about summary refs log tree commit diff
path: root/pkgs/os-specific
diff options
context:
space:
mode:
Diffstat (limited to 'pkgs/os-specific')
-rw-r--r--pkgs/os-specific/bsd/freebsd/default.nix958
-rw-r--r--pkgs/os-specific/bsd/freebsd/evdev-proto/default.nix13
-rw-r--r--pkgs/os-specific/bsd/freebsd/lib/default.nix18
-rw-r--r--pkgs/os-specific/bsd/freebsd/package-set.nix96
-rw-r--r--pkgs/os-specific/bsd/freebsd/patches/13.1/compat-fix-typedefs-locations.patch (renamed from pkgs/os-specific/bsd/freebsd/compat-fix-typedefs-locations.patch)0
-rw-r--r--pkgs/os-specific/bsd/freebsd/patches/13.1/compat-install-dirs.patch (renamed from pkgs/os-specific/bsd/freebsd/compat-install-dirs.patch)0
-rw-r--r--pkgs/os-specific/bsd/freebsd/patches/13.1/libc-msun-arch-subdir.patch (renamed from pkgs/os-specific/bsd/freebsd/libc-msun-arch-subdir.patch)0
-rw-r--r--pkgs/os-specific/bsd/freebsd/patches/13.1/libc-no-force--lcompiler-rt.patch (renamed from pkgs/os-specific/bsd/freebsd/libc-no-force--lcompiler-rt.patch)0
-rw-r--r--pkgs/os-specific/bsd/freebsd/patches/13.1/libnetbsd-do-install.patch (renamed from pkgs/os-specific/bsd/freebsd/libnetbsd-do-install.patch)0
-rw-r--r--pkgs/os-specific/bsd/freebsd/patches/13.1/librpcsvc-include-subdir.patch (renamed from pkgs/os-specific/bsd/freebsd/librpcsvc-include-subdir.patch)0
-rw-r--r--pkgs/os-specific/bsd/freebsd/patches/13.1/mtree-Makefile.patch13
-rw-r--r--pkgs/os-specific/bsd/freebsd/patches/13.1/no-perms-BSD.include.dist.patch (renamed from pkgs/os-specific/bsd/freebsd/no-perms-BSD.include.dist.patch)0
-rw-r--r--pkgs/os-specific/bsd/freebsd/patches/13.1/sys-gnu-date.patch (renamed from pkgs/os-specific/bsd/freebsd/sys-gnu-date.patch)0
-rw-r--r--pkgs/os-specific/bsd/freebsd/patches/13.1/sys-no-explicit-intrinsics-dep.patch (renamed from pkgs/os-specific/bsd/freebsd/sys-no-explicit-intrinsics-dep.patch)0
-rw-r--r--pkgs/os-specific/bsd/freebsd/patches/14.0/bmake-no-compiler-rt.patch11
-rw-r--r--pkgs/os-specific/bsd/freebsd/patches/14.0/compat-fix-typedefs-locations.patch32
-rw-r--r--pkgs/os-specific/bsd/freebsd/patches/14.0/compat-install-dirs.patch40
-rw-r--r--pkgs/os-specific/bsd/freebsd/patches/14.0/install-bootstrap-Makefile.patch11
-rw-r--r--pkgs/os-specific/bsd/freebsd/patches/14.0/libc-msun-arch-subdir.patch11
-rw-r--r--pkgs/os-specific/bsd/freebsd/patches/14.0/libc-no-force--lcompiler-rt.patch10
-rw-r--r--pkgs/os-specific/bsd/freebsd/patches/14.0/libnetbsd-do-install.patch32
-rw-r--r--pkgs/os-specific/bsd/freebsd/patches/14.0/librpcsvc-include-subdir.patch11
-rw-r--r--pkgs/os-specific/bsd/freebsd/patches/14.0/mtree-Makefile.patch13
-rw-r--r--pkgs/os-specific/bsd/freebsd/patches/14.0/no-perms-BSD.include.dist.patch11
-rw-r--r--pkgs/os-specific/bsd/freebsd/patches/14.0/rtld-no-force--lcompiler-rt.patch10
-rw-r--r--pkgs/os-specific/bsd/freebsd/patches/14.0/sys-gnu-date.patch13
-rw-r--r--pkgs/os-specific/bsd/freebsd/patches/14.0/sys-no-explicit-intrinsics-dep.patch42
-rw-r--r--pkgs/os-specific/bsd/freebsd/pkgs/boot-install.nix10
-rw-r--r--pkgs/os-specific/bsd/freebsd/pkgs/compat/compat-setup-hook.sh (renamed from pkgs/os-specific/bsd/freebsd/compat-setup-hook.sh)0
-rw-r--r--pkgs/os-specific/bsd/freebsd/pkgs/compat/package.nix174
-rw-r--r--pkgs/os-specific/bsd/freebsd/pkgs/config.nix35
-rw-r--r--pkgs/os-specific/bsd/freebsd/pkgs/csu.nix34
-rw-r--r--pkgs/os-specific/bsd/freebsd/pkgs/ctfconvert.nix35
-rw-r--r--pkgs/os-specific/bsd/freebsd/pkgs/file2c.nix6
-rw-r--r--pkgs/os-specific/bsd/freebsd/pkgs/filterSource.nix23
-rw-r--r--pkgs/os-specific/bsd/freebsd/pkgs/freebsdSetupHook/package.nix3
-rw-r--r--pkgs/os-specific/bsd/freebsd/pkgs/freebsdSetupHook/setup-hook.sh23
-rw-r--r--pkgs/os-specific/bsd/freebsd/pkgs/gencat.nix3
-rw-r--r--pkgs/os-specific/bsd/freebsd/pkgs/include/package.nix47
-rw-r--r--pkgs/os-specific/bsd/freebsd/pkgs/install.nix67
-rw-r--r--pkgs/os-specific/bsd/freebsd/pkgs/libc/package.nix286
-rw-r--r--pkgs/os-specific/bsd/freebsd/pkgs/libcxxrt.nix11
-rw-r--r--pkgs/os-specific/bsd/freebsd/pkgs/libdwarf.nix20
-rw-r--r--pkgs/os-specific/bsd/freebsd/pkgs/libmd.nix49
-rw-r--r--pkgs/os-specific/bsd/freebsd/pkgs/libnetbsd/package.nix28
-rw-r--r--pkgs/os-specific/bsd/freebsd/pkgs/libnv.nix10
-rw-r--r--pkgs/os-specific/bsd/freebsd/pkgs/libsbuf.nix7
-rw-r--r--pkgs/os-specific/bsd/freebsd/pkgs/libspl.nix22
-rw-r--r--pkgs/os-specific/bsd/freebsd/pkgs/libutil.nix10
-rw-r--r--pkgs/os-specific/bsd/freebsd/pkgs/lorder.nix25
-rw-r--r--pkgs/os-specific/bsd/freebsd/pkgs/make.nix25
-rw-r--r--pkgs/os-specific/bsd/freebsd/pkgs/makeMinimal.nix68
-rw-r--r--pkgs/os-specific/bsd/freebsd/pkgs/mkDerivation.nix164
-rw-r--r--pkgs/os-specific/bsd/freebsd/pkgs/mkcsmapper.nix22
-rw-r--r--pkgs/os-specific/bsd/freebsd/pkgs/mkesdb.nix19
-rw-r--r--pkgs/os-specific/bsd/freebsd/pkgs/mknod.nix3
-rw-r--r--pkgs/os-specific/bsd/freebsd/pkgs/mtree.nix39
-rw-r--r--pkgs/os-specific/bsd/freebsd/pkgs/rpcgen/package.nix27
-rw-r--r--pkgs/os-specific/bsd/freebsd/pkgs/rpcgen/rpcgen-glibc-hack.patch (renamed from pkgs/os-specific/bsd/freebsd/rpcgen-glibc-hack.patch)0
-rw-r--r--pkgs/os-specific/bsd/freebsd/pkgs/sed.nix6
-rw-r--r--pkgs/os-specific/bsd/freebsd/pkgs/source.nix10
-rw-r--r--pkgs/os-specific/bsd/freebsd/pkgs/stat.nix22
-rw-r--r--pkgs/os-specific/bsd/freebsd/pkgs/statHook.nix16
-rw-r--r--pkgs/os-specific/bsd/freebsd/pkgs/sys/package.nix85
-rw-r--r--pkgs/os-specific/bsd/freebsd/pkgs/tsort.nix28
-rw-r--r--pkgs/os-specific/bsd/freebsd/pkgs/uudecode.nix6
-rw-r--r--pkgs/os-specific/bsd/freebsd/pkgs/xargs-j/package.nix9
-rw-r--r--pkgs/os-specific/bsd/freebsd/pkgs/xargs-j/xargs-j.sh (renamed from pkgs/os-specific/bsd/xargs-j.sh)0
-rw-r--r--pkgs/os-specific/bsd/freebsd/setup-hook.sh12
-rwxr-xr-xpkgs/os-specific/bsd/freebsd/update.py200
-rw-r--r--pkgs/os-specific/bsd/freebsd/versions.json233
-rw-r--r--pkgs/os-specific/bsd/lib/install-wrapper.sh30
-rw-r--r--pkgs/os-specific/bsd/netbsd/default.nix1207
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/cksum.nix8
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/column.nix7
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/common.nix3
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/compat/compat-cxx-safe-header.patch (renamed from pkgs/os-specific/bsd/netbsd/compat-cxx-safe-header.patch)0
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/compat/compat-dont-configure-twice.patch (renamed from pkgs/os-specific/bsd/netbsd/compat-dont-configure-twice.patch)0
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/compat/compat-no-force-native.patch (renamed from pkgs/os-specific/bsd/netbsd/compat-no-force-native.patch)0
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/compat/compat-setup-hook.sh (renamed from pkgs/os-specific/bsd/netbsd/compat-setup-hook.sh)0
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/compat/libbsd-overlay.pc (renamed from pkgs/os-specific/bsd/netbsd/libbsd-overlay.pc)0
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/compat/package.nix146
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/config.nix31
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/csu.nix49
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/dict.nix9
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/fts/fts-setup-hook.sh (renamed from pkgs/os-specific/bsd/netbsd/fts-setup-hook.sh)0
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/fts/package.nix48
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/genassym.nix7
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/gencat.nix7
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/getconf.nix7
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/getent/getent.patch (renamed from pkgs/os-specific/bsd/netbsd/getent.patch)0
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/getent/package.nix8
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/headers.nix17
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/i18n_module.nix13
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/include.nix54
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/install/install-setup-hook.sh (renamed from pkgs/os-specific/bsd/netbsd/install-setup-hook.sh)0
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/install/package.nix62
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/ld_elf_so.nix22
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/libarch.nix8
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/libc.nix103
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/libcrypt.nix9
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/libcurses.nix33
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/libedit.nix32
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/libm.nix14
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/libossaudio.nix8
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/libpci.nix15
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/libpthread/base.nix5
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/libpthread/headers.nix12
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/libpthread/package.nix28
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/libresolv.nix13
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/librpcsvc.nix31
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/librt.nix18
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/libterminfo.nix51
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/libutil.nix42
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/locale/locale.patch (renamed from pkgs/os-specific/bsd/netbsd/locale.patch)0
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/locale/package.nix9
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/lorder.nix25
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/make-rules.nix74
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/make.nix27
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/makeMinimal.nix51
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/man.nix17
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/misc.nix9
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/mkDerivation.nix113
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/mknod.nix7
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/mtree.nix8
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/nbperf.nix7
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/netbsdSetupHook/package.nix3
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/netbsdSetupHook/setup-hook.sh (renamed from pkgs/os-specific/bsd/netbsd/setup-hook.sh)1
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/rpcgen.nix7
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/stat/hook.nix17
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/stat/package.nix28
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/sys/base.nix93
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/sys/headers.nix49
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/sys/no-dynamic-linker.patch (renamed from pkgs/os-specific/bsd/netbsd/no-dynamic-linker.patch)0
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/sys/package.nix49
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/sys/sys-headers-incsdir.patch (renamed from pkgs/os-specific/bsd/netbsd/sys-headers-incsdir.patch)0
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/tic.nix39
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/tsort.nix25
-rw-r--r--pkgs/os-specific/bsd/netbsd/pkgs/uudecode.nix13
-rw-r--r--pkgs/os-specific/bsd/openbsd/default.nix49
-rw-r--r--pkgs/os-specific/bsd/openbsd/pkgs/csu.nix22
-rw-r--r--pkgs/os-specific/bsd/openbsd/pkgs/include/package.nix57
-rw-r--r--pkgs/os-specific/bsd/openbsd/pkgs/libc/disable-librebuild.patch12
-rw-r--r--pkgs/os-specific/bsd/openbsd/pkgs/libc/netbsd-make-to-lower.patch16
-rw-r--r--pkgs/os-specific/bsd/openbsd/pkgs/libc/package.nix120
-rw-r--r--pkgs/os-specific/bsd/openbsd/pkgs/lorder.nix20
-rw-r--r--pkgs/os-specific/bsd/openbsd/pkgs/make-rules/netbsd-make-sinclude.patch15
-rw-r--r--pkgs/os-specific/bsd/openbsd/pkgs/make-rules/package.nix36
-rw-r--r--pkgs/os-specific/bsd/openbsd/pkgs/mkDerivation.nix91
-rw-r--r--pkgs/os-specific/bsd/openbsd/pkgs/openbsdSetupHook/package.nix3
-rw-r--r--pkgs/os-specific/bsd/openbsd/pkgs/openbsdSetupHook/setup-hook.sh21
-rw-r--r--pkgs/os-specific/bsd/openbsd/pkgs/source.nix8
-rw-r--r--pkgs/os-specific/bsd/setup-hook.sh1
-rw-r--r--pkgs/os-specific/darwin/CoreSymbolication/default.nix46
-rw-r--r--pkgs/os-specific/darwin/apple-sdk-11.0/default.nix13
-rw-r--r--pkgs/os-specific/darwin/apple-sdk/default.nix8
-rw-r--r--pkgs/os-specific/darwin/apple-sdk/sdkRoot.nix68
-rw-r--r--pkgs/os-specific/darwin/apple-source-releases/CarbonHeaders/default.nix2
-rw-r--r--pkgs/os-specific/darwin/apple-source-releases/CommonCrypto/default.nix2
-rw-r--r--pkgs/os-specific/darwin/apple-source-releases/Csu/default.nix2
-rw-r--r--pkgs/os-specific/darwin/apple-source-releases/IOKit/default.nix2
-rw-r--r--pkgs/os-specific/darwin/apple-source-releases/Librpcsvc/default.nix2
-rw-r--r--pkgs/os-specific/darwin/apple-source-releases/Libsystem/default.nix25
-rw-r--r--pkgs/os-specific/darwin/apple-source-releases/architecture/default.nix2
-rw-r--r--pkgs/os-specific/darwin/apple-source-releases/default.nix26
-rw-r--r--pkgs/os-specific/darwin/apple-source-releases/diskdev_cmds/default.nix2
-rw-r--r--pkgs/os-specific/darwin/apple-source-releases/dyld/default.nix2
-rw-r--r--pkgs/os-specific/darwin/apple-source-releases/libauto/auto_dtrace.h129
-rw-r--r--pkgs/os-specific/darwin/apple-source-releases/libauto/default.nix86
-rw-r--r--pkgs/os-specific/darwin/apple-source-releases/libdispatch/default.nix2
-rw-r--r--pkgs/os-specific/darwin/apple-source-releases/libiconv/default.nix38
-rw-r--r--pkgs/os-specific/darwin/apple-source-releases/libplatform/default.nix17
-rw-r--r--pkgs/os-specific/darwin/apple-source-releases/libunwind/default.nix2
-rw-r--r--pkgs/os-specific/darwin/apple-source-releases/libutil/default.nix2
-rw-r--r--pkgs/os-specific/darwin/apple-source-releases/macos-11.0.1.nix2
-rw-r--r--pkgs/os-specific/darwin/apple-source-releases/objc4/pure.nix118
-rw-r--r--pkgs/os-specific/darwin/apple-source-releases/system_cmds/default.nix253
-rw-r--r--pkgs/os-specific/darwin/apple-source-releases/system_cmds/fix-implicit-declarations.patch48
-rw-r--r--pkgs/os-specific/darwin/apple-source-releases/system_cmds/meson.build545
-rw-r--r--pkgs/os-specific/darwin/apple-source-releases/system_cmds/meson.options1
-rw-r--r--pkgs/os-specific/darwin/bartender/default.nix12
-rw-r--r--pkgs/os-specific/darwin/binutils/default.nix85
-rw-r--r--pkgs/os-specific/darwin/cctools/apple.nix2
-rw-r--r--pkgs/os-specific/darwin/cctools/port.nix2
-rw-r--r--pkgs/os-specific/darwin/grandperspective/default.nix15
-rw-r--r--pkgs/os-specific/darwin/insert_dylib/default.nix22
-rw-r--r--pkgs/os-specific/darwin/moltenvk/default.nix4
-rw-r--r--pkgs/os-specific/darwin/noah/default.nix2
-rw-r--r--pkgs/os-specific/darwin/openwith/default.nix6
-rw-r--r--pkgs/os-specific/darwin/raycast/default.nix49
-rwxr-xr-xpkgs/os-specific/darwin/raycast/update.sh20
-rw-r--r--pkgs/os-specific/darwin/rectangle/default.nix4
-rw-r--r--pkgs/os-specific/darwin/sketchybar/default.nix72
-rw-r--r--pkgs/os-specific/darwin/skhd/default.nix50
-rw-r--r--pkgs/os-specific/darwin/skhd/org.nixos.skhd.plist23
-rw-r--r--pkgs/os-specific/darwin/utm/default.nix6
-rw-r--r--pkgs/os-specific/darwin/xcode/default.nix5
-rw-r--r--pkgs/os-specific/darwin/yabai/default.nix141
-rw-r--r--pkgs/os-specific/linux/akvcam/default.nix4
-rw-r--r--pkgs/os-specific/linux/anbox/default.nix2
-rw-r--r--pkgs/os-specific/linux/apfs/default.nix4
-rw-r--r--pkgs/os-specific/linux/batman-adv/version.nix10
-rw-r--r--pkgs/os-specific/linux/bcc/absolute-ausyscall.patch43
-rw-r--r--pkgs/os-specific/linux/bcc/default.nix122
-rw-r--r--pkgs/os-specific/linux/bcc/fix-deadlock-detector-import.patch14
-rw-r--r--pkgs/os-specific/linux/bcc/libbcc-path.patch11
-rw-r--r--pkgs/os-specific/linux/below/default.nix6
-rw-r--r--pkgs/os-specific/linux/bpftrace/default.nix71
-rw-r--r--pkgs/os-specific/linux/bpftune/default.nix6
-rw-r--r--pkgs/os-specific/linux/busybox/default.nix4
-rw-r--r--pkgs/os-specific/linux/cpuid/default.nix26
-rw-r--r--pkgs/os-specific/linux/cpupower-gui/default.nix4
-rw-r--r--pkgs/os-specific/linux/cpupower/default.nix1
-rw-r--r--pkgs/os-specific/linux/cryptodev/default.nix15
-rw-r--r--pkgs/os-specific/linux/cryptsetup/default.nix4
-rw-r--r--pkgs/os-specific/linux/dbus-broker/default.nix4
-rw-r--r--pkgs/os-specific/linux/dbus-broker/disable-test.patch23
-rw-r--r--pkgs/os-specific/linux/dcgm/default.nix3
-rw-r--r--pkgs/os-specific/linux/ddcci/default.nix13
-rw-r--r--pkgs/os-specific/linux/decklink/default.nix22
-rw-r--r--pkgs/os-specific/linux/device-tree/default.nix2
-rw-r--r--pkgs/os-specific/linux/digimend/default.nix13
-rw-r--r--pkgs/os-specific/linux/dmidecode/default.nix6
-rw-r--r--pkgs/os-specific/linux/dpdk-kmods/default.nix1
-rw-r--r--pkgs/os-specific/linux/drbd/driver.nix68
-rw-r--r--pkgs/os-specific/linux/drbd/utils.nix (renamed from pkgs/os-specific/linux/drbd/default.nix)15
-rw-r--r--pkgs/os-specific/linux/earlyoom/default.nix38
-rw-r--r--pkgs/os-specific/linux/earlyoom/fix-dbus-path.patch11
-rw-r--r--pkgs/os-specific/linux/ell/default.nix6
-rw-r--r--pkgs/os-specific/linux/ena/default.nix10
-rw-r--r--pkgs/os-specific/linux/ena/override-features-api-detection.patch55
-rw-r--r--pkgs/os-specific/linux/ethq/default.nix2
-rw-r--r--pkgs/os-specific/linux/evdi/default.nix8
-rw-r--r--pkgs/os-specific/linux/facetimehd/default.nix4
-rw-r--r--pkgs/os-specific/linux/ffado/default.nix4
-rw-r--r--pkgs/os-specific/linux/firmware/firmware-manager/default.nix7
-rw-r--r--pkgs/os-specific/linux/firmware/firmware-updater/default.nix25
-rw-r--r--pkgs/os-specific/linux/firmware/firmware-updater/pubspec.lock.json424
-rw-r--r--pkgs/os-specific/linux/firmware/firmware-updater/upgrade-file.patch13
-rw-r--r--pkgs/os-specific/linux/firmware/fwupd-efi/default.nix19
-rw-r--r--pkgs/os-specific/linux/firmware/ipu6-camera-bins/default.nix4
-rw-r--r--pkgs/os-specific/linux/firmware/ivsc-firmware/default.nix4
-rw-r--r--pkgs/os-specific/linux/firmware/linux-firmware/default.nix5
-rw-r--r--pkgs/os-specific/linux/firmware/linux-firmware/source.nix8
-rw-r--r--pkgs/os-specific/linux/firmware/sof-firmware/default.nix5
-rw-r--r--pkgs/os-specific/linux/fnotifystat/default.nix4
-rw-r--r--pkgs/os-specific/linux/framework-laptop-kmod/default.nix6
-rw-r--r--pkgs/os-specific/linux/fscrypt/default.nix6
-rw-r--r--pkgs/os-specific/linux/fsverity-utils/default.nix4
-rw-r--r--pkgs/os-specific/linux/fw-ectool/default.nix33
-rw-r--r--pkgs/os-specific/linux/fwts/default.nix4
-rw-r--r--pkgs/os-specific/linux/g15daemon/default.nix1
-rw-r--r--pkgs/os-specific/linux/game-devices-udev-rules/default.nix6
-rw-r--r--pkgs/os-specific/linux/google-authenticator/default.nix4
-rw-r--r--pkgs/os-specific/linux/guvcview/default.nix4
-rw-r--r--pkgs/os-specific/linux/hwdata/default.nix4
-rw-r--r--pkgs/os-specific/linux/intel-compute-runtime/default.nix4
-rw-r--r--pkgs/os-specific/linux/iproute/default.nix14
-rw-r--r--pkgs/os-specific/linux/ipu6-drivers/default.nix2
-rw-r--r--pkgs/os-specific/linux/ivsc-driver/default.nix2
-rw-r--r--pkgs/os-specific/linux/iw/default.nix31
-rw-r--r--pkgs/os-specific/linux/iwd/default.nix10
-rw-r--r--pkgs/os-specific/linux/kernel/common-config.nix56
-rw-r--r--pkgs/os-specific/linux/kernel/generic.nix58
-rw-r--r--pkgs/os-specific/linux/kernel/hardened/config.nix4
-rw-r--r--pkgs/os-specific/linux/kernel/hardened/patches.json86
-rwxr-xr-xpkgs/os-specific/linux/kernel/hardened/update.py1
-rw-r--r--pkgs/os-specific/linux/kernel/htmldocs.nix11
-rw-r--r--pkgs/os-specific/linux/kernel/kernels-org.json40
-rw-r--r--pkgs/os-specific/linux/kernel/linux-libre.nix4
-rw-r--r--pkgs/os-specific/linux/kernel/linux-rt-5.10.nix6
-rw-r--r--pkgs/os-specific/linux/kernel/linux-rt-5.15.nix6
-rw-r--r--pkgs/os-specific/linux/kernel/linux-rt-6.1.nix6
-rw-r--r--pkgs/os-specific/linux/kernel/linux-rt-6.6.nix6
-rw-r--r--pkgs/os-specific/linux/kernel/manual-config.nix43
-rw-r--r--pkgs/os-specific/linux/kernel/patches.nix23
-rw-r--r--pkgs/os-specific/linux/kernel/rust-1.77.patch792
-rwxr-xr-xpkgs/os-specific/linux/kernel/update-mainline.py7
-rw-r--r--pkgs/os-specific/linux/kernel/xanmod-kernels.nix12
-rw-r--r--pkgs/os-specific/linux/kernel/zen-kernels.nix16
-rw-r--r--pkgs/os-specific/linux/kexec-tools/default.nix4
-rw-r--r--pkgs/os-specific/linux/ksmbd-tools/default.nix4
-rw-r--r--pkgs/os-specific/linux/kvdo/default.nix4
-rw-r--r--pkgs/os-specific/linux/kvmfr/default.nix3
-rw-r--r--pkgs/os-specific/linux/kvmfr/linux-6-4-compat.patch16
-rw-r--r--pkgs/os-specific/linux/ledger-udev-rules/default.nix8
-rw-r--r--pkgs/os-specific/linux/lenovo-legion/app.nix15
-rw-r--r--pkgs/os-specific/linux/lenovo-legion/default.nix2
-rw-r--r--pkgs/os-specific/linux/libbpf/0.x.nix4
-rw-r--r--pkgs/os-specific/linux/libbpf/default.nix6
-rw-r--r--pkgs/os-specific/linux/libcap-ng/default.nix4
-rw-r--r--pkgs/os-specific/linux/libnvme/default.nix2
-rw-r--r--pkgs/os-specific/linux/libsepol/default.nix2
-rw-r--r--pkgs/os-specific/linux/libzbc/default.nix6
-rw-r--r--pkgs/os-specific/linux/libzbd/default.nix2
-rw-r--r--pkgs/os-specific/linux/lttng-modules/default.nix4
-rw-r--r--pkgs/os-specific/linux/lxc/add-meson-options.patch153
-rw-r--r--pkgs/os-specific/linux/lxc/default.nix91
-rw-r--r--pkgs/os-specific/linux/lxc/docbook-hack.patch21
-rw-r--r--pkgs/os-specific/linux/lxcfs/default.nix77
-rw-r--r--pkgs/os-specific/linux/lxcfs/no-spec.patch24
-rw-r--r--pkgs/os-specific/linux/lxcfs/pidfd.patch29
-rw-r--r--pkgs/os-specific/linux/lxcfs/skip-init.patch12
-rw-r--r--pkgs/os-specific/linux/mdadm/default.nix25
-rw-r--r--pkgs/os-specific/linux/mdadm/fix-hardcoded-mapdir.patch13
-rw-r--r--pkgs/os-specific/linux/microcode/intel.nix4
-rw-r--r--pkgs/os-specific/linux/miraclecast/default.nix11
-rw-r--r--pkgs/os-specific/linux/mm-tools/default.nix (renamed from pkgs/os-specific/linux/vm-tools/default.nix)4
-rw-r--r--pkgs/os-specific/linux/mstflint_access/default.nix6
-rw-r--r--pkgs/os-specific/linux/multipath-tools/default.nix22
-rw-r--r--pkgs/os-specific/linux/mwprocapture/default.nix6
-rw-r--r--pkgs/os-specific/linux/nct6687d/default.nix11
-rw-r--r--pkgs/os-specific/linux/ndiswrapper/default.nix4
-rw-r--r--pkgs/os-specific/linux/nftables/default.nix16
-rw-r--r--pkgs/os-specific/linux/nftables/fix-py-libnftables.patch13
-rw-r--r--pkgs/os-specific/linux/nftables/python.nix26
-rw-r--r--pkgs/os-specific/linux/nixos-rebuild/default.nix20
-rwxr-xr-xpkgs/os-specific/linux/nixos-rebuild/nixos-rebuild.sh21
-rw-r--r--pkgs/os-specific/linux/nixos-rebuild/test/repl.nix15
-rw-r--r--pkgs/os-specific/linux/nmon/default.nix4
-rw-r--r--pkgs/os-specific/linux/numworks-udev-rules/default.nix2
-rw-r--r--pkgs/os-specific/linux/nvidia-x11/default.nix45
-rw-r--r--pkgs/os-specific/linux/nvidia-x11/libxnvctrl-build-shared-3xx.patch24
-rw-r--r--pkgs/os-specific/linux/nvidia-x11/libxnvctrl-build-shared.patch21
-rw-r--r--pkgs/os-specific/linux/nvidia-x11/settings.nix15
-rw-r--r--pkgs/os-specific/linux/nvme-cli/default.nix1
-rw-r--r--pkgs/os-specific/linux/oddjob/default.nix62
-rw-r--r--pkgs/os-specific/linux/openvswitch/default.nix4
-rw-r--r--pkgs/os-specific/linux/openvswitch/generic.nix135
-rw-r--r--pkgs/os-specific/linux/openvswitch/lts.nix5
-rw-r--r--pkgs/os-specific/linux/openvswitch/patches/disable-bash-arg-completion-test.patch12
-rwxr-xr-xpkgs/os-specific/linux/openvswitch/update.nu19
-rw-r--r--pkgs/os-specific/linux/pam/default.nix13
-rw-r--r--pkgs/os-specific/linux/pam_rssh/default.nix25
-rw-r--r--pkgs/os-specific/linux/pcm/default.nix4
-rw-r--r--pkgs/os-specific/linux/piper/default.nix4
-rw-r--r--pkgs/os-specific/linux/power-profiles-daemon/default.nix21
-rw-r--r--pkgs/os-specific/linux/prl-tools/default.nix4
-rw-r--r--pkgs/os-specific/linux/r8125/default.nix4
-rw-r--r--pkgs/os-specific/linux/radeontop/default.nix2
-rw-r--r--pkgs/os-specific/linux/rdma-core/default.nix4
-rw-r--r--pkgs/os-specific/linux/restool/default.nix2
-rw-r--r--pkgs/os-specific/linux/rt-tests/default.nix4
-rw-r--r--pkgs/os-specific/linux/rtl8189es/default.nix6
-rw-r--r--pkgs/os-specific/linux/rtl8189fs/default.nix6
-rw-r--r--pkgs/os-specific/linux/rtl8192eu/default.nix8
-rw-r--r--pkgs/os-specific/linux/rtl8723ds/default.nix6
-rw-r--r--pkgs/os-specific/linux/rtl8812au/default.nix6
-rw-r--r--pkgs/os-specific/linux/rtl8821au/default.nix6
-rw-r--r--pkgs/os-specific/linux/rtl8821cu/default.nix8
-rw-r--r--pkgs/os-specific/linux/rtl8852au/default.nix52
-rw-r--r--pkgs/os-specific/linux/rtl8852bu/default.nix51
-rw-r--r--pkgs/os-specific/linux/rtl88xxau-aircrack/default.nix12
-rw-r--r--pkgs/os-specific/linux/rust-out-of-tree-module/default.nix3
-rw-r--r--pkgs/os-specific/linux/ryzen-smu/default.nix69
-rw-r--r--pkgs/os-specific/linux/sd-switch/default.nix16
-rw-r--r--pkgs/os-specific/linux/semodule-utils/default.nix2
-rw-r--r--pkgs/os-specific/linux/setools/default.nix4
-rw-r--r--pkgs/os-specific/linux/sgx/azure-dcap-client/default.nix16
-rw-r--r--pkgs/os-specific/linux/sgx/psw/default.nix42
-rw-r--r--pkgs/os-specific/linux/sgx/sdk/cppmicroservices-no-mtime.patch26
-rw-r--r--pkgs/os-specific/linux/sgx/sdk/default.nix61
-rw-r--r--pkgs/os-specific/linux/sgx/sdk/disable-downloads.patch28
-rw-r--r--pkgs/os-specific/linux/sgx/sdk/ipp-crypto.nix10
-rw-r--r--pkgs/os-specific/linux/sgx/ssl/default.nix44
-rw-r--r--pkgs/os-specific/linux/sgx/ssl/tests.nix95
-rw-r--r--pkgs/os-specific/linux/sssd/default.nix17
-rw-r--r--pkgs/os-specific/linux/sysdig/default.nix117
-rw-r--r--pkgs/os-specific/linux/systemd/default.nix33
-rw-r--r--pkgs/os-specific/linux/tailor-gui/default.nix2
-rw-r--r--pkgs/os-specific/linux/tbs/default.nix12
-rw-r--r--pkgs/os-specific/linux/tiscamera/default.nix6
-rw-r--r--pkgs/os-specific/linux/tomb/default.nix6
-rw-r--r--pkgs/os-specific/linux/tuna/default.nix4
-rw-r--r--pkgs/os-specific/linux/tuxedo-rs/default.nix6
-rw-r--r--pkgs/os-specific/linux/uhk-agent/default.nix4
-rw-r--r--pkgs/os-specific/linux/upower/default.nix9
-rw-r--r--pkgs/os-specific/linux/util-linux/default.nix21
-rw-r--r--pkgs/os-specific/linux/waydroid/default.nix4
-rw-r--r--pkgs/os-specific/linux/xf86-input-wacom/default.nix4
-rw-r--r--pkgs/os-specific/linux/xone/default.nix2
-rw-r--r--pkgs/os-specific/linux/zenmonitor/default.nix4
-rw-r--r--pkgs/os-specific/linux/zfs/2_1.nix2
-rw-r--r--pkgs/os-specific/linux/zfs/2_2.nix8
-rw-r--r--pkgs/os-specific/linux/zfs/unstable.nix8
-rw-r--r--pkgs/os-specific/solo5/default.nix78
-rw-r--r--pkgs/os-specific/windows/default.nix4
-rw-r--r--pkgs/os-specific/windows/mcfgthreads/pre_gcc_13.nix24
388 files changed, 8139 insertions, 4975 deletions
diff --git a/pkgs/os-specific/bsd/freebsd/default.nix b/pkgs/os-specific/bsd/freebsd/default.nix
index 398b2ff6fa6dc..e56c70c1d32d0 100644
--- a/pkgs/os-specific/bsd/freebsd/default.nix
+++ b/pkgs/os-specific/bsd/freebsd/default.nix
@@ -1,904 +1,64 @@
-{ stdenv, lib, stdenvNoCC
-, makeScopeWithSplicing', generateSplicesForMkScope
-, buildPackages
-, bsdSetupHook, makeSetupHook
-, fetchgit, fetchzip, coreutils, groff, mandoc, byacc, flex, which, m4, gawk, substituteAll, runtimeShell
-, zlib, expat, libmd
-, runCommand, writeShellScript, writeText, symlinkJoin
+{
+  lib,
+  makeScopeWithSplicing',
+  generateSplicesForMkScope,
+  callPackage,
+  crossLibcStdenv,
+  attributePathToSplice ? [ "freebsd" ],
+  branch ? "release/14.0.0",
 }:
 
 let
-  inherit (buildPackages.buildPackages) rsync;
-
-  version = "13.1.0";
-
-  # `BuildPackages.fetchgit` avoids some probably splicing-caused infinite
-  # recursion.
-  freebsdSrc = buildPackages.fetchgit {
-    url = "https://git.FreeBSD.org/src.git";
-    rev = "release/${version}";
-    sha256 = "14nhk0kls83xfb64d5xy14vpi6k8laswjycjg80indq9pkcr2rlv";
-  };
-
-  freebsdSetupHook = makeSetupHook {
-    name = "freebsd-setup-hook";
-  } ./setup-hook.sh;
-
-  mkBsdArch = stdenv':  {
-    x86_64 = "amd64";
-    aarch64 = "arm64";
-    i486 = "i386";
-    i586 = "i386";
-    i686 = "i386";
-  }.${stdenv'.hostPlatform.parsed.cpu.name}
-    or stdenv'.hostPlatform.parsed.cpu.name;
-
-  install-wrapper = ''
-    set -eu
-
-    args=()
-    declare -i path_args=0
-
-    while (( $# )); do
-      if (( $# == 1 )); then
-        if (( path_args > 1)) || [[ "$1" = */ ]]; then
-          mkdir -p "$1"
-        else
-          mkdir -p "$(dirname "$1")"
-        fi
-      fi
-      case $1 in
-        -C) ;;
-        -o | -g) shift ;;
-        -s) ;;
-        -m | -l)
-          # handle next arg so not counted as path arg
-          args+=("$1" "$2")
-          shift
-          ;;
-        -*) args+=("$1") ;;
-        *)
-          path_args+=1
-          args+=("$1")
-          ;;
-      esac
-      shift
-    done
-  '';
-
-in makeScopeWithSplicing' {
-  otherSplices = generateSplicesForMkScope "freebsd";
-  f = (self: let
-    inherit (self) mkDerivation;
-  in {
-  inherit freebsdSrc;
-
-  ports = fetchzip {
-    url = "https://cgit.freebsd.org/ports/snapshot/ports-dde3b2b456c3a4bdd217d0bf3684231cc3724a0a.tar.gz";
-    sha256 = "BpHqJfnGOeTE7tkFJBx0Wk8ryalmf4KNTit/Coh026E=";
-  };
-
-  # Why do we have splicing and yet do `nativeBuildInputs = with self; ...`?
-  # See note in ../netbsd/default.nix.
-
-  compatIfNeeded = lib.optional (!stdenvNoCC.hostPlatform.isFreeBSD) self.compat;
-
-  mkDerivation = lib.makeOverridable (attrs: let
-    stdenv' = if attrs.noCC or false then stdenvNoCC else stdenv;
-  in stdenv'.mkDerivation (rec {
-    pname = "${attrs.pname or (baseNameOf attrs.path)}-freebsd";
-    inherit version;
-    src = runCommand "${pname}-filtered-src" {
-      nativeBuildInputs = [ rsync ];
-    } ''
-      for p in ${lib.concatStringsSep " " ([ attrs.path ] ++ attrs.extraPaths or [])}; do
-        set -x
-        path="$out/$p"
-        mkdir -p "$(dirname "$path")"
-        src_path="${freebsdSrc}/$p"
-        if [[ -d "$src_path" ]]; then src_path+=/; fi
-        rsync --chmod="+w" -r "$src_path" "$path"
-        set +x
-      done
-    '';
-
-    extraPaths = [ ];
-
-    nativeBuildInputs = with buildPackages.freebsd; [
-      bsdSetupHook freebsdSetupHook
-      makeMinimal
-      install tsort lorder mandoc groff #statHook
-    ];
-    buildInputs = with self; compatIfNeeded;
-
-    HOST_SH = stdenv'.shell;
-
-    # Since STRIP below is the flag
-    STRIPBIN = "${stdenv.cc.bintools.targetPrefix}strip";
-
-    makeFlags = [
-      "STRIP=-s" # flag to install, not command
-    ] ++ lib.optional (!stdenv.hostPlatform.isFreeBSD) "MK_WERROR=no";
-
-    # amd64 not x86_64 for this on unlike NetBSD
-    MACHINE_ARCH = mkBsdArch stdenv';
-
-    MACHINE = mkBsdArch stdenv';
-
-    MACHINE_CPUARCH = MACHINE_ARCH;
-
-    COMPONENT_PATH = attrs.path or null;
-
-    strictDeps = true;
-
-    meta = with lib; {
-      maintainers = with maintainers; [ ericson2314 ];
-      platforms = platforms.unix;
-      license = licenses.bsd2;
+  versions = builtins.fromJSON (builtins.readFile ./versions.json);
+
+  badBranchError =
+    branch:
+    throw ''
+      Unknown FreeBSD branch ${branch}!
