':*target++=delim='"';start++;
-       }
-      ;{ int i;
--	do
-+	while(*start)
- 	   if((i= *target++= *start++)==delim)	 /* corresponding delimiter? */
- 	      break;
- 	   else if(i=='\\'&&*start)		    /* skip quoted character */
- 	      *target++= *start++;
--	while(*start);						/* anything? */
-       }
-      hitspc=2;
-    }
diff --git a/pkgs/applications/misc/procmail/default.nix b/pkgs/applications/misc/procmail/default.nix
index dafc73925b54..ea299d73cbb0 100644
--- a/pkgs/applications/misc/procmail/default.nix
+++ b/pkgs/applications/misc/procmail/default.nix
@@ -2,22 +2,13 @@
 
 stdenv.mkDerivation rec {
   pname = "procmail";
-  version = "3.22";
+  version = "3.24";
 
   src = fetchurl {
-    url = "ftp://ftp.fu-berlin.de/pub/unix/mail/procmail/procmail-${version}.tar.gz";
-    sha256 = "05z1c803n5cppkcq99vkyd5myff904lf9sdgynfqngfk9nrpaz08";
+    url = "https://github.com/BuGlessRB/procmail/archive/refs/tags/v${version}.tar.gz";
+    sha256 = "UU6kMzOXg+ld+TIeeUdx5Ih7mCOsVf2yRpcCz2m9OYk=";
   };
 
-  patches = [
-    ./CVE-2014-3618.patch
-    (fetchurl {
-      url = "https://sources.debian.org/data/main/p/procmail/3.22-26/debian/patches/30";
-      sha256 = "11zmz1bj0v9pay3ldmyyg7473b80h89gycrhndsgg9q50yhcqaaq";
-      name = "CVE-2017-16844";
-    })
-  ];
-
   # getline is defined differently in glibc now. So rename it.
   # Without the .PHONY target "make install" won't install anything on Darwin.
   postPatch = ''
@@ -33,7 +24,7 @@ stdenv.mkDerivation rec {
 
   meta = with lib; {
     description = "Mail processing and filtering utility";
-    homepage = "http://www.procmail.org/";
+    homepage = "https://github.com/BuGlessRB/procmail/";
     license = licenses.gpl2;
     platforms = platforms.unix;
     maintainers = with maintainers; [ gebner ];
diff --git a/pkgs/applications/misc/stylish/default.nix b/pkgs/applications/misc/stylish/default.nix
index 43fcc0bb1934..b1fed22b7ffe 100644
--- a/pkgs/applications/misc/stylish/default.nix
+++ b/pkgs/applications/misc/stylish/default.nix
@@ -1,12 +1,21 @@
-{ lib
-, stdenvNoCC
-, fetchFromGitHub
+{
+  lib,
+  stdenvNoCC,
+  fetchFromGitHub,
+  makeWrapper,
+  curl,
+  feh,
+  file,
+  jq,
+  util-linux,
+  wget,
 }:
-
 stdenvNoCC.mkDerivation rec {
   pname = "stylish";
   version = "unstable-2022-12-05";
 
+  nativeBuildInputs = [ makeWrapper ];
+
   src = fetchFromGitHub {
     owner = "thevinter";
     repo = "styli.sh";
@@ -22,6 +31,17 @@ stdenvNoCC.mkDerivation rec {
     runHook postInstall
   '';
 
+  postInstall = ''
+    wrapProgram $out/bin/styli.sh --prefix PATH : ${lib.makeBinPath [
+      curl
+      feh
+      file
+      jq
+      util-linux
+      wget
+    ]}
+  '';
+
   meta = with lib; {
     homepage = "https://github.com/thevinter/styli.sh";
     description = "A shell script to manage wallpapers";
diff --git a/pkgs/applications/networking/feedreaders/newsboat/default.nix b/pkgs/applications/networking/feedreaders/newsboat/default.nix
index 7e06a7595903..a93391bbbb1b 100644
--- a/pkgs/applications/networking/feedreaders/newsboat/default.nix
+++ b/pkgs/applications/networking/feedreaders/newsboat/default.nix
@@ -31,7 +31,7 @@ rustPlatform.buildRustPackage rec {
     ++ lib.optionals stdenv.isDarwin [ Security Foundation libiconv gettext ];
 
   postBuild = ''
-    make prefix="$out"
+    make -j $NIX_BUILD_CORES prefix="$out"
   '';
 
   # https://github.com/NixOS/nixpkgs/pull/98471#issuecomment-703100014 . We set
@@ -44,11 +44,11 @@ rustPlatform.buildRustPackage rec {
   doCheck = true;
 
   preCheck = ''
-    make test
+    make -j $NIX_BUILD_CORES test
   '';
 
   postInstall = ''
-    make prefix="$out" install
+    make -j $NIX_BUILD_CORES prefix="$out" install
   '' + lib.optionalString stdenv.isDarwin ''
     for prog in $out/bin/*; do
       wrapProgram "$prog" --prefix DYLD_LIBRARY_PATH : "${stfl}/lib"
diff --git a/pkgs/applications/networking/irc/weechat/default.nix b/pkgs/applications/networking/irc/weechat/default.nix
index 0739b6f57645..478b28190ae6 100644
--- a/pkgs/applications/networking/irc/weechat/default.nix
+++ b/pkgs/applications/networking/irc/weechat/default.nix
@@ -36,14 +36,14 @@ let
   in
     assert lib.all (p: p.enabled -> ! (builtins.elem null p.buildInputs)) plugins;
     stdenv.mkDerivation rec {
-      version = "3.7.1";
+      version = "3.8";
       pname = "weechat";
 
       hardeningEnable = [ "pie" ];
 
       src = fetchurl {
         url = "https://weechat.org/files/src/weechat-${version}.tar.bz2";
-        hash = "sha256-ZtJi1NhE1agZWnAv6FCUeO1GDtuQnLTraA5nkwWiCqs=";
+        hash = "sha256-objxAUGvBhTkbQl4GshDP3RsCkAW4z917L9WyaVoYj4=";
       };
 
       outputs = [ "out" "man" ] ++ map (p: p.name) enabledPlugins;
diff --git a/pkgs/applications/office/gnucash/0004-exec-fq-helpers.patch b/pkgs/applications/office/gnucash/0004-exec-fq-helpers.patch
new file mode 100644
index 000000000000..289822365490
--- /dev/null
+++ b/pkgs/applications/office/gnucash/0004-exec-fq-helpers.patch
@@ -0,0 +1,23 @@
+diff --git a/gnucash/price-quotes.scm b/gnucash/price-quotes.scm
+index 8e3ff255f..a6b805fa5 100644
+--- a/gnucash/price-quotes.scm
++++ b/gnucash/price-quotes.scm
+@@ -44,7 +44,7 @@
+     (define (start-program)
+       (set! program
+         (gnc-spawn-process-async
+-         (list "perl" "-w" gnc:*finance-quote-check*) #t)))
++         (list gnc:*finance-quote-check*) #t)))
+ 
+     (define (get-sources)
+       (when program
+@@ -119,7 +119,7 @@
+ 
+     (define (start-quoter)
+       (set! quoter
+-        (gnc-spawn-process-async (list "perl" "-w" gnc:*finance-quote-helper*) #t)))
++        (gnc-spawn-process-async (list gnc:*finance-quote-helper*) #t)))
+ 
+     (define (get-quotes)
+       (when quoter
+
diff --git a/pkgs/applications/office/gnucash/default.nix b/pkgs/applications/office/gnucash/default.nix
index 9e5294c4b00d..700a94429964 100644
--- a/pkgs/applications/office/gnucash/default.nix
+++ b/pkgs/applications/office/gnucash/default.nix
@@ -72,6 +72,8 @@ stdenv.mkDerivation rec {
     ./0002-disable-gnc-fq-update.patch
     # this patch prevents the building of gnucash-valgrind
     ./0003-remove-valgrind.patch
+    # this patch makes gnucash exec the Finance::Quote helpers directly
+    ./0004-exec-fq-helpers.patch
   ];
 