+      FreeBSD branches normally look like one of:
+      * `release/<major>.<minor>.0` for tagged releases without security updates
+      * `releng/<major>.<minor>` for release update branches with security updates
+      * `stable/<major>` for stable versions working towards the next minor release
+      * `main` for the latest development version
+
+      Branches can be selected by overriding the `branch` attribute on the freebsd package set.
+    '';
+
+  # `./package-set.nix` should never know the name of the package set we
+  # are constructing; just this function is allowed to know that. This
+  # is why we:
+  #
+  #  - do the splicing for cross compilation here
+  #
+  #  - construct the *anonymized* `buildFreebsd` attribute to be passed
+  #    to `./package-set.nix`.
+  callFreeBSDWithAttrs =
+    extraArgs:
+    let
+      # we do not include the branch in the splice here because the branch
+      # parameter to this file will only ever take on one value - more values
+      # are provided through overrides.
+      otherSplices = generateSplicesForMkScope attributePathToSplice;
+    in
+    makeScopeWithSplicing' {
+      inherit otherSplices;
+      f =
+        self:
+        {
+          inherit branch;
+        }
+        // callPackage ./package-set.nix (
+          {
+            sourceData = versions.${self.branch} or (throw (badBranchError self.branch));
+            versionData = self.sourceData.version;
+            buildFreebsd = otherSplices.selfBuildHost;
+            patchesRoot = ./patches + "/${self.versionData.revision}";
+          }
+          // extraArgs
+        ) self;
     };
-  } // lib.optionalAttrs stdenv'.hasCC {
-    # TODO should CC wrapper set this?
-    CPP = "${stdenv'.cc.targetPrefix}cpp";
-  } // lib.optionalAttrs stdenv'.isDarwin {
-    MKRELRO = "no";
-  } // lib.optionalAttrs (stdenv'.cc.isClang or false) {
-    HAVE_LLVM = lib.versions.major (lib.getVersion stdenv'.cc.cc);
-  } // lib.optionalAttrs (stdenv'.cc.isGNU or false) {
-    HAVE_GCC = lib.versions.major (lib.getVersion stdenv'.cc.cc);
-  } // lib.optionalAttrs (stdenv'.isx86_32) {
-    USE_SSP = "no";
-  } // lib.optionalAttrs (attrs.headersOnly or false) {
-    installPhase = "includesPhase";
-    dontBuild = true;
-  } // attrs));
-
-  ##
-  ## START BOOTSTRAPPING
-  ##
-  makeMinimal = mkDerivation rec {
-    inherit (self.make) path;
-
-    buildInputs = with self; [];
-    nativeBuildInputs = with buildPackages.netbsd; [ bsdSetupHook freebsdSetupHook ];
-
-    skipIncludesPhase = true;
-
-    makeFlags = [];
-
-    postPatch = ''
-      patchShebangs configure
-      ${self.make.postPatch}
-    '';
-
-    buildPhase = ''
-      runHook preBuild
-
-      sh ./make-bootstrap.sh
-
-      runHook postBuild
-    '';
-
-    installPhase = ''
-      runHook preInstall
-
-      install -D bmake "$out/bin/bmake"
-      ln -s "$out/bin/bmake" "$out/bin/make"
-      mkdir -p "$out/share"
-      cp -r "$BSDSRCDIR/share/mk" "$out/share/mk"
-      find "$out/share/mk" -type f -print0 |
-        while IFS= read -r -d "" f; do
-          substituteInPlace "$f" --replace 'usr/' ""
-        done
-      substituteInPlace "$out/share/mk/bsd.symver.mk" \
-        --replace '/share/mk' "$out/share/mk"
-
-      runHook postInstall
-    '';
-
-    postInstall = lib.optionalString (!stdenv.targetPlatform.isFreeBSD) ''
-      boot_mk="$BSDSRCDIR/tools/build/mk"
-      cp "$boot_mk"/Makefile.boot* "$out/share/mk"
-      replaced_mk="$out/share/mk.orig"
-      mkdir "$replaced_mk"
-      mv "$out"/share/mk/bsd.{lib,prog}.mk "$replaced_mk"
-      for m in bsd.{lib,prog}.mk; do
-        cp "$boot_mk/$m" "$out/share/mk"
-        substituteInPlace "$out/share/mk/$m" --replace '../../../share/mk' '../mk.orig'
-      done
-    '';
-
-    extraPaths = with self; make.extraPaths;
-  };
-
-  # Wrap NetBSD's install
-  boot-install = buildPackages.writeShellScriptBin "boot-install" (install-wrapper + ''
-
-    ${buildPackages.netbsd.install}/bin/xinstall "''${args[@]}"
-  '');
-
-  compat = mkDerivation rec {
-    pname = "compat";
-    path = "tools/build";
-    extraPaths = [
-      "lib/libc/db"
-      "lib/libc/stdlib" # getopt
-      "lib/libc/gen" # getcap
-      "lib/libc/locale" # rpmatch
-    ] ++ lib.optionals stdenv.hostPlatform.isLinux [
-      "lib/libc/string" # strlcpy
-      "lib/libutil"
-    ] ++ [
-      "contrib/libc-pwcache"
-      "contrib/libc-vis"
-      "sys/libkern"
-      "sys/kern/subr_capability.c"
-
-      # Take only individual headers, or else we will clobber native libc, etc.
-
-      "sys/rpc/types.h"
-
-      # Listed in Makekfile as INC
-      "include/mpool.h"
-      "include/ndbm.h"
-      "include/err.h"
-      "include/stringlist.h"
-      "include/a.out.h"
-      "include/nlist.h"
-      "include/db.h"
-      "include/getopt.h"
-      "include/nl_types.h"
-      "include/elf.h"
-      "sys/sys/ctf.h"
-
-      # Listed in Makekfile as SYSINC
-
-      "sys/sys/capsicum.h"
-      "sys/sys/caprights.h"
-      "sys/sys/imgact_aout.h"
-      "sys/sys/nlist_aout.h"
-      "sys/sys/nv.h"
-      "sys/sys/dnv.h"
-      "sys/sys/cnv.h"
-
-      "sys/sys/elf32.h"
-      "sys/sys/elf64.h"
-      "sys/sys/elf_common.h"
-      "sys/sys/elf_generic.h"
-      "sys/${mkBsdArch stdenv}/include"
-    ] ++ lib.optionals stdenv.hostPlatform.isx86 [
-      "sys/x86/include"
-    ] ++ [
-
-      "sys/sys/queue.h"
-      "sys/sys/md5.h"
-      "sys/sys/sbuf.h"
-      "sys/sys/tree.h"
-      "sys/sys/font.h"
-      "sys/sys/consio.h"
-      "sys/sys/fnv_hash.h"
-
-      "sys/crypto/chacha20/_chacha.h"
-      "sys/crypto/chacha20/chacha.h"
-      # included too, despite ".c"
-      "sys/crypto/chacha20/chacha.c"
-
-      "sys/fs"
-      "sys/ufs"
-      "sys/sys/disk"
-
-      "lib/libcapsicum"
-      "lib/libcasper"
-    ];
-
-    patches = [
-      ./compat-install-dirs.patch
-      ./compat-fix-typedefs-locations.patch
-    ];
-
-    preBuild = ''
-      NIX_CFLAGS_COMPILE+=' -I../../include -I../../sys'
-
-      cp ../../sys/${mkBsdArch stdenv}/include/elf.h ../../sys/sys
-      cp ../../sys/${mkBsdArch stdenv}/include/elf.h ../../sys/sys/${mkBsdArch stdenv}
-    '' + lib.optionalString stdenv.hostPlatform.isx86 ''
-      cp ../../sys/x86/include/elf.h ../../sys/x86
-    '';
-
-    setupHooks = [
-      ../../../build-support/setup-hooks/role.bash
-      ./compat-setup-hook.sh
-    ];
-
-    # This one has an ifdefed `#include_next` that makes it annoying.
-    postInstall = ''
-      rm ''${!outputDev}/0-include/libelf.h
-    '';
-
-    nativeBuildInputs = with buildPackages.freebsd; [
-      bsdSetupHook freebsdSetupHook
-      makeMinimal
-      boot-install
-
-      which
-    ];
-    buildInputs = [ expat zlib ];
-
-    makeFlags = [
-      "STRIP=-s" # flag to install, not command
-      "MK_WERROR=no"
-      "HOST_INCLUDE_ROOT=${lib.getDev stdenv.cc.libc}/include"
-      "INSTALL=boot-install"
-    ];
-
-    preIncludes = ''
-      mkdir -p $out/{0,1}-include
-      cp --no-preserve=mode -r cross-build/include/common/* $out/0-include
-    '' + lib.optionalString stdenv.hostPlatform.isLinux ''
-      cp --no-preserve=mode -r cross-build/include/linux/* $out/1-include
-    '' + lib.optionalString stdenv.hostPlatform.isDarwin ''
-      cp --no-preserve=mode -r cross-build/include/darwin/* $out/1-include
-    '';
-  };
-
-  libnetbsd = mkDerivation {
-    path = "lib/libnetbsd";
-    nativeBuildInputs = with buildPackages.freebsd; [
-      bsdSetupHook freebsdSetupHook
-      makeMinimal mandoc groff
-      (if stdenv.hostPlatform == stdenv.buildPlatform
-       then boot-install
-       else install)
-    ];
-    patches = lib.optionals (!stdenv.hostPlatform.isFreeBSD) [
-      ./libnetbsd-do-install.patch
-      #./libnetbsd-define-__va_list.patch
-    ];
-    makeFlags = [
-      "STRIP=-s" # flag to install, not command
-      "MK_WERROR=no"
-    ] ++ lib.optional (stdenv.hostPlatform == stdenv.buildPlatform) "INSTALL=boot-install";
-    buildInputs = with self; compatIfNeeded;
-  };
-
-  # HACK: to ensure parent directories exist. This emulates GNU
-  # install’s -D option. No alternative seems to exist in BSD install.
-  install = let binstall = writeShellScript "binstall" (install-wrapper + ''
-
-    @out@/bin/xinstall "''${args[@]}"
-  ''); in mkDerivation {
-    path = "usr.bin/xinstall";
-    extraPaths = with self; [ mtree.path ];
-    nativeBuildInputs = with buildPackages.freebsd; [
-      bsdSetupHook freebsdSetupHook
-      makeMinimal mandoc groff
-      (if stdenv.hostPlatform == stdenv.buildPlatform
-       then boot-install
-       else install)
-    ];
-    skipIncludesPhase = true;
-    buildInputs = with self; compatIfNeeded ++ [ libmd libnetbsd ];
-    makeFlags = [
-      "STRIP=-s" # flag to install, not command
-      "MK_WERROR=no"
-      "TESTSDIR=${builtins.placeholder "test"}"
-    ] ++ lib.optional (stdenv.hostPlatform == stdenv.buildPlatform) "INSTALL=boot-install";
-    postInstall = ''
-      install -D -m 0550 ${binstall} $out/bin/binstall
-      substituteInPlace $out/bin/binstall --subst-var out
-      mv $out/bin/install $out/bin/xinstall
-      ln -s ./binstall $out/bin/install
-    '';
-    outputs = [ "out" "man" "test" ];
-  };
-
-  sed = mkDerivation {
-    path = "usr.bin/sed";
-    TESTSRC = "${freebsdSrc}/contrib/netbsd-tests";
-    MK_TESTS = "no";
-  };
-
-  # Don't add this to nativeBuildInputs directly.  Use statHook instead.
-  stat = mkDerivation {
-    path = "usr.bin/stat";
-    nativeBuildInputs = with buildPackages.freebsd; [
-      bsdSetupHook freebsdSetupHook
-      makeMinimal install mandoc groff
-    ];
-  };
-
-  # stat isn't in POSIX, and NetBSD stat supports a completely
-  # different range of flags than GNU stat, so including it in PATH
-  # breaks stdenv.  Work around that with a hook that will point
-  # NetBSD's build system and NetBSD stat without including it in
-  # PATH.
-  statHook = makeSetupHook {
-    name = "netbsd-stat-hook";
-  } (writeText "netbsd-stat-hook-impl" ''
-    makeFlagsArray+=(TOOL_STAT=${self.stat}/bin/stat)
-  '');
-
-  tsort = mkDerivation {
-    path = "usr.bin/tsort";
-    nativeBuildInputs = with buildPackages.freebsd; [
-      bsdSetupHook freebsdSetupHook
-      makeMinimal install mandoc groff
-    ];
-  };
-
-  lorder = mkDerivation rec {
-    path = "usr.bin/lorder";
-    noCC = true;
-    dontBuild = true;
-    installPhase = ''
-      mkdir -p "$out/bin" "$man/share/man"
-      mv "lorder.sh" "$out/bin/lorder"
-      chmod +x "$out/bin/lorder"
-      mv "lorder.1" "$man/share/man"
-    '';
-    nativeBuildInputs = [ bsdSetupHook freebsdSetupHook ];
-    buildInputs = [];
-    outputs = [ "out" "man" ];
-  };
-
-  ##
-  ## END BOOTSTRAPPING
-  ##
-
-  ##
-  ## START COMMAND LINE TOOLS
-  ##
-  make = mkDerivation {
-    path = "contrib/bmake";
-    version = "9.2";
-    postPatch = ''
-      # make needs this to pick up our sys make files
-      export NIX_CFLAGS_COMPILE+=" -D_PATH_DEFSYSPATH=\"$out/share/mk\""
-
-    '' + lib.optionalString stdenv.isDarwin ''
-      substituteInPlace $BSDSRCDIR/share/mk/bsd.sys.mk \
-        --replace '-Wl,--fatal-warnings' "" \
-        --replace '-Wl,--warn-shared-textrel' ""
-    '';
-    postInstall = ''
-      make -C $BSDSRCDIR/share/mk FILESDIR=$out/share/mk install
-    '';
-    extraPaths = [ "share/mk" ]
-      ++ lib.optional (!stdenv.hostPlatform.isFreeBSD) "tools/build/mk";
-  };
-  mtree = mkDerivation {
-    path = "contrib/mtree";
-    extraPaths = with self; [ mknod.path ];
-  };
-
-  mknod = mkDerivation {
-    path = "sbin/mknod";
-  };
-
-  rpcgen = mkDerivation rec {
-    path = "usr.bin/rpcgen";
-    patches = lib.optionals (stdenv.hostPlatform.libc == "glibc") [
-      # `WUNTRACED` is defined privately `bits/waitflags.h` in glibc.
-      # But instead of having a regular header guard, it has some silly
-      # non-modular logic. `stdlib.h` will include it if `sys/wait.h`
-      # hasn't yet been included (for it would first), and vice versa.
-      #
-      # The problem is that with the FreeBSD compat headers, one of
-      # those headers ends up included other headers...which ends up
-      # including the other one, this means by the first time we reach
-      # `#include `<bits/waitflags.h>`, both `_SYS_WAIT_H` and
-      # `_STDLIB_H` are already defined! Thus, we never ned up including
-      # `<bits/waitflags.h>` and defining `WUNTRACED`.
-      #
-      # This hacks around this by manually including `WUNTRACED` until
-      # the problem is fixed properly in glibc.
-      ./rpcgen-glibc-hack.patch
-    ];
-  };
-
-  gencat = mkDerivation {
-    path = "usr.bin/gencat";
-  };
-
-  file2c = mkDerivation {
-    path = "usr.bin/file2c";
-    MK_TESTS = "no";
-  };
-
-  libnv = mkDerivation {
-    path = "lib/libnv";
-    extraPaths = [
-      "sys/contrib/libnv"
-      "sys/sys"
-    ];
-    MK_TESTS = "no";
-  };
-
-  libsbuf = mkDerivation {
-    path = "lib/libsbuf";
-    extraPaths = [
-      "sys/kern"
-    ];
-    MK_TESTS = "no";
-  };
-
-  libelf = mkDerivation {
-    path = "lib/libelf";
-    extraPaths = [
-      "contrib/elftoolchain/libelf"
-      "contrib/elftoolchain/common"
-      "sys/sys/elf32.h"
-      "sys/sys/elf64.h"
-      "sys/sys/elf_common.h"
-    ];
-    BOOTSTRAPPING = !stdenv.isFreeBSD;
-    nativeBuildInputs = with buildPackages.freebsd; [
-      bsdSetupHook freebsdSetupHook
-      makeMinimal install mandoc groff
-
-      m4
-    ];
-    MK_TESTS = "no";
-  };
-
-  libdwarf = mkDerivation {
-    path = "lib/libdwarf";
-    extraPaths = [
-      "contrib/elftoolchain/libdwarf"
-      "contrib/elftoolchain/common"
-      "sys/sys/elf32.h"
-      "sys/sys/elf64.h"
-      "sys/sys/elf_common.h"
-    ];
-    nativeBuildInputs = with buildPackages.freebsd; [
-      bsdSetupHook freebsdSetupHook
-      makeMinimal install mandoc groff
-
-      m4
-    ];
-    buildInputs = with self; compatIfNeeded ++ [
-      libelf
-    ];
-    MK_TESTS = "no";
-  };
-
-  uudecode = mkDerivation {
-    path = "usr.bin/uudecode";
-    MK_TESTS = "no";
-  };
-
-  config = mkDerivation {
-    path = "usr.sbin/config";
-    nativeBuildInputs = with buildPackages.freebsd; [
-      bsdSetupHook freebsdSetupHook
-      makeMinimal install mandoc groff
-
-      flex byacc file2c
-    ];
-    buildInputs = with self; compatIfNeeded ++ [ libnv libsbuf ];
-  };
-  ##
-  ## END COMMAND LINE TOOLS
-  ##
-
-  ##
-  ## START HEADERS
-  ##
-  include = mkDerivation {
-    path = "include";
-
-    extraPaths = [
-      "contrib/libc-vis"
-      "etc/mtree/BSD.include.dist"
-      "sys"
-    ];
-
-    nativeBuildInputs = with buildPackages.freebsd; [
-      bsdSetupHook freebsdSetupHook
-      makeMinimal
-      install
-      mandoc groff rsync /*nbperf*/ rpcgen
-
-      # HACK use NetBSD's for now
-      buildPackages.netbsd.mtree
-    ];
-
-    patches = [
-      ./no-perms-BSD.include.dist.patch
-    ];
-
-    # The makefiles define INCSDIR per subdirectory, so we have to set
-    # something else on the command line so those definitions aren't
-    # overridden.
-    postPatch = ''
-      find "$BSDSRCDIR" -name Makefile -exec \
-        sed -i -E \
-          -e 's_/usr/include_''${INCSDIR0}_' \
-          {} \;
-    '';
-
-    makeFlags = [
-      "RPCGEN_CPP=${buildPackages.stdenv.cc.cc}/bin/cpp"
-    ];
-
-    # multiple header dirs, see above
-    postConfigure = ''
-      makeFlags=''${makeFlags/INCSDIR/INCSDIR0}
-    '';
-
-    headersOnly = true;
-
-    MK_HESIOD = "yes";
-
-    meta.platforms = lib.platforms.freebsd;
-  };
-
-  ##
-  ## END HEADERS
-  ##
-
-  csu = mkDerivation {
-    path = "lib/csu";
-    extraPaths = with self; [
-      "lib/Makefile.inc"
-      "lib/libc/include/libc_private.h"
-    ];
-    nativeBuildInputs = with buildPackages.freebsd; [
-      bsdSetupHook freebsdSetupHook
-      makeMinimal
-      install
-
-      flex byacc gencat
-    ];
-    buildInputs = with self; [ include ];
-    MK_TESTS = "no";
-    meta.platforms = lib.platforms.freebsd;
-  };
-
-  libc = mkDerivation rec {
-    pname = "libc";
-    path = "lib/libc";
-    extraPaths = [
-      "etc/group"
-      "etc/master.passwd"
-      "etc/shells"
-      "lib/libmd"
-      "lib/libutil"
-      "lib/msun"
-      "sys/kern"
-      "sys/libkern"
-      "sys/sys"
-      "sys/crypto/chacha20"
-      "include/rpcsvc"
-      "contrib/jemalloc"
-      "contrib/gdtoa"
-      "contrib/libc-pwcache"
-      "contrib/libc-vis"
-      "contrib/tzcode/stdtime"
-
-      # libthr
-      "lib/libthr"
-      "lib/libthread_db"
-      "libexec/rtld-elf"
-
-      # librpcsvc
-      "lib/librpcsvc"
-
-      # librt
-      "lib/librt"
-
-      # libcrypt
-      "lib/libcrypt"
-      "lib/libmd"
-      "sys/crypto/sha2"
-    ];
-
-    patches = [
-      # Hack around broken propogating MAKEFLAGS to submake, just inline logic
-      ./libc-msun-arch-subdir.patch
-
-      # Don't force -lcompiler-rt, we don't actually call it that
-      ./libc-no-force--lcompiler-rt.patch
-
-      # Fix extra include dir to get rpcsvc headers.
-      ./librpcsvc-include-subdir.patch
-    ];
-
-    postPatch = ''
-      substituteInPlace $COMPONENT_PATH/Makefile --replace '.include <src.opts.mk>' ""
-    '';
-
-    nativeBuildInputs = with buildPackages.freebsd; [
-      bsdSetupHook freebsdSetupHook
-      makeMinimal
-      install
-
-      flex byacc gencat rpcgen
-    ];
-    buildInputs = with self; [ include csu ];
-    env.NIX_CFLAGS_COMPILE = "-B${self.csu}/lib";
-
-    # Suppress lld >= 16 undefined version errors
-    # https://github.com/freebsd/freebsd-src/commit/2ba84b4bcdd6012e8cfbf8a0d060a4438623a638
-    env.NIX_LDFLAGS = lib.optionalString (stdenv.targetPlatform.linker == "lld") "--undefined-version";
-
-    makeFlags = [
-      "STRIP=-s" # flag to install, not command
-      # lib/libc/gen/getgrent.c has sketchy cast from `void *` to enum
-      "MK_WERROR=no"
-    ];
-
-    MK_SYMVER = "yes";
-    MK_SSP = "yes";
-    MK_NLS = "yes";
-    MK_ICONV = "no"; # TODO make srctop
-    MK_NS_CACHING = "yes";
-    MK_INET6_SUPPORT = "yes";
-    MK_HESIOD = "yes";
-    MK_NIS = "yes";
-    MK_HYPERV = "yes";
-    MK_FP_LIBC = "yes";
-
-    MK_TCSH = "no";
-    MK_MALLOC_PRODUCTION = "yes";
-
-    MK_TESTS = "no";
-
-    postInstall = ''
-      pushd ${self.include}
-      find . -type d -exec mkdir -p $out/\{} \;
-      find . \( -type f -o -type l \) -exec cp -pr \{} $out/\{} \;
-      popd
-
-      pushd ${self.csu}
-      find . -type d -exec mkdir -p $out/\{} \;
-      find . \( -type f -o -type l \) -exec cp -pr \{} $out/\{} \;
-      popd
-
-      sed -i -e 's| [^ ]*/libc_nonshared.a||' $out/lib/libc.so
-
-      $CC -nodefaultlibs -lgcc -shared -o $out/lib/libgcc_s.so
-
-      NIX_CFLAGS_COMPILE+=" -B$out/lib"
-      NIX_CFLAGS_COMPILE+=" -I$out/include"
-      NIX_LDFLAGS+=" -L$out/lib"
-
-      make -C $BSDSRCDIR/lib/libthr $makeFlags
-      make -C $BSDSRCDIR/lib/libthr $makeFlags install
-
-      make -C $BSDSRCDIR/lib/msun $makeFlags
-      make -C $BSDSRCDIR/lib/msun $makeFlags install
-
-      make -C $BSDSRCDIR/lib/librpcsvc $makeFlags
-      make -C $BSDSRCDIR/lib/librpcsvc $makeFlags install
-
-      make -C $BSDSRCDIR/lib/libutil $makeFlags
-      make -C $BSDSRCDIR/lib/libutil $makeFlags install
-
-      make -C $BSDSRCDIR/lib/librt $makeFlags
-      make -C $BSDSRCDIR/lib/librt $makeFlags install
-
-      make -C $BSDSRCDIR/lib/libcrypt $makeFlags
-      make -C $BSDSRCDIR/lib/libcrypt $makeFlags install
-    '';
-
-    meta.platforms = lib.platforms.freebsd;
-  };
-
-  ##
-  ## Kernel
-  ##
-
-  libspl = mkDerivation {
-    path = "cddl/lib/libspl";
-    extraPaths = [
-      "sys/contrib/openzfs/lib/libspl"
-      "sys/contrib/openzfs/include"
-
-      "cddl/compat/opensolaris/include"
-      "sys/contrib/openzfs/module/icp/include"
-      "sys/modules/zfs"
-    ];
-    # nativeBuildInputs = with buildPackages.freebsd; [
-    #   bsdSetupHook freebsdSetupHook
-    #   makeMinimal install mandoc groff
-
-    #   flex byacc file2c
-    # ];
-    # buildInputs = with self; compatIfNeeded ++ [ libnv libsbuf ];
-    meta.license = lib.licenses.cddl;
-  };
-
-  ctfconvert = mkDerivation {
-    path = "cddl/usr.bin/ctfconvert";
-    extraPaths = [
-      "cddl/compat/opensolaris"
-      "cddl/contrib/opensolaris"
-      "sys/cddl/compat/opensolaris"
-      "sys/cddl/contrib/opensolaris"
-      "sys/contrib/openzfs"
-    ];
-    OPENSOLARIS_USR_DISTDIR = "$(SRCTOP)/cddl/contrib/opensolaris";
-    OPENSOLARIS_SYS_DISTDIR = "$(SRCTOP)/sys/cddl/contrib/opensolaris";
-    nativeBuildInputs = with buildPackages.freebsd; [
-      bsdSetupHook freebsdSetupHook
-      makeMinimal install mandoc groff
-
-      # flex byacc file2c
-    ];
-    buildInputs = with self; compatIfNeeded ++ [
-      libelf libdwarf zlib libspl
-    ];
-    meta.license = lib.licenses.cddl;
-  };
-
-  xargs-j = substituteAll {
-    name = "xargs-j";
-    shell = runtimeShell;
-    src = ../xargs-j.sh;
-    dir = "bin";
-    isExecutable = true;
-  };
-
-  sys = mkDerivation (let
-    cfg = "MINIMAL";
-  in rec {
-    path = "sys";
-
-    nativeBuildInputs = with buildPackages.freebsd; [
-      bsdSetupHook freebsdSetupHook
-      makeMinimal install mandoc groff
-
-      config rpcgen file2c gawk uudecode xargs-j
-      #ctfconvert
-    ];
-
-    patches = [
-      ./sys-gnu-date.patch
-      ./sys-no-explicit-intrinsics-dep.patch
-    ];
-
-    # --dynamic-linker /red/herring is used when building the kernel.
-    NIX_ENFORCE_PURITY = 0;
-
-    AWK = "${buildPackages.gawk}/bin/awk";
-
-    CWARNEXTRA = "-Wno-error=shift-negative-value -Wno-address-of-packed-member";
-
-    MK_CTF = "no";
-
-    KODIR = "${builtins.placeholder "out"}/kernel";
-    KMODDIR = "${builtins.placeholder "out"}/kernel";
-    DTBDIR = "${builtins.placeholder"out"}/dbt";
-
-    KERN_DEBUGDIR = "${builtins.placeholder "out"}/debug";
-    KERN_DEBUGDIR_KODIR = "${KERN_DEBUGDIR}/kernel";
-    KERN_DEBUGDIR_KMODDIR = "${KERN_DEBUGDIR}/kernel";
-
-    skipIncludesPhase = true;
-
-    configurePhase = ''
-      runHook preConfigure
-
-      for f in conf/kmod.mk contrib/dev/acpica/acpica_prep.sh; do
-        substituteInPlace "$f" --replace 'xargs -J' 'xargs-j '
-      done
-
-      for f in conf/*.mk; do
-        substituteInPlace "$f" --replace 'KERN_DEBUGDIR}''${' 'KERN_DEBUGDIR_'
-      done
-
-      cd ${mkBsdArch stdenv}/conf
-      sed -i ${cfg} \
-        -e 's/WITH_CTF=1/WITH_CTF=0/' \
-        -e '/KDTRACE/d'
-      config ${cfg}
-
-      runHook postConfigure
-    '';
-    preBuild = ''
-      cd ../compile/${cfg}
-    '';
-  });
-
-});
+in
+{
+  freebsd = callFreeBSDWithAttrs { };
+  freebsdCross = callFreeBSDWithAttrs { stdenv = crossLibcStdenv; };
 }
diff --git a/pkgs/os-specific/bsd/freebsd/evdev-proto/default.nix b/pkgs/os-specific/bsd/freebsd/evdev-proto/default.nix
index b6dab0d8bdfc5..6696d12912e68 100644
--- a/pkgs/os-specific/bsd/freebsd/evdev-proto/default.nix
+++ b/pkgs/os-specific/bsd/freebsd/evdev-proto/default.nix
@@ -1,4 +1,11 @@
-{ lib, stdenv, linuxHeaders, freebsd, runCommandCC, buildPackages }:
+{
+  lib,
+  stdenv,
+  linuxHeaders,
+  freebsd,
+  runCommandCC,
+  buildPackages,
+}:
 
 stdenv.mkDerivation {
   pname = "evdev-proto";
@@ -28,12 +35,12 @@ stdenv.mkDerivation {
   TOUCH = "touch";
   XARGS = "xargs";
 
-  ABI_FILE = runCommandCC "abifile" {} "$CC -shared -o $out";
+  ABI_FILE = runCommandCC "abifile" { } "$CC -shared -o $out";
   CLEAN_FETCH_ENV = true;
   INSTALL_AS_USER = true;
   NO_CHECKSUM = true;
   NO_MTREE = true;
-  SRC_BASE = freebsd.freebsdSrc;
+  SRC_BASE = freebsd.source;
 
   preUnpack = ''
     export MAKE_JOBS_NUMBER="$NIX_BUILD_CORES"
diff --git a/pkgs/os-specific/bsd/freebsd/lib/default.nix b/pkgs/os-specific/bsd/freebsd/lib/default.nix
new file mode 100644
index 0000000000000..d022f7cfa14c6
--- /dev/null
+++ b/pkgs/os-specific/bsd/freebsd/lib/default.nix
@@ -0,0 +1,18 @@
+{ version }:
+
+{
+  inherit version;
+
+  mkBsdArch =
+    stdenv':
+    {
+      x86_64 = "amd64";
+      aarch64 = "arm64";
+      i486 = "i386";
+      i586 = "i386";
+      i686 = "i386";
+    }
+    .${stdenv'.hostPlatform.parsed.cpu.name} or stdenv'.hostPlatform.parsed.cpu.name;
+
+  install-wrapper = builtins.readFile ../../lib/install-wrapper.sh;
+}
diff --git a/pkgs/os-specific/bsd/freebsd/package-set.nix b/pkgs/os-specific/bsd/freebsd/package-set.nix
new file mode 100644
index 0000000000000..4ff6cb2102490
--- /dev/null
+++ b/pkgs/os-specific/bsd/freebsd/package-set.nix
@@ -0,0 +1,96 @@
+{
+  stdenv,
+  lib,
+  stdenvNoCC,
+  fetchzip,
+  sourceData,
+  versionData,
+  buildFreebsd,
+  patchesRoot,
+}:
+
+self:
+
+lib.packagesFromDirectoryRecursive {
+  callPackage = self.callPackage;
+  directory = ./pkgs;
+}
+// {
+  inherit sourceData patchesRoot versionData;
+  patches = ./patches + "/${self.versionData.revision}";
+
+  # Keep the crawled portion of Nixpkgs finite.
+  buildFreebsd = lib.dontRecurseIntoAttrs buildFreebsd;
+
+  ports = fetchzip {
+    url = "https://cgit.freebsd.org/ports/snapshot/ports-dde3b2b456c3a4bdd217d0bf3684231cc3724a0a.tar.gz";
+    sha256 = "BpHqJfnGOeTE7tkFJBx0Wk8ryalmf4KNTit/Coh026E=";
+  };
+
+  compatIsNeeded = !stdenvNoCC.hostPlatform.isFreeBSD;
+  compatIfNeeded = lib.optional self.compatIsNeeded self.compat;
+  freebsd-lib = import ./lib {
+    version = lib.concatStringsSep "." (
+      map toString (
+        lib.filter (x: x != null) [
+          self.versionData.major
+          self.versionData.minor
+          self.versionData.patch or null
+        ]
+      )
+    );
+  };
+
+  # The manual callPackages below should in principle be unnecessary, but are
+  # necessary. See note in ../netbsd/default.nix
+
+  compat = self.callPackage ./pkgs/compat/package.nix {
+    inherit stdenv;
+    inherit (buildFreebsd) makeMinimal;
+  };
+
+  csu = self.callPackage ./pkgs/csu.nix {
+    inherit (buildFreebsd) makeMinimal install gencat;
+    inherit (self) include;
+  };
+
+  include = self.callPackage ./pkgs/include/package.nix { inherit (buildFreebsd) rpcgen mtree; };
+
+  install = self.callPackage ./pkgs/install.nix {
+    inherit (buildFreebsd) makeMinimal;
+    inherit (self) libmd libnetbsd;
+  };
+
+  libc = self.callPackage ./pkgs/libc/package.nix {
+    inherit (buildFreebsd)
+      makeMinimal
+      install
+      gencat
+      rpcgen
+      mkcsmapper
+      mkesdb
+      ;
+    inherit (self) csu include;
+  };
+
+  libnetbsd = self.callPackage ./pkgs/libnetbsd/package.nix { inherit (buildFreebsd) makeMinimal; };
+
+  libmd = self.callPackage ./pkgs/libmd.nix { inherit (buildFreebsd) makeMinimal; };
+
+  mkDerivation = self.callPackage ./pkgs/mkDerivation.nix {
+    inherit stdenv;
+    inherit (buildFreebsd)
+      freebsdSetupHook
+      makeMinimal
+      install
+      tsort
+      lorder
+      ;
+  };
+
+  makeMinimal = self.callPackage ./pkgs/makeMinimal.nix { inherit (self) make; };
+
+  mtree = self.callPackage ./pkgs/mtree.nix { inherit (self) libnetbsd libmd; };
+
+  tsort = self.callPackage ./pkgs/tsort.nix { inherit (buildFreebsd) makeMinimal install; };
+}
diff --git a/pkgs/os-specific/bsd/freebsd/compat-fix-typedefs-locations.patch b/pkgs/os-specific/bsd/freebsd/patches/13.1/compat-fix-typedefs-locations.patch
index 3336a2504e584..3336a2504e584 100644
--- a/pkgs/os-specific/bsd/freebsd/compat-fix-typedefs-locations.patch
+++ b/pkgs/os-specific/bsd/freebsd/patches/13.1/compat-fix-typedefs-locations.patch
diff --git a/pkgs/os-specific/bsd/freebsd/compat-install-dirs.patch b/pkgs/os-specific/bsd/freebsd/patches/13.1/compat-install-dirs.patch
index 9bb2bea32ee98..9bb2bea32ee98 100644
--- a/pkgs/os-specific/bsd/freebsd/compat-install-dirs.patch
+++ b/pkgs/os-specific/bsd/freebsd/patches/13.1/compat-install-dirs.patch
diff --git a/pkgs/os-specific/bsd/freebsd/libc-msun-arch-subdir.patch b/pkgs/os-specific/bsd/freebsd/patches/13.1/libc-msun-arch-subdir.patch
index 4a69e85a986a0..4a69e85a986a0 100644
--- a/pkgs/os-specific/bsd/freebsd/libc-msun-arch-subdir.patch
+++ b/pkgs/os-specific/bsd/freebsd/patches/13.1/libc-msun-arch-subdir.patch
diff --git a/pkgs/os-specific/bsd/freebsd/libc-no-force--lcompiler-rt.patch b/pkgs/os-specific/bsd/freebsd/patches/13.1/libc-no-force--lcompiler-rt.patch
index 60176fb73cf76..60176fb73cf76 100644
--- a/pkgs/os-specific/bsd/freebsd/libc-no-force--lcompiler-rt.patch
+++ b/pkgs/os-specific/bsd/freebsd/patches/13.1/libc-no-force--lcompiler-rt.patch
diff --git a/pkgs/os-specific/bsd/freebsd/libnetbsd-do-install.patch b/pkgs/os-specific/bsd/freebsd/patches/13.1/libnetbsd-do-install.patch
index a7bd032d2be54..a7bd032d2be54 100644
--- a/pkgs/os-specific/bsd/freebsd/libnetbsd-do-install.patch
+++ b/pkgs/os-specific/bsd/freebsd/patches/13.1/libnetbsd-do-install.patch
diff --git a/pkgs/os-specific/bsd/freebsd/librpcsvc-include-subdir.patch b/pkgs/os-specific/bsd/freebsd/patches/13.1/librpcsvc-include-subdir.patch
index 38e06682869fb..38e06682869fb 100644
--- a/pkgs/os-specific/bsd/freebsd/librpcsvc-include-subdir.patch
+++ b/pkgs/os-specific/bsd/freebsd/patches/13.1/librpcsvc-include-subdir.patch
diff --git a/pkgs/os-specific/bsd/freebsd/patches/13.1/mtree-Makefile.patch b/pkgs/os-specific/bsd/freebsd/patches/13.1/mtree-Makefile.patch
new file mode 100644
index 0000000000000..2a6e560d1d287
--- /dev/null
+++ b/pkgs/os-specific/bsd/freebsd/patches/13.1/mtree-Makefile.patch
@@ -0,0 +1,13 @@
+--- a/contrib/mtree/Makefile	2023-12-04 23:02:13.919144141 -0700
++++ b/contrib/mtree/Makefile		2023-12-04 23:02:58.371810109 -0700
+@@ -10,8 +10,8 @@
+ SRCS=  compare.c crc.c create.c excludes.c misc.c mtree.c spec.c specspec.c \
+        verify.c getid.c pack_dev.c only.c
+ .if (${HOSTPROG:U} == "")
+-DPADD+= ${LIBUTIL}
+-LDADD+= -lutil
++LIBADD+= ${LIBUTIL}
++#LIBADD+= -lutil
+ .endif
+
+ CPPFLAGS+=	-I${NETBSDSRCDIR}/sbin/mknod
diff --git a/pkgs/os-specific/bsd/freebsd/no-perms-BSD.include.dist.patch b/pkgs/os-specific/bsd/freebsd/patches/13.1/no-perms-BSD.include.dist.patch
index 985617ee0f457..985617ee0f457 100644
--- a/pkgs/os-specific/bsd/freebsd/no-perms-BSD.include.dist.patch
+++ b/pkgs/os-specific/bsd/freebsd/patches/13.1/no-perms-BSD.include.dist.patch
diff --git a/pkgs/os-specific/bsd/freebsd/sys-gnu-date.patch b/pkgs/os-specific/bsd/freebsd/patches/13.1/sys-gnu-date.patch
index 2356446baf853..2356446baf853 100644
--- a/pkgs/os-specific/bsd/freebsd/sys-gnu-date.patch
+++ b/pkgs/os-specific/bsd/freebsd/patches/13.1/sys-gnu-date.patch
diff --git a/pkgs/os-specific/bsd/freebsd/sys-no-explicit-intrinsics-dep.patch b/pkgs/os-specific/bsd/freebsd/patches/13.1/sys-no-explicit-intrinsics-dep.patch
index edf44de5bb0d7..edf44de5bb0d7 100644
--- a/pkgs/os-specific/bsd/freebsd/sys-no-explicit-intrinsics-dep.patch
+++ b/pkgs/os-specific/bsd/freebsd/patches/13.1/sys-no-explicit-intrinsics-dep.patch
diff --git a/pkgs/os-specific/bsd/freebsd/patches/14.0/bmake-no-compiler-rt.patch b/pkgs/os-specific/bsd/freebsd/patches/14.0/bmake-no-compiler-rt.patch
new file mode 100644
index 0000000000000..f43d87c01e549
--- /dev/null
+++ b/pkgs/os-specific/bsd/freebsd/patches/14.0/bmake-no-compiler-rt.patch
@@ -0,0 +1,11 @@
+--- a/share/mk/src.libnames.mk	2023-12-21 23:56:50.767042385 -0800
++++ b/share/mk/src.libnames.mk	2023-12-21 23:56:39.671089506 -0800
+@@ -392,7 +392,7 @@
+ _DP_ztest=	geom m nvpair umem zpool pthread avl zfs_core spl zutil zfs uutil icp
+ # The libc dependencies are not strictly needed but are defined to make the
+ # assert happy.
+-_DP_c=		compiler_rt
++_DP_c=		
+ # Use libssp_nonshared only on i386 and power*.  Other archs emit direct calls
+ # to __stack_chk_fail, not __stack_chk_fail_local provided by libssp_nonshared.
+ .if ${MK_SSP} != "no" && \
diff --git a/pkgs/os-specific/bsd/freebsd/patches/14.0/compat-fix-typedefs-locations.patch b/pkgs/os-specific/bsd/freebsd/patches/14.0/compat-fix-typedefs-locations.patch
new file mode 100644
index 0000000000000..3336a2504e584
--- /dev/null
+++ b/pkgs/os-specific/bsd/freebsd/patches/14.0/compat-fix-typedefs-locations.patch
@@ -0,0 +1,32 @@
+--- a/tools/build/cross-build/include/common/sys/_types.h
++++ b/tools/build/cross-build/include/common/sys/_types.h
+@@ -47,3 +47,6 @@
+  * Neither GLibc nor macOS define __va_list but many FreeBSD headers require it.
+  */
+ typedef __builtin_va_list __va_list;
++
++typedef __UINTPTR_TYPE__ __uintptr_t;
++typedef __INTPTR_TYPE__ __intptr_t;
+--- a/tools/build/cross-build/include/common/sys/types.h
++++ b/tools/build/cross-build/include/common/sys/types.h
+@@ -49,9 +49,6 @@
+ #include <sys/sysmacros.h>
+ #endif
+ 
+-typedef __UINTPTR_TYPE__ __uintptr_t;
+-typedef __INTPTR_TYPE__ __intptr_t;
+-
+ /* needed for gencat */
+ typedef int __nl_item;
+ 
+--- a/tools/build/cross-build/include/linux/sys/types.h
++++ b/tools/build/cross-build/include/linux/sys/types.h
+@@ -39,6 +39,8 @@
+ 
+ #include_next <sys/types.h>
+ 
++#include <sys/_types.h>
++
+ #ifndef __size_t
+ typedef __SIZE_TYPE__ __size_t;
+ #endif
diff --git a/pkgs/os-specific/bsd/freebsd/patches/14.0/compat-install-dirs.patch b/pkgs/os-specific/bsd/freebsd/patches/14.0/compat-install-dirs.patch
new file mode 100644
index 0000000000000..4bc21cf8eb147
--- /dev/null
+++ b/pkgs/os-specific/bsd/freebsd/patches/14.0/compat-install-dirs.patch
@@ -0,0 +1,40 @@
+diff --git a/tools/build/Makefile b/tools/build/Makefile
+index 948a5f9dfdb..592af84eeae 100644
+--- a/tools/build/Makefile
++++ b/tools/build/Makefile
+@@ -327,14 +327,14 @@ host-symlinks:
+ # and cross-tools stages. We do this here using mkdir since mtree may not exist
+ # yet (this happens if we are crossbuilding from Linux/Mac).
+ INSTALLDIR_LIST= \
+-	bin \
+-	lib/geom \
+-	usr/include/casper \
+-	usr/include/private/ucl \
+-	usr/include/private/zstd \
+-	usr/lib \
+-	usr/libdata/pkgconfig \
+-	usr/libexec
++	${BINDIR} \
++	${LIBDIR}/geom \
++	${INCLUDEDIR}/casper \
++	${INCLUDEDIR}/private/ucl \
++	${INCLUDEDIR}/private/zstd \
++	${LIBDIR} \
++	${LIBDIR}/libdata/pkgconfig \
++	${LIBEXECDIR}
+ 
+ installdirs:
+ 	mkdir -p ${INSTALLDIR_LIST:S,^,${DESTDIR}/,}
+@@ -352,9 +352,9 @@ installdirs:
+ 	    rm -rf "${DESTDIR}/${_dir}"; \
+ 	fi
+ .endfor
+-	ln -sfn bin ${DESTDIR}/sbin
+-	ln -sfn ../bin ${DESTDIR}/usr/bin
+-	ln -sfn ../bin ${DESTDIR}/usr/sbin
++	ln -sfn bin ${DESTDIR}/${SBINDIR}
++	ln -sfn ../bin ${DESTDIR}/${BINDIR}
++	ln -sfn ../bin ${DESTDIR}/${SBINDIR}
+ .for _group in ${INCSGROUPS:NINCS}
+ 	mkdir -p "${DESTDIR}/${${_group}DIR}"
+ .endfor
diff --git a/pkgs/os-specific/bsd/freebsd/patches/14.0/install-bootstrap-Makefile.patch b/pkgs/os-specific/bsd/freebsd/patches/14.0/install-bootstrap-Makefile.patch
new file mode 100644
index 0000000000000..a69c5501ddd16
--- /dev/null
+++ b/pkgs/os-specific/bsd/freebsd/patches/14.0/install-bootstrap-Makefile.patch
@@ -0,0 +1,11 @@
+--- a/usr.bin/xinstall/Makefile	2023-09-23 19:18:49.165192183 -0700
++++ b/usr.bin/xinstall/Makefile	2023-12-06 17:06:57.836888028 -0700
+@@ -14,7 +14,7 @@
+ CFLAGS+=	-I${SRCTOP}/lib/libnetbsd
+ 
+ LIBADD=		md
+-CFLAGS+=	-DWITH_MD5 -DWITH_RIPEMD160
++CFLAGS+=		-I${BSDSRCDIR}/contrib/libc-vis -I${BSDSRCDIR}/lib/libnetbsd
+ 
+ .ifdef BOOTSTRAPPING
+ # For the bootstrap we disable copy_file_range()
diff --git a/pkgs/os-specific/bsd/freebsd/patches/14.0/libc-msun-arch-subdir.patch b/pkgs/os-specific/bsd/freebsd/patches/14.0/libc-msun-arch-subdir.patch
new file mode 100644
index 0000000000000..4a69e85a986a0
--- /dev/null
+++ b/pkgs/os-specific/bsd/freebsd/patches/14.0/libc-msun-arch-subdir.patch
@@ -0,0 +1,11 @@
+--- a/lib/libc/Makefile
++++ b/lib/libc/Makefile
+@@ -194,7 +194,7 @@ SUBDIR.${MK_TESTS}+= tests
+ # recording a build dependency
+ CFLAGS+= -I${SRCTOP}/lib/libutil
+ # Same issue with libm
+-MSUN_ARCH_SUBDIR != ${MAKE} -B -C ${SRCTOP}/lib/msun -V ARCH_SUBDIR
++MSUN_ARCH_SUBDIR = ${MACHINE_CPUARCH:S/i386/i387/}
+ # unfortunately msun/src contains both private and public headers
+ CFLAGS+= -I${SRCTOP}/lib/msun/${MSUN_ARCH_SUBDIR}
+ .if ${MACHINE_CPUARCH} == "i386" || ${MACHINE_CPUARCH} == "amd64"
diff --git a/pkgs/os-specific/bsd/freebsd/patches/14.0/libc-no-force--lcompiler-rt.patch b/pkgs/os-specific/bsd/freebsd/patches/14.0/libc-no-force--lcompiler-rt.patch
new file mode 100644
index 0000000000000..60176fb73cf76
--- /dev/null
+++ b/pkgs/os-specific/bsd/freebsd/patches/14.0/libc-no-force--lcompiler-rt.patch
@@ -0,0 +1,10 @@
+--- a/lib/libc/Makefile
++++ b/lib/libc/Makefile
+@@ -58,7 +58,6 @@ CFLAGS+=${CANCELPOINTS_CFLAGS}
+ # Link with static libcompiler_rt.a.
+ #
+ LDFLAGS+= -nodefaultlibs
+-LIBADD+=	compiler_rt
+ 
+ .if ${MK_SSP} != "no" && \
+     (${LIBC_ARCH} == "i386" || ${MACHINE_ARCH:Mpower*} != "")
diff --git a/pkgs/os-specific/bsd/freebsd/patches/14.0/libnetbsd-do-install.patch b/pkgs/os-specific/bsd/freebsd/patches/14.0/libnetbsd-do-install.patch
new file mode 100644
index 0000000000000..a7bd032d2be54
--- /dev/null
+++ b/pkgs/os-specific/bsd/freebsd/patches/14.0/libnetbsd-do-install.patch
@@ -0,0 +1,32 @@
+diff --git a/Makefile b/Makefile
+index 22710f3d933..22effc848cf 100644
+--- a/lib/libnetbsd/Makefile
++++ b/lib/libnetbsd/Makefile
+@@ -9,6 +9,26 @@ CFLAGS+=	-I${.CURDIR}
+ 
+ SRCS+=	efun.c sockaddr_snprintf.c strsuftoll.c util.c util.h
+ 
+-INTERNALLIB=
++INCSGROUPS= INCS SYSINCS NETINETINCS
++
++INCS+= \
++	glob.h \
++	pthread.h \
++	rmd160.h \
++	sha1.h \
++	sha2.h \
++	stdlib.h \
++	util.h
++
++SYSINCSDIR= ${INCLUDEDIR}/sys
++SYSINCS+= \
++	sys/cdefs.h \
++	sys/event.h \
++	sys/types.h \
++	sys/wait.h
++
++NETINETINCSDIR= ${INCLUDEDIR}/netinet
++NETINETINCS+= \
++	netinet/in.h
+ 
+ .include <bsd.lib.mk>
diff --git a/pkgs/os-specific/bsd/freebsd/patches/14.0/librpcsvc-include-subdir.patch b/pkgs/os-specific/bsd/freebsd/patches/14.0/librpcsvc-include-subdir.patch
new file mode 100644
index 0000000000000..38e06682869fb
--- /dev/null
+++ b/pkgs/os-specific/bsd/freebsd/patches/14.0/librpcsvc-include-subdir.patch
@@ -0,0 +1,11 @@
+--- a/lib/librpcsvc/Makefile
++++ b/lib/librpcsvc/Makefile
+@@ -20,7 +20,7 @@ OTHERSRCS+= yp_passwd.c yp_update.c
+ 
+ RPCCOM=	RPCGEN_CPP=${CPP:Q} rpcgen -C
+ 
+-INCDIRS= -I${SYSROOT:U${DESTDIR}}/usr/include/rpcsvc
++INCDIRS= -I${INCLUDEDIR}/rpcsvc
+ 
+ CFLAGS+= -DYP ${INCDIRS}
+ 
diff --git a/pkgs/os-specific/bsd/freebsd/patches/14.0/mtree-Makefile.patch b/pkgs/os-specific/bsd/freebsd/patches/14.0/mtree-Makefile.patch
new file mode 100644
index 0000000000000..2a6e560d1d287
--- /dev/null
+++ b/pkgs/os-specific/bsd/freebsd/patches/14.0/mtree-Makefile.patch
@@ -0,0 +1,13 @@
+--- a/contrib/mtree/Makefile	2023-12-04 23:02:13.919144141 -0700
++++ b/contrib/mtree/Makefile		2023-12-04 23:02:58.371810109 -0700
+@@ -10,8 +10,8 @@
+ SRCS=  compare.c crc.c create.c excludes.c misc.c mtree.c spec.c specspec.c \
+        verify.c getid.c pack_dev.c only.c
+ .if (${HOSTPROG:U} == "")
+-DPADD+= ${LIBUTIL}
+-LDADD+= -lutil
++LIBADD+= ${LIBUTIL}
++#LIBADD+= -lutil
+ .endif
+
+ CPPFLAGS+=	-I${NETBSDSRCDIR}/sbin/mknod
diff --git a/pkgs/os-specific/bsd/freebsd/patches/14.0/no-perms-BSD.include.dist.patch b/pkgs/os-specific/bsd/freebsd/patches/14.0/no-perms-BSD.include.dist.patch
new file mode 100644
index 0000000000000..985617ee0f457
--- /dev/null
+++ b/pkgs/os-specific/bsd/freebsd/patches/14.0/no-perms-BSD.include.dist.patch
@@ -0,0 +1,11 @@
+--- a/etc/mtree/BSD.include.dist
++++ b/etc/mtree/BSD.include.dist
+@@ -3,7 +3,7 @@
+ # Please see the file src/etc/mtree/README before making changes to this file.
+ #
+ 
+-/set type=dir uname=root gname=wheel mode=0755
++/set type=dir
+ .
+     arpa
+     ..
diff --git a/pkgs/os-specific/bsd/freebsd/patches/14.0/rtld-no-force--lcompiler-rt.patch b/pkgs/os-specific/bsd/freebsd/patches/14.0/rtld-no-force--lcompiler-rt.patch
new file mode 100644
index 0000000000000..45f0d0c51eec0
--- /dev/null
+++ b/pkgs/os-specific/bsd/freebsd/patches/14.0/rtld-no-force--lcompiler-rt.patch
@@ -0,0 +1,10 @@
+--- a/libexec/rtld-elf/Makefile
++++ b/libexec/rtld-elf/Makefile
+@@ -86,7 +86,6 @@ 
+ 
+ # Some of the required math functions (div & mod) are implemented in
+ # libcompiler_rt on some architectures.
+-LIBADD+=	compiler_rt
+ 
+ .include <bsd.prog.mk>
+ ${PROG_FULL}:  ${VERSION_MAP}
diff --git a/pkgs/os-specific/bsd/freebsd/patches/14.0/sys-gnu-date.patch b/pkgs/os-specific/bsd/freebsd/patches/14.0/sys-gnu-date.patch
new file mode 100644
index 0000000000000..2356446baf853
--- /dev/null
+++ b/pkgs/os-specific/bsd/freebsd/patches/14.0/sys-gnu-date.patch
@@ -0,0 +1,13 @@
+diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
+index c594724d814..d5287c7b992 100644
+--- a/sys/conf/newvers.sh
++++ b/sys/conf/newvers.sh
+@@ -177,7 +177,7 @@ u=${USER:-root}
+ d=$(pwd)
+ h=${HOSTNAME:-$(hostname)}
+ if [ -n "$SOURCE_DATE_EPOCH" ]; then
+-	if ! t=$(date -r $SOURCE_DATE_EPOCH 2>/dev/null); then
++	if ! t=$(date -d @$SOURCE_DATE_EPOCH 2>/dev/null); then
+ 		echo "Invalid SOURCE_DATE_EPOCH" >&2
+ 		exit 1
+ 	fi
diff --git a/pkgs/os-specific/bsd/freebsd/patches/14.0/sys-no-explicit-intrinsics-dep.patch b/pkgs/os-specific/bsd/freebsd/patches/14.0/sys-no-explicit-intrinsics-dep.patch
new file mode 100644
index 0000000000000..5cf926d4519b2
--- /dev/null
+++ b/pkgs/os-specific/bsd/freebsd/patches/14.0/sys-no-explicit-intrinsics-dep.patch
@@ -0,0 +1,42 @@
+--- a/sys/modules/aesni/Makefile	2023-12-16 09:19:28.454892154 -0700
++++ b/sys/Modules/aesni/Makefile	2023-12-16 09:19:41.975047684 -0700
+@@ -1,6 +1,5 @@
+ 
+ .PATH: ${SRCTOP}/sys/crypto/aesni
+-.PATH: ${SRCTOP}/contrib/llvm-project/clang/lib/Headers
+ 
+ KMOD=	aesni
+ SRCS=	aesni.c
+@@ -39,8 +38,8 @@
+ aesni_ghash.o: aesni.h
+ aesni_wrap.o: aesni.h
+ aesni_ccm.o: aesni.h
+-intel_sha1.o: sha_sse.h immintrin.h shaintrin.h tmmintrin.h xmmintrin.h
+-intel_sha256.o: sha_sse.h immintrin.h shaintrin.h tmmintrin.h xmmintrin.h
++intel_sha1.o: sha_sse.h
++intel_sha256.o: sha_sse.h
+ 
+ .include <bsd.kmod.mk>
+ 
+diff --git a/sys/modules/blake2/Makefile b/sys/modules/blake2/Makefile
+index e4b3fb9f126..5bfd9c2ae02 100644
+--- a/sys/modules/blake2/Makefile
++++ b/sys/modules/blake2/Makefile
+@@ -3,7 +3,6 @@
+ .PATH:	${SRCTOP}/sys/contrib/libb2
+ .PATH:	${SRCTOP}/sys/crypto/blake2
+ .PATH:	${SRCTOP}/sys/opencrypto
+-.PATH:	${SRCTOP}/contrib/llvm-project/clang/lib/Headers
+ 
+ KMOD	= blake2
+ 
+@@ -64,8 +63,7 @@ ${src:S/.c/.o/}: ${src}
+ 	    -D_MM_MALLOC_H_INCLUDED -Wno-unused-function ${.IMPSRC}
+ 	${CTFCONVERT_CMD}
+ 
+-${src:S/.c/.o/}: intrin.h emmintrin.h tmmintrin.h smmintrin.h immintrin.h \
+-    x86intrin.h ${SRCS:M*.h}
++${src:S/.c/.o/}: ${SRCS:M*.h}
+ .endfor
+ 
+ # FreeBSD-specific sources:
diff --git a/pkgs/os-specific/bsd/freebsd/pkgs/boot-install.nix b/pkgs/os-specific/bsd/freebsd/pkgs/boot-install.nix
new file mode 100644
index 0000000000000..966489d9aef36
--- /dev/null
+++ b/pkgs/os-specific/bsd/freebsd/pkgs/boot-install.nix
@@ -0,0 +1,10 @@
+{ buildPackages, freebsd-lib }:
+
+# Wrap NetBSD's install
+buildPackages.writeShellScriptBin "boot-install" (
+  freebsd-lib.install-wrapper
+  + ''
+
+    ${buildPackages.netbsd.install}/bin/xinstall "''${args[@]}"
+  ''
+)
diff --git a/pkgs/os-specific/bsd/freebsd/compat-setup-hook.sh b/pkgs/os-specific/bsd/freebsd/pkgs/compat/compat-setup-hook.sh
index 6c3fda4e95ac9..6c3fda4e95ac9 100644
--- a/pkgs/os-specific/bsd/freebsd/compat-setup-hook.sh
+++ b/pkgs/os-specific/bsd/freebsd/pkgs/compat/compat-setup-hook.sh
diff --git a/pkgs/os-specific/bsd/freebsd/pkgs/compat/package.nix b/pkgs/os-specific/bsd/freebsd/pkgs/compat/package.nix
new file mode 100644
index 0000000000000..f597d6e3705b4
--- /dev/null
+++ b/pkgs/os-specific/bsd/freebsd/pkgs/compat/package.nix
@@ -0,0 +1,174 @@
+{
+  lib,
+  stdenv,
+  mkDerivation,
+  versionData,
+  bsdSetupHook,
+  freebsdSetupHook,
+  makeMinimal,
+  boot-install,
+  which,
+  freebsd-lib,
+  expat,
+  zlib,
+}:
+
+let
+  inherit (freebsd-lib) mkBsdArch;
+in
+
+mkDerivation {
+  pname = "compat";
+  path = "tools/build";
+  extraPaths =
+    [
+      "lib/libc/db"
+      "lib/libc/stdlib" # getopt
+      "lib/libc/gen" # getcap
+      "lib/libc/locale" # rpmatch
+    ]
+    ++ lib.optionals stdenv.hostPlatform.isLinux [
+      "lib/libc/string" # strlcpy
+      "lib/libutil"
+    ]
+    ++ [
+      "contrib/libc-pwcache"
+      "contrib/libc-vis"
+      "sys/libkern"
+      "sys/kern/subr_capability.c"
+
+      # Take only individual headers, or else we will clobber native libc, etc.
+
+      "sys/rpc/types.h"
+    ]
+    ++ lib.optionals (versionData.major == 14) [ "sys/sys/bitcount.h" ]
+    ++ [
+
+      # Listed in Makekfile as INC
+      "include/mpool.h"
+      "include/ndbm.h"
+      "include/err.h"
+      "include/stringlist.h"
+      "include/a.out.h"
+      "include/nlist.h"
+      "include/db.h"
+      "include/getopt.h"
+      "include/nl_types.h"
+      "include/elf.h"
+      "sys/sys/ctf.h"
+    ]
+    ++ lib.optionals (versionData.major == 14) [
+      "include/bitstring.h"
+      "sys/sys/bitstring.h"
+      "sys/sys/nv_namespace.h"
+    ]
+    ++ [
+
+      # Listed in Makekfile as SYSINC
+
+      "sys/sys/capsicum.h"
+      "sys/sys/caprights.h"
+      "sys/sys/imgact_aout.h"
+      "sys/sys/nlist_aout.h"
+      "sys/sys/nv.h"
+      "sys/sys/dnv.h"
+      "sys/sys/cnv.h"
+
+      "sys/sys/elf32.h"
+      "sys/sys/elf64.h"
+      "sys/sys/elf_common.h"
+      "sys/sys/elf_generic.h"
+      "sys/${mkBsdArch stdenv}/include"
+    ]
+    ++ lib.optionals stdenv.hostPlatform.isx86 [ "sys/x86/include" ]
+    ++ [
+
+      "sys/sys/queue.h"
+      "sys/sys/md5.h"
+      "sys/sys/sbuf.h"
+      "sys/sys/tree.h"
+      "sys/sys/font.h"
+      "sys/sys/consio.h"
+      "sys/sys/fnv_hash.h"
+      #"sys/sys/cdefs.h"
+      #"sys/sys/param.h"
+      "sys/sys/_null.h"
+      #"sys/sys/types.h"
+      "sys/sys/_pthreadtypes.h"
+      "sys/sys/_stdint.h"
+
+      "sys/crypto/chacha20/_chacha.h"
+      "sys/crypto/chacha20/chacha.h"
+      # included too, despite ".c"
+      "sys/crypto/chacha20/chacha.c"
+
+      "sys/fs"
+      "sys/ufs"
+      "sys/sys/disk"
+
+      "lib/libcapsicum"
+      "lib/libcasper"
+      "lib/libmd"
+
+      # idk bro
+      "sys/sys/kbio.h"
+    ];
+
+  preBuild =
+    ''
+      NIX_CFLAGS_COMPILE+=' -I../../include -I../../sys'
+
+      cp ../../sys/${mkBsdArch stdenv}/include/elf.h ../../sys/sys
+      cp ../../sys/${mkBsdArch stdenv}/include/elf.h ../../sys/sys/${mkBsdArch stdenv}
+    ''
+    + lib.optionalString stdenv.hostPlatform.isx86 ''
+      cp ../../sys/x86/include/elf.h ../../sys/x86
+    '';
+
+  setupHooks = [
+    ../../../../../build-support/setup-hooks/role.bash
+    ./compat-setup-hook.sh
+  ];
+
+  # This one has an ifdefed `#include_next` that makes it annoying.
+  postInstall = ''
+    rm ''${!outputDev}/0-include/libelf.h
+  '';
+
+  nativeBuildInputs = [
+    bsdSetupHook
+    freebsdSetupHook
+    makeMinimal
+    boot-install
+
+    which
+  ];
+  buildInputs = [
+    expat
+    zlib
+  ];
+
+  makeFlags = [
+    "STRIP=-s" # flag to install, not command
+    "MK_WERROR=no"
+    "HOST_INCLUDE_ROOT=${lib.getDev stdenv.cc.libc}/include"
+    "INSTALL=boot-install"
+  ];
+
+  preIncludes =
+    ''
+      mkdir -p $out/{0,1}-include
+      cp --no-preserve=mode -r cross-build/include/common/* $out/0-include
+    ''
+    + lib.optionalString stdenv.hostPlatform.isLinux ''
+      cp --no-preserve=mode -r cross-build/include/linux/* $out/1-include
+    ''
+    + lib.optionalString stdenv.hostPlatform.isDarwin ''
+      cp --no-preserve=mode -r cross-build/include/darwin/* $out/1-include
+    '';
+
+  # Compat is for making other platforms look like FreeBSD (e.g. to
+  # build build-time dependencies for building FreeBSD packages). It is
+  # not needed when building for FreeBSD.
+  meta.broken = stdenv.hostPlatform.isFreeBSD;
+}
diff --git a/pkgs/os-specific/bsd/freebsd/pkgs/config.nix b/pkgs/os-specific/bsd/freebsd/pkgs/config.nix
new file mode 100644
index 0000000000000..f7ba273ed5583
--- /dev/null
+++ b/pkgs/os-specific/bsd/freebsd/pkgs/config.nix
@@ -0,0 +1,35 @@
+{
+  mkDerivation,
+  bsdSetupHook,
+  freebsdSetupHook,
+  makeMinimal,
+  install,
+  mandoc,
+  groff,
+  flex,
+  byacc,
+  file2c,
+  compatIfNeeded,
+  libnv,
+  libsbuf,
+}:
+
+mkDerivation {
+  path = "usr.sbin/config";
+  nativeBuildInputs = [
+    bsdSetupHook
+    freebsdSetupHook
+    makeMinimal
+    install
+    mandoc
+    groff
+
+    flex
+    byacc
+    file2c
+  ];
+  buildInputs = compatIfNeeded ++ [
+    libnv
+    libsbuf
+  ];
+}
diff --git a/pkgs/os-specific/bsd/freebsd/pkgs/csu.nix b/pkgs/os-specific/bsd/freebsd/pkgs/csu.nix
new file mode 100644
index 0000000000000..0f74d78b1d13d
--- /dev/null
+++ b/pkgs/os-specific/bsd/freebsd/pkgs/csu.nix
@@ -0,0 +1,34 @@
+{
+  lib,
+  mkDerivation,
+  bsdSetupHook,
+  freebsdSetupHook,
+  makeMinimal,
+  install,
+  flex,
+  byacc,
+  gencat,
+  include,
+}:
+
+mkDerivation {
+  isStatic = true;
+  path = "lib/csu";
+  extraPaths = [
+    "lib/Makefile.inc"
+    "lib/libc/include/libc_private.h"
+  ];
+  nativeBuildInputs = [
+    bsdSetupHook
+    freebsdSetupHook
+    makeMinimal
+    install
+
+    flex
+    byacc
+    gencat
+  ];
+  buildInputs = [ include ];
+  MK_TESTS = "no";
+  meta.platforms = lib.platforms.freebsd;
+}
diff --git a/pkgs/os-specific/bsd/freebsd/pkgs/ctfconvert.nix b/pkgs/os-specific/bsd/freebsd/pkgs/ctfconvert.nix
new file mode 100644
index 0000000000000..9e653bb4f51ef
--- /dev/null
+++ b/pkgs/os-specific/bsd/freebsd/pkgs/ctfconvert.nix
@@ -0,0 +1,35 @@
+{
+  lib,
+  mkDerivation,
+  compatIfNeeded,
+  libdwarf,
+  zlib,
+  libspl,
+}:
+
+mkDerivation {
+  path = "cddl/usr.bin/ctfconvert";
+  extraPaths = [
+    "cddl/compat/opensolaris"
+    "cddl/contrib/opensolaris"
+    "sys/cddl/compat/opensolaris"
+    "sys/cddl/contrib/opensolaris"
+    "sys/contrib/openzfs"
+  ];
+  OPENSOLARIS_USR_DISTDIR = "$(SRCTOP)/cddl/contrib/opensolaris";
+  OPENSOLARIS_SYS_DISTDIR = "$(SRCTOP)/sys/cddl/contrib/opensolaris";
+
+  makeFlags = [
+    "STRIP=-s"
+    "MK_WERROR=no"
+    "MK_TESTS=no"
+  ];
+
+  buildInputs = compatIfNeeded ++ [
+    libdwarf
+    zlib
+    libspl
+  ];
+
+  meta.license = lib.licenses.cddl;
+}
diff --git a/pkgs/os-specific/bsd/freebsd/pkgs/file2c.nix b/pkgs/os-specific/bsd/freebsd/pkgs/file2c.nix
new file mode 100644
index 0000000000000..ff35d97afe360
--- /dev/null
+++ b/pkgs/os-specific/bsd/freebsd/pkgs/file2c.nix
@@ -0,0 +1,6 @@
+{ mkDerivation }:
+
+mkDerivation {
+  path = "usr.bin/file2c";
+  MK_TESTS = "no";
+}
diff --git a/pkgs/os-specific/bsd/freebsd/pkgs/filterSource.nix b/pkgs/os-specific/bsd/freebsd/pkgs/filterSource.nix
new file mode 100644
index 0000000000000..dc215c18aecb7
--- /dev/null
+++ b/pkgs/os-specific/bsd/freebsd/pkgs/filterSource.nix
@@ -0,0 +1,23 @@
+{
+  lib,
+  pkgsBuildBuild,
+  runCommand,
+  writeText,
+  source,
+}:
+
+{
+  pname,
+  path,
+  extraPaths ? [ ],
+}:
+
+let
+  sortedPaths = lib.naturalSort ([ path ] ++ extraPaths);
+  filterText = writeText "${pname}-src-include" (
+    lib.concatMapStringsSep "\n" (path: "/${path}") sortedPaths
+  );
+in
+runCommand "${pname}-filtered-src" { nativeBuildInputs = [ pkgsBuildBuild.rsync ]; } ''
+  rsync -a -r --files-from=${filterText} ${source}/ $out
+''
diff --git a/pkgs/os-specific/bsd/freebsd/pkgs/freebsdSetupHook/package.nix b/pkgs/os-specific/bsd/freebsd/pkgs/freebsdSetupHook/package.nix
new file mode 100644
index 0000000000000..ef4a14ccf4aa9
--- /dev/null
+++ b/pkgs/os-specific/bsd/freebsd/pkgs/freebsdSetupHook/package.nix
@@ -0,0 +1,3 @@
+{ makeSetupHook }:
+
+makeSetupHook { name = "freebsd-setup-hook"; } ./setup-hook.sh
diff --git a/pkgs/os-specific/bsd/freebsd/pkgs/freebsdSetupHook/setup-hook.sh b/pkgs/os-specific/bsd/freebsd/pkgs/freebsdSetupHook/setup-hook.sh
new file mode 100644
index 0000000000000..96a3d14c80f7b
--- /dev/null
+++ b/pkgs/os-specific/bsd/freebsd/pkgs/freebsdSetupHook/setup-hook.sh
@@ -0,0 +1,23 @@
+setFreeBSDSrcTop() {
+  makeFlags="SRCTOP=$BSDSRCDIR $makeFlags"
+}
+
+addFreeBSDMakeFlags() {
+  makeFlags="SBINDIR=${!outputBin}/bin $makeFlags"
+  makeFlags="LIBEXECDIR=${!outputLib}/libexec $makeFlags"
+  makeFlags="LIBDATADIR=${!outputLib}/data $makeFlags"
+  makeFlags="INCLUDEDIR=${!outputDev}/include $makeFlags"
+  makeFlags="CONFDIR=${!outputBin}/etc $makeFlags"
+  makeFlags="MANDIR=${!outputMan}/share/man/man $makeFlags"
+
+  if [ -n "$debug" ]; then
+    makeFlags="DEBUGFILEDIR=${debug}/lib/debug $makeFlags"
+  else
+    makeFlags="DEBUGFILEDIR=${out}/lib/debug $makeFlags"
+  fi
+
+  echo $makeFlags
+}
+
+postUnpackHooks+=(setFreeBSDSrcTop)
+preConfigureHooks+=(addFreeBSDMakeFlags)
diff --git a/pkgs/os-specific/bsd/freebsd/pkgs/gencat.nix b/pkgs/os-specific/bsd/freebsd/pkgs/gencat.nix
new file mode 100644
index 0000000000000..ea701b6404ecc
--- /dev/null
+++ b/pkgs/os-specific/bsd/freebsd/pkgs/gencat.nix
@@ -0,0 +1,3 @@
+{ mkDerivation }:
+
+mkDerivation { path = "usr.bin/gencat"; }
diff --git a/pkgs/os-specific/bsd/freebsd/pkgs/include/package.nix b/pkgs/os-specific/bsd/freebsd/pkgs/include/package.nix
new file mode 100644
index 0000000000000..70734226a54f5
--- /dev/null
+++ b/pkgs/os-specific/bsd/freebsd/pkgs/include/package.nix
@@ -0,0 +1,47 @@
+{
+  lib,
+  mkDerivation,
+  buildPackages,
+  rpcgen,
+  mtree,
+}:
+
+mkDerivation {
+  isStatic = true;
+  path = "include";
+
+  extraPaths = [
+    "contrib/libc-vis"
+    "etc/mtree/BSD.include.dist"
+    "sys"
+  ];
+
+  extraNativeBuildInputs = [
+    rpcgen
+    mtree
+  ];
+
+  # The makefiles define INCSDIR per subdirectory, so we have to set
+  # something else on the command line so those definitions aren't
+  # overridden.
+  postPatch = ''
+    find "$BSDSRCDIR" -name Makefile -exec \
+      sed -i -E \
+        -e 's_/usr/include_''${INCSDIR0}_' \
+        {} \;
+    sed -E -i -e "/_PATH_LOGIN/d" $BSDSRCDIR/include/paths.h
+  '';
+
+  makeFlags = [ "RPCGEN_CPP=${buildPackages.stdenv.cc.cc}/bin/cpp" ];
+
+  # multiple header dirs, see above
+  postConfigure = ''
+    makeFlags=''${makeFlags/INCSDIR/INCSDIR0}
+  '';
+
+  headersOnly = true;
+
+  MK_HESIOD = "yes";
+
+  meta.platforms = lib.platforms.freebsd;
+}
diff --git a/pkgs/os-specific/bsd/freebsd/pkgs/install.nix b/pkgs/os-specific/bsd/freebsd/pkgs/install.nix
new file mode 100644
index 0000000000000..b8e59adb09c5f
--- /dev/null
+++ b/pkgs/os-specific/bsd/freebsd/pkgs/install.nix
@@ -0,0 +1,67 @@
+{
+  lib,
+  stdenv,
+  mkDerivation,
+  writeShellScript,
+  freebsd-lib,
+  bsdSetupHook,
+  freebsdSetupHook,
+  makeMinimal,
+  mandoc,
+  groff,
+  boot-install,
+  install,
+  compatIfNeeded,
+  libmd,
+  libnetbsd,
+}:
+
+# HACK: to ensure parent directories exist. This emulates GNU
+# install’s -D option. No alternative seems to exist in BSD install.