   # this needs to be an environment variable and not a cmake flag to suppress
diff --git a/pkgs/applications/science/math/qalculate-qt/default.nix b/pkgs/applications/science/math/qalculate-qt/default.nix
index f55551af3803..dbcacb36be6b 100644
--- a/pkgs/applications/science/math/qalculate-qt/default.nix
+++ b/pkgs/applications/science/math/qalculate-qt/default.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchFromGitHub, intltool, pkg-config, qmake, wrapQtAppsHook, libqalculate, qtbase, qttools }:
+{ lib, stdenv, fetchFromGitHub, intltool, pkg-config, qmake, wrapQtAppsHook, libqalculate, qtbase, qttools, qtsvg, qtwayland }:
 
 stdenv.mkDerivation rec {
   pname = "qalculate-qt";
@@ -8,11 +8,16 @@ stdenv.mkDerivation rec {
     owner = "qalculate";
     repo = "qalculate-qt";
     rev = "v${version}";
-    sha256 = "sha256-1MU/Wici+NQWbjoNpE9q6jKx8aKt85OAfb+ZsN/oK5w=";
+    hash = "sha256-1MU/Wici+NQWbjoNpE9q6jKx8aKt85OAfb+ZsN/oK5w=";
   };
 
   nativeBuildInputs = [ qmake intltool pkg-config wrapQtAppsHook ];
-  buildInputs = [ libqalculate qtbase qttools ];
+  buildInputs = [ libqalculate qtbase qttools qtsvg qtwayland ];
+
+  postPatch = ''
+    substituteInPlace qalculate-qt.pro\
+      --replace "LRELEASE" "${qttools.dev}/bin/lrelease"
+  '';
 
   meta = with lib; {
     description = "The ultimate desktop calculator";
diff --git a/pkgs/applications/video/glaxnimate/default.nix b/pkgs/applications/video/glaxnimate/default.nix
new file mode 100644
index 000000000000..2fdb82869f3b
--- /dev/null
+++ b/pkgs/applications/video/glaxnimate/default.nix
@@ -0,0 +1,81 @@
+{ lib
+, stdenv
+, fetchFromGitLab
+, cmake
+, zlib
+, potrace
+, ffmpeg
+, libarchive
+, python3
+, qtbase
+, qttools
+, wrapQtAppsHook
+, testers
+, qtsvg
+, qtimageformats
+# For the tests
+, glaxnimate # Call itself, for the tests
+, xvfb-run
+}:
+let
+  # TODO: try to add a python library, see toPythonModule in doc/languages-frameworks/python.section.md
+  python3WithLibs = python3.withPackages (ps: with ps; [
+    # In data/lib/python-lottie/requirements.txt
+    numpy
+    pillow
+    cairosvg
+    fonttools
+    grapheme
+    opencv4
+    pyqt5
+    qscintilla
+    # Not sure if needed, but appears in some files
+    pyyaml
+    requests
+    pybind11
+  ]);
+in
+stdenv.mkDerivation rec {
+  pname = "glaxnimate";
+  version = "0.5.1";
+
+  src = fetchFromGitLab {
+    owner = "mattbas";
+    repo = "${pname}";
+    rev = "${version}";
+    sha256 = "G4ykcOvXXnVIQZUYpRIrALtDSsGqxMvDtcmobjjtlKw=";
+    fetchSubmodules = true;
+  };
+
+  nativeBuildInputs = [
+    cmake
+    wrapQtAppsHook
+  ];
+
+  buildInputs = [
+    zlib
+    potrace
+    # Upstream asks for libav dependency, which is fulfilled by ffmpeg
+    ffmpeg
+    libarchive
+    qtbase
+    qttools
+    qtsvg
+    qtimageformats
+    python3WithLibs
+  ];
+
+  qtWrapperArgs = [ ''--prefix PATH : ${python3WithLibs}/bin'' ];
+
+  passthru.tests.version = testers.testVersion {
+    package = glaxnimate;
+    command = "${xvfb-run}/bin/xvfb-run glaxnimate --version";
+  };
+
+  meta = with lib; {
+    homepage = "https://gitlab.com/mattbas/glaxnimate";
+    description = "Simple vector animation program.";
+    license = licenses.gpl3;
+    maintainers = with maintainers; [ tobiasBora ];
+  };
+}
diff --git a/pkgs/data/fonts/dina/default.nix b/pkgs/data/fonts/dina/default.nix
index 509a37556cec..4a0612efd3e5 100644
--- a/pkgs/data/fonts/dina/default.nix
+++ b/pkgs/data/fonts/dina/default.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchurl, unzip
+{ lib, stdenv, fetchzip, fontforge
 , bdftopcf, xorg
 }:
 
@@ -8,32 +8,41 @@ stdenv.mkDerivation {
 
   outputs = [ "out" "bdf" ];
 
-  src = fetchurl {
-    url = "http://www.donationcoder.com/Software/Jibz/Dina/downloads/Dina.zip";
-    sha256 = "1kq86lbxxgik82aywwhawmj80vsbz3hfhdyhicnlv9km7yjvnl8z";
+  src = fetchzip {
+    url = "https://www.dcmembers.com/jibsen/download/61/?wpdmdl=61";
+    hash = "sha256-JK+vnOyhAbwT825S+WKbQuWgRrfZZHfyhaMQ/6ljO8s=";
+    extension = "zip";
+    stripRoot = false;
   };
 
   nativeBuildInputs =
-    [ unzip bdftopcf xorg.mkfontscale xorg.fonttosfnt ];
-
-  postPatch = ''
-    sed -i 's/microsoft-cp1252/ISO8859-1/' *.bdf
-  '';
+    [ fontforge bdftopcf xorg.mkfontscale xorg.fonttosfnt ];
 
   buildPhase = ''
     runHook preBuild
 
     newName() {
-        test "''${1:5:1}" = i && _it=Italic || _it=
-        case ''${1:6:3} in
-            400) test -z $it && _weight=Medium ;;
-            700) _weight=Bold ;;
-        esac
-        _pt=''${1%.bdf}
-        _pt=''${_pt#*-}
-        echo "Dina$_weight$_it$_pt"
+      local name=''${1##*/}
+      test "''${name:5:1}" = i && _it=Italic || _it=
+      case ''${name:6:3} in
+          400) _weight=Medium ;;
+          700) _weight=Bold ;;
+      esac
+      _pt=''${1%.bdf}
+      _pt=''${_pt#*-}
+      echo "Dina$_weight$_it$_pt"
     }
 
+    # Re-encode the provided BDF files from CP1252 to Unicode as fonttosfnt does
+    # not support the former.
+    # We could generate the PCF and OTB files with fontforge directly, but that
+    # results in incorrect spacing in various places.
+    for f in BDF/*.bdf; do
+      basename=''${f##*/} basename=''${basename%.*}
+      fontforge -lang=ff -c "Open(\"$f\"); Reencode(\"win\", 1); Reencode(\"unicode\"); Generate(\"$basename.bdf\")"
+      mv "$basename"-*.bdf "$basename".bdf # remove the superfluous added size suffix
+    done
+
     for f in *.bdf; do
         name=$(newName "$f")
         bdftopcf -t -o "$name.pcf" "$f"
@@ -62,9 +71,8 @@ stdenv.mkDerivation {
       relatively compact to allow a lot of code on screen, while (hopefully)
       clear enough to remain readable even at high resolutions.
     '';
-    homepage = "https://www.donationcoder.com/Software/Jibz/Dina/";
-    downloadPage = "https://www.donationcoder.com/Software/Jibz/Dina/";
+    homepage = "https://www.dcmembers.com/jibsen/download/61/";
     license = licenses.free;
-    maintainers = [ maintainers.prikhi ];
+    maintainers = with maintainers; [ prikhi ncfavier ];
   };
 }
diff --git a/pkgs/development/interpreters/php/8.0.nix b/pkgs/development/interpreters/php/8.0.nix
index 3f05a546e23b..37277baae814 100644
--- a/pkgs/development/interpreters/php/8.0.nix
+++ b/pkgs/development/interpreters/php/8.0.nix
@@ -2,8 +2,8 @@
 
 let
   base = callPackage ./generic.nix (_args // {
-    version = "8.0.26";
-    hash = "sha256-bfh6+W8nWnWIns5uP+ShOr2Tp2epmShjvcDpDx6Ifuc=";
+    version = "8.0.27";
+    hash = "sha256-X9iCsUN3wVjBtVzGrOkfuMGbd8WW1YMa0ST7u8kC28g=";
   });
 
 in
diff --git a/pkgs/development/interpreters/php/8.1.nix b/pkgs/development/interpreters/php/8.1.nix
index dc1b8c8581ef..6cfda280d3ef 100644
--- a/pkgs/development/interpreters/php/8.1.nix
+++ b/pkgs/development/interpreters/php/8.1.nix
@@ -2,8 +2,8 @@
 
 let
   base = callPackage ./generic.nix (_args // {
-    version = "8.1.13";
-    hash = "sha256-k/z9+qo9CUoP2xjOCNIPINUm7j8HoUaoqOyCzgCyN8o=";
+    version = "8.1.14";
+    hash = "sha256-FMqZMz3WBKUEojaJRkhaw103nE2pbSjcUV1+tQLf+jI=";
   });
 
 in
diff --git a/pkgs/development/interpreters/php/8.2.nix b/pkgs/development/interpreters/php/8.2.nix
index 1ac48d7f0575..41627582dc83 100644
--- a/pkgs/development/interpreters/php/8.2.nix
+++ b/pkgs/development/interpreters/php/8.2.nix
@@ -2,8 +2,8 @@
 
 let
   base = callPackage ./generic.nix (_args // {
-    version = "8.2.0";
-    hash = "sha256-G/T8pmP5PZ4LSQm9bq4Fg6HOOD5/Bd8Sbyjycvof1Ro=";
+    version = "8.2.1";
+    hash = "sha256-ddb482WZPsDR2cYoHUVX5v7sWiYZSkaLiwFFnRd++yk=";
   });
 
 in
diff --git a/pkgs/development/libraries/qca-qt5/default.nix b/pkgs/development/libraries/qca-qt5/default.nix
index b85a3ad8c7a7..d10ebbdd4b77 100644
--- a/pkgs/development/libraries/qca-qt5/default.nix
+++ b/pkgs/development/libraries/qca-qt5/default.nix
@@ -26,8 +26,5 @@ stdenv.mkDerivation rec {
     maintainers = with maintainers; [ ttuegel ];
     license = licenses.lgpl21Plus;
     platforms = with platforms; unix;
-    # until macOS SDK supports Qt 5.15, 2.3.2 is the highest version of qca-qt5
-    # that works on darwin
-    broken = stdenv.isDarwin;
   };
 }
diff --git a/pkgs/development/libraries/vtk/generic.nix b/pkgs/development/libraries/vtk/generic.nix
index 1994e4ace114..327e848d89ee 100644
--- a/pkgs/development/libraries/vtk/generic.nix
+++ b/pkgs/development/libraries/vtk/generic.nix
@@ -2,7 +2,7 @@
 { stdenv, lib, fetchurl, cmake, libGLU, libGL, libX11, xorgproto, libXt, libpng, libtiff
 , fetchpatch
 , enableQt ? false, qtbase, qtx11extras, qttools, qtdeclarative, qtEnv
-, enablePython ? false, pythonInterpreter ? throw "vtk: Python support requested, but no python interpreter was given."
+, enablePython ? false, python ? throw "vtk: Python support requested, but no python interpreter was given."
 # Darwin support
 , Cocoa, CoreServices, DiskArbitration, IOKit, CFNetwork, Security, GLUT, OpenGL
 , ApplicationServices, CoreText, IOSurface, ImageIO, xpc, libobjc
@@ -11,7 +11,7 @@
 let
   inherit (lib) optionalString optionals optional;
 
-  pythonMajor = lib.substring 0 1 pythonInterpreter.pythonVersion;
+  pythonMajor = lib.substring 0 1 python.pythonVersion;
 
 in stdenv.mkDerivation rec {
   pname = "vtk${optionalString enableQt "-qvtk"}";
@@ -47,7 +47,7 @@ in stdenv.mkDerivation rec {
       OpenGL
       GLUT
     ] ++ optionals enablePython [
-      pythonInterpreter
+      python
     ];
   propagatedBuildInputs = optionals stdenv.isDarwin [ libobjc ]
     ++ optionals stdenv.isLinux [ libX11 libGL ];
@@ -89,6 +89,13 @@ in stdenv.mkDerivation rec {
     sed -i 's/fprintf(output, shift)/fprintf(output, "%s", shift)/g' ./ThirdParty/libxml2/vtklibxml2/xpath.c
   '';
 