+let
+  binstall = writeShellScript "binstall" (
+    freebsd-lib.install-wrapper
+    + ''
+
+      @out@/bin/xinstall "''${args[@]}"
+    ''
+  );
+in
+mkDerivation {
+  path = "usr.bin/xinstall";
+  extraPaths = [ "contrib/mtree" ];
+  nativeBuildInputs = [
+    bsdSetupHook
+    freebsdSetupHook
+    makeMinimal
+    mandoc
+    groff
+    (if stdenv.hostPlatform == stdenv.buildPlatform then boot-install else install)
+  ];
+  skipIncludesPhase = true;
+  buildInputs = compatIfNeeded ++ [
+    libmd
+    libnetbsd
+  ];
+  makeFlags =
+    [
+      "STRIP=-s" # flag to install, not command
+      "MK_WERROR=no"
+      "TESTSDIR=${builtins.placeholder "test"}"
+    ]
+    ++ lib.optionals (stdenv.hostPlatform == stdenv.buildPlatform) [
+      "BOOTSTRAPPING=1"
+      "INSTALL=boot-install"
+    ];
+  postInstall = ''
+    install -C -m 0550 ${binstall} $out/bin/binstall
+    substituteInPlace $out/bin/binstall --subst-var out
+    mv $out/bin/install $out/bin/xinstall
+    ln -s ./binstall $out/bin/install
+  '';
+  outputs = [
+    "out"
+    "man"
+    "test"
+  ];
+}
diff --git a/pkgs/os-specific/bsd/freebsd/pkgs/libc/package.nix b/pkgs/os-specific/bsd/freebsd/pkgs/libc/package.nix
new file mode 100644
index 0000000000000..8f2cc976463e4
--- /dev/null
+++ b/pkgs/os-specific/bsd/freebsd/pkgs/libc/package.nix
@@ -0,0 +1,286 @@
+{
+  lib,
+  buildPackages,
+  stdenv,
+  mkDerivation,
+
+  bsdSetupHook,
+  freebsdSetupHook,
+  makeMinimal,
+  install,
+  flex,
+  byacc,
+  gencat,
+  rpcgen,
+  mkcsmapper,
+  mkesdb,
+
+  csu,
+  include,
+  versionData,
+}:
+
+mkDerivation {
+  isStatic = true;
+  pname = "libc";
+  path = "lib/libc";
+  extraPaths =
+    [
+      "lib/libc_nonshared"
+      "etc/group"
+      "etc/master.passwd"
+      "etc/shells"
+      "lib/libmd"
+      "lib/libutil"
+      "lib/msun"
+      "sys/kern"
+      "sys/libkern"
+      "sys/sys"
+      "sys/crypto/chacha20"
+      "include/rpcsvc"
+      "contrib/jemalloc"
+      "contrib/gdtoa"
+      "contrib/libc-pwcache"
+      "contrib/libc-vis"
+    ]
+    ++ lib.optionals (versionData.major == 13) [ "contrib/tzcode/stdtime" ]
+    ++ lib.optionals (versionData.major == 14) [ "contrib/tzcode" ]
+    ++ [
+
+      # libthr
+      "lib/libthr"
+      "lib/libthread_db"
+      "libexec/rtld-elf"
+      "lib/csu/common/crtbrand.S"
+      "lib/csu/common/notes.h"
+
+      # librpcsvc
+      "lib/librpcsvc"
+
+      # librt
+      "lib/librt"
+
+      # libcrypt
+      "lib/libcrypt"
+      "lib/libmd"
+      "sys/crypto/sha2"
+      "sys/crypto/skein"
+
+      # libgcc and friends
+      "lib/libgcc_eh"
+      "lib/libgcc_s"
+      "lib/libcompiler_rt"
+      "contrib/llvm-project/libunwind"
+      "contrib/llvm-project/compiler-rt"
+      #"contrib/llvm-project/libcxx"
+
+      # terminfo
+      "lib/ncurses"
+      "contrib/ncurses"
+      "lib/Makefile.inc"
+    ]
+    ++ lib.optionals (stdenv.hostPlatform.isx86_32) [ "lib/libssp_nonshared" ]
+    ++ [
+      "lib/libexecinfo"
+      "contrib/libexecinfo"
+
+      "lib/libkvm"
+      "sys" # ummmmmmmmmm libkvm wants arch-specific headers from the kernel tree
+
+      "lib/libmemstat"
+
+      "lib/libprocstat"
+      "sys/contrib/openzfs"
+      "sys/contrib/pcg-c"
+      "sys/opencrypto"
+      "sys/contrib/ck"
+      "sys/crypto"
+
+      "lib/libdevstat"
+
+      "lib/libelf"
+      "contrib/elftoolchain"
+
+      "lib/libiconv_modules"
+      "share/i18n"
+      "include/paths.h"
+
+      "lib/libdl"
+    ];
+
+  postPatch = ''
+    substituteInPlace $COMPONENT_PATH/Makefile --replace '.include <src.opts.mk>' ""
+
+    substituteInPlace $BSDSRCDIR/include/paths.h \
+        --replace '/usr/lib/i18n' '${builtins.placeholder "out"}/lib/i18n' \
+        --replace '/usr/share/i18n' '${builtins.placeholder "out"}/share/i18n'
+  '';
+
+  nativeBuildInputs = [
+    bsdSetupHook
+    freebsdSetupHook
+    makeMinimal
+    install
+
+    flex
+    byacc
+    gencat
+    rpcgen
+    mkcsmapper
+    mkesdb
+  ];
+  buildInputs = [
+    include
+    csu
+  ];
+  env.NIX_CFLAGS_COMPILE = toString [
+    "-B${csu}/lib"
+    # These are supposed to have _RTLD_COMPAT_LIB_SUFFIX so we can get things like "lib32"
+    # but that's unnecessary
+    "-DSTANDARD_LIBRARY_PATH=\"${builtins.placeholder "out"}/lib\""
+    "-D_PATH_RTLD=\"${builtins.placeholder "out"}/libexec/ld-elf.so.1\""
+  ];
+
+  makeFlags = [
+    "STRIP=-s" # flag to install, not command
+    # lib/libc/gen/getgrent.c has sketchy cast from `void *` to enum
+    "MK_WERROR=no"
+  ];
+
+  MK_SYMVER = "yes";
+  MK_SSP = "yes";
+  MK_NLS = "yes";
+  MK_ICONV = "yes";
+  MK_NS_CACHING = "yes";
+  MK_INET6_SUPPORT = "yes";
+  MK_HESIOD = "yes";
+  MK_NIS = "yes";
+  MK_HYPERV = "yes";
+  MK_FP_LIBC = "yes";
+
+  MK_TCSH = "no";
+  MK_MALLOC_PRODUCTION = "yes";
+
+  MK_TESTS = "no";
+  MACHINE_ABI = "";
+  MK_DETECT_TZ_CHANGES = "no";
+  MK_MACHDEP_OPTIMIZATIONS = "yes";
+  MK_ASAN = "no";
+  MK_UBSAN = "no";
+
+  NO_FSCHG = "yes";
+
+  preBuild = lib.optionalString (stdenv.hostPlatform.isx86_32) ''
+    make -C $BSDSRCDIR/lib/libssp_nonshared $makeFlags
+    make -C $BSDSRCDIR/lib/libssp_nonshared $makeFlags install
+  '';
+
+  postInstall =
+    ''
+      pushd ${include}
+      find . -type d -exec mkdir -p $out/\{} \;
+      find . \( -type f -o -type l \) -exec cp -pr \{} $out/\{} \;
+      popd
+
+      pushd ${csu}
+      find . -type d -exec mkdir -p $out/\{} \;
+      find . \( -type f -o -type l \) -exec cp -pr \{} $out/\{} \;
+      popd
+
+      mkdir $BSDSRCDIR/lib/libcompiler_rt/i386
+      make -C $BSDSRCDIR/lib/libcompiler_rt $makeFlags
+      make -C $BSDSRCDIR/lib/libcompiler_rt $makeFlags install
+
+      make -C $BSDSRCDIR/lib/libgcc_eh $makeFlags
+      make -C $BSDSRCDIR/lib/libgcc_eh $makeFlags install
+
+      ln -s $BSDSRCDIR/lib/libc/libc.so.7 $BSDSRCDIR/lib/libc/libc.so  # not sure
+      mkdir $BSDSRCDIR/lib/libgcc_s/i386
+      make -C $BSDSRCDIR/lib/libgcc_s $makeFlags
+      make -C $BSDSRCDIR/lib/libgcc_s $makeFlags install
+
+      NIX_CFLAGS_COMPILE+=" -B$out/lib"
+      NIX_CFLAGS_COMPILE+=" -I$out/include"
+      NIX_LDFLAGS+=" -L$out/lib"
+
+      make -C $BSDSRCDIR/lib/libc_nonshared $makeFlags
+      make -C $BSDSRCDIR/lib/libc_nonshared $makeFlags install
+
+      mkdir $BSDSRCDIR/lib/libmd/sys
+      make -C $BSDSRCDIR/lib/libmd $makeFlags
+      make -C $BSDSRCDIR/lib/libmd $makeFlags install
+
+      make -C $BSDSRCDIR/lib/libthr $makeFlags
+      make -C $BSDSRCDIR/lib/libthr $makeFlags install
+
+      make -C $BSDSRCDIR/lib/msun $makeFlags
+      make -C $BSDSRCDIR/lib/msun $makeFlags install
+
+      make -C $BSDSRCDIR/lib/librpcsvc $makeFlags
+      make -C $BSDSRCDIR/lib/librpcsvc $makeFlags install
+
+      make -C $BSDSRCDIR/lib/libutil $makeFlags
+      make -C $BSDSRCDIR/lib/libutil $makeFlags install
+
+      make -C $BSDSRCDIR/lib/librt $makeFlags
+      make -C $BSDSRCDIR/lib/librt $makeFlags install
+
+      make -C $BSDSRCDIR/lib/libcrypt $makeFlags
+      make -C $BSDSRCDIR/lib/libcrypt $makeFlags install
+
+      make -C $BSDSRCDIR/lib/libelf $makeFlags
+      make -C $BSDSRCDIR/lib/libelf $makeFlags install
+
+      make -C $BSDSRCDIR/lib/libexecinfo $makeFlags
+      make -C $BSDSRCDIR/lib/libexecinfo $makeFlags install
+
+      make -C $BSDSRCDIR/lib/libkvm $makeFlags
+      make -C $BSDSRCDIR/lib/libkvm $makeFlags install
+
+      make -C $BSDSRCDIR/lib/libmemstat $makeFlags
+      make -C $BSDSRCDIR/lib/libmemstat $makeFlags install
+
+      make -C $BSDSRCDIR/lib/libprocstat $makeFlags
+      make -C $BSDSRCDIR/lib/libprocstat $makeFlags install
+
+      make -C $BSDSRCDIR/lib/libdevstat $makeFlags
+      make -C $BSDSRCDIR/lib/libdevstat $makeFlags install
+
+      make -C $BSDSRCDIR/lib/libiconv_modules $makeFlags
+      make -C $BSDSRCDIR/lib/libiconv_modules $makeFlags SHLIBDIR=${builtins.placeholder "out"}/lib/i18n install
+
+      make -C $BSDSRCDIR/lib/libdl $makeFlags
+      make -C $BSDSRCDIR/lib/libdl $makeFlags install
+
+      make -C $BSDSRCDIR/share/i18n $makeFlags
+      make -C $BSDSRCDIR/share/i18n $makeFlags ESDBDIR=${builtins.placeholder "out"}/share/i18n/esdb CSMAPPERDIR=${builtins.placeholder "out"}/share/i18n/csmapper install
+
+    ''
+    + lib.optionalString stdenv.hostPlatform.isx86_32 ''
+      $CC -c $BSDSRCDIR/contrib/llvm-project/compiler-rt/lib/builtins/udivdi3.c -o $BSDSRCDIR/contrib/llvm-project/compiler-rt/lib/builtins/udivdi3.o
+      ORIG_NIX_LDFLAGS="$NIX_LDFLAGS"
+      NIX_LDFLAGS+=" $BSDSRCDIR/contrib/llvm-project/compiler-rt/lib/builtins/udivdi3.o"
+    ''
+    + ''
+      make -C $BSDSRCDIR/libexec/rtld-elf $makeFlags
+      make -C $BSDSRCDIR/libexec/rtld-elf $makeFlags install
+      rm -f $out/libexec/ld-elf.so.1
+      mv $out/bin/ld-elf.so.1 $out/libexec
+    '';
+
+  # libc should not be allowed to refer to anything other than itself
+  postFixup = ''
+    find $out -type f | xargs -n1 ${buildPackages.patchelf}/bin/patchelf --shrink-rpath --allowed-rpath-prefixes $out || true
+  '';
+
+  meta.platforms = lib.platforms.freebsd;
+
+  # definitely a bad idea to enable stack protection on the stack protection initializers
+  hardeningDisable = [ "stackprotector" ];
+
+  outputs = [
+    "out"
+    "man"
+    "debug"
+  ];
+}
diff --git a/pkgs/os-specific/bsd/freebsd/pkgs/libcxxrt.nix b/pkgs/os-specific/bsd/freebsd/pkgs/libcxxrt.nix
new file mode 100644
index 0000000000000..0640d2292d491
--- /dev/null
+++ b/pkgs/os-specific/bsd/freebsd/pkgs/libcxxrt.nix
@@ -0,0 +1,11 @@
+{ mkDerivation, ... }:
+# this package is quite different from stock libcxxrt.
+# as of FreeBSD 14.0, it is vendored from APPROXIMATELY libcxxrt
+# 5d8a15823a103bbc27f1bfdcf2b5aa008fab57dd, though the vendoring mechanism is
+# extremely ad-hoc. Moreover, the build mechanism is totally custom, and adds
+# symbol versions not specified on any version of libcxxrt.
+mkDerivation {
+  pname = "libcxxrt";
+  path = "lib/libcxxrt";
+  extraPaths = [ "contrib/libcxxrt" ];
+}
diff --git a/pkgs/os-specific/bsd/freebsd/pkgs/libdwarf.nix b/pkgs/os-specific/bsd/freebsd/pkgs/libdwarf.nix
new file mode 100644
index 0000000000000..ee4d57b021b1d
--- /dev/null
+++ b/pkgs/os-specific/bsd/freebsd/pkgs/libdwarf.nix
@@ -0,0 +1,20 @@
+{
+  mkDerivation,
+  m4,
+  compatIfNeeded,
+  zlib,
+}:
+
+mkDerivation {
+  path = "lib/libdwarf";
+  extraPaths = [
+    "contrib/elftoolchain/libdwarf"
+    "contrib/elftoolchain/common"
+    "sys/sys/elf32.h"
+    "sys/sys/elf64.h"
+    "sys/sys/elf_common.h"
+  ];
+  extraNativeBuildInputs = [ m4 ];
+  buildInputs = compatIfNeeded ++ [ zlib ];
+  MK_TESTS = "no";
+}
diff --git a/pkgs/os-specific/bsd/freebsd/pkgs/libmd.nix b/pkgs/os-specific/bsd/freebsd/pkgs/libmd.nix
new file mode 100644
index 0000000000000..71d0c1e50d5ea
--- /dev/null
+++ b/pkgs/os-specific/bsd/freebsd/pkgs/libmd.nix
@@ -0,0 +1,49 @@
+{
+  lib,
+  stdenv,
+  mkDerivation,
+  freebsdSetupHook,
+  bsdSetupHook,
+  makeMinimal,
+}:
+mkDerivation {
+  path = "lib/libmd";
+  extraPaths = [
+    "sys/sys/md5.h"
+    "sys/crypto/sha2"
+    "sys/crypto/skein"
+  ];
+  nativeBuildInputs = [
+    makeMinimal
+    bsdSetupHook
+    freebsdSetupHook
+  ];
+
+  makeFlags = [
+    "STRIP=-s" # flag to install, not command
+    "RELDIR=."
+  ] ++ lib.optional (!stdenv.hostPlatform.isFreeBSD) "MK_WERROR=no";
+
+  preBuild = ''
+    mkdir sys
+  '';
+
+  installPhase = ''
+    # libmd is used by install. do it yourself!
+    mkdir -p $out/include $out/lib $man/share/man
+    cp libmd.a $out/lib/libmd.a
+    for f in $(make $makeFlags -V INCS); do
+      if [ -e "$f" ]; then cp "$f" "$out/include/$f"; fi
+      if [ -e "$BSDSRCDIR/sys/crypto/sha2/$f" ]; then cp "$BSDSRCDIR/sys/crypto/sha2/$f" "$out/include/$f"; fi
+      if [ -e "$BSDSRCDIR/sys/crypto/skein/$f" ]; then cp "$BSDSRCDIR/sys/crypto/skein/$f" "$out/include/$f"; fi
+    done
+    for f in $(make $makeFlags -V MAN); do
+      cp "$f" "$man/share/man/$f"
+    done
+  '';
+
+  outputs = [
+    "out"
+    "man"
+  ];
+}
diff --git a/pkgs/os-specific/bsd/freebsd/pkgs/libnetbsd/package.nix b/pkgs/os-specific/bsd/freebsd/pkgs/libnetbsd/package.nix
new file mode 100644
index 0000000000000..82a9e140102f6
--- /dev/null
+++ b/pkgs/os-specific/bsd/freebsd/pkgs/libnetbsd/package.nix
@@ -0,0 +1,28 @@
+{
+  lib,
+  stdenv,
+  mkDerivation,
+  bsdSetupHook,
+  freebsdSetupHook,
+  makeMinimal,
+  mandoc,
+  groff,
+  boot-install,
+  install,
+}:
+
+mkDerivation {
+  path = "lib/libnetbsd";
+  nativeBuildInputs = [
+    bsdSetupHook
+    freebsdSetupHook
+    makeMinimal
+    mandoc
+    groff
+    (if stdenv.hostPlatform == stdenv.buildPlatform then boot-install else install)
+  ];
+  makeFlags = [
+    "STRIP=-s" # flag to install, not command
+    "MK_WERROR=no"
+  ] ++ lib.optional (stdenv.hostPlatform == stdenv.buildPlatform) "INSTALL=boot-install";
+}
diff --git a/pkgs/os-specific/bsd/freebsd/pkgs/libnv.nix b/pkgs/os-specific/bsd/freebsd/pkgs/libnv.nix
new file mode 100644
index 0000000000000..6ce61e5a68c7b
--- /dev/null
+++ b/pkgs/os-specific/bsd/freebsd/pkgs/libnv.nix
@@ -0,0 +1,10 @@
+{ mkDerivation }:
+
+mkDerivation {
+  path = "lib/libnv";
+  extraPaths = [
+    "sys/contrib/libnv"
+    "sys/sys"
+  ];
+  MK_TESTS = "no";
+}
diff --git a/pkgs/os-specific/bsd/freebsd/pkgs/libsbuf.nix b/pkgs/os-specific/bsd/freebsd/pkgs/libsbuf.nix
new file mode 100644
index 0000000000000..242492a3f2f23
--- /dev/null
+++ b/pkgs/os-specific/bsd/freebsd/pkgs/libsbuf.nix
@@ -0,0 +1,7 @@
+{ mkDerivation }:
+
+mkDerivation {
+  path = "lib/libsbuf";
+  extraPaths = [ "sys/kern" ];
+  MK_TESTS = "no";
+}
diff --git a/pkgs/os-specific/bsd/freebsd/pkgs/libspl.nix b/pkgs/os-specific/bsd/freebsd/pkgs/libspl.nix
new file mode 100644
index 0000000000000..c444975549ad6
--- /dev/null
+++ b/pkgs/os-specific/bsd/freebsd/pkgs/libspl.nix
@@ -0,0 +1,22 @@
+{ lib, mkDerivation }:
+
+mkDerivation {
+  path = "cddl/lib/libspl";
+  extraPaths = [
+    "cddl/compat/opensolaris/include"
+    "sys/contrib/openzfs/include"
+    "sys/contrib/openzfs/lib/libspl"
+    "sys/contrib/openzfs/module/icp/include"
+    "sys/modules/zfs/zfs_config.h"
+  ];
+
+  # Without a prefix it will try to put object files in nonexistant directories
+  preBuild = ''
+    export MAKEOBJDIRPREFIX=$TMP/obj
+  '';
+
+  meta = with lib; {
+    platform = platforms.freebsd;
+    license = licenses.cddl;
+  };
+}
diff --git a/pkgs/os-specific/bsd/freebsd/pkgs/libutil.nix b/pkgs/os-specific/bsd/freebsd/pkgs/libutil.nix
new file mode 100644
index 0000000000000..6df6fa740f45e
--- /dev/null
+++ b/pkgs/os-specific/bsd/freebsd/pkgs/libutil.nix
@@ -0,0 +1,10 @@
+{
+  mkDerivation,
+  lib,
+  stdenv,
+}:
+mkDerivation {
+  path = "lib/libutil";
+  extraPaths = [ "lib/libc/gen" ];
+  MK_TESTS = "no";
+}
diff --git a/pkgs/os-specific/bsd/freebsd/pkgs/lorder.nix b/pkgs/os-specific/bsd/freebsd/pkgs/lorder.nix
new file mode 100644
index 0000000000000..25e7f491a1c94
--- /dev/null
+++ b/pkgs/os-specific/bsd/freebsd/pkgs/lorder.nix
@@ -0,0 +1,25 @@
+{
+  mkDerivation,
+  bsdSetupHook,
+  freebsdSetupHook,
+}:
+mkDerivation {
+  path = "usr.bin/lorder";
+  noCC = true;
+  dontBuild = true;
+  installPhase = ''
+    mkdir -p "$out/bin" "$man/share/man"
+    mv "lorder.sh" "$out/bin/lorder"
+    chmod +x "$out/bin/lorder"
+    mv "lorder.1" "$man/share/man"
+  '';
+  nativeBuildInputs = [
+    bsdSetupHook
+    freebsdSetupHook
+  ];
+  buildInputs = [ ];
+  outputs = [
+    "out"
+    "man"
+  ];
+}
diff --git a/pkgs/os-specific/bsd/freebsd/pkgs/make.nix b/pkgs/os-specific/bsd/freebsd/pkgs/make.nix
new file mode 100644
index 0000000000000..ecf231c304145
--- /dev/null
+++ b/pkgs/os-specific/bsd/freebsd/pkgs/make.nix
@@ -0,0 +1,25 @@
+{
+  lib,
+  mkDerivation,
+  stdenv,
+}:
+
+mkDerivation {
+  path = "contrib/bmake";
+  version = "9.2";
+  postPatch =
+    ''
+      # make needs this to pick up our sys make files
+      export NIX_CFLAGS_COMPILE+=" -D_PATH_DEFSYSPATH=\"$out/share/mk\""
+
+    ''
+    + lib.optionalString stdenv.isDarwin ''
+      substituteInPlace $BSDSRCDIR/share/mk/bsd.sys.mk \
+        --replace '-Wl,--fatal-warnings' "" \
+        --replace '-Wl,--warn-shared-textrel' ""
+    '';
+  postInstall = ''
+    make -C $BSDSRCDIR/share/mk FILESDIR=$out/share/mk install
+  '';
+  extraPaths = [ "share/mk" ] ++ lib.optional (!stdenv.hostPlatform.isFreeBSD) "tools/build/mk";
+}
diff --git a/pkgs/os-specific/bsd/freebsd/pkgs/makeMinimal.nix b/pkgs/os-specific/bsd/freebsd/pkgs/makeMinimal.nix
new file mode 100644
index 0000000000000..069e74474852a
--- /dev/null
+++ b/pkgs/os-specific/bsd/freebsd/pkgs/makeMinimal.nix
@@ -0,0 +1,68 @@
+{
+  lib,
+  stdenv,
+  mkDerivation,
+  make,
+  bsdSetupHook,
+  freebsdSetupHook,
+}:
+
+mkDerivation {
+  inherit (make) path;
+
+  buildInputs = [ ];
+  nativeBuildInputs = [
+    bsdSetupHook
+    freebsdSetupHook
+  ];
+
+  skipIncludesPhase = true;
+
+  makeFlags = [ ];
+
+  postPatch = ''
+    patchShebangs configure
+    ${make.postPatch}
+  '';
+
+  configureFlags = [ "--with-filemon=no" ];
+
+  buildPhase = ''
+    runHook preBuild
+
+    sh ./make-bootstrap.sh
+
+    runHook postBuild
+  '';
+
+  installPhase = ''
+    runHook preInstall
+
+    install -D bmake "$out/bin/bmake"
+    ln -s "$out/bin/bmake" "$out/bin/make"
+    mkdir -p "$out/share"
+    cp -r "$BSDSRCDIR/share/mk" "$out/share/mk"
+    find "$out/share/mk" -type f -print0 |
+      while IFS= read -r -d "" f; do
+        substituteInPlace "$f" --replace 'usr/' ""
+      done
+    substituteInPlace "$out/share/mk/bsd.symver.mk" \
+      --replace '/share/mk' "$out/share/mk"
+
+    runHook postInstall
+  '';
+
+  postInstall = lib.optionalString (!stdenv.targetPlatform.isFreeBSD) ''
+    boot_mk="$BSDSRCDIR/tools/build/mk"
+    cp "$boot_mk"/Makefile.boot* "$out/share/mk"
+    replaced_mk="$out/share/mk.orig"
+    mkdir "$replaced_mk"
+    mv "$out"/share/mk/bsd.{lib,prog}.mk "$replaced_mk"
+    for m in bsd.{lib,prog}.mk; do
+      cp "$boot_mk/$m" "$out/share/mk"
+      substituteInPlace "$out/share/mk/$m" --replace '../../../share/mk' '../mk.orig'
+    done
+  '';
+
+  extraPaths = make.extraPaths;
+}
diff --git a/pkgs/os-specific/bsd/freebsd/pkgs/mkDerivation.nix b/pkgs/os-specific/bsd/freebsd/pkgs/mkDerivation.nix
new file mode 100644
index 0000000000000..be195b3bc6fa5
--- /dev/null
+++ b/pkgs/os-specific/bsd/freebsd/pkgs/mkDerivation.nix
@@ -0,0 +1,164 @@
+{
+  lib,
+  stdenv,
+  stdenvNoCC,
+  versionData,
+  writeText,
+  patches,
+  compatIfNeeded,
+  freebsd-lib,
+  filterSource,
+  bsdSetupHook,
+  freebsdSetupHook,
+  makeMinimal,
+  install,
+  tsort,
+  lorder,
+  mandoc,
+  groff,
+}:
+
+lib.makeOverridable (
+  attrs:
+  let
+    stdenv' = if attrs.noCC or false then stdenvNoCC else stdenv;
+  in
+  stdenv'.mkDerivation (
+    rec {
+      inherit (freebsd-lib) version;
+      pname = "${attrs.pname or (baseNameOf attrs.path)}";
+      src = filterSource {
+        inherit pname;
+        inherit (attrs) path;
+        extraPaths = attrs.extraPaths or [ ];
+      };
+
+      nativeBuildInputs = [
+        bsdSetupHook
+        freebsdSetupHook
+        makeMinimal
+        install
+        tsort
+        lorder
+        mandoc
+        groff
+      ] ++ attrs.extraNativeBuildInputs or [ ];
+      buildInputs = compatIfNeeded;
+
+      HOST_SH = stdenv'.shell;
+
+      # Since STRIP below is the flag
+      STRIPBIN = "${stdenv.cc.bintools.targetPrefix}strip";
+
+      makeFlags = [
+        "STRIP=-s" # flag to install, not command
+      ] ++ lib.optional (!stdenv.hostPlatform.isFreeBSD) "MK_WERROR=no";
+
+      # amd64 not x86_64 for this on unlike NetBSD
+      MACHINE_ARCH = freebsd-lib.mkBsdArch stdenv';
+
+      MACHINE = freebsd-lib.mkBsdArch stdenv';
+
+      MACHINE_CPUARCH = MACHINE_ARCH;
+
+      COMPONENT_PATH = attrs.path or null;
+
+      strictDeps = true;
+
+      meta =
+        with lib;
+        {
+          maintainers = with maintainers; [
+            rhelmot
+            artemist
+          ];
+          platforms = platforms.unix;
+          license = licenses.bsd2;
+        }
+        // attrs.meta or { };
+    }
+    // lib.optionalAttrs stdenv'.hasCC {
+      # TODO should CC wrapper set this?
+      CPP = "${stdenv'.cc.targetPrefix}cpp";
+    }
+    // lib.optionalAttrs stdenv'.isDarwin { MKRELRO = "no"; }
+    // lib.optionalAttrs (stdenv'.cc.isClang or false) {
+      HAVE_LLVM = lib.versions.major (lib.getVersion stdenv'.cc.cc);
+    }
+    // lib.optionalAttrs (stdenv'.cc.isGNU or false) {
+      HAVE_GCC = lib.versions.major (lib.getVersion stdenv'.cc.cc);
+    }
+    // lib.optionalAttrs (stdenv'.isx86_32) { USE_SSP = "no"; }
+    // lib.optionalAttrs (attrs.headersOnly or false) {
+      installPhase = "includesPhase";
+      dontBuild = true;
+    }
+    // attrs
+    // lib.optionalAttrs (stdenv'.hasCC && stdenv'.cc.isClang or false && attrs.clangFixup or true) {
+      preBuild =
+        ''
+          export NIX_CFLAGS_COMPILE="$NIX_CFLAGS_COMPILE -D_VA_LIST -D_VA_LIST_DECLARED -Dva_list=__builtin_va_list -D_SIZE_T_DECLARED -D_SIZE_T -Dsize_t=__SIZE_TYPE__ -D_WCHAR_T"
+        ''
+        + lib.optionalString (versionData.major == 13) ''
+          export NIX_LDFLAGS="$NIX_LDFLAGS --undefined-version"
+        ''
+        + (attrs.preBuild or "");
+    }
+    // {
+      patches =
+        let
+          isDir =
+            file:
+            let
+              base = baseNameOf file;
+              type = (builtins.readDir (dirOf file)).${base} or null;
+            in
+            file == /. || type == "directory";
+          consolidatePatches =
+            patches:
+            if (lib.isDerivation patches) then
+              [ patches ]
+            else if (builtins.isPath patches) then
+              (if (isDir patches) then (lib.filesystem.listFilesRecursive patches) else [ patches ])
+            else if (builtins.isList patches) then
+              (lib.flatten (builtins.map consolidatePatches patches))
+            else
+              throw "Bad patches - must be path or derivation or list thereof";
+          consolidated = consolidatePatches patches;
+          splitPatch =
+            patchFile:
+            let
+              foldFunc =
+                a: b:
+                if (lib.strings.hasPrefix "--- " b) then
+                  (a ++ [ [ b ] ])
+                else
+                  ((lib.lists.init a) ++ (lib.lists.singleton ((lib.lists.last a) ++ [ b ])));
+              partitionedPatches' = lib.lists.foldl foldFunc [ [ ] ] (
+                lib.strings.splitString "\n" (builtins.readFile patchFile)
+              );
+              partitionedPatches =
+                if (builtins.length partitionedPatches' > 1) then
+                  (lib.lists.drop 1 partitionedPatches')
+                else
+                  (throw "${patchFile} does not seem to be a unified patch (diff -u). this is required for FreeBSD.");
+              filterFunc =
+                patchLines:
+                let
+                  prefixedPath = builtins.elemAt (builtins.split " |\t" (builtins.elemAt patchLines 1)) 2;
+                  unfixedPath = lib.path.subpath.join (lib.lists.drop 1 (lib.path.subpath.components prefixedPath));
+                in
+                lib.lists.any (included: lib.path.hasPrefix (/. + ("/" + included)) (/. + ("/" + unfixedPath))) (
+                  (attrs.extraPaths or [ ]) ++ [ attrs.path ]
+                );
+              filteredLines = builtins.filter filterFunc partitionedPatches;
+              derive = patchLines: writeText "freebsd-patch" (lib.concatLines patchLines);
+              derivedPatches = builtins.map derive filteredLines;
+            in
+            derivedPatches;
+          picked = lib.lists.concatMap splitPatch consolidated;
+        in
+        picked ++ attrs.patches or [ ];
+    }
+  )
+)
diff --git a/pkgs/os-specific/bsd/freebsd/pkgs/mkcsmapper.nix b/pkgs/os-specific/bsd/freebsd/pkgs/mkcsmapper.nix
new file mode 100644
index 0000000000000..60cef347446ec
--- /dev/null
+++ b/pkgs/os-specific/bsd/freebsd/pkgs/mkcsmapper.nix
@@ -0,0 +1,22 @@
+{
+  stdenv,
+  mkDerivation,
+  byacc,
+  flex,
+}:
+
+mkDerivation {
+  path = "usr.bin/mkcsmapper";
+
+  extraPaths = [
+    "lib/libc/iconv"
+    "lib/libiconv_modules/mapper_std"
+  ];
+
+  BOOTSTRAPPING = !stdenv.hostPlatform.isFreeBSD;
+
+  extraNativeBuildInputs = [
+    byacc
+    flex
+  ];
+}
diff --git a/pkgs/os-specific/bsd/freebsd/pkgs/mkesdb.nix b/pkgs/os-specific/bsd/freebsd/pkgs/mkesdb.nix
new file mode 100644
index 0000000000000..a503af529f274
--- /dev/null
+++ b/pkgs/os-specific/bsd/freebsd/pkgs/mkesdb.nix
@@ -0,0 +1,19 @@
+{
+  stdenv,
+  mkDerivation,
+  byacc,
+  flex,
+}:
+
+mkDerivation {
+  path = "usr.bin/mkesdb";
+
+  extraPaths = [ "lib/libc/iconv" ];
+
+  BOOTSTRAPPING = !stdenv.hostPlatform.isFreeBSD;
+
+  extraNativeBuildInputs = [
+    byacc
+    flex
+  ];
+}
diff --git a/pkgs/os-specific/bsd/freebsd/pkgs/mknod.nix b/pkgs/os-specific/bsd/freebsd/pkgs/mknod.nix
new file mode 100644
index 0000000000000..bf7d8b7db689b
--- /dev/null
+++ b/pkgs/os-specific/bsd/freebsd/pkgs/mknod.nix
@@ -0,0 +1,3 @@
+{ mkDerivation }:
+
+mkDerivation { path = "sbin/mknod"; }
diff --git a/pkgs/os-specific/bsd/freebsd/pkgs/mtree.nix b/pkgs/os-specific/bsd/freebsd/pkgs/mtree.nix
new file mode 100644
index 0000000000000..bbcaff3a1c6a8
--- /dev/null
+++ b/pkgs/os-specific/bsd/freebsd/pkgs/mtree.nix
@@ -0,0 +1,39 @@
+{
+  lib,
+  stdenv,
+  mkDerivation,
+  compatIfNeeded,
+  compatIsNeeded,
+  libmd,
+  libnetbsd,
+  libutil,
+}:
+
+mkDerivation {
+  path = "contrib/mtree";
+  extraPaths = [ "contrib/mknod" ];
+  buildInputs =
+    compatIfNeeded
+    ++ [
+      libmd
+      libnetbsd
+    ]
+    ++ lib.optional (stdenv.isFreeBSD) libutil;
+
+  postPatch = ''
+    ln -s $BSDSRCDIR/contrib/mknod/*.c $BSDSRCDIR/contrib/mknod/*.h $BSDSRCDIR/contrib/mtree
+  '';
+
+  preBuild = ''
+    export NIX_LDFLAGS="$NIX_LDFLAGS ${
+      toString (
+        [
+          "-lmd"
+          "-lnetbsd"
+        ]
+        ++ lib.optional compatIsNeeded "-legacy"
+        ++ lib.optional stdenv.isFreeBSD "-lutil"
+      )
+    }"
+  '';
+}
diff --git a/pkgs/os-specific/bsd/freebsd/pkgs/rpcgen/package.nix b/pkgs/os-specific/bsd/freebsd/pkgs/rpcgen/package.nix
new file mode 100644
index 0000000000000..e187cacbb0d05
--- /dev/null
+++ b/pkgs/os-specific/bsd/freebsd/pkgs/rpcgen/package.nix
@@ -0,0 +1,27 @@
+{
+  lib,
+  mkDerivation,
+  stdenv,
+  patchesRoot,
+}:
+
+mkDerivation {
+  path = "usr.bin/rpcgen";
+  patches = lib.optionals (stdenv.hostPlatform.libc == "glibc") [
+    # `WUNTRACED` is defined privately `bits/waitflags.h` in glibc.
+    # But instead of having a regular header guard, it has some silly
+    # non-modular logic. `stdlib.h` will include it if `sys/wait.h`
+    # hasn't yet been included (for it would first), and vice versa.
+    #
+    # The problem is that with the FreeBSD compat headers, one of
+    # those headers ends up included other headers...which ends up
+    # including the other one, this means by the first time we reach
+    # `#include `<bits/waitflags.h>`, both `_SYS_WAIT_H` and
+    # `_STDLIB_H` are already defined! Thus, we never end up including
+    # `<bits/waitflags.h>` and defining `WUNTRACED`.
+    #
+    # This hacks around this by manually including `WUNTRACED` until
+    # the problem is fixed properly in glibc.
+    ./rpcgen-glibc-hack.patch
+  ];
+}
diff --git a/pkgs/os-specific/bsd/freebsd/rpcgen-glibc-hack.patch b/pkgs/os-specific/bsd/freebsd/pkgs/rpcgen/rpcgen-glibc-hack.patch
index 3dde1a0106514..3dde1a0106514 100644
--- a/pkgs/os-specific/bsd/freebsd/rpcgen-glibc-hack.patch
+++ b/pkgs/os-specific/bsd/freebsd/pkgs/rpcgen/rpcgen-glibc-hack.patch
diff --git a/pkgs/os-specific/bsd/freebsd/pkgs/sed.nix b/pkgs/os-specific/bsd/freebsd/pkgs/sed.nix
new file mode 100644
index 0000000000000..ec5bfee17d2c1
--- /dev/null
+++ b/pkgs/os-specific/bsd/freebsd/pkgs/sed.nix
@@ -0,0 +1,6 @@
+{ mkDerivation }:
+
+mkDerivation {
+  path = "usr.bin/sed";
+  MK_TESTS = "no";
+}
diff --git a/pkgs/os-specific/bsd/freebsd/pkgs/source.nix b/pkgs/os-specific/bsd/freebsd/pkgs/source.nix
new file mode 100644
index 0000000000000..c14d26559047b
--- /dev/null
+++ b/pkgs/os-specific/bsd/freebsd/pkgs/source.nix
@@ -0,0 +1,10 @@
+{ fetchFromGitHub, sourceData }:
+
+# Using fetchFromGitHub from their mirror because it's a lot faster than their git server
+# If you want you could fetchgit from "https://git.FreeBSD.org/src.git" instead.
+# The update script still pulls directly from git.freebsd.org
+fetchFromGitHub {
+  owner = "freebsd";
+  repo = "freebsd-src";
+  inherit (sourceData) rev hash;
+}
diff --git a/pkgs/os-specific/bsd/freebsd/pkgs/stat.nix b/pkgs/os-specific/bsd/freebsd/pkgs/stat.nix
new file mode 100644
index 0000000000000..a801ab895441c
--- /dev/null
+++ b/pkgs/os-specific/bsd/freebsd/pkgs/stat.nix
@@ -0,0 +1,22 @@
+{
+  mkDerivation,
+  bsdSetupHook,
+  freebsdSetupHook,
+  makeMinimal,
+  install,
+  mandoc,
+  groff,
+}:
+
+# Don't add this to nativeBuildInputs directly.  Use statHook instead.
+mkDerivation {
+  path = "usr.bin/stat";
+  nativeBuildInputs = [
+    bsdSetupHook
+    freebsdSetupHook
+    makeMinimal
+    install
+    mandoc
+    groff
+  ];
+}
diff --git a/pkgs/os-specific/bsd/freebsd/pkgs/statHook.nix b/pkgs/os-specific/bsd/freebsd/pkgs/statHook.nix
new file mode 100644
index 0000000000000..4609c004e6f51
--- /dev/null
+++ b/pkgs/os-specific/bsd/freebsd/pkgs/statHook.nix
@@ -0,0 +1,16 @@
+{
+  makeSetupHook,
+  writeText,
+  stat,
+}:
+
+# stat isn't in POSIX, and NetBSD stat supports a completely
+# different range of flags than GNU stat, so including it in PATH
+# breaks stdenv.  Work around that with a hook that will point
+# NetBSD's build system and NetBSD stat without including it in
+# PATH.
+makeSetupHook { name = "netbsd-stat-hook"; } (
+  writeText "netbsd-stat-hook-impl" ''
+    makeFlagsArray+=(TOOL_STAT=${stat}/bin/stat)
+  ''
+)
diff --git a/pkgs/os-specific/bsd/freebsd/pkgs/sys/package.nix b/pkgs/os-specific/bsd/freebsd/pkgs/sys/package.nix
new file mode 100644
index 0000000000000..86f847cbd45cf
--- /dev/null
+++ b/pkgs/os-specific/bsd/freebsd/pkgs/sys/package.nix
@@ -0,0 +1,85 @@
+{
+  stdenv,
+  mkDerivation,
+  freebsd-lib,
+  buildPackages,
+  bsdSetupHook,
+  freebsdSetupHook,
+  makeMinimal,
+  install,
+  mandoc,
+  groff,
+  config,
+  rpcgen,
+  file2c,
+  gawk,
+  uudecode,
+  xargs-j,
+}:
+
+mkDerivation (
+  let
+    cfg = "MINIMAL";
+  in
+  rec {
+    path = "sys";
+
+    nativeBuildInputs = [
+      bsdSetupHook
+      freebsdSetupHook
+      makeMinimal
+      install
+      mandoc
+      groff
+
+      config
+      rpcgen
+      file2c
+      gawk
+      uudecode
+      xargs-j
+    ];
+
+    # --dynamic-linker /red/herring is used when building the kernel.