+  postInstall = optionalString enablePython ''
+    substitute \
+      ${./vtk.egg-info} \
+      $out/lib/python${python.pythonVersion}/site-packages/vtk-${version}.egg-info \
+      --subst-var-by VTK_VER "${version}"
+  '';
+
   meta = with lib; {
     description = "Open source libraries for 3D computer graphics, image processing and visualization";
     homepage = "https://www.vtk.org/";
diff --git a/pkgs/development/libraries/vtk/vtk.egg-info b/pkgs/development/libraries/vtk/vtk.egg-info
new file mode 100644
index 000000000000..a244450ad767
--- /dev/null
+++ b/pkgs/development/libraries/vtk/vtk.egg-info
@@ -0,0 +1,4 @@
+Metadata-Version: 2.1
+Version: @VTK_VER@
+Summary: VTK is an open-source toolkit for 3D computer graphics, image processing, and visualization
+Platform: UNKNOWN
diff --git a/pkgs/development/lua-modules/generated-packages.nix b/pkgs/development/lua-modules/generated-packages.nix
index 487f854b2ce4..52fbeabf068f 100644
--- a/pkgs/development/lua-modules/generated-packages.nix
+++ b/pkgs/development/lua-modules/generated-packages.nix
@@ -2708,10 +2708,10 @@ buildLuarocksPackage {
 
   src = fetchgit ( removeAttrs (builtins.fromJSON ''{
   "url": "https://github.com/nvim-lua/plenary.nvim",
-  "rev": "4b7e52044bbb84242158d977a50c4cbcd85070c7",
-  "date": "2022-10-01T09:05:53+02:00",
-  "path": "/nix/store/hkj69cqq4qg3d98irg8wszgl7i1bg6lv-plenary.nvim",
-  "sha256": "11815h0h2mf5ym282ghk7xav90635r88qbgaflpgbyk2banl31wl",
+  "rev": "9d81624fbcedd3dd43b38d7e13a1e7b3f873d8cd",
+  "date": "2023-01-06T19:47:51+01:00",
+  "path": "/nix/store/r6a56xvn5dkrsnswpg7297ihdfc1qsgy-plenary.nvim",
+  "sha256": "0y3qn0rwlwp720517lwg35f09b30b591hprbvb6hgvn1waw2ljzc",
   "fetchLFS": false,
   "fetchSubmodules": true,
   "deepClone": false,
diff --git a/pkgs/development/ocaml-modules/toml/default.nix b/pkgs/development/ocaml-modules/toml/default.nix
index 41c52985cf99..baab042b1bf4 100644
--- a/pkgs/development/ocaml-modules/toml/default.nix
+++ b/pkgs/development/ocaml-modules/toml/default.nix
@@ -1,22 +1,18 @@
-{ lib, fetchFromGitHub, fetchpatch, buildDunePackage
+{ lib, fetchFromGitHub, buildDunePackage
 , iso8601, menhir
 }:
 
 buildDunePackage rec {
   pname = "toml";
-  version = "7.0.0";
+  version = "7.1.0";
+  minimalOCamlVersion = "4.08";
+  duneVersion = "3";
 
   src = fetchFromGitHub {
     owner = "ocaml-toml";
     repo = "to.ml";
     rev = version;
-    sha256 = "sha256-VEZQTFPwAGShCBGbKUiNOIY1zA/JdTpXU0ZIGNWopnQ=";
-  };
-
-  # Ensure compatibility with menhir ≥ 20211215
-  patches = fetchpatch {
-    url = "https://github.com/ocaml-toml/To.ml/commit/41172b739dff43424a12f7c1f0f64939e3660648.patch";
-    sha256 = "sha256:1333xkmm9qp5m3pp4y5w17k6rvmb30v62qyra6rfk1km2v28hqqq";
+    hash = "sha256-uk14Py7lEEDJhFsRRtStXqKlJLtx0o8eS9DEIes4SHw=";
   };
 
   nativeBuildInputs = [ menhir ];
diff --git a/pkgs/development/php-packages/datadog_trace/default.nix b/pkgs/development/php-packages/datadog_trace/default.nix
index 4138be3f0651..8a9447525bba 100644
--- a/pkgs/development/php-packages/datadog_trace/default.nix
+++ b/pkgs/development/php-packages/datadog_trace/default.nix
@@ -2,19 +2,18 @@
 
 buildPecl rec {
   pname = "ddtrace";
-  version = "0.70.0";
+  version = "0.82.0";
 
   src = fetchFromGitHub {
     owner = "DataDog";
     repo = "dd-trace-php";
     rev = version;
-    sha256 = "sha256-AYRBzE0Detg/IHXYutZUfPRMtfthxdkSjqD0M+VcTpY=";
+    sha256 = "sha256-QTqZRHh57mRkg0HT9qQS13emGobB0IRqM+mdImAPgtE=";
   };
 
   buildInputs = [ curl pcre2 ];
 
   meta = with lib; {
-    broken = lib.versionOlder php.version "8.1"; # Broken on PHP older than 8.1.
     description = "Datadog Tracing PHP Client";
     homepage = "https://github.com/DataDog/dd-trace-php";
     license = licenses.apsl20;
diff --git a/pkgs/development/python-modules/doorbirdpy/default.nix b/pkgs/development/python-modules/doorbirdpy/default.nix
index 1290aaf05757..34157b639345 100644
--- a/pkgs/development/python-modules/doorbirdpy/default.nix
+++ b/pkgs/development/python-modules/doorbirdpy/default.nix
@@ -2,16 +2,20 @@
 , buildPythonPackage
 , fetchPypi
 , requests
+, pythonOlder
 }:
 
 buildPythonPackage rec {
   pname = "doorbirdpy";
-  version = "2.1.0";
+  version = "2.2.0";
+  format = "setuptools";
+
+  disabled = pythonOlder "3.7";
 
   src = fetchPypi {
     pname = "DoorBirdPy";
     inherit version;
-    sha256 = "ed0e94953cdf96111c7f73c5fcf358f65dc0ff5e47f63fc057bf18ca7512e606";
+    hash = "sha256-ZGIIko5Ac0Q4Jhz+z7FREJ4MhPF9ADDWgQFRtcZ+dWY=";
   };
 
   propagatedBuildInputs = [
@@ -21,7 +25,9 @@ buildPythonPackage rec {
   # no tests on PyPI, no tags on GitLab
   doCheck = false;
 
-  pythonImportsCheck = [ "doorbirdpy" ];
+  pythonImportsCheck = [
+    "doorbirdpy"
+  ];
 
   meta = with lib; {
     description = "Python wrapper for the DoorBird LAN API";
diff --git a/pkgs/development/python-modules/duckdb-engine/default.nix b/pkgs/development/python-modules/duckdb-engine/default.nix
index ff995c7ac1e5..04c0c84315fa 100644
--- a/pkgs/development/python-modules/duckdb-engine/default.nix
+++ b/pkgs/development/python-modules/duckdb-engine/default.nix
@@ -13,7 +13,7 @@
 
 buildPythonPackage rec {
   pname = "duckdb-engine";
-  version = "0.6.6";
+  version = "0.6.7";
   format = "pyproject";
 
   disabled = pythonOlder "3.7";
@@ -22,7 +22,7 @@ buildPythonPackage rec {
     repo = "duckdb_engine";
     owner = "Mause";
     rev = "refs/tags/v${version}";
-    hash = "sha256-OpVkMkZt5h4Rp615wx42cR/NFbv6dwsklqM8/xRswtw=";
+    hash = "sha256-ZbdrqR1apeZMnJb2hzvPyCKWl+0A9ROMZJXIshPVGW0=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/development/python-modules/gcal-sync/default.nix b/pkgs/development/python-modules/gcal-sync/default.nix
index d2cd8b7740e1..036e62348fc8 100644
--- a/pkgs/development/python-modules/gcal-sync/default.nix
+++ b/pkgs/development/python-modules/gcal-sync/default.nix
@@ -13,7 +13,7 @@
 
 buildPythonPackage rec {
   pname = "gcal-sync";
-  version = "4.1.0";
+  version = "4.1.1";
   format = "setuptools";
 
   disabled = pythonOlder "3.9";
@@ -22,7 +22,7 @@ buildPythonPackage rec {
     owner = "allenporter";
     repo = "gcal_sync";
     rev = "refs/tags/${version}";
-    hash = "sha256-dmxqN0SE/qAu07ilBnVdV8k3hvpfUPLMtIfqlhSg20U=";
+    hash = "sha256-gRIioR0TrvxTEd572AEuWlamlEaNOoOcXNten5AAAkA=";
   };
 
   propagatedBuildInputs = [
diff --git a/pkgs/development/python-modules/ical/default.nix b/pkgs/development/python-modules/ical/default.nix
index 66e64270ad85..75b7366b3334 100644
--- a/pkgs/development/python-modules/ical/default.nix
+++ b/pkgs/development/python-modules/ical/default.nix
@@ -17,7 +17,7 @@
 
 buildPythonPackage rec {
   pname = "ical";
-  version = "4.2.8";
+  version = "4.2.9";
   format = "setuptools";
 
   disabled = pythonOlder "3.9";
@@ -26,7 +26,7 @@ buildPythonPackage rec {
     owner = "allenporter";
     repo = pname;
     rev = "refs/tags/${version}";
-    hash = "sha256-vOjsHGB1VJuBEfLAXUkvTbQSFi4mkpf9qROVZo3ZABY=";
+    hash = "sha256-p1cvs+xLin2WK2zyqQFd1vWKzt+LU2mpDSieOgA7Qf8=";
   };
 
   propagatedBuildInputs = [
diff --git a/pkgs/development/python-modules/mayavi/default.nix b/pkgs/development/python-modules/mayavi/default.nix
index 736fc1d87952..b0ddfeeefcf3 100644
--- a/pkgs/development/python-modules/mayavi/default.nix
+++ b/pkgs/development/python-modules/mayavi/default.nix
@@ -27,10 +27,6 @@ buildPythonPackage rec {
   };
 
   postPatch = ''
-    # Discovery of 'vtk' in setuptools is not working properly, due to a missing
-    # .egg-info in the vtk package. It does however import and run just fine.
-    substituteInPlace mayavi/__init__.py --replace "'vtk'" ""
-
     # building the docs fails with the usual Qt xcb error, so skip:
     substituteInPlace setup.py \
       --replace "build.build.run(self)" "build.build.run(self); return"
diff --git a/pkgs/development/python-modules/minio/default.nix b/pkgs/development/python-modules/minio/default.nix
index 9a114514969a..8fb2c749ac40 100644
--- a/pkgs/development/python-modules/minio/default.nix
+++ b/pkgs/development/python-modules/minio/default.nix
@@ -16,7 +16,7 @@
 
 buildPythonPackage rec {
   pname = "minio";
-  version = "7.1.12";
+  version = "7.1.13";
   format = "setuptools";
 
   disabled = pythonOlder "3.7";
@@ -25,7 +25,7 @@ buildPythonPackage rec {
     owner = "minio";
     repo = "minio-py";
     rev = "refs/tags/${version}";
-    hash = "sha256-9BjKoBQdkqkNK6StsiP0L3S5Dn8y53K5VghUIpIt46k=";
+    hash = "sha256-Kn/I5q079b4vqi+jL/pcVKMqGgs+PYgMoByX8ZzgZ5M=";
   };
 
   propagatedBuildInputs = [
@@ -56,6 +56,7 @@ buildPythonPackage rec {
   meta = with lib; {
     description = "Simple APIs to access any Amazon S3 compatible object storage server";
     homepage = "https://github.com/minio/minio-py";
+    changelog = "https://github.com/minio/minio-py/releases/tag/${version}";
     maintainers = with maintainers; [ peterromfeldhk ];
     license = licenses.asl20;
   };
diff --git a/pkgs/development/python-modules/notify-py/default.nix b/pkgs/development/python-modules/notify-py/default.nix
index 9184199c0acb..971a8cd5cc9e 100644
--- a/pkgs/development/python-modules/notify-py/default.nix
+++ b/pkgs/development/python-modules/notify-py/default.nix
@@ -18,17 +18,16 @@
 
 buildPythonPackage rec {
   pname = "notify-py";
-  version = "0.3.38";
+  version = "0.3.39";
+  format = "pyproject";
 
   disabled = pythonOlder "3.6";
 
-  format = "pyproject";
-
   src = fetchFromGitHub {
     owner = "ms7m";
     repo = pname;
-    rev = "v${version}";
-    hash = "sha256-wlA7a10f4PYP3dYYwZqMULQ5FMCXpOUOTxXzEEVZCsI=";
+    rev = "refs/tags/v${version}";
+    hash = "sha256-QIK5MCCOsD8SStoh7TRw+l9k28SjChwV2J/T7gMKnAs=";
   };
 
   patches = lib.optionals stdenv.isLinux [
@@ -89,6 +88,7 @@ buildPythonPackage rec {
   meta = with lib; {
     description = "Cross-platform desktop notification library for Python";
     homepage = "https://github.com/ms7m/notify-py";
+    changelog = "https://github.com/ms7m/notify-py/releases/tag/v${version}";
     license = licenses.mit;
     maintainers = with maintainers; [ austinbutler dotlambda ];
   };
diff --git a/pkgs/development/python-modules/pastescript/default.nix b/pkgs/development/python-modules/pastescript/default.nix
index 244b51f3f844..ab99f7e5852e 100644
--- a/pkgs/development/python-modules/pastescript/default.nix
+++ b/pkgs/development/python-modules/pastescript/default.nix
@@ -7,16 +7,20 @@
 , six
 , paste
 , pastedeploy
+, pythonOlder
 }:
 
 buildPythonPackage rec {
   pname = "pastescript";
-  version = "3.2.1";
+  version = "3.3.0";
+  format = "setuptools";
+
+  disabled = pythonOlder "3.7";
 
   src = fetchPypi {
     pname = "PasteScript";
     inherit version;
-    sha256 = "f3ef819785e1b284e6fc108a131bce7e740b18255d96cd2e99ee3f00fd452468";
+    hash = "sha256-3eyAGhOsZn4JTt3ij5AhLN6nvcmhjUNxsI9abvfS66I=";
   };
 
   propagatedBuildInputs = [
@@ -27,9 +31,15 @@ buildPythonPackage rec {
 
   # test suite seems to unset PYTHONPATH
   doCheck = false;
-  checkInputs = [ nose pytestCheckHook ];
 
-  pythonNamespaces = [ "paste" ];
+  checkInputs = [
+    nose
+    pytestCheckHook
+  ];
+
+  pythonNamespaces = [
+    "paste"
+  ];
 