+    NIX_ENFORCE_PURITY = 0;
+
+    AWK = "${buildPackages.gawk}/bin/awk";
+
+    CWARNEXTRA = "-Wno-error=shift-negative-value -Wno-address-of-packed-member";
+
+    MK_CTF = "no";
+
+    KODIR = "${builtins.placeholder "out"}/kernel";
+    KMODDIR = "${builtins.placeholder "out"}/kernel";
+    DTBDIR = "${builtins.placeholder "out"}/dbt";
+
+    KERN_DEBUGDIR = "${builtins.placeholder "out"}/debug";
+    KERN_DEBUGDIR_KODIR = "${KERN_DEBUGDIR}/kernel";
+    KERN_DEBUGDIR_KMODDIR = "${KERN_DEBUGDIR}/kernel";
+
+    skipIncludesPhase = true;
+
+    configurePhase = ''
+      runHook preConfigure
+
+      for f in conf/kmod.mk contrib/dev/acpica/acpica_prep.sh; do
+        substituteInPlace "$f" --replace 'xargs -J' 'xargs-j '
+      done
+
+      for f in conf/*.mk; do
+        substituteInPlace "$f" --replace 'KERN_DEBUGDIR}''${' 'KERN_DEBUGDIR_'
+      done
+
+      cd ${freebsd-lib.mkBsdArch stdenv}/conf
+      sed -i ${cfg} \
+        -e 's/WITH_CTF=1/WITH_CTF=0/' \
+        -e '/KDTRACE/d'
+      config ${cfg}
+
+      runHook postConfigure
+    '';
+    preBuild = ''
+      cd ../compile/${cfg}
+    '';
+  }
+)
diff --git a/pkgs/os-specific/bsd/freebsd/pkgs/tsort.nix b/pkgs/os-specific/bsd/freebsd/pkgs/tsort.nix
new file mode 100644
index 0000000000000..04a45ff980cba
--- /dev/null
+++ b/pkgs/os-specific/bsd/freebsd/pkgs/tsort.nix
@@ -0,0 +1,28 @@
+{
+  lib,
+  mkDerivation,
+  bsdSetupHook,
+  freebsdSetupHook,
+  makeMinimal,
+  install,
+  mandoc,
+  groff,
+}:
+
+mkDerivation {
+  path = "usr.bin/tsort";
+  extraPaths = [ ];
+  outputs = [ "out" ];
+  MK_TESTS = "no";
+  makeFlags = [
+    "STRIP=-s" # flag to install, not command
+  ];
+  nativeBuildInputs = [
+    bsdSetupHook
+    freebsdSetupHook
+    makeMinimal
+    install
+    mandoc
+    groff
+  ];
+}
diff --git a/pkgs/os-specific/bsd/freebsd/pkgs/uudecode.nix b/pkgs/os-specific/bsd/freebsd/pkgs/uudecode.nix
new file mode 100644
index 0000000000000..7e2341913dc08
--- /dev/null
+++ b/pkgs/os-specific/bsd/freebsd/pkgs/uudecode.nix
@@ -0,0 +1,6 @@
+{ mkDerivation }:
+
+mkDerivation {
+  path = "usr.bin/uudecode";
+  MK_TESTS = "no";
+}
diff --git a/pkgs/os-specific/bsd/freebsd/pkgs/xargs-j/package.nix b/pkgs/os-specific/bsd/freebsd/pkgs/xargs-j/package.nix
new file mode 100644
index 0000000000000..3a6b0ff004287
--- /dev/null
+++ b/pkgs/os-specific/bsd/freebsd/pkgs/xargs-j/package.nix
@@ -0,0 +1,9 @@
+{ substituteAll, runtimeShell }:
+
+substituteAll {
+  name = "xargs-j";
+  shell = runtimeShell;
+  src = ./xargs-j.sh;
+  dir = "bin";
+  isExecutable = true;
+}
diff --git a/pkgs/os-specific/bsd/xargs-j.sh b/pkgs/os-specific/bsd/freebsd/pkgs/xargs-j/xargs-j.sh
index 3dd27c2cd2cd7..3dd27c2cd2cd7 100644
--- a/pkgs/os-specific/bsd/xargs-j.sh
+++ b/pkgs/os-specific/bsd/freebsd/pkgs/xargs-j/xargs-j.sh
diff --git a/pkgs/os-specific/bsd/freebsd/setup-hook.sh b/pkgs/os-specific/bsd/freebsd/setup-hook.sh
deleted file mode 100644
index 929782954ba77..0000000000000
--- a/pkgs/os-specific/bsd/freebsd/setup-hook.sh
+++ /dev/null
@@ -1,12 +0,0 @@
-setFreeBSDSrcTop() {
-  makeFlags="SRCTOP=$BSDSRCDIR $makeFlags"
-}
-
-addFreeBSDMakeFlags() {
-  makeFlags="SBINDIR=${!outputBin}/bin $makeFlags"
-  makeFlags="LIBEXECDIR=${!outputLib}/libexec $makeFlags"
-  makeFlags="INCLUDEDIR=${!outputDev}/include $makeFlags"
-}
-
-postUnpackHooks+=(setFreeBSDSrcTop)
-preConfigureHooks+=(addFreeBSDMakeFlags)
diff --git a/pkgs/os-specific/bsd/freebsd/update.py b/pkgs/os-specific/bsd/freebsd/update.py
new file mode 100755
index 0000000000000..533a871a4b04d
--- /dev/null
+++ b/pkgs/os-specific/bsd/freebsd/update.py
@@ -0,0 +1,200 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i python3 -p git "python3.withPackages (ps: with ps; [ gitpython packaging beautifulsoup4 pandas lxml ])"
+
+import bs4
+import git
+import io
+import json
+import os
+import packaging.version
+import pandas
+import re
+import subprocess
+import sys
+import tempfile
+import typing
+import urllib.request
+
+_QUERY_VERSION_PATTERN = re.compile('^([A-Z]+)="(.+)"$')
+_RELEASE_PATCH_PATTERN = re.compile('^RELEASE-p([0-9]+)$')
+BASE_DIR = os.path.dirname(os.path.abspath(__file__))
+MIN_VERSION = packaging.version.Version("13.0.0")
+MAIN_BRANCH = "main"
+TAG_PATTERN = re.compile(
+    f"^release/({packaging.version.VERSION_PATTERN})$", re.IGNORECASE | re.VERBOSE
+)
+REMOTE = "origin"
+BRANCH_PATTERN = re.compile(
+    f"^{REMOTE}/((stable|releng)/({packaging.version.VERSION_PATTERN}))$",
+    re.IGNORECASE | re.VERBOSE,
+)
+
+
+def request_supported_refs() -> list[str]:
+    # Looks pretty shady but I think this should work with every version of the page in the last 20 years
+    r = re.compile("^h\d$", re.IGNORECASE)
+    soup = bs4.BeautifulSoup(
+        urllib.request.urlopen("https://www.freebsd.org/security"), features="lxml"
+    )
+    header = soup.find(
+        lambda tag: r.match(tag.name) is not None
+        and tag.text.lower() == "supported freebsd releases"
+    )
+    table = header.find_next("table")
+    df = pandas.read_html(io.StringIO(table.prettify()))[0]
+    return list(df["Branch"])
+
+
+def query_version(repo: git.Repo) -> dict[str, typing.Any]:
+    # This only works on FreeBSD 13 and later
+    text = (
+        subprocess.check_output(
+            ["bash", os.path.join(repo.working_dir, "sys", "conf", "newvers.sh"), "-v"]
+        )
+        .decode("utf-8")
+        .strip()
+    )
+    fields = dict()
+    for line in text.splitlines():
+        m = _QUERY_VERSION_PATTERN.match(line)
+        if m is None:
+            continue
+        fields[m[1].lower()] = m[2]
+
+    parsed = packaging.version.parse(fields["revision"])
+    fields["major"] = parsed.major
+    fields["minor"] = parsed.minor
+
+    # Extract the patch number from `RELAESE-p<patch>`, which is used
+    # e.g. in the "releng" branches.
+    m = _RELEASE_PATCH_PATTERN.match(fields["branch"])
+    if m is not None:
+        fields["patch"] = m[1]
+
+    return fields
+
+
+def handle_commit(
+    repo: git.Repo,
+    rev: git.objects.commit.Commit,
+    ref_name: str,
+    ref_type: str,
+    supported_refs: list[str],
+    old_versions: dict[str, typing.Any],
+) -> dict[str, typing.Any]:
+    if old_versions.get(ref_name, {}).get("rev", None) == rev.hexsha:
+        print(f"{ref_name}: revision still {rev.hexsha}, skipping")
+        return old_versions[ref_name]
+
+    repo.git.checkout(rev)
+    print(f"{ref_name}: checked out {rev.hexsha}")
+
+    full_hash = (
+        subprocess.check_output(["nix", "hash", "path", "--sri", repo.working_dir])
+        .decode("utf-8")
+        .strip()
+    )
+    print(f"{ref_name}: hash is {full_hash}")
+
+    version = query_version(repo)
+    print(f"{ref_name}: version is {version['version']}")
+
+    return {
+        "rev": rev.hexsha,
+        "hash": full_hash,
+        "ref": ref_name,
+        "refType": ref_type,
+        "supported": ref_name in supported_refs,
+        "version": version,
+    }
+
+
+def main() -> None:
+    # Normally uses /run/user/*, which is on a tmpfs and too small
+    temp_dir = tempfile.TemporaryDirectory(dir="/tmp")
+    print(f"Selected temporary directory {temp_dir.name}")
+
+    if len(sys.argv) >= 2:
+        orig_repo = git.Repo(sys.argv[1])
+        print(f"Fetching updates on {orig_repo.git_dir}")
+        orig_repo.remote("origin").fetch()
+    else:
+        print("Cloning source repo")
+        orig_repo = git.Repo.clone_from(
+            "https://git.FreeBSD.org/src.git", to_path=os.path.join(temp_dir.name, "orig")
+        )
+
+    supported_refs = request_supported_refs()
+    print(f"Supported refs are: {' '.join(supported_refs)}")
+
+    print("Doing git crimes, do not run `git worktree prune` until after script finishes!")
+    workdir = os.path.join(temp_dir.name, "work")
+    git.cmd.Git(orig_repo.git_dir).worktree("add", "--orphan", workdir)
+
+    # Have to create object before removing .git otherwise it will complain
+    repo = git.Repo(workdir)
+    repo.git.set_persistent_git_options(git_dir=repo.git_dir)
+    # Remove so that nix hash doesn't see the file
+    os.remove(os.path.join(workdir, ".git"))
+
+    print(f"Working in directory {repo.working_dir} with git directory {repo.git_dir}")
+
+
+    try:
+        with open(os.path.join(BASE_DIR, "versions.json"), "r") as f:
+            old_versions = json.load(f)
+    except FileNotFoundError:
+        old_versions = dict()
+
+    versions = dict()
+    for tag in repo.tags:
+        m = TAG_PATTERN.match(tag.name)
+        if m is None:
+            continue
+        version = packaging.version.parse(m[1])
+        if version < MIN_VERSION:
+            print(f"Skipping old tag {tag.name} ({version})")
+            continue
+
+        print(f"Trying tag {tag.name} ({version})")
+
+        result = handle_commit(
+            repo, tag.commit, tag.name, "tag", supported_refs, old_versions
+        )
+
+        # Hack in the patch version from parsing the tag, if we didn't
+        # get one from the "branch" field (from newvers). This is
+        # probably 0.
+        versionObj = result["version"]
+        if "patch" not in versionObj:
+            versionObj["patch"] = version.micro
+
+        versions[tag.name] = result
+
+    for branch in repo.remote("origin").refs:
+        m = BRANCH_PATTERN.match(branch.name)
+        if m is not None:
+            fullname = m[1]
+            version = packaging.version.parse(m[3])
+            if version < MIN_VERSION:
+                print(f"Skipping old branch {fullname} ({version})")
+                continue
+            print(f"Trying branch {fullname} ({version})")
+        elif branch.name == f"{REMOTE}/{MAIN_BRANCH}":
+            fullname = MAIN_BRANCH
+            print(f"Trying development branch {fullname}")
+        else:
+            continue
+
+        result = handle_commit(
+            repo, branch.commit, fullname, "branch", supported_refs, old_versions
+        )
+        versions[fullname] = result
+
+
+    with open(os.path.join(BASE_DIR, "versions.json"), "w") as out:
+        json.dump(versions, out, sort_keys=True, indent=2)
+        out.write("\n")
+
+if __name__ == '__main__':
+    main()
diff --git a/pkgs/os-specific/bsd/freebsd/versions.json b/pkgs/os-specific/bsd/freebsd/versions.json
new file mode 100644
index 0000000000000..3f781b4eeaf23
--- /dev/null
+++ b/pkgs/os-specific/bsd/freebsd/versions.json
@@ -0,0 +1,233 @@
+{
+  "main": {
+    "hash": "sha256-3aUsD2yRqVvb12z2XPmhE5/u4d9bqyD2ZHH3xNmwYwU=",
+    "ref": "main",
+    "refType": "branch",
+    "rev": "aa34b1d20e44141749ffdecf16908fc1e5db4db6",
+    "supported": false,
+    "version": {
+      "branch": "CURRENT",
+      "major": 15,
+      "minor": 0,
+      "reldate": "1500018",
+      "release": "15.0-CURRENT",
+      "revision": "15.0",
+      "type": "FreeBSD",
+      "version": "FreeBSD 15.0-CURRENT"
+    }
+  },
+  "release/13.0.0": {
+    "hash": "sha256-2WYk/taxWc74uh2KJf9TzWDxUPrtkvt2nhU/qUZMu+Q=",
+    "ref": "release/13.0.0",
+    "refType": "tag",
+    "rev": "ea31abc261ffc01b6ff5671bffb15cf910a07f4b",
+    "supported": false,
+    "version": {
+      "branch": "RELEASE",
+      "major": 13,
+      "minor": 0,
+      "patch": 0,
+      "reldate": "1300139",
+      "release": "13.0-RELEASE",
+      "revision": "13.0",
+      "type": "FreeBSD",
+      "version": "FreeBSD 13.0-RELEASE"
+    }
+  },
+  "release/13.1.0": {
+    "hash": "sha256-m2aR2bwJNxsBepJ5ybWiaJp4Nwm+l0bMcn0gTSeY0JI=",
+    "ref": "release/13.1.0",
+    "refType": "tag",
+    "rev": "fc952ac2212b121aa6eefc273f5960ec3e0a466d",
+    "supported": false,
+    "version": {
+      "branch": "RELEASE",
+      "major": 13,
+      "minor": 1,
+      "patch": 0,
+      "reldate": "1301000",
+      "release": "13.1-RELEASE",
+      "revision": "13.1",
+      "type": "FreeBSD",
+      "version": "FreeBSD 13.1-RELEASE"
+    }
+  },
+  "release/13.2.0": {
+    "hash": "sha256-VuktVknlKYkklST0I5CUiH7OsDn3DVTE1W9O/IhaCkE=",
+    "ref": "release/13.2.0",
+    "refType": "tag",
+    "rev": "525ecfdad597980ea4cd59238e24c8530dbcd31d",
+    "supported": false,
+    "version": {
+      "branch": "RELEASE",
+      "major": 13,
+      "minor": 2,
+      "patch": 0,
+      "reldate": "1302001",
+      "release": "13.2-RELEASE",
+      "revision": "13.2",
+      "type": "FreeBSD",
+      "version": "FreeBSD 13.2-RELEASE"
+    }
+  },
+  "release/13.3.0": {
+    "hash": "sha256-djqHlPnGlJCi9DGtX1kTULB2EEj8YUsjGTIUDQoHzAQ=",
+    "ref": "release/13.3.0",
+    "refType": "tag",
+    "rev": "80d2b634ddf0b459910b54a04bc09f5cbc7185a7",
+    "supported": false,
+    "version": {
+      "branch": "RELEASE",
+      "major": 13,
+      "minor": 3,
+      "patch": 0,
+      "reldate": "1303001",
+      "release": "13.3-RELEASE",
+      "revision": "13.3",
+      "type": "FreeBSD",
+      "version": "FreeBSD 13.3-RELEASE"
+    }
+  },
+  "release/14.0.0": {
+    "hash": "sha256-eBKwCYcOG9Lg7gBA2gZqxQFO/3uMMrcQGtgqi8se6zA=",
+    "ref": "release/14.0.0",
+    "refType": "tag",
+    "rev": "f9716eee8ab45ad906d9b5c5233ca20c10226ca7",
+    "supported": false,
+    "version": {
+      "branch": "RELEASE",
+      "major": 14,
+      "minor": 0,
+      "patch": 0,
+      "reldate": "1400097",
+      "release": "14.0-RELEASE",
+      "revision": "14.0",
+      "type": "FreeBSD",
+      "version": "FreeBSD 14.0-RELEASE"
+    }
+  },
+  "releng/13.0": {
+    "hash": "sha256-7PrqTb2o21IQgQ2N+zjavlzX/ju60Rw+MXjMRICmQi0=",
+    "ref": "releng/13.0",
+    "refType": "branch",
+    "rev": "5fe9c9de03ef3191d216964bc4d8e427d5ed5720",
+    "supported": false,
+    "version": {
+      "branch": "RELEASE-p13",
+      "major": 13,
+      "minor": 0,
+      "patch": "13",
+      "reldate": "1300139",
+      "release": "13.0-RELEASE-p13",
+      "revision": "13.0",
+      "type": "FreeBSD",
+      "version": "FreeBSD 13.0-RELEASE-p13"
+    }
+  },
+  "releng/13.1": {
+    "hash": "sha256-9fou2HVWlpNRKkc8XToe8/aSxwbNsIZIAKpteeSjLnc=",
+    "ref": "releng/13.1",
+    "refType": "branch",
+    "rev": "39b281c2996526288c0f2ae94abe6b164bcd5954",
+    "supported": false,
+    "version": {
+      "branch": "RELEASE-p9",
+      "major": 13,
+      "minor": 1,
+      "patch": "9",
+      "reldate": "1301000",
+      "release": "13.1-RELEASE-p9",
+      "revision": "13.1",
+      "type": "FreeBSD",
+      "version": "FreeBSD 13.1-RELEASE-p9"
+    }
+  },
+  "releng/13.2": {
+    "hash": "sha256-KN508aIe02Ue4TjlonO6TmAQ7DmiOOSOYrZfg5HP9AM=",
+    "ref": "releng/13.2",
+    "refType": "branch",
+    "rev": "f5ac4e174fdd3497749e351c27aafb34171c5730",
+    "supported": true,
+    "version": {
+      "branch": "RELEASE-p11",
+      "major": 13,
+      "minor": 2,
+      "patch": "11",
+      "reldate": "1302001",
+      "release": "13.2-RELEASE-p11",
+      "revision": "13.2",
+      "type": "FreeBSD",
+      "version": "FreeBSD 13.2-RELEASE-p11"
+    }
+  },
+  "releng/13.3": {
+    "hash": "sha256-g3i9q9XihesdfQxGy3oC7IMGtbWaLNwFlNzbdvS/4ng=",
+    "ref": "releng/13.3",
+    "refType": "branch",
+    "rev": "be4f1894ef399f421bab451e8cf8557e27e5a948",
+    "supported": true,
+    "version": {
+      "branch": "RELEASE-p2",
+      "major": 13,
+      "minor": 3,
+      "patch": "2",
+      "reldate": "1303001",
+      "release": "13.3-RELEASE-p2",
+      "revision": "13.3",
+      "type": "FreeBSD",
+      "version": "FreeBSD 13.3-RELEASE-p2"
+    }
+  },
+  "releng/14.0": {
+    "hash": "sha256-15B9Nglshniokju88dEKj3BIffZ6L28L+ZuhAC3UqOI=",
+    "ref": "releng/14.0",
+    "refType": "branch",
+    "rev": "d338712beb16ad7740bbd00bd93299a131a68045",
+    "supported": true,
+    "version": {
+      "branch": "RELEASE-p6",
+      "major": 14,
+      "minor": 0,
+      "patch": "6",
+      "reldate": "1400097",
+      "release": "14.0-RELEASE-p6",
+      "revision": "14.0",
+      "type": "FreeBSD",
+      "version": "FreeBSD 14.0-RELEASE-p6"
+    }
+  },
+  "stable/13": {
+    "hash": "sha256-ItC8haDdxMSZt1thpCrn8p0xxvs7Uqh/uNo1OwMalj8=",
+    "ref": "stable/13",
+    "refType": "branch",
+    "rev": "825cb4c850f2b97cfd1b24ed421d7938bf37eee7",
+    "supported": true,
+    "version": {
+      "branch": "STABLE",
+      "major": 13,
+      "minor": 3,
+      "reldate": "1303503",
+      "release": "13.3-STABLE",
+      "revision": "13.3",
+      "type": "FreeBSD",
+      "version": "FreeBSD 13.3-STABLE"
+    }
+  },
+  "stable/14": {
+    "hash": "sha256-iAj75IXJi4Oium6BqFvsyQipDP2crBZIGg0Dac8Zf1g=",
+    "ref": "stable/14",
+    "refType": "branch",
+    "rev": "a3b8266f5420601e231bc08c5402d9a4929fbdc0",
+    "supported": true,
+    "version": {
+      "branch": "PRERELEASE",
+      "major": 14,
+      "minor": 1,
+      "reldate": "1400511",
+      "release": "14.1-PRERELEASE",
+      "revision": "14.1",
+      "type": "FreeBSD",
+      "version": "FreeBSD 14.1-PRERELEASE"
+    }
+  }
+}
diff --git a/pkgs/os-specific/bsd/lib/install-wrapper.sh b/pkgs/os-specific/bsd/lib/install-wrapper.sh
new file mode 100644
index 0000000000000..91a7a2679f209
--- /dev/null
+++ b/pkgs/os-specific/bsd/lib/install-wrapper.sh
@@ -0,0 +1,30 @@
+set -eu
+
+args=()
+declare -i path_args=0
+
+while (( $# )); do
+  if (( $# == 1 )); then
+    if (( path_args > 1)) || [[ "$1" = */ ]]; then
+      mkdir -p "$1"
+    else
+      mkdir -p "$(dirname "$1")"
+    fi
+  fi
+  case $1 in
+    -C) ;;
+    -o | -g) shift ;;
+    -s) ;;
+    -m | -l)
+      # handle next arg so not counted as path arg
+      args+=("$1" "$2")
+      shift
+      ;;
+    -*) args+=("$1") ;;
+    *)
+      path_args+=1
+      args+=("$1")
+      ;;
+  esac
+  shift
+done
diff --git a/pkgs/os-specific/bsd/netbsd/default.nix b/pkgs/os-specific/bsd/netbsd/default.nix
index 79d46732bd6c2..e0d03108960c0 100644
--- a/pkgs/os-specific/bsd/netbsd/default.nix
+++ b/pkgs/os-specific/bsd/netbsd/default.nix
@@ -1,1028 +1,187 @@
-{ stdenv, lib, stdenvNoCC
-, makeScopeWithSplicing', generateSplicesForMkScope
-, buildPackages
-, bsdSetupHook, makeSetupHook, fetchcvs, groff, mandoc, byacc, flex
-, zlib
-, writeShellScript, writeText, runtimeShell, symlinkJoin
+{
+  stdenv,
+  lib,
+  stdenvNoCC,
+  makeScopeWithSplicing',
+  generateSplicesForMkScope,
+  buildPackages,
+  fetchcvs,
 }:
 
-let
-  inherit (buildPackages.buildPackages) rsync;
-
-  fetchNetBSD = path: version: sha256: fetchcvs {
-    cvsRoot = ":pserver:anoncvs@anoncvs.NetBSD.org:/cvsroot";
-    module = "src/${path}";
-    inherit sha256;
-    tag = "netbsd-${lib.replaceStrings ["."] ["-"] version}-RELEASE";
-  };
-
-  netbsdSetupHook = makeSetupHook {
-    name = "netbsd-setup-hook";
-  } ./setup-hook.sh;
-
-  defaultMakeFlags = [
-    "MKSOFTFLOAT=${if stdenv.hostPlatform.gcc.float or (stdenv.hostPlatform.parsed.abi.float or "hard") == "soft"
-      then "yes"
-      else "no"}"
-  ];
-
-in makeScopeWithSplicing' {
+makeScopeWithSplicing' {
   otherSplices = generateSplicesForMkScope "netbsd";
-  f = (self: let
-    inherit (self) mkDerivation;
-  in {
-
-  # Why do we have splicing and yet do `nativeBuildInputs = with self; ...`?
-  #
-  # We use `makeScopeWithSplicing'` because this should be used for all
-  # nested package sets which support cross, so the inner `callPackage` works
-  # correctly. But for the inline packages we don't bother to use
-  # `callPackage`.
-  #
-  # We still could have tried to `with` a big spliced packages set, but
-  # splicing is jank and causes a number of bootstrapping infinite recursions
-  # if one is not careful. Pulling deps out of the right package set directly
-  # side-steps splicing entirely and avoids those footguns.
-  #
-  # For non-bootstrap-critical packages, we might as well use `callPackage` for
-  # consistency with everything else, and maybe put in separate files too.
-
-  compatIfNeeded = lib.optional (!stdenvNoCC.hostPlatform.isNetBSD) self.compat;
-
-  mkDerivation = lib.makeOverridable (attrs: let
-    stdenv' = if attrs.noCC or false then stdenvNoCC else stdenv;
-  in stdenv'.mkDerivation ({
-    pname = "${attrs.pname or (baseNameOf attrs.path)}-netbsd";
-    inherit (attrs) version;
-    src = fetchNetBSD attrs.path attrs.version attrs.sha256;
-
-    extraPaths = [ ];
-
-    nativeBuildInputs = with buildPackages.netbsd; [
-      bsdSetupHook netbsdSetupHook
-      makeMinimal
-      install tsort lorder buildPackages.mandoc groff statHook rsync
-    ];
-    buildInputs = with self; compatIfNeeded;
-
-    HOST_SH = stdenv'.shell;
-
-    MACHINE_ARCH = {
-      i486 = "i386";
-      i586 = "i386";
-      i686 = "i386";
-    }.${stdenv'.hostPlatform.parsed.cpu.name}
-      or stdenv'.hostPlatform.parsed.cpu.name;
-
-    MACHINE = {
-      x86_64 = "amd64";
-      aarch64 = "evbarm64";
-      i486 = "i386";
-      i586 = "i386";
-      i686 = "i386";
-    }.${stdenv'.hostPlatform.parsed.cpu.name}
-      or stdenv'.hostPlatform.parsed.cpu.name;
-
-    COMPONENT_PATH = attrs.path;
-
-    makeFlags = defaultMakeFlags;
-
-    strictDeps = true;
-
-    meta = with lib; {
-      maintainers = with maintainers; [ matthewbauer qyliss ];
-      platforms = platforms.unix;
-      license = licenses.bsd2;
-    };
-
-  } // lib.optionalAttrs stdenv'.hasCC {
-    # TODO should CC wrapper set this?
-    CPP = "${stdenv'.cc.targetPrefix}cpp";
-  } // lib.optionalAttrs stdenv'.isDarwin {
-    MKRELRO = "no";
-  } // lib.optionalAttrs (stdenv'.cc.isClang or false) {
-    HAVE_LLVM = lib.versions.major (lib.getVersion stdenv'.cc.cc);
-  } // lib.optionalAttrs (stdenv'.cc.isGNU or false) {
-    HAVE_GCC = lib.versions.major (lib.getVersion stdenv'.cc.cc);
-  } // lib.optionalAttrs (stdenv'.isx86_32) {
-    USE_SSP = "no";
-  } // lib.optionalAttrs (attrs.headersOnly or false) {
-    installPhase = "includesPhase";
-    dontBuild = true;
-  } // attrs // {
-    # Files that use NetBSD-specific macros need to have nbtool_config.h
-    # included ahead of them on non-NetBSD platforms.
-    postPatch = lib.optionalString (!stdenv'.hostPlatform.isNetBSD) ''
-      set +e
-      grep -Zlr "^__RCSID
-      ^__BEGIN_DECLS" $COMPONENT_PATH | xargs -0r grep -FLZ nbtool_config.h |
-          xargs -0tr sed -i '0,/^#/s//#include <nbtool_config.h>\n\0/'
-      set -e
-    '' + attrs.postPatch or "";
-  }));
-
-  ##
-  ## START BOOTSTRAPPING
-  ##
-  makeMinimal = mkDerivation {
-    path = "tools/make";
-    sha256 = "0fh0nrnk18m613m5blrliq2aydciv51qhc0ihsj4k63incwbk90n";
-    version = "9.2";
-
-    buildInputs = with self; [];
-    nativeBuildInputs = with buildPackages.netbsd; [ bsdSetupHook netbsdSetupHook rsync ];
-
-    skipIncludesPhase = true;
-
-    postPatch = ''
-      patchShebangs $COMPONENT_PATH/configure
-      ${self.make.postPatch}
-    '';
-
-    buildPhase = ''
-      runHook preBuild
-
-      sh ./buildmake.sh
-
-      runHook postBuild
-    '';
-
-    installPhase = ''
-      runHook preInstall
-
-      install -D nbmake $out/bin/nbmake
-      ln -s $out/bin/nbmake $out/bin/make
-      mkdir -p $out/share
-      cp -r $BSDSRCDIR/share/mk $out/share/mk
-
-      runHook postInstall
-    '';
-
-    extraPaths = with self; [ make.src ] ++ make.extraPaths;
-  };
-
-  compat = mkDerivation (let
-    version = "9.2";
-    commonDeps = [ zlib ];
-  in {
-    path = "tools/compat";
-    sha256 = "1vsxg7136nlhc72vpa664vs22874xh7ila95nkmsd8crn3z3cyn0";
-    inherit version;
-
-    setupHooks = [
-      ../../../build-support/setup-hooks/role.bash
-      ./compat-setup-hook.sh
-    ];
-
-    preConfigure = ''
-      make include/.stamp configure nbtool_config.h.in defs.mk.in
-    '';
-
-    configurePlatforms = [ "build" "host" ];
-    configureFlags = [
-      "--cache-file=config.cache"
-    ] ++ lib.optionals stdenv.hostPlatform.isMusl [
-      # We include this header in our musl package only for legacy
-      # compatibility, and compat works fine without it (and having it
-      # know about sys/cdefs.h breaks packages like glib when built
-      # statically).
-      "ac_cv_header_sys_cdefs_h=no"
-    ];
-
-    nativeBuildInputs = with buildPackages.netbsd; commonDeps ++ [
-      bsdSetupHook netbsdSetupHook
-      makeMinimal
-      rsync
-    ];
-
-    buildInputs = with self; commonDeps;
-
-    # temporarily use gnuinstall for bootstrapping
-    # bsdinstall will be built later
-    makeFlags = defaultMakeFlags ++ [
-      "INSTALL=${buildPackages.coreutils}/bin/install"
-      "DATADIR=$(out)/share"
-      # Can't sort object files yet
-      "LORDER=echo"
-      "TSORT=cat"
-      # Can't process man pages yet
-      "MKSHARE=no"
-    ] ++ lib.optionals stdenv.hostPlatform.isDarwin [
-      # GNU objcopy produces broken .a libs which won't link into dependers.
-      # Makefiles only invoke `$OBJCOPY -x/-X`, so cctools strip works here.
-      "OBJCOPY=${buildPackages.darwin.cctools-port}/bin/strip"
-    ];
-    RENAME = "-D";
-
-    passthru.tests = { netbsd-install = self.install; };
-
-    patches = [
-      ./compat-cxx-safe-header.patch
-      ./compat-dont-configure-twice.patch
-      ./compat-no-force-native.patch
-    ];
-
-    preInstall = ''
-      makeFlagsArray+=('INSTALL_FILE=''${INSTALL} ''${COPY} ''${PRESERVE} ''${RENAME}')
-      makeFlagsArray+=('INSTALL_DIR=''${INSTALL} -d')
-      makeFlagsArray+=('INSTALL_SYMLINK=''${INSTALL} ''${SYMLINK} ''${RENAME}')
-    '';
-
-    postInstall = ''
-      # why aren't these installed by netbsd?
-      install -D compat_defs.h $out/include/compat_defs.h
-      install -D $BSDSRCDIR/include/cdbw.h $out/include/cdbw.h
-      install -D $BSDSRCDIR/sys/sys/cdbr.h $out/include/cdbr.h
-      install -D $BSDSRCDIR/sys/sys/featuretest.h \
-                 $out/include/sys/featuretest.h
-      install -D $BSDSRCDIR/sys/sys/md5.h $out/include/md5.h
-      install -D $BSDSRCDIR/sys/sys/rmd160.h $out/include/rmd160.h
-      install -D $BSDSRCDIR/sys/sys/sha1.h $out/include/sha1.h
-      install -D $BSDSRCDIR/sys/sys/sha2.h $out/include/sha2.h
-      install -D $BSDSRCDIR/sys/sys/queue.h $out/include/sys/queue.h
-      install -D $BSDSRCDIR/include/vis.h $out/include/vis.h
-      install -D $BSDSRCDIR/include/db.h $out/include/db.h
-      install -D $BSDSRCDIR/include/netconfig.h $out/include/netconfig.h
-      install -D $BSDSRCDIR/include/utmpx.h $out/include/utmpx.h
-      install -D $BSDSRCDIR/include/tzfile.h $out/include/tzfile.h
-      install -D $BSDSRCDIR/sys/sys/tree.h $out/include/sys/tree.h
-      install -D $BSDSRCDIR/include/nl_types.h $out/include/nl_types.h
-      install -D $BSDSRCDIR/include/stringlist.h $out/include/stringlist.h
-
-      # Collapse includes slightly to fix dangling reference
-      install -D $BSDSRCDIR/common/include/rpc/types.h $out/include/rpc/types.h
-      sed -i '1s;^;#include "nbtool_config.h"\n;' $out/include/rpc/types.h
-   '' + lib.optionalString stdenv.isDarwin ''
-      mkdir -p $out/include/ssp
-      touch $out/include/ssp/ssp.h
-   '' + ''
-      mkdir -p $out/lib/pkgconfig
-      substitute ${./libbsd-overlay.pc} $out/lib/pkgconfig/libbsd-overlay.pc \
-        --subst-var-by out $out \
-        --subst-var-by version ${version}
-    '';
-    extraPaths = with self; [ include.src libc.src libutil.src
-      (fetchNetBSD "external/bsd/flex" "9.2" "0h98jpfj7vx5zh7vd7bk6b1hmzgkcb757a8j6d9zgygxxv13v43m")
-      (fetchNetBSD "sys/sys" "9.2" "0zawhw51klaigqqwkx0lzrx3mim2jywrc24cm7c66qsf1im9awgd")
-      (fetchNetBSD "common/include/rpc/types.h" "9.2" "0n2df12mlc3cbc48jxq35yzl1y7ghgpykvy7jnfh898rdhac7m9a")
-    ] ++ libutil.extraPaths ++ _mainLibcExtraPaths;
-  });
-
-  # HACK: to ensure parent directories exist. This emulates GNU
-  # install’s -D option. No alternative seems to exist in BSD install.
-  install = let binstall = writeShellScript "binstall" ''
-    set -eu
-    for last in "$@"; do true; done
-    mkdir -p $(dirname $last)
-    @out@/bin/xinstall "$@"
-  ''; in mkDerivation {
-    path = "usr.bin/xinstall";
-    version = "9.2";
-    sha256 = "1f6pbz3qv1qcrchdxif8p5lbmnwl8b9nq615hsd3cyl4avd5bfqj";
-    extraPaths = with self; [ mtree.src make.src ];
-    nativeBuildInputs = with buildPackages.netbsd; [
-      bsdSetupHook netbsdSetupHook
-      makeMinimal
-      mandoc groff rsync
-    ];
-    skipIncludesPhase = true;
-    buildInputs = with self; compatIfNeeded
-      # fts header is needed. glibc already has this header, but musl doesn't,
-      # so make sure pkgsMusl.netbsd.install still builds in case you want to
-      # remove it!
-      ++ [ fts ];
-    installPhase = ''
-      runHook preInstall
-
-      install -D install.1 $out/share/man/man1/install.1
-      install -D xinstall $out/bin/xinstall
-      install -D -m 0550 ${binstall} $out/bin/binstall
-      substituteInPlace $out/bin/binstall --subst-var out
-      ln -s $out/bin/binstall $out/bin/install
-
-      runHook postInstall
-    '';
-    setupHook = ./install-setup-hook.sh;
-  };
-
-  fts = mkDerivation {
-    pname = "fts";
-    path = "include/fts.h";
-    sha256 = "01d4fpxvz1pgzfk5xznz5dcm0x0gdzwcsfm1h3d0xc9kc6hj2q77";
-    version = "9.2";
-    nativeBuildInputs = with buildPackages.netbsd; [
-      bsdSetupHook netbsdSetupHook rsync
-    ];
-    propagatedBuildInputs = with self; compatIfNeeded;
-    extraPaths = with self; [
-      (fetchNetBSD "lib/libc/gen/fts.c" "9.2" "1a8hmf26242nmv05ipn3ircxb0jqmmi66rh78kkyi9vjwkfl3qn7")
-      (fetchNetBSD "lib/libc/include/namespace.h" "9.2" "0kksr3pdwdc1cplqf5z12ih4cml6l11lqrz91f7hjjm64y7785kc")
-      (fetchNetBSD "lib/libc/gen/fts.3" "9.2" "1asxw0n3fhjdadwkkq3xplfgqgl3q32w1lyrvbakfa3gs0wz5zc1")
-    ];
-    skipIncludesPhase = true;
-    buildPhase = ''
-      "$CC" -c -Iinclude -Ilib/libc/include lib/libc/gen/fts.c \
-          -o lib/libc/gen/fts.o
-      "$AR" -rsc libfts.a lib/libc/gen/fts.o
-    '';
-    installPhase = ''
-      runHook preInstall
-
-      install -D lib/libc/gen/fts.3 $out/share/man/man3/fts.3
-      install -D include/fts.h $out/include/fts.h
-      install -D lib/libc/include/namespace.h $out/include/namespace.h
-      install -D libfts.a $out/lib/libfts.a
-
-      runHook postInstall
-    '';
-    setupHooks = [
-      ../../../build-support/setup-hooks/role.bash
-      ./fts-setup-hook.sh
-    ];
-  };
-
-  # Don't add this to nativeBuildInputs directly.  Use statHook instead.
-  stat = mkDerivation {
-    path = "usr.bin/stat";
-    version = "9.2";
-    sha256 = "18nqwlndfc34qbbgqx5nffil37jfq9aw663ippasfxd2hlyc106x";
-    nativeBuildInputs = with buildPackages.netbsd; [
-      bsdSetupHook netbsdSetupHook
-      makeMinimal
-      install mandoc groff rsync
-    ];
-  };
-
-  # stat isn't in POSIX, and NetBSD stat supports a completely
-  # different range of flags than GNU stat, so including it in PATH
-  # breaks stdenv.  Work around that with a hook that will point
-  # NetBSD's build system and NetBSD stat without including it in
-  # PATH.
-  statHook = makeSetupHook {
-    name = "netbsd-stat-hook";
-  } (writeText "netbsd-stat-hook-impl" ''
-    makeFlagsArray+=(TOOL_STAT=${self.stat}/bin/stat)
-  '');
-
-  tsort = mkDerivation {
-    path = "usr.bin/tsort";
-    version = "9.2";
-    sha256 = "1dqvf9gin29nnq3c4byxc7lfd062pg7m84843zdy6n0z63hnnwiq";
-    nativeBuildInputs = with buildPackages.netbsd; [
-      bsdSetupHook netbsdSetupHook
-      makeMinimal
-      install mandoc groff rsync
-    ];
-  };
-
-  lorder = mkDerivation {
-    path = "usr.bin/lorder";
-    version = "9.2";
-    sha256 = "0rjf9blihhm0n699vr2bg88m4yjhkbxh6fxliaay3wxkgnydjwn2";
-    nativeBuildInputs = with buildPackages.netbsd; [
-      bsdSetupHook netbsdSetupHook
-      makeMinimal
-      install mandoc groff rsync
-    ];
-  };
-
-  ##
-  ## END BOOTSTRAPPING
-  ##
-
-  ##
-  ## START COMMAND LINE TOOLS
-  ##
-  make = mkDerivation {
-    path = "usr.bin/make";
-    sha256 = "0vi73yicbmbp522qzqvd979cx6zm5jakhy77xh73c1kygf8klccs";
-    version = "9.2";
-
-   postPatch = ''
-     substituteInPlace $BSDSRCDIR/share/mk/bsd.doc.mk \
-       --replace '-o ''${DOCOWN}' "" \
-       --replace '-g ''${DOCGRP}' ""
-     for mk in $BSDSRCDIR/share/mk/bsd.inc.mk $BSDSRCDIR/share/mk/bsd.kinc.mk; do
-       substituteInPlace $mk \
-         --replace '-o ''${BINOWN}' "" \
-         --replace '-g ''${BINGRP}' ""
-     done
-     substituteInPlace $BSDSRCDIR/share/mk/bsd.kmodule.mk \
-       --replace '-o ''${KMODULEOWN}' "" \
-       --replace '-g ''${KMODULEGRP}' ""
-     substituteInPlace $BSDSRCDIR/share/mk/bsd.lib.mk \
-       --replace '-o ''${LIBOWN}' "" \
-       --replace '-g ''${LIBGRP}' "" \
-       --replace '-o ''${DEBUGOWN}' "" \
-       --replace '-g ''${DEBUGGRP}' ""
-     substituteInPlace $BSDSRCDIR/share/mk/bsd.lua.mk \
-       --replace '-o ''${LIBOWN}' "" \
-       --replace '-g ''${LIBGRP}' ""
-     substituteInPlace $BSDSRCDIR/share/mk/bsd.man.mk \
-       --replace '-o ''${MANOWN}' "" \
-       --replace '-g ''${MANGRP}' ""
-     substituteInPlace $BSDSRCDIR/share/mk/bsd.nls.mk \
-       --replace '-o ''${NLSOWN}' "" \
-       --replace '-g ''${NLSGRP}' ""
-     substituteInPlace $BSDSRCDIR/share/mk/bsd.prog.mk \
-       --replace '-o ''${BINOWN}' "" \
-       --replace '-g ''${BINGRP}' "" \
-       --replace '-o ''${RUMPBINOWN}' "" \
-       --replace '-g ''${RUMPBINGRP}' "" \
-       --replace '-o ''${DEBUGOWN}' "" \
-       --replace '-g ''${DEBUGGRP}' ""
-
-      # make needs this to pick up our sys make files
-      export NIX_CFLAGS_COMPILE+=" -D_PATH_DEFSYSPATH=\"$out/share/mk\""
-
-      substituteInPlace $BSDSRCDIR/share/mk/bsd.lib.mk \
-        --replace '_INSTRANLIB=''${empty(PRESERVE):?-a "''${RANLIB} -t":}' '_INSTRANLIB='
-      substituteInPlace $BSDSRCDIR/share/mk/bsd.kinc.mk \
-        --replace /bin/rm rm
-    '' + lib.optionalString stdenv.isDarwin ''
-      substituteInPlace $BSDSRCDIR/share/mk/bsd.sys.mk \
-        --replace '-Wl,--fatal-warnings' "" \
-        --replace '-Wl,--warn-shared-textrel' ""
-    '';
-    postInstall = ''
-      make -C $BSDSRCDIR/share/mk FILESDIR=$out/share/mk install
-    '';
-    extraPaths = [
-      (fetchNetBSD "share/mk" "9.2" "0w9x77cfnm6zwy40slradzi0ip9gz80x6lk7pvnlxzsr2m5ra5sy")
-    ];
-  };
-
-  mtree = mkDerivation {
-    path = "usr.sbin/mtree";
-    version = "9.2";
-    sha256 = "04p7w540vz9npvyb8g8hcf2xa05phn1y88hsyrcz3vwanvpc0yv9";
-    extraPaths = with self; [ mknod.src ];
-  };
-
-  mknod = mkDerivation {
-    path = "sbin/mknod";
-    version = "9.2";
-    sha256 = "1d9369shzwgixz3nph991i8q5vk7hr04py3n9avbfbhzy4gndqs2";
-  };
-
-  getent = mkDerivation {
-    path = "usr.bin/getent";
-    sha256 = "1qngywcmm0y7nl8h3n8brvkxq4jw63szbci3kc1q6a6ndhycbbvr";
-    version = "9.2";
-    patches = [ ./getent.patch ];
-  };
-
-  getconf = mkDerivation {
-    path = "usr.bin/getconf";
-    sha256 = "122vslz4j3h2mfs921nr2s6m078zcj697yrb75rwp2hnw3qz4s8q";
-    version = "9.2";
-  };
-
-  locale = mkDerivation {
-    path = "usr.bin/locale";
-    version = "9.2";
-    sha256 = "0kk6v9k2bygq0wf9gbinliqzqpzs9bgxn0ndyl2wcv3hh2bmsr9p";
-    patches = [ ./locale.patch ];
-    env.NIX_CFLAGS_COMPILE = "-DYESSTR=__YESSTR -DNOSTR=__NOSTR";
-  };
-
-  rpcgen = mkDerivation {
-    path = "usr.bin/rpcgen";
-    version = "9.2";
-    sha256 = "1kfgfx54jg98wbg0d95p0rvf4w0302v8fz724b0bdackdsrd4988";
-  };
-
-  genassym = mkDerivation {
-    path = "usr.bin/genassym";
-    version = "9.2";
-    sha256 = "1acl1dz5kvh9h5806vkz2ap95rdsz7phmynh5i3x5y7agbki030c";
-  };
-
-  gencat = mkDerivation {
-    path = "usr.bin/gencat";
-    version = "9.2";
-    sha256 = "0gd463x1hg36bhr7y0xryb5jyxk0z0g7xvy8rgk82nlbnlnsbbwb";
-  };
-
-  nbperf = mkDerivation {
-    path = "usr.bin/nbperf";
-    version = "9.2";
-    sha256 = "1nxc302vgmjhm3yqdivqyfzslrg0vjpbss44s74rcryrl19mma9r";
-  };
-
-  tic = mkDerivation {
-    path = "tools/tic";
-    version = "9.2";
-    sha256 = "092y7db7k4kh2jq8qc55126r5qqvlb8lq8mhmy5ipbi36hwb4zrz";
-    HOSTPROG = "tic";
-    buildInputs = with self; compatIfNeeded;
-    nativeBuildInputs = with buildPackages.netbsd; [
-      bsdSetupHook netbsdSetupHook
-      makeMinimal
-      install mandoc groff nbperf rsync
-    ];
-    makeFlags = defaultMakeFlags ++ [ "TOOLDIR=$(out)" ];
-    extraPaths = with self; [
-      libterminfo.src
-      (fetchNetBSD "usr.bin/tic" "9.2" "1mwdfg7yx1g43ss378qsgl5rqhsxskqvsd2mqvrn38qw54i8v5i1")
-      (fetchNetBSD "tools/Makefile.host" "9.2" "15b4ab0n36lqj00j5lz2xs83g7l8isk3wx1wcapbrn66qmzz2sxy")
-    ];
-  };
-
-  uudecode = mkDerivation {
-    path = "usr.bin/uudecode";
-    version = "9.2";
-    sha256 = "00a3zmh15pg4vx6hz0kaa5mi8d2b1sj4h512d7p6wbvxq6mznwcn";
-    env.NIX_CFLAGS_COMPILE = lib.optionalString stdenv.isLinux "-DNO_BASE64";
-    NIX_LDFLAGS = lib.optional stdenv.isDarwin "-lresolv";
-  };
-
-  cksum = mkDerivation {
-    path = "usr.bin/cksum";
-    version = "9.2";
-    sha256 = "0msfhgyvh5c2jmc6qjnf12c378dhw32ffsl864qz4rdb2b98rfcq";
-    meta.platforms = lib.platforms.netbsd;
-  };
-
-  config = mkDerivation {
-    path = "usr.bin/config";
-    version = "9.2";
-    sha256 = "1yz3n4hncdkk6kp595fh2q5lg150vpqg8iw2dccydkyw4y3hgsjj";
-    env.NIX_CFLAGS_COMPILE = toString [ "-DMAKE_BOOTSTRAP" ];
-    nativeBuildInputs = with buildPackages.netbsd; [
-      bsdSetupHook netbsdSetupHook
-      makeMinimal install mandoc byacc flex rsync
-    ];
-    buildInputs = with self; compatIfNeeded;
-    extraPaths = with self; [ cksum.src ];
-  };
-  ##
-  ## END COMMAND LINE TOOLS
-  ##
-
-  ##
-  ## START HEADERS
-  ##
-  include = mkDerivation {
-    path = "include";
-    version = "9.2";
-    sha256 = "0nxnmj4c8s3hb9n3fpcmd0zl3l1nmhivqgi9a35sis943qvpgl9h";
-    nativeBuildInputs = with buildPackages.netbsd; [
-      bsdSetupHook netbsdSetupHook
-      makeMinimal
-      install mandoc groff rsync nbperf rpcgen
-    ];
-
-    # The makefiles define INCSDIR per subdirectory, so we have to set
-    # something else on the command line so those definitions aren't
-    # overridden.
-    postPatch = ''
-      find "$BSDSRCDIR" -name Makefile -exec \
-        sed -i -E \
-          -e 's_/usr/include_''${INCSDIR0}_' \
-          {} \;
-    '';
-
-    # multiple header dirs, see above
-    postConfigure = ''
-      makeFlags=''${makeFlags/INCSDIR/INCSDIR0}
-    '';
-
-    extraPaths = with self; [ common ];
-    headersOnly = true;
-    noCC = true;
-    meta.platforms = lib.platforms.netbsd;
-    makeFlags = defaultMakeFlags ++ [ "RPCGEN_CPP=${buildPackages.stdenv.cc.cc}/bin/cpp" ];
-  };
-
-  common = fetchNetBSD "common" "9.2" "1pfylz9r3ap5wnwwbwczbfjb1m5qdyspzbnmxmcdkpzz2zgj64b9";
-
-  sys-headers = mkDerivation {
-    pname = "sys-headers";
-    path = "sys";
-    version = "9.2";
-    sha256 = "03s18q8d9giipf05bx199fajc2qwikji0djz7hw63d2lya6bfnpj";
-
-    # Make the build ignore linker warnings
-    prePatch = ''
-      substituteInPlace sys/conf/Makefile.kern.inc \
-        --replace "-Wa,--fatal-warnings" ""
-    '';
-
-    patches = [
-      # Fix this error when building bootia32.efi and bootx64.efi:
-      # error: PHDR segment not covered by LOAD segment
-      ./no-dynamic-linker.patch
-
-      # multiple header dirs, see above
-      ./sys-headers-incsdir.patch
-    ];
-
-    postPatch =
-      ''
-        substituteInPlace sys/arch/i386/stand/efiboot/Makefile.efiboot \
-          --replace "-nocombreloc" "-z nocombreloc"
-      '' +
-      # multiple header dirs, see above
-      self.include.postPatch;
-
-    CONFIG = "GENERIC";
-
-    propagatedBuildInputs = with self; [ include ];
-    nativeBuildInputs = with buildPackages.netbsd; [
-      bsdSetupHook netbsdSetupHook
-      makeMinimal install tsort lorder statHook rsync uudecode config genassym
-    ];
-
-    postConfigure = ''
-      pushd arch/$MACHINE/conf
-      config $CONFIG
-      popd
-    ''
-      # multiple header dirs, see above
-      + self.include.postConfigure;
-
-    makeFlags = defaultMakeFlags ++ [ "FIRMWAREDIR=$(out)/libdata/firmware" ];
-    hardeningDisable = [ "pic" ];
-    MKKMOD = "no";
-    env.NIX_CFLAGS_COMPILE = toString [
-      "-Wno-error=array-parameter"
-      "-Wno-error=array-bounds"
-      "-Wa,--no-warn"
-    ];
-
-    postBuild = ''
-      make -C arch/$MACHINE/compile/$CONFIG $makeFlags
-    '';
-
-    postInstall = ''
-      cp arch/$MACHINE/compile/$CONFIG/netbsd $out
-    '';
-
-    meta.platforms = lib.platforms.netbsd;
-    extraPaths = with self; [ common ];
-
-    installPhase = "includesPhase";
-    dontBuild = true;
-    noCC = true;
-  };
-
-  # The full kernel. We do the funny thing of overridding the headers to the
-  # full kernal and not vice versa to avoid infinite recursion -- the headers
-  # come earlier in the bootstrap.
-  sys = self.sys-headers.override {
-    pname = "sys";
-    installPhase = null;
-    noCC = false;
-    dontBuild = false;
-  };
-
-  headers = symlinkJoin {
-    name = "netbsd-headers-9.2";
-    paths = with self; [
-      include
-      sys-headers
-      libpthread-headers
-    ];
-    meta.platforms = lib.platforms.netbsd;
-  };
-  ##
-  ## END HEADERS
-  ##
-
-  ##
-  ## START LIBRARIES
-  ##
-  libarch = mkDerivation {
-    path = "lib/libarch";
-    version = "9.2";
-    sha256 = "6ssenRhuSwp0Jn71ErT0PrEoCJ+cIYRztwdL4QTDZsQ=";
-    meta.platforms = lib.platforms.netbsd;
-  };
-
-  libutil = mkDerivation {
-    path = "lib/libutil";
-    version = "9.2";
-    sha256 = "02gm5a5zhh8qp5r5q5r7x8x6x50ir1i0ncgsnfwh1vnrz6mxbq7z";
-    extraPaths = with self; [ common libc.src sys.src ];
-    nativeBuildInputs = with buildPackages.netbsd; [
-      bsdSetupHook netbsdSetupHook
-      makeMinimal
-      byacc install tsort lorder mandoc statHook rsync
-    ];
-    buildInputs = with self; [ headers ];
-    SHLIBINSTALLDIR = "$(out)/lib";
-  };
-
-  libedit = mkDerivation {
-    path = "lib/libedit";
-    version = "9.2";
-    sha256 = "1wqhngraxwqk4jgrf5f18jy195yrp7c06n1gf31pbplq79mg1bcj";
-    buildInputs = with self; [ libterminfo libcurses ];
-    propagatedBuildInputs = with self; compatIfNeeded;
-    SHLIBINSTALLDIR = "$(out)/lib";
-    makeFlags = defaultMakeFlags ++ [ "LIBDO.terminfo=${self.libterminfo}/lib" ];
-    postPatch = ''
-      sed -i '1i #undef bool_t' $COMPONENT_PATH/el.h
-      substituteInPlace $COMPONENT_PATH/config.h \
-        --replace "#define HAVE_STRUCT_DIRENT_D_NAMLEN 1" ""
-      substituteInPlace $COMPONENT_PATH/readline/Makefile --replace /usr/include "$out/include"
-    '';
-    env.NIX_CFLAGS_COMPILE = toString [
-      "-D__noinline="
-      "-D__scanflike(a,b)="
-      "-D__va_list=va_list"
-    ];
-  };
-
-  libterminfo = mkDerivation {
-    path = "lib/libterminfo";
-    version = "9.2";
-    sha256 = "0pq05k3dj0dfsczv07frnnji92mazmy2qqngqbx2zgqc1x251414";
-    nativeBuildInputs = with buildPackages.netbsd; [
-      bsdSetupHook netbsdSetupHook
-      makeMinimal install tsort lorder mandoc statHook nbperf tic rsync
-    ];
-    buildInputs = with self; compatIfNeeded;
-    SHLIBINSTALLDIR = "$(out)/lib";
-    postPatch = ''
-      substituteInPlace $COMPONENT_PATH/term.c --replace /usr/share $out/share
-      substituteInPlace $COMPONENT_PATH/setupterm.c \
-        --replace '#include <curses.h>' 'void use_env(bool);'
-    '';
-    postBuild = ''
-      make -C $BSDSRCDIR/share/terminfo $makeFlags BINDIR=$out/share
-    '';
-    postInstall = ''
-      make -C $BSDSRCDIR/share/terminfo $makeFlags BINDIR=$out/share install
-    '';
-    extraPaths = with self; [
-      (fetchNetBSD "share/terminfo" "9.2" "1vh9rl4w8118a9qdpblfxmv1wkpm83rm9gb4rzz5bpm56i6d7kk7")
-    ];
-  };
-
-  libcurses = mkDerivation {
-    path = "lib/libcurses";
-    version = "9.2";
-    sha256 = "0pd0dggl3w4bv5i5h0s1wrc8hr66n4hkv3zlklarwfdhc692fqal";
-    buildInputs = with self; [ libterminfo ];
-    env.NIX_CFLAGS_COMPILE = toString ([
-      "-D__scanflike(a,b)="
-      "-D__va_list=va_list"
-      "-D__warn_references(a,b)="
-    ] ++ lib.optional stdenv.isDarwin "-D__strong_alias(a,b)=");
-    propagatedBuildInputs = with self; compatIfNeeded;
-    MKDOC = "no"; # missing vfontedpr
-    makeFlags = defaultMakeFlags ++ [ "LIBDO.terminfo=${self.libterminfo}/lib" ];
-    postPatch = lib.optionalString (!stdenv.isDarwin) ''
-      substituteInPlace $COMPONENT_PATH/printw.c \
-        --replace "funopen(win, NULL, __winwrite, NULL, NULL)" NULL \
-        --replace "__strong_alias(vwprintw, vw_printw)" 'extern int vwprintw(WINDOW*, const char*, va_list) __attribute__ ((alias ("vw_printw")));'
-      substituteInPlace $COMPONENT_PATH/scanw.c \
-        --replace "__strong_alias(vwscanw, vw_scanw)" 'extern int vwscanw(WINDOW*, const char*, va_list) __attribute__ ((alias ("vw_scanw")));'
-    '';
-  };
-
-  column = mkDerivation {
-    path = "usr.bin/column";
-    version = "9.2";
-    sha256 = "0r6b0hjn5ls3j3sv6chibs44fs32yyk2cg8kh70kb4cwajs4ifyl";
-  };
-
-  libossaudio = mkDerivation {
-    path = "lib/libossaudio";
-    version = "9.2";
-    sha256 = "16l3bfy6dcwqnklvh3x0ps8ld1y504vf57v9rx8f9adzhb797jh0";
-    meta.platforms = lib.platforms.netbsd;
-  };
-
-  librpcsvc = mkDerivation {
-    path = "lib/librpcsvc";
-    version = "9.2";
-    sha256 = "1q34pfiyjbrgrdqm46jwrsqms49ly6z3b0xh1wg331zga900vq5n";
-    makeFlags = defaultMakeFlags ++ [ "INCSDIR=$(out)/include/rpcsvc" ];
-    meta.platforms = lib.platforms.netbsd;
-    nativeBuildInputs = with buildPackages.netbsd; [
-      bsdSetupHook netbsdSetupHook
-      makeMinimal
-      install tsort lorder rpcgen statHook
-    ];
-  };
-
-  librt = mkDerivation {
-    path = "lib/librt";
-    version = "9.2";
-    sha256 = "07f8mpjcqh5kig5z5sp97fg55mc4dz6aa1x5g01nv2pvbmqczxc6";
-    meta.platforms = lib.platforms.netbsd;
-    extraPaths = with self; [ libc.src ] ++ libc.extraPaths;
-    postPatch = ''
-      sed -i 's,/usr\(/include/sys/syscall.h\),${self.headers}\1,g' \
-        $BSDSRCDIR/lib/{libc,librt}/sys/Makefile.inc
-    '';
-  };
-
-  libcrypt = mkDerivation {
-    path = "lib/libcrypt";
-    version = "9.2";
-    sha256 = "0siqan1wdqmmhchh2n8w6a8x1abbff8n4yb6jrqxap3hqn8ay54g";
-    SHLIBINSTALLDIR = "$(out)/lib";
-    meta.platforms = lib.platforms.netbsd;
-  };
-
-  libpci = mkDerivation {
-    pname = "libpci";
-    path = "lib/libpci";
-    version = "9.2";
-    sha256 = "+IOEO1Bw3/H3iCp3uk3bwsFZbvCqN5Ciz70irnPl8E8=";
-    env.NIX_CFLAGS_COMPILE = toString [ "-I." ];
-    meta.platforms = lib.platforms.netbsd;
-    extraPaths = with self; [ sys.src ];
-  };
-
-  libpthread-headers = mkDerivation {
-    pname = "libpthread-headers";
-    path = "lib/libpthread";
-    version = "9.2";
-    sha256 = "0mlmc31k509dwfmx5s2x010wxjc44mr6y0cbmk30cfipqh8c962h";
-    installPhase = "includesPhase";
-    dontBuild = true;
-    noCC = true;
-    meta.platforms = lib.platforms.netbsd;
-  };
-
-  libpthread = self.libpthread-headers.override {
-    pname = "libpthread";
-    installPhase = null;
-    noCC = false;
-    dontBuild = false;
-    buildInputs = with self; [ headers ];
-    SHLIBINSTALLDIR = "$(out)/lib";
-    extraPaths = with self; [ common libc.src librt.src sys.src ];
-  };
-
-  libresolv = mkDerivation {
-    path = "lib/libresolv";
-    version = "9.2";
-    sha256 = "1am74s74mf1ynwz3p4ncjkg63f78a1zjm983q166x4sgzps15626";
-    meta.platforms = lib.platforms.netbsd;
-    extraPaths = with self; [ libc.src ];
-  };
-
-  libm = mkDerivation {
-    path = "lib/libm";
-    version = "9.2";
-    sha256 = "1apwfr26shdmbqqnmg7hxf7bkfxw44ynqnnnghrww9bnhqdnsy92";
-    SHLIBINSTALLDIR = "$(out)/lib";
-    meta.platforms = lib.platforms.netbsd;
-    extraPaths = with self; [ sys.src ];
-  };
-
-  i18n_module = mkDerivation {
-    path = "lib/i18n_module";
-    version = "9.2";
-    sha256 = "0w6y5v3binm7gf2kn7y9jja8k18rhnyl55cvvfnfipjqdxvxd9jd";
-    meta.platforms = lib.platforms.netbsd;
-    extraPaths = with self; [ libc.src ];
-  };
-
-  csu = mkDerivation {
-    path = "lib/csu";
-    version = "9.2";
-    sha256 = "0al5jfazvhlzn9hvmnrbchx4d0gm282hq5gp4xs2zmj9ycmf6d03";
-    meta.platforms = lib.platforms.netbsd;
-    nativeBuildInputs = with buildPackages.netbsd; [
-      bsdSetupHook netbsdSetupHook
-      makeMinimal
-      install mandoc groff flex
-      byacc genassym gencat lorder tsort statHook rsync
-    ];
-    buildInputs = with self; [ headers ];
-    extraPaths = with self; [ sys.src ld_elf_so.src ];
-  };
-
-  ld_elf_so = mkDerivation {
-    path  = "libexec/ld.elf_so";
-    version = "9.2";
-    sha256 = "0ia9mqzdljly0vqfwflm5mzz55k7qsr4rw2bzhivky6k30vgirqa";
-    meta.platforms = lib.platforms.netbsd;
-    LIBC_PIC = "${self.libc}/lib/libc_pic.a";
-    # Hack to prevent a symlink being installed here for compatibility.
-    SHLINKINSTALLDIR = "/usr/libexec";
-    USE_FORT = "yes";
-    makeFlags = defaultMakeFlags ++ [ "BINDIR=$(out)/libexec" "CLIBOBJ=${self.libc}/lib" ];
-    extraPaths = with self; [ libc.src ] ++ libc.extraPaths;
-  };
-
-  _mainLibcExtraPaths = with self; [
-      common i18n_module.src sys.src
-      ld_elf_so.src libpthread.src libm.src libresolv.src
-      librpcsvc.src libutil.src librt.src libcrypt.src
-  ];
-
-  libc = mkDerivation {
-    path = "lib/libc";
-    version = "9.2";
-    sha256 = "1y9c13igg0kai07sqvf9cm6yqmd8lhfd8hq3q7biilbgs1l99as3";
-    USE_FORT = "yes";
-    MKPROFILE = "no";
-    extraPaths = with self; _mainLibcExtraPaths ++ [
-      (fetchNetBSD "external/bsd/jemalloc" "9.2" "0cq704swa0h2yxv4gc79z2lwxibk9k7pxh3q5qfs7axx3jx3n8kb")
-    ];
-    nativeBuildInputs = with buildPackages.netbsd; [
-      bsdSetupHook netbsdSetupHook
-      makeMinimal
-      install mandoc groff flex
-      byacc genassym gencat lorder tsort statHook rsync rpcgen
-    ];
-    buildInputs = with self; [ headers csu ];
-    env.NIX_CFLAGS_COMPILE = "-B${self.csu}/lib -fcommon";
-    meta.platforms = lib.platforms.netbsd;
-    SHLIBINSTALLDIR = "$(out)/lib";
-    MKPICINSTALL = "yes";
-    NLSDIR = "$(out)/share/nls";
-    makeFlags = defaultMakeFlags ++ [ "FILESDIR=$(out)/var/db"];
-    postInstall = ''
-      pushd ${self.headers}
-      find . -type d -exec mkdir -p $out/\{} \;
-      find . \( -type f -o -type l \) -exec cp -pr \{} $out/\{} \;
-      popd
-
-      pushd ${self.csu}
-      find . -type d -exec mkdir -p $out/\{} \;
-      find . \( -type f -o -type l \) -exec cp -pr \{} $out/\{} \;
-      popd
-
-      NIX_CFLAGS_COMPILE+=" -B$out/lib"
-      NIX_CFLAGS_COMPILE+=" -I$out/include"
-      NIX_LDFLAGS+=" -L$out/lib"
-
-      make -C $BSDSRCDIR/lib/libpthread $makeFlags
-      make -C $BSDSRCDIR/lib/libpthread $makeFlags install
-
-      make -C $BSDSRCDIR/lib/libm $makeFlags
-      make -C $BSDSRCDIR/lib/libm $makeFlags install
-
-      make -C $BSDSRCDIR/lib/libresolv $makeFlags
-      make -C $BSDSRCDIR/lib/libresolv $makeFlags install
-
-      make -C $BSDSRCDIR/lib/librpcsvc $makeFlags
-      make -C $BSDSRCDIR/lib/librpcsvc $makeFlags install
-
-      make -C $BSDSRCDIR/lib/i18n_module $makeFlags
-      make -C $BSDSRCDIR/lib/i18n_module $makeFlags install
-
-      make -C $BSDSRCDIR/lib/libutil $makeFlags
-      make -C $BSDSRCDIR/lib/libutil $makeFlags install
-
-      make -C $BSDSRCDIR/lib/librt $makeFlags
-      make -C $BSDSRCDIR/lib/librt $makeFlags install
-
-      make -C $BSDSRCDIR/lib/libcrypt $makeFlags
-      make -C $BSDSRCDIR/lib/libcrypt $makeFlags install
-    '';
-    inherit (self.librt) postPatch;
-  };
-  #
-  # END LIBRARIES
-  #
-
-  #
-  # START MISCELLANEOUS
-  #
-  dict = mkDerivation {
-    path = "share/dict";
-    noCC = true;
-    version = "9.2";
-    sha256 = "0svfc0byk59ri37pyjslv4c4rc7zw396r73mr593i78d39q5g3ad";
-    makeFlags = defaultMakeFlags ++ [ "BINDIR=$(out)/share" ];
-  };
-
-  misc = mkDerivation {
-    path = "share/misc";
-    noCC = true;
-    version = "9.2";
-    sha256 = "1j2cdssdx6nncv8ffj7f7ybl7m9hadjj8vm8611skqdvxnjg6nbc";
-    makeFlags = defaultMakeFlags ++ [ "BINDIR=$(out)/share" ];
-  };
-
-  man = mkDerivation {
-    path = "share/man";
-    noCC = true;
-    version = "9.2";
-    sha256 = "1l4lmj4kmg8dl86x94sr45w0xdnkz8dn4zjx0ipgr9bnq98663zl";
-    # man0 generates a man.pdf using ps2pdf, but doesn't install it later,
-    # so we can avoid the dependency on ghostscript
-    postPatch = ''
-      substituteInPlace $COMPONENT_PATH/man0/Makefile --replace "ps2pdf" "echo noop "
-    '';
-    makeFlags = defaultMakeFlags ++ [
-      "FILESDIR=$(out)/share"
-      "MKRUMP=no" # would require to have additional path sys/rump/share/man
-    ];
-  };
-  #
-  # END MISCELLANEOUS
-  #
-
-});
+  f = (
+    self:
+    lib.packagesFromDirectoryRecursive {
+      callPackage = self.callPackage;
+      directory = ./pkgs;
+    }
+    // {
+
+      fetchNetBSD =
+        path: version: sha256:
+        fetchcvs {
+          cvsRoot = ":pserver:anoncvs@anoncvs.NetBSD.org:/cvsroot";
+          module = "src/${path}";
+          inherit sha256;
+          tag = "netbsd-${lib.replaceStrings [ "." ] [ "-" ] version}-RELEASE";
+        };
+
+      defaultMakeFlags = [
+        "MKSOFTFLOAT=${
+          if stdenv.hostPlatform.gcc.float or (stdenv.hostPlatform.parsed.abi.float or "hard") == "soft" then
+            "yes"
+          else
+            "no"
+        }"
+      ];
+
+      compatIfNeeded = lib.optional (!stdenvNoCC.hostPlatform.isNetBSD) self.compat;
+
+      # The manual callPackages below should in principle be unnecessary because
+      # they're just selecting arguments that would be selected anyway. However,
+      # if we don't perform these manual calls, we get infinite recursion issues
+      # because of the splices.
+
+      mkDerivation = self.callPackage ./pkgs/mkDerivation.nix {
+        inherit stdenv stdenvNoCC;
+        inherit (buildPackages.netbsd)
+          netbsdSetupHook
+          makeMinimal
+          install
+          tsort
+          lorder
+          ;
+        inherit (buildPackages) mandoc;
+        inherit (buildPackages.buildPackages) rsync;
+      };
+
+      makeMinimal = self.callPackage ./pkgs/makeMinimal.nix { inherit (self) make; };
+
+      compat = self.callPackage ./pkgs/compat/package.nix {
+        inherit (buildPackages) coreutils;
+        inherit (buildPackages.darwin) cctools-port;
+        inherit (buildPackages.buildPackages) rsync;
+        inherit (buildPackages.netbsd) makeMinimal;
+        inherit (self)
+          install
+          include
+          libc
+          libutil
+          ;
+      };
+
+      install = self.callPackage ./pkgs/install/package.nix {
+        inherit (self)
+          fts
+          mtree
+          make
+          compatIfNeeded
+          ;
+        inherit (buildPackages.buildPackages) rsync;
+        inherit (buildPackages.netbsd) makeMinimal;
+      };
+
+      # See note in pkgs/stat/package.nix
+      stat = self.callPackage ./pkgs/stat/package.nix {
+        inherit (buildPackages.netbsd) makeMinimal install;
+        inherit (buildPackages.buildPackages) rsync;
+      };
+
+      # See note in pkgs/stat/hook.nix
+      statHook = self.callPackage ./pkgs/stat/hook.nix { inherit (self) stat; };
+
+      tsort = self.callPackage ./pkgs/tsort.nix {
+        inherit (buildPackages.netbsd) makeMinimal install;
+        inherit (buildPackages.buildPackages) rsync;
+      };
+
+      lorder = self.callPackage ./pkgs/lorder.nix {
+        inherit (buildPackages.netbsd) makeMinimal install;
+        inherit (buildPackages.buildPackages) rsync;
+      };
+
+      config = self.callPackage ./pkgs/config.nix {
+        inherit (buildPackages.netbsd) makeMinimal install;
+        inherit (buildPackages.buildPackages) rsync;
+        inherit (self) cksum;
+      };
+
+      include = self.callPackage ./pkgs/include.nix {
+        inherit (buildPackages.netbsd)
+          makeMinimal
+          install
+          nbperf
+          rpcgen
+          ;
+        inherit (buildPackages) stdenv;
+        inherit (buildPackages.buildPackages) rsync;
+      };
+
+      sys-headers = self.callPackage ./pkgs/sys/headers.nix {
+        inherit (buildPackages.netbsd)
+          makeMinimal
+          install
+          tsort
+          lorder
+          statHook
+          uudecode
+          config
+          genassym
+          ;
+        inherit (buildPackages.buildPackages) rsync;
+      };
+
+      libutil = self.callPackage ./pkgs/libutil.nix { inherit (self) libc sys; };
+
+      libpthread-headers = self.callPackage ./pkgs/libpthread/headers.nix { };
+
+      csu = self.callPackage ./pkgs/csu.nix {
+        inherit (self) headers sys ld_elf_so;
+        inherit (buildPackages.netbsd)
+          netbsdSetupHook
+          makeMinimal
+          install
+          genassym
+          gencat
+          lorder
+          tsort
+          statHook
+          ;
+        inherit (buildPackages.buildPackages) rsync;
+      };
+
+      _mainLibcExtraPaths = with self; [
+        common
+        i18n_module.src
+        sys.src
+        ld_elf_so.src
+        libpthread.src
+        libm.src
+        libresolv.src
+        librpcsvc.src
+        libutil.src
+        librt.src
+        libcrypt.src
+      ];
+
+      libc = self.callPackage ./pkgs/libc.nix {
+        inherit (self) headers csu librt;
+        inherit (buildPackages.netbsd)
+          netbsdSetupHook
+          makeMinimal
+          install
+          genassym
+          gencat
+          lorder
+          tsort
+          statHook
+          rpcgen
+          ;
+        inherit (buildPackages.buildPackages) rsync;
+      };
+
+      mtree = self.callPackage ./pkgs/mtree.nix { inherit (self) mknod; };
+    }
+  );
 }
diff --git a/pkgs/os-specific/bsd/netbsd/pkgs/cksum.nix b/pkgs/os-specific/bsd/netbsd/pkgs/cksum.nix
new file mode 100644
index 0000000000000..a2ec387501ae1
--- /dev/null
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/cksum.nix
@@ -0,0 +1,8 @@
+{ lib, mkDerivation }:
+
+mkDerivation {
+  path = "usr.bin/cksum";
+  version = "9.2";
+  sha256 = "0msfhgyvh5c2jmc6qjnf12c378dhw32ffsl864qz4rdb2b98rfcq";
+  meta.platforms = lib.platforms.netbsd;
+}
diff --git a/pkgs/os-specific/bsd/netbsd/pkgs/column.nix b/pkgs/os-specific/bsd/netbsd/pkgs/column.nix
new file mode 100644
index 0000000000000..f3cebfa9ab261
--- /dev/null
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/column.nix
@@ -0,0 +1,7 @@
+{ mkDerivation }:
+
+mkDerivation {
+  path = "usr.bin/column";
+  version = "9.2";
+  sha256 = "0r6b0hjn5ls3j3sv6chibs44fs32yyk2cg8kh70kb4cwajs4ifyl";
+}
diff --git a/pkgs/os-specific/bsd/netbsd/pkgs/common.nix b/pkgs/os-specific/bsd/netbsd/pkgs/common.nix
new file mode 100644
index 0000000000000..464fc1c9e0c26
--- /dev/null
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/common.nix
@@ -0,0 +1,3 @@
+{ fetchNetBSD }:
+
+fetchNetBSD "common" "9.2" "1pfylz9r3ap5wnwwbwczbfjb1m5qdyspzbnmxmcdkpzz2zgj64b9"
diff --git a/pkgs/os-specific/bsd/netbsd/compat-cxx-safe-header.patch b/pkgs/os-specific/bsd/netbsd/pkgs/compat/compat-cxx-safe-header.patch
index 2aaa90b76146b..2aaa90b76146b 100644
--- a/pkgs/os-specific/bsd/netbsd/compat-cxx-safe-header.patch
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/compat/compat-cxx-safe-header.patch
diff --git a/pkgs/os-specific/bsd/netbsd/compat-dont-configure-twice.patch b/pkgs/os-specific/bsd/netbsd/pkgs/compat/compat-dont-configure-twice.patch
index 2758e256a6168..2758e256a6168 100644
--- a/pkgs/os-specific/bsd/netbsd/compat-dont-configure-twice.patch
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/compat/compat-dont-configure-twice.patch
diff --git a/pkgs/os-specific/bsd/netbsd/compat-no-force-native.patch b/pkgs/os-specific/bsd/netbsd/pkgs/compat/compat-no-force-native.patch
index 117fb7e042982..117fb7e042982 100644
--- a/pkgs/os-specific/bsd/netbsd/compat-no-force-native.patch
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/compat/compat-no-force-native.patch
diff --git a/pkgs/os-specific/bsd/netbsd/compat-setup-hook.sh b/pkgs/os-specific/bsd/netbsd/pkgs/compat/compat-setup-hook.sh
index acd90b7aa2f0e..acd90b7aa2f0e 100644
--- a/pkgs/os-specific/bsd/netbsd/compat-setup-hook.sh
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/compat/compat-setup-hook.sh
diff --git a/pkgs/os-specific/bsd/netbsd/libbsd-overlay.pc b/pkgs/os-specific/bsd/netbsd/pkgs/compat/libbsd-overlay.pc
index 3aadabe508822..3aadabe508822 100644
--- a/pkgs/os-specific/bsd/netbsd/libbsd-overlay.pc
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/compat/libbsd-overlay.pc
diff --git a/pkgs/os-specific/bsd/netbsd/pkgs/compat/package.nix b/pkgs/os-specific/bsd/netbsd/pkgs/compat/package.nix
new file mode 100644
index 0000000000000..4c149e95c1ae6
--- /dev/null
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/compat/package.nix
@@ -0,0 +1,146 @@
+{
+  lib,
+  mkDerivation,
+  stdenv,
+  zlib,
+  defaultMakeFlags,
+  coreutils,
+  cctools-port,
+  include,
+  libc,
+  libutil,
+  install,
+  bsdSetupHook,
+  netbsdSetupHook,
+  makeMinimal,
+  rsync,
+  fetchNetBSD,
+  _mainLibcExtraPaths,
+}:
+
+mkDerivation (
+  let
+    version = "9.2";
+    commonDeps = [ zlib ];
+  in
+  {
+    path = "tools/compat";
+    sha256 = "1vsxg7136nlhc72vpa664vs22874xh7ila95nkmsd8crn3z3cyn0";
+    inherit version;
+
+    setupHooks = [
+      ../../../../../build-support/setup-hooks/role.bash
+      ./compat-setup-hook.sh
+    ];
+
+    preConfigure = ''
+      make include/.stamp configure nbtool_config.h.in defs.mk.in
+    '';
+
+    configurePlatforms = [
+      "build"
+      "host"
+    ];
+    configureFlags =
+      [ "--cache-file=config.cache" ]
+      ++ lib.optionals stdenv.hostPlatform.isMusl [
+        # We include this header in our musl package only for legacy
+        # compatibility, and compat works fine without it (and having it
+        # know about sys/cdefs.h breaks packages like glib when built
+        # statically).
+        "ac_cv_header_sys_cdefs_h=no"
+      ];
+
+    nativeBuildInputs = commonDeps ++ [
+      bsdSetupHook
+      netbsdSetupHook
+      makeMinimal
+      rsync
+    ];
+
+    buildInputs = commonDeps;
+
+    # temporarily use gnuinstall for bootstrapping
+    # bsdinstall will be built later
+    makeFlags =
+      defaultMakeFlags
+      ++ [
+        "INSTALL=${coreutils}/bin/install"
+        "DATADIR=$(out)/share"
+        # Can't sort object files yet
+        "LORDER=echo"
+        "TSORT=cat"
+        # Can't process man pages yet
+        "MKSHARE=no"
+      ]
+      ++ lib.optionals stdenv.hostPlatform.isDarwin [
+        # GNU objcopy produces broken .a libs which won't link into dependers.