   disabledTestPaths = [
     "appsetup/testfiles"
diff --git a/pkgs/development/python-modules/pyswitchbot/default.nix b/pkgs/development/python-modules/pyswitchbot/default.nix
index 485dec0413fd..49c90630da07 100644
--- a/pkgs/development/python-modules/pyswitchbot/default.nix
+++ b/pkgs/development/python-modules/pyswitchbot/default.nix
@@ -12,7 +12,7 @@
 
 buildPythonPackage rec {
   pname = "pyswitchbot";
-  version = "0.36.2";
+  version = "0.36.3";
   format = "setuptools";
 
   disabled = pythonOlder "3.7";
@@ -21,7 +21,7 @@ buildPythonPackage rec {
     owner = "Danielhiversen";
     repo = "pySwitchbot";
     rev = "refs/tags/${version}";
-    hash = "sha256-I+OnxSQ/984aoloe/1673JDaVzG6yKOSrDvGuupAnkc=";
+    hash = "sha256-X4Ym+UmAY/O6UB26CVrqLPD03WP/3uzOJdKW/aUCwrc=";
   };
 
   propagatedBuildInputs = [
diff --git a/pkgs/development/python-modules/pyunifiprotect/default.nix b/pkgs/development/python-modules/pyunifiprotect/default.nix
index 9cf127b506dc..aa6ff3c810f6 100644
--- a/pkgs/development/python-modules/pyunifiprotect/default.nix
+++ b/pkgs/development/python-modules/pyunifiprotect/default.nix
@@ -31,7 +31,7 @@
 
 buildPythonPackage rec {
   pname = "pyunifiprotect";
-  version = "4.5.3";
+  version = "4.6.0";
   format = "pyproject";
 
   disabled = pythonOlder "3.9";
@@ -40,7 +40,7 @@ buildPythonPackage rec {
     owner = "briis";
     repo = pname;
     rev = "refs/tags/v${version}";
-    hash = "sha256-FZXnJorY7WNgDVajULZyFwJ13RBbClXK38CCyF7ASmI=";
+    hash = "sha256-D7XIq9uwb3SaVa6NW4jDFeK73zsf51EG+5EkqgGlxCo=";
   };
 
   postPatch = ''
diff --git a/pkgs/development/python-modules/ropper/default.nix b/pkgs/development/python-modules/ropper/default.nix
index 681ecfaefe3b..bf86e0e71453 100644
--- a/pkgs/development/python-modules/ropper/default.nix
+++ b/pkgs/development/python-modules/ropper/default.nix
@@ -10,7 +10,7 @@
 
 buildPythonPackage rec {
   pname = "ropper";
-  version = "1.13.7";
+  version = "1.13.8";
   format = "setuptools";
 
   disabled = pythonOlder "3.7";
@@ -19,7 +19,7 @@ buildPythonPackage rec {
     owner = "sashs";
     repo = "Ropper";
     rev = "v${version}";
-    hash = "sha256-3tWWIYqh/G/b7Z6BMua5bRvtSh4SibT6pv/NArhmqPE=";
+    hash = "sha256-agbqP5O9QEP5UKkaWI5HxAlMsCBPKNSLnAAo2WFDXS8=";
   };
 
   propagatedBuildInputs = [
@@ -36,10 +36,10 @@ buildPythonPackage rec {
   ];
 
   meta = with lib; {
-    broken = stdenv.isDarwin;
     description = "Show information about files in different file formats";
     homepage = "https://scoding.de/ropper/";
     license = licenses.bsd3;
     maintainers = with maintainers; [ bennofs ];
+    broken = stdenv.isDarwin;
   };
 }
diff --git a/pkgs/development/python-modules/soco/default.nix b/pkgs/development/python-modules/soco/default.nix
index ed25bdb37ed4..85b8d1ea2e35 100644
--- a/pkgs/development/python-modules/soco/default.nix
+++ b/pkgs/development/python-modules/soco/default.nix
@@ -16,7 +16,7 @@
 
 buildPythonPackage rec {
   pname = "soco";
-  version = "0.28.1";
+  version = "0.29.0";
   format = "setuptools";
 
   disabled = pythonOlder "3.6";
@@ -24,8 +24,8 @@ buildPythonPackage rec {
   src = fetchFromGitHub {
     owner = "SoCo";
     repo = "SoCo";
-    rev = "v${version}";
-    hash = "sha256-Po9ns+XQ8WuILKrinllm/lqZFWEBnylesCoqs+cnKs4=";
+    rev = "refs/tags/v${version}";
+    hash = "sha256-6xyJY+qgwMsOgnh+PTVCf4F442hnBwlFnW+bt/cWxGc=";
   };
 
   propagatedBuildInputs = [
@@ -52,6 +52,7 @@ buildPythonPackage rec {
   meta = with lib; {
     description = "CLI and library to control Sonos speakers";
     homepage = "http://python-soco.com/";
+    changelog = "https://github.com/SoCo/SoCo/releases/tag/v${version}";
     license = licenses.mit;
     maintainers = with maintainers; [ lovesegfault ];
   };
diff --git a/pkgs/development/python-modules/uritools/default.nix b/pkgs/development/python-modules/uritools/default.nix
index 3d1b274d0690..76678539bd9c 100644
--- a/pkgs/development/python-modules/uritools/default.nix
+++ b/pkgs/development/python-modules/uritools/default.nix
@@ -6,14 +6,14 @@
 
 buildPythonPackage rec {
   pname = "uritools";
-  version = "4.0.0";
+  version = "4.0.1";
   format = "setuptools";
 
   disabled = pythonOlder "3.7";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "420d94c1ff4bf90c678fca9c17b8314243bbcaa992c400a95e327f7f622e1edf";
+    hash = "sha256-78XDpt4FQEhQaFqNPzTahHa1aqNRb7+O/1yHBMeigm8=";
   };
 
   pythonImportsCheck = [
@@ -23,6 +23,7 @@ buildPythonPackage rec {
   meta = with lib; {
     description = "RFC 3986 compliant, Unicode-aware, scheme-agnostic replacement for urlparse";
     homepage = "https://github.com/tkem/uritools/";
+    changelog = "https://github.com/tkem/uritools/blob/v${version}/CHANGELOG.rst";
     license = licenses.mit;
     maintainers = with maintainers; [ rvolosatovs ];
   };
diff --git a/pkgs/servers/isso/default.nix b/pkgs/servers/isso/default.nix
index a64bbd76807c..46942669ac67 100644
--- a/pkgs/servers/isso/default.nix
+++ b/pkgs/servers/isso/default.nix
@@ -63,7 +63,5 @@ with python3Packages; buildPythonApplication rec {
     homepage = "https://posativ.org/isso/";
     license = licenses.mit;
     maintainers = with maintainers; [ fgaz ];
-    # never built on aarch64-darwin since first introduction in nixpkgs
-    broken = stdenv.isDarwin && stdenv.isAarch64;
   };
 }
diff --git a/pkgs/servers/nats-server/default.nix b/pkgs/servers/nats-server/default.nix
index 08e77aaf1527..db2a6da7e5c6 100644
--- a/pkgs/servers/nats-server/default.nix
+++ b/pkgs/servers/nats-server/default.nix
@@ -6,16 +6,16 @@
 
 buildGoModule rec {
   pname = "nats-server";
-  version = "2.9.10";
+  version = "2.9.11";
 
   src = fetchFromGitHub {
     owner = "nats-io";
     repo = pname;
     rev = "v${version}";
-    hash = "sha256-r/hz80XFEOQN7bzQQTIMAeZI8H09WyiUqQl3glJz+RM=";
+    hash = "sha256-iYiQYGwvxW7GF32h+E1vg3x6sml7zGk40jbY8akmOnM=";
   };
 
-  vendorHash = "sha256-ASLy0rPuCSYGyy5Pw9fj559nxO4vPPagDKAe8wM29lo=";
+  vendorHash = "sha256-qApohNp//N/eBljpa+D2fR19rqw8Bd8wdmME9fzqDxc=";
 
   doCheck = false;
 
diff --git a/pkgs/tools/misc/goaccess/default.nix b/pkgs/tools/misc/goaccess/default.nix
index e8261182ca46..32e45bee9031 100644
--- a/pkgs/tools/misc/goaccess/default.nix
+++ b/pkgs/tools/misc/goaccess/default.nix
@@ -10,14 +10,14 @@
 }:
 
 stdenv.mkDerivation rec {
-  version = "1.6.5";
+  version = "1.7";
   pname = "goaccess";
 
   src = fetchFromGitHub {
     owner = "allinurl";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-ZXWlFg0h0PvUqX5+kR/TAkH3GvL9pHRrKueBGqx5MCY=";
+    sha256 = "sha256-5lN+57HMxPfCop2sTSldhv1TBEIaowavXvniwqnesOQ=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/tools/networking/atftp/default.nix b/pkgs/tools/networking/atftp/default.nix
index ca06afe7bdbf..bab2ecbe619b 100644
--- a/pkgs/tools/networking/atftp/default.nix
+++ b/pkgs/tools/networking/atftp/default.nix
@@ -1,12 +1,23 @@
-{ lib, stdenv, fetchurl, readline, tcp_wrappers, pcre, makeWrapper, gcc, ps }:
+{ lib
+, stdenv
+, autoreconfHook
+, fetchurl
+, gcc
+, makeWrapper
+, pcre2
+, perl
+, ps
+, readline
+, tcp_wrappers
+}:
 
 stdenv.mkDerivation rec {
   pname = "atftp";
-  version = "0.7.5";
+  version = "0.8.0";
 
   src = fetchurl {
     url = "mirror://sourceforge/atftp/${pname}-${version}.tar.gz";
-    sha256 = "12h3sgkd25j4nfagil2jqyj1n8yxvaawj0cf01742642n57pmj4k";
+    hash = "sha256-3yqgicdnD56rQOVZjl0stqWC3FGCkm6lC01pDk438xY=";
   };
 
   # fix test script
@@ -14,19 +25,34 @@ stdenv.mkDerivation rec {
     patchShebangs .
   '';
 
-  nativeBuildInputs = [ makeWrapper ];
-  buildInputs = [ readline tcp_wrappers pcre gcc ];
+  nativeBuildInputs = [
+    autoreconfHook
+    makeWrapper
+  ];
+
+  buildInputs = [
+    gcc
+    pcre2
+    readline
+    tcp_wrappers
+  ];
+
+  checkInputs = [
+    perl
+    ps
+  ];
 
   # Expects pre-GCC5 inline semantics
   NIX_CFLAGS_COMPILE = "-std=gnu89";
 
   doCheck = true;
-  checkInputs = [ ps ];
 
-  meta = {
+  meta = with lib; {
     description = "Advanced tftp tools";
-    maintainers = [ lib.maintainers.raskin ];
-    platforms = lib.platforms.linux;
-    license = lib.licenses.gpl2Plus;
+    changelog = "https://sourceforge.net/p/atftp/code/ci/v${version}/tree/Changelog";
+    homepage = "https://sourceforge.net/projects/atftp/";
+    license = licenses.gpl2Plus;
+    maintainers = with maintainers; [ raskin ];
+    platforms = platforms.linux;
   };
 }
diff --git a/pkgs/tools/networking/driftnet/default.nix b/pkgs/tools/networking/driftnet/default.nix
index 1f489b7fbc71..4f077a4bc95e 100644
--- a/pkgs/tools/networking/driftnet/default.nix
+++ b/pkgs/tools/networking/driftnet/default.nix
@@ -1,47 +1,38 @@
-{ stdenv
-, lib
-, fetchFromGitHub
-, fetchpatch
+{ lib
+, stdenv
 , autoreconfHook
 , cairo
+, fetchFromGitHub
 , giflib
 , glib
 , gtk2-x11
 , libjpeg
 , libpcap
 , libpng
-, libwebsockets
-, pkg-config
 , libuv
+, libwebsockets
+, libwebp
 , openssl
+, pkg-config
 }:
 
 stdenv.mkDerivation rec {
   pname = "driftnet";
-  version = "1.3.0";
+  version = "1.4.0";
 
   src = fetchFromGitHub {
     owner = "deiv";
     repo = "driftnet";
-    rev = "v${version}";
-    sha256 = "0kd22aqb25kf54jjv3ml8wy8xm7lmbf0xz1wfp31m08cbzsbizib";
+    rev = "refs/tags/v${version}";
+    hash = "sha256-szmezYnszlRanq8pMD0CIGA+zTYGSwSHcDaZ2Gx1KCA=";
   };
 
-  # https://github.com/deiv/driftnet/pull/33
-  # remove on version bump from 1.3.0
-  patches = [
-    (fetchpatch {
-      name = "fix-darwin-build";
-      url = "https://github.com/deiv/driftnet/pull/33/commits/bef5f3509ab5710161e9e21ea960a997eada534f.patch";
-      sha256 = "1b7p9fkgp7dxv965l7q7y632s80h3nnrkaqnak2h0hakwv0i4pvm";
-    })
-    # https://github.com/deiv/driftnet/issues/37
-    ./libwebsockets-4.3.0.patch
-  ];
-
   enableParallelBuilding = true;
 