+        # Makefiles only invoke `$OBJCOPY -x/-X`, so cctools strip works here.
+        "OBJCOPY=${cctools-port}/bin/strip"
+      ];
+    RENAME = "-D";
+
+    passthru.tests = {
+      netbsd-install = install;
+    };
+
+    patches = [
+      ./compat-cxx-safe-header.patch
+      ./compat-dont-configure-twice.patch
+      ./compat-no-force-native.patch
+    ];
+
+    preInstall = ''
+      makeFlagsArray+=('INSTALL_FILE=''${INSTALL} ''${COPY} ''${PRESERVE} ''${RENAME}')
+      makeFlagsArray+=('INSTALL_DIR=''${INSTALL} -d')
+      makeFlagsArray+=('INSTALL_SYMLINK=''${INSTALL} ''${SYMLINK} ''${RENAME}')
+    '';
+
+    postInstall =
+      ''
+        # why aren't these installed by netbsd?
+        install -D compat_defs.h $out/include/compat_defs.h
+        install -D $BSDSRCDIR/include/cdbw.h $out/include/cdbw.h
+        install -D $BSDSRCDIR/sys/sys/cdbr.h $out/include/cdbr.h
+        install -D $BSDSRCDIR/sys/sys/featuretest.h \
+                   $out/include/sys/featuretest.h
+        install -D $BSDSRCDIR/sys/sys/md5.h $out/include/md5.h
+        install -D $BSDSRCDIR/sys/sys/rmd160.h $out/include/rmd160.h
+        install -D $BSDSRCDIR/sys/sys/sha1.h $out/include/sha1.h
+        install -D $BSDSRCDIR/sys/sys/sha2.h $out/include/sha2.h
+        install -D $BSDSRCDIR/sys/sys/queue.h $out/include/sys/queue.h
+        install -D $BSDSRCDIR/include/vis.h $out/include/vis.h
+        install -D $BSDSRCDIR/include/db.h $out/include/db.h
+        install -D $BSDSRCDIR/include/netconfig.h $out/include/netconfig.h
+        install -D $BSDSRCDIR/include/utmpx.h $out/include/utmpx.h
+        install -D $BSDSRCDIR/include/tzfile.h $out/include/tzfile.h
+        install -D $BSDSRCDIR/sys/sys/tree.h $out/include/sys/tree.h
+        install -D $BSDSRCDIR/include/nl_types.h $out/include/nl_types.h
+        install -D $BSDSRCDIR/include/stringlist.h $out/include/stringlist.h
+
+        # Collapse includes slightly to fix dangling reference
+        install -D $BSDSRCDIR/common/include/rpc/types.h $out/include/rpc/types.h
+        sed -i '1s;^;#include "nbtool_config.h"\n;' $out/include/rpc/types.h
+      ''
+      + lib.optionalString stdenv.isDarwin ''
+        mkdir -p $out/include/ssp
+        touch $out/include/ssp/ssp.h
+      ''
+      + ''
+        mkdir -p $out/lib/pkgconfig
+        substitute ${./libbsd-overlay.pc} $out/lib/pkgconfig/libbsd-overlay.pc \
+          --subst-var-by out $out \
+          --subst-var-by version ${version}
+      '';
+    extraPaths = [
+      include.src
+      libc.src
+      libutil.src
+      (fetchNetBSD "external/bsd/flex" "9.2" "0h98jpfj7vx5zh7vd7bk6b1hmzgkcb757a8j6d9zgygxxv13v43m")
+      (fetchNetBSD "sys/sys" "9.2" "0zawhw51klaigqqwkx0lzrx3mim2jywrc24cm7c66qsf1im9awgd")
+      (fetchNetBSD "common/include/rpc/types.h" "9.2"
+        "0n2df12mlc3cbc48jxq35yzl1y7ghgpykvy7jnfh898rdhac7m9a"
+      )
+    ] ++ libutil.extraPaths ++ _mainLibcExtraPaths;
+  }
+)
diff --git a/pkgs/os-specific/bsd/netbsd/pkgs/config.nix b/pkgs/os-specific/bsd/netbsd/pkgs/config.nix
new file mode 100644
index 0000000000000..c423f3ca86760
--- /dev/null
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/config.nix
@@ -0,0 +1,31 @@
+{
+  mkDerivation,
+  bsdSetupHook,
+  netbsdSetupHook,
+  makeMinimal,
+  install,
+  mandoc,
+  byacc,
+  flex,
+  rsync,
+  compatIfNeeded,
+  cksum,
+}:
+mkDerivation {
+  path = "usr.bin/config";
+  version = "9.2";
+  sha256 = "1yz3n4hncdkk6kp595fh2q5lg150vpqg8iw2dccydkyw4y3hgsjj";
+  env.NIX_CFLAGS_COMPILE = toString [ "-DMAKE_BOOTSTRAP" ];
+  nativeBuildInputs = [
+    bsdSetupHook
+    netbsdSetupHook
+    makeMinimal
+    install
+    mandoc
+    byacc
+    flex
+    rsync
+  ];
+  buildInputs = compatIfNeeded;
+  extraPaths = [ cksum.src ];
+}
diff --git a/pkgs/os-specific/bsd/netbsd/pkgs/csu.nix b/pkgs/os-specific/bsd/netbsd/pkgs/csu.nix
new file mode 100644
index 0000000000000..66443331490f5
--- /dev/null
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/csu.nix
@@ -0,0 +1,49 @@
+{
+  lib,
+  mkDerivation,
+  bsdSetupHook,
+  netbsdSetupHook,
+  makeMinimal,
+  install,
+  mandoc,
+  groff,
+  flex,
+  byacc,
+  genassym,
+  gencat,
+  lorder,
+  tsort,
+  statHook,
+  rsync,
+  headers,
+  sys,
+  ld_elf_so,
+}:
+
+mkDerivation {
+  path = "lib/csu";
+  version = "9.2";
+  sha256 = "0al5jfazvhlzn9hvmnrbchx4d0gm282hq5gp4xs2zmj9ycmf6d03";
+  meta.platforms = lib.platforms.netbsd;
+  nativeBuildInputs = [
+    bsdSetupHook
+    netbsdSetupHook
+    makeMinimal
+    install
+    mandoc
+    groff
+    flex
+    byacc
+    genassym
+    gencat
+    lorder
+    tsort
+    statHook
+    rsync
+  ];
+  buildInputs = [ headers ];
+  extraPaths = [
+    sys.src
+    ld_elf_so.src
+  ];
+}
diff --git a/pkgs/os-specific/bsd/netbsd/pkgs/dict.nix b/pkgs/os-specific/bsd/netbsd/pkgs/dict.nix
new file mode 100644
index 0000000000000..0d7d026dd21d2
--- /dev/null
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/dict.nix
@@ -0,0 +1,9 @@
+{ mkDerivation, defaultMakeFlags }:
+
+mkDerivation {
+  path = "share/dict";
+  noCC = true;
+  version = "9.2";
+  sha256 = "0svfc0byk59ri37pyjslv4c4rc7zw396r73mr593i78d39q5g3ad";
+  makeFlags = defaultMakeFlags ++ [ "BINDIR=$(out)/share" ];
+}
diff --git a/pkgs/os-specific/bsd/netbsd/fts-setup-hook.sh b/pkgs/os-specific/bsd/netbsd/pkgs/fts/fts-setup-hook.sh
index b6cb5aaca05b3..b6cb5aaca05b3 100644
--- a/pkgs/os-specific/bsd/netbsd/fts-setup-hook.sh
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/fts/fts-setup-hook.sh
diff --git a/pkgs/os-specific/bsd/netbsd/pkgs/fts/package.nix b/pkgs/os-specific/bsd/netbsd/pkgs/fts/package.nix
new file mode 100644
index 0000000000000..7c64658bf2e51
--- /dev/null
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/fts/package.nix
@@ -0,0 +1,48 @@
+{
+  mkDerivation,
+  bsdSetupHook,
+  netbsdSetupHook,
+  rsync,
+  compatIfNeeded,
+  fetchNetBSD,
+}:
+
+mkDerivation {
+  pname = "fts";
+  path = "include/fts.h";
+  sha256 = "01d4fpxvz1pgzfk5xznz5dcm0x0gdzwcsfm1h3d0xc9kc6hj2q77";
+  version = "9.2";
+  nativeBuildInputs = [
+    bsdSetupHook
+    netbsdSetupHook
+    rsync
+  ];
+  propagatedBuildInputs = compatIfNeeded;
+  extraPaths = [
+    (fetchNetBSD "lib/libc/gen/fts.c" "9.2" "1a8hmf26242nmv05ipn3ircxb0jqmmi66rh78kkyi9vjwkfl3qn7")
+    (fetchNetBSD "lib/libc/include/namespace.h" "9.2"
+      "0kksr3pdwdc1cplqf5z12ih4cml6l11lqrz91f7hjjm64y7785kc"
+    )
+    (fetchNetBSD "lib/libc/gen/fts.3" "9.2" "1asxw0n3fhjdadwkkq3xplfgqgl3q32w1lyrvbakfa3gs0wz5zc1")
+  ];
+  skipIncludesPhase = true;
+  buildPhase = ''
+    "$CC" -c -Iinclude -Ilib/libc/include lib/libc/gen/fts.c \
+        -o lib/libc/gen/fts.o
+    "$AR" -rsc libfts.a lib/libc/gen/fts.o
+  '';
+  installPhase = ''
+    runHook preInstall
+
+    install -D lib/libc/gen/fts.3 $out/share/man/man3/fts.3
+    install -D include/fts.h $out/include/fts.h
+    install -D lib/libc/include/namespace.h $out/include/namespace.h
+    install -D libfts.a $out/lib/libfts.a
+
+    runHook postInstall
+  '';
+  setupHooks = [
+    ../../../../../build-support/setup-hooks/role.bash
+    ./fts-setup-hook.sh
+  ];
+}
diff --git a/pkgs/os-specific/bsd/netbsd/pkgs/genassym.nix b/pkgs/os-specific/bsd/netbsd/pkgs/genassym.nix
new file mode 100644
index 0000000000000..7f81a77a02dd2
--- /dev/null
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/genassym.nix
@@ -0,0 +1,7 @@
+{ mkDerivation }:
+
+mkDerivation {
+  path = "usr.bin/genassym";
+  version = "9.2";
+  sha256 = "1acl1dz5kvh9h5806vkz2ap95rdsz7phmynh5i3x5y7agbki030c";
+}
diff --git a/pkgs/os-specific/bsd/netbsd/pkgs/gencat.nix b/pkgs/os-specific/bsd/netbsd/pkgs/gencat.nix
new file mode 100644
index 0000000000000..411be85e91e2f
--- /dev/null
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/gencat.nix
@@ -0,0 +1,7 @@
+{ mkDerivation }:
+
+mkDerivation {
+  path = "usr.bin/gencat";
+  version = "9.2";
+  sha256 = "0gd463x1hg36bhr7y0xryb5jyxk0z0g7xvy8rgk82nlbnlnsbbwb";
+}
diff --git a/pkgs/os-specific/bsd/netbsd/pkgs/getconf.nix b/pkgs/os-specific/bsd/netbsd/pkgs/getconf.nix
new file mode 100644
index 0000000000000..c8483d454b877
--- /dev/null
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/getconf.nix
@@ -0,0 +1,7 @@
+{ mkDerivation }:
+
+mkDerivation {
+  path = "usr.bin/getconf";
+  sha256 = "122vslz4j3h2mfs921nr2s6m078zcj697yrb75rwp2hnw3qz4s8q";
+  version = "9.2";
+}
diff --git a/pkgs/os-specific/bsd/netbsd/getent.patch b/pkgs/os-specific/bsd/netbsd/pkgs/getent/getent.patch
index 18258b6486186..18258b6486186 100644
--- a/pkgs/os-specific/bsd/netbsd/getent.patch
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/getent/getent.patch
diff --git a/pkgs/os-specific/bsd/netbsd/pkgs/getent/package.nix b/pkgs/os-specific/bsd/netbsd/pkgs/getent/package.nix
new file mode 100644
index 0000000000000..7a9acb1e0a9e8
--- /dev/null
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/getent/package.nix
@@ -0,0 +1,8 @@
+{ mkDerivation }:
+
+mkDerivation {
+  path = "usr.bin/getent";
+  sha256 = "1qngywcmm0y7nl8h3n8brvkxq4jw63szbci3kc1q6a6ndhycbbvr";
+  version = "9.2";
+  patches = [ ./getent.patch ];
+}
diff --git a/pkgs/os-specific/bsd/netbsd/pkgs/headers.nix b/pkgs/os-specific/bsd/netbsd/pkgs/headers.nix
new file mode 100644
index 0000000000000..40615b2722d5d
--- /dev/null
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/headers.nix
@@ -0,0 +1,17 @@
+{
+  lib,
+  symlinkJoin,
+  include,
+  sys-headers,
+  libpthread-headers,
+}:
+
+symlinkJoin {
+  name = "netbsd-headers-9.2";
+  paths = [
+    include
+    sys-headers
+    libpthread-headers
+  ];
+  meta.platforms = lib.platforms.netbsd;
+}
diff --git a/pkgs/os-specific/bsd/netbsd/pkgs/i18n_module.nix b/pkgs/os-specific/bsd/netbsd/pkgs/i18n_module.nix
new file mode 100644
index 0000000000000..c76ada865775e
--- /dev/null
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/i18n_module.nix
@@ -0,0 +1,13 @@
+{
+  lib,
+  mkDerivation,
+  libc,
+}:
+
+mkDerivation {
+  path = "lib/i18n_module";
+  version = "9.2";
+  sha256 = "0w6y5v3binm7gf2kn7y9jja8k18rhnyl55cvvfnfipjqdxvxd9jd";
+  meta.platforms = lib.platforms.netbsd;
+  extraPaths = [ libc.src ];
+}
diff --git a/pkgs/os-specific/bsd/netbsd/pkgs/include.nix b/pkgs/os-specific/bsd/netbsd/pkgs/include.nix
new file mode 100644
index 0000000000000..ec316a63174fd
--- /dev/null
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/include.nix
@@ -0,0 +1,54 @@
+{
+  lib,
+  mkDerivation,
+  bsdSetupHook,
+  netbsdSetupHook,
+  makeMinimal,
+  install,
+  mandoc,
+  groff,
+  rsync,
+  nbperf,
+  rpcgen,
+  common,
+  defaultMakeFlags,
+  stdenv,
+}:
+
+mkDerivation {
+  path = "include";
+  version = "9.2";
+  sha256 = "0nxnmj4c8s3hb9n3fpcmd0zl3l1nmhivqgi9a35sis943qvpgl9h";
+  nativeBuildInputs = [
+    bsdSetupHook
+    netbsdSetupHook
+    makeMinimal
+    install
+    mandoc
+    groff
+    rsync
+    nbperf
+    rpcgen
+  ];
+
+  # The makefiles define INCSDIR per subdirectory, so we have to set
+  # something else on the command line so those definitions aren't
+  # overridden.
+  postPatch = ''
+    find "$BSDSRCDIR" -name Makefile -exec \
+      sed -i -E \
+        -e 's_/usr/include_''${INCSDIR0}_' \
+        {} \;
+  '';
+
+  # multiple header dirs, see above
+  postConfigure = ''
+    makeFlags=''${makeFlags/INCSDIR/INCSDIR0}
+  '';
+
+  extraPaths = [ common ];
+  headersOnly = true;
+  noCC = true;
+  meta.platforms = lib.platforms.netbsd;
+  makeFlags = defaultMakeFlags ++ [ "RPCGEN_CPP=${stdenv.cc.cc}/bin/cpp" ];
+}
diff --git a/pkgs/os-specific/bsd/netbsd/install-setup-hook.sh b/pkgs/os-specific/bsd/netbsd/pkgs/install/install-setup-hook.sh
index 4bfd4d785fac4..4bfd4d785fac4 100644
--- a/pkgs/os-specific/bsd/netbsd/install-setup-hook.sh
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/install/install-setup-hook.sh
diff --git a/pkgs/os-specific/bsd/netbsd/pkgs/install/package.nix b/pkgs/os-specific/bsd/netbsd/pkgs/install/package.nix
new file mode 100644
index 0000000000000..0fc6ca452be0d
--- /dev/null
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/install/package.nix
@@ -0,0 +1,62 @@
+{
+  mkDerivation,
+  writeShellScript,
+  mtree,
+  make,
+  bsdSetupHook,
+  netbsdSetupHook,
+  makeMinimal,
+  mandoc,
+  groff,
+  rsync,
+  compatIfNeeded,
+  fts,
+
+}:
+
+# HACK: to ensure parent directories exist. This emulates GNU
+# install’s -D option. No alternative seems to exist in BSD install.
+let
+  binstall = writeShellScript "binstall" (
+    builtins.readFile ../../../lib/install-wrapper.sh
+    + ''
+      @out@/bin/xinstall "''${args[@]}"
+    ''
+  );
+in
+mkDerivation {
+  path = "usr.bin/xinstall";
+  version = "9.2";
+  sha256 = "1f6pbz3qv1qcrchdxif8p5lbmnwl8b9nq615hsd3cyl4avd5bfqj";
+  extraPaths = [
+    mtree.src
+    make.src
+  ];
+  nativeBuildInputs = [
+    bsdSetupHook
+    netbsdSetupHook
+    makeMinimal
+    mandoc
+    groff
+    rsync
+  ];
+  skipIncludesPhase = true;
+  buildInputs =
+    compatIfNeeded
+    # fts header is needed. glibc already has this header, but musl doesn't,
+    # so make sure pkgsMusl.netbsd.install still builds in case you want to
+    # remove it!
+    ++ [ fts ];
+  installPhase = ''
+    runHook preInstall
+
+    install -D install.1 $out/share/man/man1/install.1
+    install -D xinstall $out/bin/xinstall
+    install -D -m 0550 ${binstall} $out/bin/binstall
+    substituteInPlace $out/bin/binstall --subst-var out
+    ln -s $out/bin/binstall $out/bin/install
+
+    runHook postInstall
+  '';
+  setupHook = ./install-setup-hook.sh;
+}
diff --git a/pkgs/os-specific/bsd/netbsd/pkgs/ld_elf_so.nix b/pkgs/os-specific/bsd/netbsd/pkgs/ld_elf_so.nix
new file mode 100644
index 0000000000000..a350e81d32064
--- /dev/null
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/ld_elf_so.nix
@@ -0,0 +1,22 @@
+{
+  lib,
+  mkDerivation,
+  libc,
+  defaultMakeFlags,
+}:
+
+mkDerivation {
+  path = "libexec/ld.elf_so";
+  version = "9.2";
+  sha256 = "0ia9mqzdljly0vqfwflm5mzz55k7qsr4rw2bzhivky6k30vgirqa";
+  meta.platforms = lib.platforms.netbsd;
+  LIBC_PIC = "${libc}/lib/libc_pic.a";
+  # Hack to prevent a symlink being installed here for compatibility.
+  SHLINKINSTALLDIR = "/usr/libexec";
+  USE_FORT = "yes";
+  makeFlags = defaultMakeFlags ++ [
+    "BINDIR=$(out)/libexec"
+    "CLIBOBJ=${libc}/lib"
+  ];
+  extraPaths = [ libc.src ] ++ libc.extraPaths;
+}
diff --git a/pkgs/os-specific/bsd/netbsd/pkgs/libarch.nix b/pkgs/os-specific/bsd/netbsd/pkgs/libarch.nix
new file mode 100644
index 0000000000000..93ea02f8a17c1
--- /dev/null
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/libarch.nix
@@ -0,0 +1,8 @@
+{ lib, mkDerivation }:
+
+mkDerivation {
+  path = "lib/libarch";
+  version = "9.2";
+  sha256 = "6ssenRhuSwp0Jn71ErT0PrEoCJ+cIYRztwdL4QTDZsQ=";
+  meta.platforms = lib.platforms.netbsd;
+}
diff --git a/pkgs/os-specific/bsd/netbsd/pkgs/libc.nix b/pkgs/os-specific/bsd/netbsd/pkgs/libc.nix
new file mode 100644
index 0000000000000..d755e4b6870a1
--- /dev/null
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/libc.nix
@@ -0,0 +1,103 @@
+{
+  lib,
+  mkDerivation,
+  defaultMakeFlags,
+  _mainLibcExtraPaths,
+  fetchNetBSD,
+  bsdSetupHook,
+  netbsdSetupHook,
+  makeMinimal,
+  install,
+  mandoc,
+  groff,
+  flex,
+  byacc,
+  genassym,
+  gencat,
+  lorder,
+  tsort,
+  statHook,
+  rsync,
+  rpcgen,
+  csu,
+  headers,
+  librt,
+}:
+
+mkDerivation {
+  path = "lib/libc";
+  version = "9.2";
+  sha256 = "1y9c13igg0kai07sqvf9cm6yqmd8lhfd8hq3q7biilbgs1l99as3";
+  USE_FORT = "yes";
+  MKPROFILE = "no";
+  extraPaths = _mainLibcExtraPaths ++ [
+    (fetchNetBSD "external/bsd/jemalloc" "9.2" "0cq704swa0h2yxv4gc79z2lwxibk9k7pxh3q5qfs7axx3jx3n8kb")
+  ];
+  nativeBuildInputs = [
+    bsdSetupHook
+    netbsdSetupHook
+    makeMinimal
+    install
+    mandoc
+    groff
+    flex
+    byacc
+    genassym
+    gencat
+    lorder
+    tsort
+    statHook
+    rsync
+    rpcgen
+  ];
+  buildInputs = [
+    headers
+    csu
+  ];
+  env.NIX_CFLAGS_COMPILE = "-B${csu}/lib -fcommon";
+  meta.platforms = lib.platforms.netbsd;
+  SHLIBINSTALLDIR = "$(out)/lib";
+  MKPICINSTALL = "yes";
+  NLSDIR = "$(out)/share/nls";
+  makeFlags = defaultMakeFlags ++ [ "FILESDIR=$(out)/var/db" ];
+  postInstall = ''
+    pushd ${headers}
+    find . -type d -exec mkdir -p $out/\{} \;
+    find . \( -type f -o -type l \) -exec cp -pr \{} $out/\{} \;
+    popd
+
+    pushd ${csu}
+    find . -type d -exec mkdir -p $out/\{} \;
+    find . \( -type f -o -type l \) -exec cp -pr \{} $out/\{} \;
+    popd
+
+    NIX_CFLAGS_COMPILE+=" -B$out/lib"
+    NIX_CFLAGS_COMPILE+=" -I$out/include"
+    NIX_LDFLAGS+=" -L$out/lib"
+
+    make -C $BSDSRCDIR/lib/libpthread $makeFlags
+    make -C $BSDSRCDIR/lib/libpthread $makeFlags install
+
+    make -C $BSDSRCDIR/lib/libm $makeFlags
+    make -C $BSDSRCDIR/lib/libm $makeFlags install
+
+    make -C $BSDSRCDIR/lib/libresolv $makeFlags
+    make -C $BSDSRCDIR/lib/libresolv $makeFlags install
+
+    make -C $BSDSRCDIR/lib/librpcsvc $makeFlags
+    make -C $BSDSRCDIR/lib/librpcsvc $makeFlags install
+
+    make -C $BSDSRCDIR/lib/i18n_module $makeFlags
+    make -C $BSDSRCDIR/lib/i18n_module $makeFlags install
+
+    make -C $BSDSRCDIR/lib/libutil $makeFlags
+    make -C $BSDSRCDIR/lib/libutil $makeFlags install
+
+    make -C $BSDSRCDIR/lib/librt $makeFlags
+    make -C $BSDSRCDIR/lib/librt $makeFlags install
+
+    make -C $BSDSRCDIR/lib/libcrypt $makeFlags
+    make -C $BSDSRCDIR/lib/libcrypt $makeFlags install
+  '';
+  inherit (librt) postPatch;
+}
diff --git a/pkgs/os-specific/bsd/netbsd/pkgs/libcrypt.nix b/pkgs/os-specific/bsd/netbsd/pkgs/libcrypt.nix
new file mode 100644
index 0000000000000..c5f9deff589c4
--- /dev/null
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/libcrypt.nix
@@ -0,0 +1,9 @@
+{ lib, mkDerivation }:
+
+mkDerivation {
+  path = "lib/libcrypt";
+  version = "9.2";
+  sha256 = "0siqan1wdqmmhchh2n8w6a8x1abbff8n4yb6jrqxap3hqn8ay54g";
+  SHLIBINSTALLDIR = "$(out)/lib";
+  meta.platforms = lib.platforms.netbsd;
+}
diff --git a/pkgs/os-specific/bsd/netbsd/pkgs/libcurses.nix b/pkgs/os-specific/bsd/netbsd/pkgs/libcurses.nix
new file mode 100644
index 0000000000000..5072821db9117
--- /dev/null
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/libcurses.nix
@@ -0,0 +1,33 @@
+{
+  lib,
+  mkDerivation,
+  stdenv,
+  libterminfo,
+  compatIfNeeded,
+  defaultMakeFlags,
+}:
+
+mkDerivation {
+  path = "lib/libcurses";
+  version = "9.2";
+  sha256 = "0pd0dggl3w4bv5i5h0s1wrc8hr66n4hkv3zlklarwfdhc692fqal";
+  buildInputs = [ libterminfo ];
+  env.NIX_CFLAGS_COMPILE = toString (
+    [
+      "-D__scanflike(a,b)="
+      "-D__va_list=va_list"
+      "-D__warn_references(a,b)="
+    ]
+    ++ lib.optional stdenv.isDarwin "-D__strong_alias(a,b)="
+  );
+  propagatedBuildInputs = compatIfNeeded;
+  MKDOC = "no"; # missing vfontedpr
+  makeFlags = defaultMakeFlags ++ [ "LIBDO.terminfo=${libterminfo}/lib" ];
+  postPatch = lib.optionalString (!stdenv.isDarwin) ''
+    substituteInPlace $COMPONENT_PATH/printw.c \
+      --replace "funopen(win, NULL, __winwrite, NULL, NULL)" NULL \
+      --replace "__strong_alias(vwprintw, vw_printw)" 'extern int vwprintw(WINDOW*, const char*, va_list) __attribute__ ((alias ("vw_printw")));'
+    substituteInPlace $COMPONENT_PATH/scanw.c \
+      --replace "__strong_alias(vwscanw, vw_scanw)" 'extern int vwscanw(WINDOW*, const char*, va_list) __attribute__ ((alias ("vw_scanw")));'
+  '';
+}
diff --git a/pkgs/os-specific/bsd/netbsd/pkgs/libedit.nix b/pkgs/os-specific/bsd/netbsd/pkgs/libedit.nix
new file mode 100644
index 0000000000000..ee1e7bf79f964
--- /dev/null
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/libedit.nix
@@ -0,0 +1,32 @@
+{
+  lib,
+  mkDerivation,
+  libterminfo,
+  libcurses,
+  compatIfNeeded,
+  defaultMakeFlags,
+}:
+
+mkDerivation {
+  path = "lib/libedit";
+  version = "9.2";
+  sha256 = "1wqhngraxwqk4jgrf5f18jy195yrp7c06n1gf31pbplq79mg1bcj";
+  buildInputs = [
+    libterminfo
+    libcurses
+  ];
+  propagatedBuildInputs = compatIfNeeded;
+  SHLIBINSTALLDIR = "$(out)/lib";
+  makeFlags = defaultMakeFlags ++ [ "LIBDO.terminfo=${libterminfo}/lib" ];
+  postPatch = ''
+    sed -i '1i #undef bool_t' $COMPONENT_PATH/el.h
+    substituteInPlace $COMPONENT_PATH/config.h \
+      --replace "#define HAVE_STRUCT_DIRENT_D_NAMLEN 1" ""
+    substituteInPlace $COMPONENT_PATH/readline/Makefile --replace /usr/include "$out/include"
+  '';
+  env.NIX_CFLAGS_COMPILE = toString [
+    "-D__noinline="
+    "-D__scanflike(a,b)="
+    "-D__va_list=va_list"
+  ];
+}
diff --git a/pkgs/os-specific/bsd/netbsd/pkgs/libm.nix b/pkgs/os-specific/bsd/netbsd/pkgs/libm.nix
new file mode 100644
index 0000000000000..f36e97f8e6ae0
--- /dev/null
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/libm.nix
@@ -0,0 +1,14 @@
+{
+  lib,
+  mkDerivation,
+  sys,
+}:
+
+mkDerivation {
+  path = "lib/libm";
+  version = "9.2";
+  sha256 = "1apwfr26shdmbqqnmg7hxf7bkfxw44ynqnnnghrww9bnhqdnsy92";
+  SHLIBINSTALLDIR = "$(out)/lib";
+  meta.platforms = lib.platforms.netbsd;
+  extraPaths = [ sys.src ];
+}
diff --git a/pkgs/os-specific/bsd/netbsd/pkgs/libossaudio.nix b/pkgs/os-specific/bsd/netbsd/pkgs/libossaudio.nix
new file mode 100644
index 0000000000000..51bbc216e2046
--- /dev/null
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/libossaudio.nix
@@ -0,0 +1,8 @@
+{ lib, mkDerivation }:
+
+mkDerivation {
+  path = "lib/libossaudio";
+  version = "9.2";
+  sha256 = "16l3bfy6dcwqnklvh3x0ps8ld1y504vf57v9rx8f9adzhb797jh0";
+  meta.platforms = lib.platforms.netbsd;
+}
diff --git a/pkgs/os-specific/bsd/netbsd/pkgs/libpci.nix b/pkgs/os-specific/bsd/netbsd/pkgs/libpci.nix
new file mode 100644
index 0000000000000..b0be4a2da723a
--- /dev/null
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/libpci.nix
@@ -0,0 +1,15 @@
+{
+  lib,
+  mkDerivation,
+  sys,
+}:
+
+mkDerivation {
+  pname = "libpci";
+  path = "lib/libpci";
+  version = "9.2";
+  sha256 = "+IOEO1Bw3/H3iCp3uk3bwsFZbvCqN5Ciz70irnPl8E8=";
+  env.NIX_CFLAGS_COMPILE = toString [ "-I." ];
+  meta.platforms = lib.platforms.netbsd;
+  extraPaths = [ sys.src ];
+}
diff --git a/pkgs/os-specific/bsd/netbsd/pkgs/libpthread/base.nix b/pkgs/os-specific/bsd/netbsd/pkgs/libpthread/base.nix
new file mode 100644
index 0000000000000..d8ea7c553eba3
--- /dev/null
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/libpthread/base.nix
@@ -0,0 +1,5 @@
+{
+  path = "lib/libpthread";
+  version = "9.2";
+  sha256 = "0mlmc31k509dwfmx5s2x010wxjc44mr6y0cbmk30cfipqh8c962h";
+}
diff --git a/pkgs/os-specific/bsd/netbsd/pkgs/libpthread/headers.nix b/pkgs/os-specific/bsd/netbsd/pkgs/libpthread/headers.nix
new file mode 100644
index 0000000000000..c3cc899017eee
--- /dev/null
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/libpthread/headers.nix
@@ -0,0 +1,12 @@
+{ lib, mkDerivation }:
+
+mkDerivation (
+  import ./base.nix
+  // {
+    pname = "libpthread-headers";
+    installPhase = "includesPhase";
+    dontBuild = true;
+    noCC = true;
+    meta.platforms = lib.platforms.netbsd;
+  }
+)
diff --git a/pkgs/os-specific/bsd/netbsd/pkgs/libpthread/package.nix b/pkgs/os-specific/bsd/netbsd/pkgs/libpthread/package.nix
new file mode 100644
index 0000000000000..88d392e20b4a8
--- /dev/null
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/libpthread/package.nix
@@ -0,0 +1,28 @@
+{
+  lib,
+  mkDerivation,
+  headers,
+  common,
+  libc,
+  librt,
+  sys,
+}:
+
+mkDerivation (
+  import ./base.nix
+  // {
+    pname = "libpthread";
+    installPhase = null;
+    noCC = false;
+    dontBuild = false;
+    buildInputs = [ headers ];
+    SHLIBINSTALLDIR = "$(out)/lib";
+    extraPaths = [
+      common
+      libc.src
+      librt.src
+      sys.src
+    ];
+    meta.platforms = lib.platforms.netbsd;
+  }
+)
diff --git a/pkgs/os-specific/bsd/netbsd/pkgs/libresolv.nix b/pkgs/os-specific/bsd/netbsd/pkgs/libresolv.nix
new file mode 100644
index 0000000000000..24bc4f2f9e002
--- /dev/null
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/libresolv.nix
@@ -0,0 +1,13 @@
+{
+  lib,
+  mkDerivation,
+  libc,
+}:
+
+mkDerivation {
+  path = "lib/libresolv";
+  version = "9.2";
+  sha256 = "1am74s74mf1ynwz3p4ncjkg63f78a1zjm983q166x4sgzps15626";
+  meta.platforms = lib.platforms.netbsd;
+  extraPaths = [ libc.src ];
+}
diff --git a/pkgs/os-specific/bsd/netbsd/pkgs/librpcsvc.nix b/pkgs/os-specific/bsd/netbsd/pkgs/librpcsvc.nix
new file mode 100644
index 0000000000000..8d757a8a84304
--- /dev/null
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/librpcsvc.nix
@@ -0,0 +1,31 @@
+{
+  lib,
+  mkDerivation,
+  defaultMakeFlags,
+  bsdSetupHook,
+  netbsdSetupHook,
+  makeMinimal,
+  install,
+  tsort,
+  lorder,
+  rpcgen,
+  statHook,
+}:
+
+mkDerivation {
+  path = "lib/librpcsvc";
+  version = "9.2";
+  sha256 = "1q34pfiyjbrgrdqm46jwrsqms49ly6z3b0xh1wg331zga900vq5n";
+  makeFlags = defaultMakeFlags ++ [ "INCSDIR=$(out)/include/rpcsvc" ];
+  meta.platforms = lib.platforms.netbsd;
+  nativeBuildInputs = [
+    bsdSetupHook
+    netbsdSetupHook
+    makeMinimal
+    install
+    tsort
+    lorder
+    rpcgen
+    statHook
+  ];
+}
diff --git a/pkgs/os-specific/bsd/netbsd/pkgs/librt.nix b/pkgs/os-specific/bsd/netbsd/pkgs/librt.nix
new file mode 100644
index 0000000000000..fa0229953b66b
--- /dev/null
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/librt.nix
@@ -0,0 +1,18 @@
+{
+  lib,
+  mkDerivation,
+  libc,
+  headers,
+}:
+
+mkDerivation {
+  path = "lib/librt";
+  version = "9.2";
+  sha256 = "07f8mpjcqh5kig5z5sp97fg55mc4dz6aa1x5g01nv2pvbmqczxc6";
+  meta.platforms = lib.platforms.netbsd;
+  extraPaths = [ libc.src ] ++ libc.extraPaths;
+  postPatch = ''
+    sed -i 's,/usr\(/include/sys/syscall.h\),${headers}\1,g' \
+      $BSDSRCDIR/lib/{libc,librt}/sys/Makefile.inc
+  '';
+}
diff --git a/pkgs/os-specific/bsd/netbsd/pkgs/libterminfo.nix b/pkgs/os-specific/bsd/netbsd/pkgs/libterminfo.nix
new file mode 100644
index 0000000000000..6ac573d865b1a
--- /dev/null
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/libterminfo.nix
@@ -0,0 +1,51 @@
+{
+  mkDerivation,
+  bsdSetupHook,
+  netbsdSetupHook,
+  makeMinimal,
+  install,
+  tsort,
+  lorder,
+  mandoc,
+  statHook,
+  nbperf,
+  tic,
+  rsync,
+  compatIfNeeded,
+  fetchNetBSD,
+}:
+
+mkDerivation {
+  path = "lib/libterminfo";
+  version = "9.2";
+  sha256 = "0pq05k3dj0dfsczv07frnnji92mazmy2qqngqbx2zgqc1x251414";
+  nativeBuildInputs = [
+    bsdSetupHook
+    netbsdSetupHook
+    makeMinimal
+    install
+    tsort
+    lorder
+    mandoc
+    statHook
+    nbperf
+    tic
+    rsync
+  ];
+  buildInputs = compatIfNeeded;
+  SHLIBINSTALLDIR = "$(out)/lib";
+  postPatch = ''
+    substituteInPlace $COMPONENT_PATH/term.c --replace /usr/share $out/share
+    substituteInPlace $COMPONENT_PATH/setupterm.c \
+      --replace '#include <curses.h>' 'void use_env(bool);'
+  '';
+  postBuild = ''
+    make -C $BSDSRCDIR/share/terminfo $makeFlags BINDIR=$out/share
+  '';
+  postInstall = ''
+    make -C $BSDSRCDIR/share/terminfo $makeFlags BINDIR=$out/share install
+  '';
+  extraPaths = [
+    (fetchNetBSD "share/terminfo" "9.2" "1vh9rl4w8118a9qdpblfxmv1wkpm83rm9gb4rzz5bpm56i6d7kk7")
+  ];
+}
diff --git a/pkgs/os-specific/bsd/netbsd/pkgs/libutil.nix b/pkgs/os-specific/bsd/netbsd/pkgs/libutil.nix
new file mode 100644
index 0000000000000..fdc57df9c231e
--- /dev/null
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/libutil.nix
@@ -0,0 +1,42 @@
+{
+  mkDerivation,
+  common,
+  libc,
+  sys,
+  bsdSetupHook,
+  netbsdSetupHook,
+  makeMinimal,
+  byacc,
+  install,
+  tsort,
+  lorder,
+  mandoc,
+  statHook,
+  rsync,
+  headers,
+}:
+
+mkDerivation {
+  path = "lib/libutil";
+  version = "9.2";
+  sha256 = "02gm5a5zhh8qp5r5q5r7x8x6x50ir1i0ncgsnfwh1vnrz6mxbq7z";
+  extraPaths = [
+    common
+    libc.src
+    sys.src
+  ];
+  nativeBuildInputs = [
+    bsdSetupHook
+    netbsdSetupHook
+    makeMinimal
+    byacc
+    install
+    tsort
+    lorder
+    mandoc
+    statHook
+    rsync
+  ];
+  buildInputs = [ headers ];
+  SHLIBINSTALLDIR = "$(out)/lib";
+}
diff --git a/pkgs/os-specific/bsd/netbsd/locale.patch b/pkgs/os-specific/bsd/netbsd/pkgs/locale/locale.patch
index 4b7f478552879..4b7f478552879 100644
--- a/pkgs/os-specific/bsd/netbsd/locale.patch
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/locale/locale.patch
diff --git a/pkgs/os-specific/bsd/netbsd/pkgs/locale/package.nix b/pkgs/os-specific/bsd/netbsd/pkgs/locale/package.nix
new file mode 100644
index 0000000000000..3c61e8517b35b
--- /dev/null
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/locale/package.nix
@@ -0,0 +1,9 @@
+{ mkDerivation }:
+
+mkDerivation {
+  path = "usr.bin/locale";
+  version = "9.2";
+  sha256 = "0kk6v9k2bygq0wf9gbinliqzqpzs9bgxn0ndyl2wcv3hh2bmsr9p";