-  nativeBuildInputs = [ pkg-config autoreconfHook ];
+  nativeBuildInputs = [
+    pkg-config
+    autoreconfHook
+  ];
 
   buildInputs = [
     cairo
@@ -51,16 +42,18 @@ stdenv.mkDerivation rec {
     libjpeg
     libpcap
     libpng
-    libwebsockets
-    openssl
     libuv
+    libwebsockets
+    libwebp
+    openssl
   ];
 
   meta = with lib; {
     description = "Watches network traffic, and picks out and displays JPEG and GIF images for display";
     homepage = "https://github.com/deiv/driftnet";
+    changelog = "https://github.com/deiv/driftnet/releases/tag/v${version}";
+    license = licenses.gpl2Plus;
     maintainers = with maintainers; [ offline ];
     platforms = platforms.linux ++ platforms.darwin;
-    license = licenses.gpl2Plus;
   };
 }
diff --git a/pkgs/tools/networking/siege/default.nix b/pkgs/tools/networking/siege/default.nix
index b8b70d861e81..6a1ce2f4a028 100644
--- a/pkgs/tools/networking/siege/default.nix
+++ b/pkgs/tools/networking/siege/default.nix
@@ -7,11 +7,11 @@
 
 stdenv.mkDerivation rec {
   pname = "siege";
-  version = "4.1.5";
+  version = "4.1.6";
 
   src = fetchurl {
     url = "http://download.joedog.org/siege/${pname}-${version}.tar.gz";
-    hash = "sha256-B235/Nt/Y8Rtb2YazCzMhAWTeunK5JCrip14qdLnuMs=";
+    hash = "sha256-MJ1Ym/yBm28V0uXoWRs8DG9pNiT1Bg7qwGek2ad1fek=";
   };
 
   NIX_LDFLAGS = lib.optionalString stdenv.isLinux [
@@ -35,6 +35,7 @@ stdenv.mkDerivation rec {
   meta = with lib; {
     description = "HTTP load tester";
     homepage = "https://www.joedog.org/siege-home/";
+    changelog = "https://github.com/JoeDog/siege/blob/v${version}/ChangeLog";
     license = licenses.gpl2Plus;
     maintainers = with maintainers; [ raskin ];
     platforms = platforms.unix;
diff --git a/pkgs/tools/networking/traceroute/default.nix b/pkgs/tools/networking/traceroute/default.nix
index eeb96936aeab..46a52b11b961 100644
--- a/pkgs/tools/networking/traceroute/default.nix
+++ b/pkgs/tools/networking/traceroute/default.nix
@@ -1,25 +1,33 @@
-{ lib, stdenv, fetchurl }:
+{ lib
+, stdenv
+, fetchurl
+}:
 
 stdenv.mkDerivation rec {
   pname = "traceroute";
-  version = "2.1.0";
+  version = "2.1.1";
 
   src = fetchurl {
     url = "mirror://sourceforge/traceroute/${pname}-${version}.tar.gz";
-    sha256 = "3669d22a34d3f38ed50caba18cd525ba55c5c00d5465f2d20d7472e5d81603b6";
+    sha256 = "sha256-j8jVBG6FXXWIYHuzGfW4LjuhPpHV1GNoYyYuY4a7r3Y=";
   };
 
-  makeFlags = [ "prefix=$(out)" "LDFLAGS=-lm" "env=yes" ];
+  makeFlags = [
+    "prefix=$(out)"
+    "LDFLAGS=-lm"
+    "env=yes"
+  ];
 
   preConfigure = ''
     sed -i 's@LIBS := \(.*\) -lm \(.*\)@LIBS := \1 \2@' Make.rules
   '';
 
   meta = with lib; {
-    homepage = "http://traceroute.sourceforge.net/";
     description = "Tracks the route taken by packets over an IP network";
-    license = lib.licenses.gpl2;
-    maintainers = [ maintainers.koral ];
+    homepage = "http://traceroute.sourceforge.net/";
+    changelog = "https://sourceforge.net/projects/traceroute/files/traceroute/traceroute-${version}/";
+    license = licenses.gpl2Plus;
+    maintainers = with maintainers; [ koral ];
     platforms = platforms.linux;
   };
 }
diff --git a/pkgs/tools/security/trufflehog/default.nix b/pkgs/tools/security/trufflehog/default.nix
index 76ccda498b47..39cd2d2f6c6f 100644
--- a/pkgs/tools/security/trufflehog/default.nix
+++ b/pkgs/tools/security/trufflehog/default.nix
@@ -5,13 +5,13 @@
 
 buildGoModule rec {
   pname = "trufflehog";
-  version = "3.21.0";
+  version = "3.23.1";
 
   src = fetchFromGitHub {
     owner = "trufflesecurity";
     repo = "trufflehog";
     rev = "refs/tags/v${version}";
-    hash = "sha256-rse5uyQ7EUBhs0IyC92B/Z7YCeNIXTlZEqrlcjFekgA=";
+    hash = "sha256-dCjFMcLFOoAiOXRp0jhBTqYembLLsvDWMetGjRF083k=";
   };
 
   vendorHash = "sha256-KyyJ7hUWF29L8oB9GkJ918/BQoLMsz+tStT2T9Azunk=";
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index d4e42bac24e9..e0aabf7a24d2 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -3117,6 +3117,8 @@ with pkgs;
 
   glasstty-ttf = callPackage ../data/fonts/glasstty-ttf { };
 
+  glaxnimate = libsForQt5.callPackage ../applications/video/glaxnimate { };
+
   gmid = callPackage ../servers/gemini/gmid { };
 
   gmni = callPackage ../applications/networking/browsers/gmni { };
@@ -11032,7 +11034,7 @@ with pkgs;
 
   qalculate-gtk = callPackage ../applications/science/math/qalculate-gtk { };
 
-  qalculate-qt = libsForQt5.callPackage ../applications/science/math/qalculate-qt { };
+  qalculate-qt = qt6Packages.callPackage ../applications/science/math/qalculate-qt { };
 
   qastools = libsForQt5.callPackage ../tools/audio/qastools { };
 
diff --git a/pkgs/top-level/php-packages.nix b/pkgs/top-level/php-packages.nix
index 8b4463bde3bc..70af04bd96af 100644
--- a/pkgs/top-level/php-packages.nix
+++ b/pkgs/top-level/php-packages.nix
@@ -137,8 +137,7 @@ lib.makeScope pkgs.newScope (self: with self; {
       checkPhase = ''
         runHook preCheck
 
-        NO_INTERACTON=yes SKIP_PERF_SENSITIVE=yes make test
-
+        NO_INTERACTION=yes SKIP_PERF_SENSITIVE=yes make test
         runHook postCheck
       '';
 
@@ -414,6 +413,14 @@ lib.makeScope pkgs.newScope (self: with self; {
             valgrind.dev
           ];
           zendExtension = true;
+          patches = [ ] ++ lib.optionals (lib.versionAtLeast php.version "8.1") [
+            (fetchpatch {
+              # See https://github.com/php/php-src/pull/10266
+              name = "avoid-opcache-test-failures.patch";
+              url = "https://github.com/PHP/php-src/commit/9216d14b3abfc727b0668592b48699440137aa74.patch";
+              sha256 = "sha256-/U6LMn/QGM8BXlh+Etl1z97v3qZFiWL2G3ZopNYShGU=";
+            })
+          ];
           # Tests launch the builtin webserver.
           __darwinAllowLocalNetworking = true;
         }
diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix
index c829f96f7b86..22b9f25bc400 100644
--- a/pkgs/top-level/python-packages.nix
+++ b/pkgs/top-level/python-packages.nix
@@ -11947,7 +11947,7 @@ self: super: with self; {
   vt-py = callPackage ../development/python-modules/vt-py { };
 
   vtk = toPythonModule (pkgs.vtk_9.override {
-    pythonInterpreter = python;
+    inherit python;
     enablePython = true;
   });