+  patches = [ ./locale.patch ];
+  env.NIX_CFLAGS_COMPILE = "-DYESSTR=__YESSTR -DNOSTR=__NOSTR";
+}
diff --git a/pkgs/os-specific/bsd/netbsd/pkgs/lorder.nix b/pkgs/os-specific/bsd/netbsd/pkgs/lorder.nix
new file mode 100644
index 0000000000000..0b99a794b07a0
--- /dev/null
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/lorder.nix
@@ -0,0 +1,25 @@
+{
+  mkDerivation,
+  bsdSetupHook,
+  netbsdSetupHook,
+  makeMinimal,
+  install,
+  mandoc,
+  groff,
+  rsync,
+}:
+
+mkDerivation {
+  path = "usr.bin/lorder";
+  version = "9.2";
+  sha256 = "0rjf9blihhm0n699vr2bg88m4yjhkbxh6fxliaay3wxkgnydjwn2";
+  nativeBuildInputs = [
+    bsdSetupHook
+    netbsdSetupHook
+    makeMinimal
+    install
+    mandoc
+    groff
+    rsync
+  ];
+}
diff --git a/pkgs/os-specific/bsd/netbsd/pkgs/make-rules.nix b/pkgs/os-specific/bsd/netbsd/pkgs/make-rules.nix
new file mode 100644
index 0000000000000..66086c01c233f
--- /dev/null
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/make-rules.nix
@@ -0,0 +1,74 @@
+{
+  lib,
+  mkDerivation,
+  stdenv,
+  bsdSetupHook,
+  netbsdSetupHook,
+  rsync,
+}:
+
+mkDerivation {
+  path = "share/mk";
+  sha256 = "0w9x77cfnm6zwy40slradzi0ip9gz80x6lk7pvnlxzsr2m5ra5sy";
+  version = "9.2";
+  noCC = true;
+
+  buildInputs = [ ];
+  nativeBuildInputs = [
+    bsdSetupHook
+    netbsdSetupHook
+    rsync
+  ];
+
+  dontBuild = true;
+
+  postPatch =
+    ''
+      substituteInPlace $BSDSRCDIR/share/mk/bsd.doc.mk \
+        --replace '-o ''${DOCOWN}' "" \
+        --replace '-g ''${DOCGRP}' ""
+      for mk in $BSDSRCDIR/share/mk/bsd.inc.mk $BSDSRCDIR/share/mk/bsd.kinc.mk; do
+        substituteInPlace $mk \
+          --replace '-o ''${BINOWN}' "" \
+          --replace '-g ''${BINGRP}' ""
+      done
+      substituteInPlace $BSDSRCDIR/share/mk/bsd.kmodule.mk \
+        --replace '-o ''${KMODULEOWN}' "" \
+        --replace '-g ''${KMODULEGRP}' ""
+      substituteInPlace $BSDSRCDIR/share/mk/bsd.lib.mk \
+        --replace '-o ''${LIBOWN}' "" \
+        --replace '-g ''${LIBGRP}' "" \
+        --replace '-o ''${DEBUGOWN}' "" \
+        --replace '-g ''${DEBUGGRP}' ""
+      substituteInPlace $BSDSRCDIR/share/mk/bsd.lua.mk \
+        --replace '-o ''${LIBOWN}' "" \
+        --replace '-g ''${LIBGRP}' ""
+      substituteInPlace $BSDSRCDIR/share/mk/bsd.man.mk \
+        --replace '-o ''${MANOWN}' "" \
+        --replace '-g ''${MANGRP}' ""
+      substituteInPlace $BSDSRCDIR/share/mk/bsd.nls.mk \
+        --replace '-o ''${NLSOWN}' "" \
+        --replace '-g ''${NLSGRP}' ""
+      substituteInPlace $BSDSRCDIR/share/mk/bsd.prog.mk \
+        --replace '-o ''${BINOWN}' "" \
+        --replace '-g ''${BINGRP}' "" \
+        --replace '-o ''${RUMPBINOWN}' "" \
+        --replace '-g ''${RUMPBINGRP}' "" \
+        --replace '-o ''${DEBUGOWN}' "" \
+        --replace '-g ''${DEBUGGRP}' ""
+
+       substituteInPlace $BSDSRCDIR/share/mk/bsd.lib.mk \
+         --replace '_INSTRANLIB=''${empty(PRESERVE):?-a "''${RANLIB} -t":}' '_INSTRANLIB='
+       substituteInPlace $BSDSRCDIR/share/mk/bsd.kinc.mk \
+         --replace /bin/rm rm
+    ''
+    + lib.optionalString stdenv.targetPlatform.isDarwin ''
+      substituteInPlace $BSDSRCDIR/share/mk/bsd.sys.mk \
+        --replace '-Wl,--fatal-warnings' "" \
+        --replace '-Wl,--warn-shared-textrel' ""
+    '';
+
+  installPhase = ''
+    cp -r . $out
+  '';
+}
diff --git a/pkgs/os-specific/bsd/netbsd/pkgs/make.nix b/pkgs/os-specific/bsd/netbsd/pkgs/make.nix
new file mode 100644
index 0000000000000..4d0b9f4b4cf22
--- /dev/null
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/make.nix
@@ -0,0 +1,27 @@
+{
+  lib,
+  mkDerivation,
+  fetchNetBSD,
+  stdenv,
+  make-rules,
+}:
+
+mkDerivation {
+  path = "usr.bin/make";
+  sha256 = "0vi73yicbmbp522qzqvd979cx6zm5jakhy77xh73c1kygf8klccs";
+  version = "9.2";
+
+  postPatch =
+    make-rules.postPatch
+    + ''
+      # make needs this to pick up our sys make files
+      appendToVar NIX_CFLAGS_COMPILE "-D_PATH_DEFSYSPATH=\"$out/share/mk\""
+    '';
+
+  postInstall = ''
+    make -C $BSDSRCDIR/share/mk FILESDIR=$out/share/mk install
+  '';
+  extraPaths = [
+    (fetchNetBSD "share/mk" "9.2" "0w9x77cfnm6zwy40slradzi0ip9gz80x6lk7pvnlxzsr2m5ra5sy")
+  ];
+}
diff --git a/pkgs/os-specific/bsd/netbsd/pkgs/makeMinimal.nix b/pkgs/os-specific/bsd/netbsd/pkgs/makeMinimal.nix
new file mode 100644
index 0000000000000..62a4d4a6a1246
--- /dev/null
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/makeMinimal.nix
@@ -0,0 +1,51 @@
+{
+  mkDerivation,
+  bsdSetupHook,
+  netbsdSetupHook,
+  rsync,
+  make,
+  make-rules,
+}:
+
+mkDerivation {
+  path = "tools/make";
+  sha256 = "0fh0nrnk18m613m5blrliq2aydciv51qhc0ihsj4k63incwbk90n";
+  version = "9.2";
+
+  buildInputs = [ ];
+  nativeBuildInputs = [
+    bsdSetupHook
+    netbsdSetupHook
+    rsync
+  ];
+
+  skipIncludesPhase = true;
+
+  postPatch = ''
+    patchShebangs $COMPONENT_PATH/configure
+
+    # make needs this to pick up our sys make files
+    appendToVar NIX_CFLAGS_COMPILE "-D_PATH_DEFSYSPATH=\"$out/share/mk\""
+  '';
+
+  buildPhase = ''
+    runHook preBuild
+
+    sh ./buildmake.sh
+
+    runHook postBuild
+  '';
+
+  installPhase = ''
+    runHook preInstall
+
+    install -D nbmake $out/bin/nbmake
+    ln -s $out/bin/nbmake $out/bin/make
+    mkdir -p $out/share
+    cp -r ${make-rules} $out/share/mk
+
+    runHook postInstall
+  '';
+
+  extraPaths = [ make.src ];
+}
diff --git a/pkgs/os-specific/bsd/netbsd/pkgs/man.nix b/pkgs/os-specific/bsd/netbsd/pkgs/man.nix
new file mode 100644
index 0000000000000..bce5bcee66946
--- /dev/null
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/man.nix
@@ -0,0 +1,17 @@
+{ mkDerivation, defaultMakeFlags }:
+
+mkDerivation {
+  path = "share/man";
+  noCC = true;
+  version = "9.2";
+  sha256 = "1l4lmj4kmg8dl86x94sr45w0xdnkz8dn4zjx0ipgr9bnq98663zl";
+  # man0 generates a man.pdf using ps2pdf, but doesn't install it later,
+  # so we can avoid the dependency on ghostscript
+  postPatch = ''
+    substituteInPlace $COMPONENT_PATH/man0/Makefile --replace "ps2pdf" "echo noop "
+  '';
+  makeFlags = defaultMakeFlags ++ [
+    "FILESDIR=$(out)/share"
+    "MKRUMP=no" # would require to have additional path sys/rump/share/man
+  ];
+}
diff --git a/pkgs/os-specific/bsd/netbsd/pkgs/misc.nix b/pkgs/os-specific/bsd/netbsd/pkgs/misc.nix
new file mode 100644
index 0000000000000..7f96f4d1495ad
--- /dev/null
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/misc.nix
@@ -0,0 +1,9 @@
+{ mkDerivation, defaultMakeFlags }:
+
+mkDerivation {
+  path = "share/misc";
+  noCC = true;
+  version = "9.2";
+  sha256 = "1j2cdssdx6nncv8ffj7f7ybl7m9hadjj8vm8611skqdvxnjg6nbc";
+  makeFlags = defaultMakeFlags ++ [ "BINDIR=$(out)/share" ];
+}
diff --git a/pkgs/os-specific/bsd/netbsd/pkgs/mkDerivation.nix b/pkgs/os-specific/bsd/netbsd/pkgs/mkDerivation.nix
new file mode 100644
index 0000000000000..849d2b1da3fbf
--- /dev/null
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/mkDerivation.nix
@@ -0,0 +1,113 @@
+{
+  lib,
+  stdenvNoCC,
+  stdenv,
+  fetchNetBSD,
+  bsdSetupHook,
+  netbsdSetupHook,
+  makeMinimal,
+  install,
+  tsort,
+  lorder,
+  mandoc,
+  groff,
+  statHook,
+  rsync,
+  compatIfNeeded,
+  defaultMakeFlags,
+}:
+
+lib.makeOverridable (
+  attrs:
+  let
+    stdenv' = if attrs.noCC or false then stdenvNoCC else stdenv;
+  in
+  stdenv'.mkDerivation (
+    {
+      pname = "${attrs.pname or (baseNameOf attrs.path)}-netbsd";
+      inherit (attrs) version;
+      src = fetchNetBSD attrs.path attrs.version attrs.sha256;
+
+      extraPaths = [ ];
+
+      nativeBuildInputs = [
+        bsdSetupHook
+        netbsdSetupHook
+        makeMinimal
+        install
+        tsort
+        lorder
+        mandoc
+        groff
+        statHook
+        rsync
+      ];
+      buildInputs = compatIfNeeded;
+
+      HOST_SH = stdenv'.shell;
+
+      MACHINE_ARCH =
+        {
+          i486 = "i386";
+          i586 = "i386";
+          i686 = "i386";
+        }
+        .${stdenv'.hostPlatform.parsed.cpu.name} or stdenv'.hostPlatform.parsed.cpu.name;
+
+      MACHINE =
+        {
+          x86_64 = "amd64";
+          aarch64 = "evbarm64";
+          i486 = "i386";
+          i586 = "i386";
+          i686 = "i386";
+        }
+        .${stdenv'.hostPlatform.parsed.cpu.name} or stdenv'.hostPlatform.parsed.cpu.name;
+
+      COMPONENT_PATH = attrs.path;
+
+      makeFlags = defaultMakeFlags;
+
+      strictDeps = true;
+
+      meta = with lib; {
+        maintainers = with maintainers; [
+          matthewbauer
+          qyliss
+        ];
+        platforms = platforms.unix;
+        license = licenses.bsd2;
+      };
+    }
+    // lib.optionalAttrs stdenv'.hasCC {
+      # TODO should CC wrapper set this?
+      CPP = "${stdenv'.cc.targetPrefix}cpp";
+    }
+    // lib.optionalAttrs stdenv'.isDarwin { MKRELRO = "no"; }
+    // lib.optionalAttrs (stdenv'.cc.isClang or false) {
+      HAVE_LLVM = lib.versions.major (lib.getVersion stdenv'.cc.cc);
+    }
+    // lib.optionalAttrs (stdenv'.cc.isGNU or false) {
+      HAVE_GCC = lib.versions.major (lib.getVersion stdenv'.cc.cc);
+    }
+    // lib.optionalAttrs (stdenv'.isx86_32) { USE_SSP = "no"; }
+    // lib.optionalAttrs (attrs.headersOnly or false) {
+      installPhase = "includesPhase";
+      dontBuild = true;
+    }
+    // attrs
+    // {
+      # Files that use NetBSD-specific macros need to have nbtool_config.h
+      # included ahead of them on non-NetBSD platforms.
+      postPatch =
+        lib.optionalString (!stdenv'.hostPlatform.isNetBSD) ''
+          set +e
+          grep -Zlr "^__RCSID
+          ^__BEGIN_DECLS" $COMPONENT_PATH | xargs -0r grep -FLZ nbtool_config.h |
+              xargs -0tr sed -i '0,/^#/s//#include <nbtool_config.h>\n\0/'
+          set -e
+        ''
+        + attrs.postPatch or "";
+    }
+  )
+)
diff --git a/pkgs/os-specific/bsd/netbsd/pkgs/mknod.nix b/pkgs/os-specific/bsd/netbsd/pkgs/mknod.nix
new file mode 100644
index 0000000000000..5c4c172e40a7d
--- /dev/null
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/mknod.nix
@@ -0,0 +1,7 @@
+{ mkDerivation }:
+
+mkDerivation {
+  path = "sbin/mknod";
+  version = "9.2";
+  sha256 = "1d9369shzwgixz3nph991i8q5vk7hr04py3n9avbfbhzy4gndqs2";
+}
diff --git a/pkgs/os-specific/bsd/netbsd/pkgs/mtree.nix b/pkgs/os-specific/bsd/netbsd/pkgs/mtree.nix
new file mode 100644
index 0000000000000..723da3ad891bc
--- /dev/null
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/mtree.nix
@@ -0,0 +1,8 @@
+{ mkDerivation, mknod }:
+
+mkDerivation {
+  path = "usr.sbin/mtree";
+  version = "9.2";
+  sha256 = "04p7w540vz9npvyb8g8hcf2xa05phn1y88hsyrcz3vwanvpc0yv9";
+  extraPaths = [ mknod.src ];
+}
diff --git a/pkgs/os-specific/bsd/netbsd/pkgs/nbperf.nix b/pkgs/os-specific/bsd/netbsd/pkgs/nbperf.nix
new file mode 100644
index 0000000000000..a23c5dddfc9f8
--- /dev/null
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/nbperf.nix
@@ -0,0 +1,7 @@
+{ mkDerivation }:
+
+mkDerivation {
+  path = "usr.bin/nbperf";
+  version = "9.2";
+  sha256 = "1nxc302vgmjhm3yqdivqyfzslrg0vjpbss44s74rcryrl19mma9r";
+}
diff --git a/pkgs/os-specific/bsd/netbsd/pkgs/netbsdSetupHook/package.nix b/pkgs/os-specific/bsd/netbsd/pkgs/netbsdSetupHook/package.nix
new file mode 100644
index 0000000000000..31368523ee6fc
--- /dev/null
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/netbsdSetupHook/package.nix
@@ -0,0 +1,3 @@
+{ makeSetupHook }:
+
+makeSetupHook { name = "netbsd-setup-hook"; } ./setup-hook.sh
diff --git a/pkgs/os-specific/bsd/netbsd/setup-hook.sh b/pkgs/os-specific/bsd/netbsd/pkgs/netbsdSetupHook/setup-hook.sh
index fa8b19e7d8ce4..ef00ea418e535 100644
--- a/pkgs/os-specific/bsd/netbsd/setup-hook.sh
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/netbsdSetupHook/setup-hook.sh
@@ -9,6 +9,7 @@ mergeNetBSDSourceDir() {
 
 addNetBSDMakeFlags() {
   makeFlags="INCSDIR=${!outputDev}/include $makeFlags"
+  makeFlags="MANDIR=${!outputMan}/share/man $makeFlags"
 }
 
 postUnpackHooks+=(mergeNetBSDSourceDir)
diff --git a/pkgs/os-specific/bsd/netbsd/pkgs/rpcgen.nix b/pkgs/os-specific/bsd/netbsd/pkgs/rpcgen.nix
new file mode 100644
index 0000000000000..b1482d4dff112
--- /dev/null
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/rpcgen.nix
@@ -0,0 +1,7 @@
+{ mkDerivation }:
+
+mkDerivation {
+  path = "usr.bin/rpcgen";
+  version = "9.2";
+  sha256 = "1kfgfx54jg98wbg0d95p0rvf4w0302v8fz724b0bdackdsrd4988";
+}
diff --git a/pkgs/os-specific/bsd/netbsd/pkgs/stat/hook.nix b/pkgs/os-specific/bsd/netbsd/pkgs/stat/hook.nix
new file mode 100644
index 0000000000000..e38c53a3aac57
--- /dev/null
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/stat/hook.nix
@@ -0,0 +1,17 @@
+{
+  makeSetupHook,
+  writeText,
+  stat,
+}:
+
+# stat isn't in POSIX, and NetBSD stat supports a completely
+# different range of flags than GNU stat, so including it in PATH
+# breaks stdenv.  Work around that with a hook that will point
+# NetBSD's build system and NetBSD stat without including it in
+# PATH.
+
+makeSetupHook { name = "netbsd-stat-hook"; } (
+  writeText "netbsd-stat-hook-impl" ''
+    makeFlagsArray+=(TOOL_STAT=${stat}/bin/stat)
+  ''
+)
diff --git a/pkgs/os-specific/bsd/netbsd/pkgs/stat/package.nix b/pkgs/os-specific/bsd/netbsd/pkgs/stat/package.nix
new file mode 100644
index 0000000000000..397b1f5303c15
--- /dev/null
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/stat/package.nix
@@ -0,0 +1,28 @@
+{
+  mkDerivation,
+  bsdSetupHook,
+  netbsdSetupHook,
+  makeMinimal,
+  install,
+  mandoc,
+  groff,
+  rsync,
+}:
+
+# Don't add this to nativeBuildInputs directly.
+# Use statHook instead. See note in stat/hook.nix
+
+mkDerivation {
+  path = "usr.bin/stat";
+  version = "9.2";
+  sha256 = "18nqwlndfc34qbbgqx5nffil37jfq9aw663ippasfxd2hlyc106x";
+  nativeBuildInputs = [
+    bsdSetupHook
+    netbsdSetupHook
+    makeMinimal
+    install
+    mandoc
+    groff
+    rsync
+  ];
+}
diff --git a/pkgs/os-specific/bsd/netbsd/pkgs/sys/base.nix b/pkgs/os-specific/bsd/netbsd/pkgs/sys/base.nix
new file mode 100644
index 0000000000000..4c140fa3bdef7
--- /dev/null
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/sys/base.nix
@@ -0,0 +1,93 @@
+{
+  lib,
+  mkDerivation,
+  include,
+  bsdSetupHook,
+  netbsdSetupHook,
+  makeMinimal,
+  install,
+  tsort,
+  lorder,
+  statHook,
+  rsync,
+  uudecode,
+  config,
+  genassym,
+  defaultMakeFlags,
+  common,
+}:
+{
+  path = "sys";
+  version = "9.2";
+  sha256 = "03s18q8d9giipf05bx199fajc2qwikji0djz7hw63d2lya6bfnpj";
+
+  # Make the build ignore linker warnings
+  prePatch = ''
+    substituteInPlace sys/conf/Makefile.kern.inc \
+      --replace "-Wa,--fatal-warnings" ""
+  '';
+
+  patches = [
+    # Fix this error when building bootia32.efi and bootx64.efi:
+    # error: PHDR segment not covered by LOAD segment
+    ./no-dynamic-linker.patch
+
+    # multiple header dirs, see above
+    ./sys-headers-incsdir.patch
+  ];
+
+  postPatch =
+    ''
+      substituteInPlace sys/arch/i386/stand/efiboot/Makefile.efiboot \
+        --replace "-nocombreloc" "-z nocombreloc"
+    ''
+    +
+      # multiple header dirs, see above
+      include.postPatch;
+
+  CONFIG = "GENERIC";
+
+  propagatedBuildInputs = [ include ];
+  nativeBuildInputs = [
+    bsdSetupHook
+    netbsdSetupHook
+    makeMinimal
+    install
+    tsort
+    lorder
+    statHook
+    rsync
+    uudecode
+    config
+    genassym
+  ];
+
+  postConfigure =
+    ''
+      pushd arch/$MACHINE/conf
+      config $CONFIG
+      popd
+    ''
+    # multiple header dirs, see above
+    + include.postConfigure;
+
+  makeFlags = defaultMakeFlags ++ [ "FIRMWAREDIR=$(out)/libdata/firmware" ];
+  hardeningDisable = [ "pic" ];
+  MKKMOD = "no";
+  env.NIX_CFLAGS_COMPILE = toString [
+    "-Wno-error=array-parameter"
+    "-Wno-error=array-bounds"
+    "-Wa,--no-warn"
+  ];
+
+  postBuild = ''
+    make -C arch/$MACHINE/compile/$CONFIG $makeFlags
+  '';
+
+  postInstall = ''
+    cp arch/$MACHINE/compile/$CONFIG/netbsd $out
+  '';
+
+  meta.platforms = lib.platforms.netbsd;
+  extraPaths = [ common ];
+}
diff --git a/pkgs/os-specific/bsd/netbsd/pkgs/sys/headers.nix b/pkgs/os-specific/bsd/netbsd/pkgs/sys/headers.nix
new file mode 100644
index 0000000000000..2df35efc199ad
--- /dev/null
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/sys/headers.nix
@@ -0,0 +1,49 @@
+{
+  lib,
+  mkDerivation,
+  include,
+  bsdSetupHook,
+  netbsdSetupHook,
+  makeMinimal,
+  install,
+  tsort,
+  lorder,
+  statHook,
+  rsync,
+  uudecode,
+  config,
+  genassym,
+  defaultMakeFlags,
+  common,
+}:
+let
+  base = import ./base.nix {
+    inherit
+      lib
+      mkDerivation
+      include
+      bsdSetupHook
+      netbsdSetupHook
+      makeMinimal
+      install
+      tsort
+      lorder
+      statHook
+      rsync
+      uudecode
+      config
+      genassym
+      defaultMakeFlags
+      common
+      ;
+  };
+in
+mkDerivation (
+  base
+  // {
+    pname = "sys-headers";
+    installPhase = "includesPhase";
+    dontBuild = true;
+    noCC = true;
+  }
+)
diff --git a/pkgs/os-specific/bsd/netbsd/no-dynamic-linker.patch b/pkgs/os-specific/bsd/netbsd/pkgs/sys/no-dynamic-linker.patch
index b3e9f3c88a13c..b3e9f3c88a13c 100644
--- a/pkgs/os-specific/bsd/netbsd/no-dynamic-linker.patch
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/sys/no-dynamic-linker.patch
diff --git a/pkgs/os-specific/bsd/netbsd/pkgs/sys/package.nix b/pkgs/os-specific/bsd/netbsd/pkgs/sys/package.nix
new file mode 100644
index 0000000000000..c8e6edab5f48f
--- /dev/null
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/sys/package.nix
@@ -0,0 +1,49 @@
+{
+  lib,
+  mkDerivation,
+  include,
+  bsdSetupHook,
+  netbsdSetupHook,
+  makeMinimal,
+  install,
+  tsort,
+  lorder,
+  statHook,
+  rsync,
+  uudecode,
+  config,
+  genassym,
+  defaultMakeFlags,
+  common,
+}:
+let
+  base = import ./base.nix {
+    inherit
+      lib
+      mkDerivation
+      include
+      bsdSetupHook
+      netbsdSetupHook
+      makeMinimal
+      install
+      tsort
+      lorder
+      statHook
+      rsync
+      uudecode
+      config
+      genassym
+      defaultMakeFlags
+      common
+      ;
+  };
+in
+mkDerivation (
+  base
+  // {
+    pname = "sys";
+    installPhase = null;
+    noCC = false;
+    dontBuild = false;
+  }
+)
diff --git a/pkgs/os-specific/bsd/netbsd/sys-headers-incsdir.patch b/pkgs/os-specific/bsd/netbsd/pkgs/sys/sys-headers-incsdir.patch
index 5cfb2a54c8db2..5cfb2a54c8db2 100644
--- a/pkgs/os-specific/bsd/netbsd/sys-headers-incsdir.patch
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/sys/sys-headers-incsdir.patch
diff --git a/pkgs/os-specific/bsd/netbsd/pkgs/tic.nix b/pkgs/os-specific/bsd/netbsd/pkgs/tic.nix
new file mode 100644
index 0000000000000..e0900652108fd
--- /dev/null
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/tic.nix
@@ -0,0 +1,39 @@
+{
+  mkDerivation,
+  bsdSetupHook,
+  netbsdSetupHook,
+  makeMinimal,
+  install,
+  mandoc,
+  groff,
+  nbperf,
+  rsync,
+  compatIfNeeded,
+  defaultMakeFlags,
+  libterminfo,
+  fetchNetBSD,
+}:
+
+mkDerivation {
+  path = "tools/tic";
+  version = "9.2";
+  sha256 = "092y7db7k4kh2jq8qc55126r5qqvlb8lq8mhmy5ipbi36hwb4zrz";
+  HOSTPROG = "tic";
+  buildInputs = compatIfNeeded;
+  nativeBuildInputs = [
+    bsdSetupHook
+    netbsdSetupHook
+    makeMinimal
+    install
+    mandoc
+    groff
+    nbperf
+    rsync
+  ];
+  makeFlags = defaultMakeFlags ++ [ "TOOLDIR=$(out)" ];
+  extraPaths = [
+    libterminfo.src
+    (fetchNetBSD "usr.bin/tic" "9.2" "1mwdfg7yx1g43ss378qsgl5rqhsxskqvsd2mqvrn38qw54i8v5i1")
+    (fetchNetBSD "tools/Makefile.host" "9.2" "15b4ab0n36lqj00j5lz2xs83g7l8isk3wx1wcapbrn66qmzz2sxy")
+  ];
+}
diff --git a/pkgs/os-specific/bsd/netbsd/pkgs/tsort.nix b/pkgs/os-specific/bsd/netbsd/pkgs/tsort.nix
new file mode 100644
index 0000000000000..9200bc57a73e0
--- /dev/null
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/tsort.nix
@@ -0,0 +1,25 @@
+{
+  mkDerivation,
+  bsdSetupHook,
+  netbsdSetupHook,
+  makeMinimal,
+  install,
+  mandoc,
+  groff,
+  rsync,
+}:
+
+mkDerivation {
+  path = "usr.bin/tsort";
+  version = "9.2";
+  sha256 = "1dqvf9gin29nnq3c4byxc7lfd062pg7m84843zdy6n0z63hnnwiq";
+  nativeBuildInputs = [
+    bsdSetupHook
+    netbsdSetupHook
+    makeMinimal
+    install
+    mandoc
+    groff
+    rsync
+  ];
+}
diff --git a/pkgs/os-specific/bsd/netbsd/pkgs/uudecode.nix b/pkgs/os-specific/bsd/netbsd/pkgs/uudecode.nix
new file mode 100644
index 0000000000000..7592db3eaf180
--- /dev/null
+++ b/pkgs/os-specific/bsd/netbsd/pkgs/uudecode.nix
@@ -0,0 +1,13 @@
+{
+  lib,
+  mkDerivation,
+  stdenv,
+}:
+
+mkDerivation {
+  path = "usr.bin/uudecode";
+  version = "9.2";
+  sha256 = "00a3zmh15pg4vx6hz0kaa5mi8d2b1sj4h512d7p6wbvxq6mznwcn";
+  env.NIX_CFLAGS_COMPILE = lib.optionalString stdenv.isLinux "-DNO_BASE64";
+  NIX_LDFLAGS = lib.optional stdenv.isDarwin "-lresolv";
+}
diff --git a/pkgs/os-specific/bsd/openbsd/default.nix b/pkgs/os-specific/bsd/openbsd/default.nix
new file mode 100644
index 0000000000000..00dba195b92f5
--- /dev/null
+++ b/pkgs/os-specific/bsd/openbsd/default.nix
@@ -0,0 +1,49 @@
+{
+  stdenv,
+  lib,
+  stdenvNoCC,
+  makeScopeWithSplicing',
+  generateSplicesForMkScope,
+  pkgs,
+  buildPackages,
+  netbsd,
+}:
+
+makeScopeWithSplicing' {
+  otherSplices = generateSplicesForMkScope "openbsd";
+  f = (
+    self:
+    lib.packagesFromDirectoryRecursive {
+      callPackage = self.callPackage;
+      directory = ./pkgs;
+    }
+    // {
+      libc = self.callPackage ./pkgs/libc/package.nix {
+        inherit (self) csu include lorder;
+        inherit (buildPackages.openbsd) makeMinimal;
+        inherit (buildPackages.netbsd)
+          install
+          gencat
+          rpcgen
+          tsort
+          ;
+      };
+      makeMinimal = buildPackages.netbsd.makeMinimal.override { inherit (self) make-rules; };
+      mkDerivation = self.callPackage ./pkgs/mkDerivation.nix {
+        inherit stdenv;
+        inherit (buildPackages.netbsd) install;
+      };
+      include = self.callPackage ./pkgs/include/package.nix {
+        inherit (buildPackages.openbsd) makeMinimal;
+        inherit (buildPackages.netbsd) install rpcgen mtree;
+      };
+      csu = self.callPackage ./pkgs/csu.nix {
+        inherit (self) include;
+        inherit (buildPackages.openbsd) makeMinimal;
+        inherit (buildPackages.netbsd) install;
+      };
+      make-rules = self.callPackage ./pkgs/make-rules/package.nix { };
+      lorder = self.callPackage ./pkgs/lorder.nix { inherit (buildPackages.netbsd) install; };
+    }
+  );
+}
diff --git a/pkgs/os-specific/bsd/openbsd/pkgs/csu.nix b/pkgs/os-specific/bsd/openbsd/pkgs/csu.nix
new file mode 100644
index 0000000000000..a2b2153a729b1
--- /dev/null
+++ b/pkgs/os-specific/bsd/openbsd/pkgs/csu.nix
@@ -0,0 +1,22 @@
+{
+  lib,
+  mkDerivation,
+  bsdSetupHook,
+  openbsdSetupHook,
+  makeMinimal,
+  install,
+  include,
+}:
+
+mkDerivation {
+  path = "lib/csu";
+  nativeBuildInputs = [
+    bsdSetupHook
+    openbsdSetupHook
+    makeMinimal
+    install
+  ];
+  buildInputs = [ include ];
+  meta.platforms = lib.platforms.openbsd;
+  extraPaths = [ "libexec/ld.so" ];
+}
diff --git a/pkgs/os-specific/bsd/openbsd/pkgs/include/package.nix b/pkgs/os-specific/bsd/openbsd/pkgs/include/package.nix
new file mode 100644
index 0000000000000..481e302065fc4
--- /dev/null
+++ b/pkgs/os-specific/bsd/openbsd/pkgs/include/package.nix
@@ -0,0 +1,57 @@
+{
+  lib,
+  mkDerivation,
+  makeMinimal,
+  bsdSetupHook,
+  openbsdSetupHook,
+  install,
+  rpcgen,
+  mtree,
+  pax,
+  buildPackages,
+}:
+mkDerivation {
+  path = "include";
+  noCC = true;
+
+  extraPaths = [
+    "lib"
+    #"sys"
+    "sys/arch"
+    # LDIRS from the mmakefile
+    "sys/crypto"
+    "sys/ddb"
+    "sys/dev"
+    "sys/isofs"
+    "sys/miscfs"
+    "sys/msdosfs"
+    "sys/net"
+    "sys/netinet"
+    "sys/netinet6"
+    "sys/netmpls"
+    "sys/net80211"
+    "sys/nfs"
+    "sys/ntfs"
+    "sys/scsi"
+    "sys/sys"
+    "sys/ufs"
+    "sys/uvm"
+  ];
+
+  nativeBuildInputs = [
+    bsdSetupHook
+    install
+    makeMinimal
+    mtree
+    openbsdSetupHook
+    pax
+    rpcgen
+  ];
+
+  makeFlags = [
+    "RPCGEN_CPP=${buildPackages.stdenv.cc.cc}/bin/cpp"
+    "-B"
+  ];
+
+  headersOnly = true;
+}
diff --git a/pkgs/os-specific/bsd/openbsd/pkgs/libc/disable-librebuild.patch b/pkgs/os-specific/bsd/openbsd/pkgs/libc/disable-librebuild.patch
new file mode 100644
index 0000000000000..58633861a826f
--- /dev/null
+++ b/pkgs/os-specific/bsd/openbsd/pkgs/libc/disable-librebuild.patch
@@ -0,0 +1,12 @@
+diff --git a/lib/libc/Makefile b/lib/libc/Makefile
+index 4bb4b67fcbb..1c8a8e08e60 100644
+--- a/lib/libc/Makefile
++++ b/lib/libc/Makefile
+@@ -6,7 +6,6 @@
+ .include <bsd.own.mk>
+
+ LIB=c
+-LIBREBUILD=y
+ CLEANFILES+=tags Symbols.map
+ CFLAGS+=-Wimplicit
+ #CFLAGS+=-Werror
diff --git a/pkgs/os-specific/bsd/openbsd/pkgs/libc/netbsd-make-to-lower.patch b/pkgs/os-specific/bsd/openbsd/pkgs/libc/netbsd-make-to-lower.patch
new file mode 100644
index 0000000000000..e8d016ceead5a
--- /dev/null
+++ b/pkgs/os-specific/bsd/openbsd/pkgs/libc/netbsd-make-to-lower.patch
@@ -0,0 +1,16 @@
+NetBSD's make uses `${variable:tl}` not `${variable:L}`.
+
+diff --git a/lib/libc/Makefile b/lib/libc/Makefile
+index 4bb4b67fcbb..ffb35c196ea 100644
+--- a/lib/libc/Makefile
++++ b/lib/libc/Makefile
+@@ -11,8 +11,8 @@ CLEANFILES+=tags Symbols.map
+ CFLAGS+=-Wimplicit
+ #CFLAGS+=-Werror
+ LDADD=-nostdlib
+-.if ${COMPILER_VERSION:L} == "clang"
++.if ${COMPILER_VERSION:tl} == "clang"
+ LDADD+=-lcompiler_rt
+ .else
+ LDADD+=-lgcc
+ .endif
diff --git a/pkgs/os-specific/bsd/openbsd/pkgs/libc/package.nix b/pkgs/os-specific/bsd/openbsd/pkgs/libc/package.nix
new file mode 100644
index 0000000000000..cf233c827840a
--- /dev/null
+++ b/pkgs/os-specific/bsd/openbsd/pkgs/libc/package.nix
@@ -0,0 +1,120 @@
+{
+  lib,
+  stdenv,
+  mkDerivation,
+  bsdSetupHook,
+  openbsdSetupHook,
+  makeMinimal,
+  install,
+  flex,
+  byacc,
+  gencat,
+  rpcgen,
+  lorder,
+  csu,
+  include,
+  ctags,
+  tsort,
+  llvmPackages,
+  fetchpatch,
+}:
+
+mkDerivation rec {
+  pname = "libc";
+  path = "lib/libc";
+  extraPaths = [
+    "lib/csu/os-note-elf.h"
+    "sys/arch"
+
+    "lib/libm"
+    "lib/libpthread"
+    "lib/librpcsvc"
+    "lib/librpcsvc"
+    "lib/librthread"
+    "lib/libutil"
+  ];
+
+  patches = [
+    ./netbsd-make-to-lower.patch
+    ./disable-librebuild.patch
+    (fetchpatch {
+      url = "https://marc.info/?l=openbsd-tech&m=171575286706032&q=raw";
+      sha256 = "sha256-2fqabJZLUvXUIWe5WZ4NrTOwgQCXqH49Wo0hAPu5lu0=";
+    })
+  ];
+
+  nativeBuildInputs = [
+    bsdSetupHook
+    openbsdSetupHook
+    makeMinimal
+    install
+    flex
+    byacc
+    gencat
+    rpcgen
+    ctags
+    lorder
+    tsort
+  ];
+
+  buildInputs = [
+    include
+    csu
+  ];
+
+  env.NIX_CFLAGS_COMPILE = builtins.toString [
+    "-B${csu}/lib"
+    "-Wno-error"
+  ];
+
+  # Suppress lld >= 16 undefined version errors
+  # https://github.com/freebsd/freebsd-src/commit/2ba84b4bcdd6012e8cfbf8a0d060a4438623a638
+  env.NIX_LDFLAGS = lib.optionalString (stdenv.hostPlatform.linker == "lld") "--undefined-version";
+
+  makeFlags = [
+    "STRIP=-s" # flag to install, not command
+    "COMPILER_VERSION=clang"
+    "LIBC_TAGS=no"
+  ];
+
+  postInstall = ''
+    symlink_so () {
+      pushd $out/lib
+      ln -s "lib$1".so.* "lib$1.so"
+      popd
+    }
+
+    symlink_so c
+
+    pushd ${include}
+    find . -type d -exec mkdir -p $out/\{} \;
+    find . \( -type f -o -type l \) -exec cp -pr \{} $out/\{} \;
+    popd
+    substituteInPlace $out/include/sys/time.h --replace "defined (_LIBC)" "true"
+
+    pushd ${csu}
+    find . -type d -exec mkdir -p $out/\{} \;
+    find . \( -type f -o -type l \) -exec cp -pr \{} $out/\{} \;
+    popd
+
+    NIX_CFLAGS_COMPILE+=" -B$out/lib"
+    NIX_CFLAGS_COMPILE+=" -I$out/include"
+    NIX_LDFLAGS+=" -L$out/lib"
+
+    make -C $BSDSRCDIR/lib/libm $makeFlags
+    make -C $BSDSRCDIR/lib/libm $makeFlags install
+    symlink_so m
+
+    make -C $BSDSRCDIR/lib/librthread $makeFlags
+    make -C $BSDSRCDIR/lib/librthread $makeFlags install
+    symlink_so pthread
+
+    make -C $BSDSRCDIR/lib/librpcsvc $makeFlags
+    make -C $BSDSRCDIR/lib/librpcsvc $makeFlags install
+    symlink_so rpcsv
+
+    make -C $BSDSRCDIR/lib/libutil $makeFlags
+    make -C $BSDSRCDIR/lib/libutil $makeFlags install
+    symlink_so util
+  '';
+}
diff --git a/pkgs/os-specific/bsd/openbsd/pkgs/lorder.nix b/pkgs/os-specific/bsd/openbsd/pkgs/lorder.nix
new file mode 100644
index 0000000000000..25ff1fcbd14f6
--- /dev/null
+++ b/pkgs/os-specific/bsd/openbsd/pkgs/lorder.nix
@@ -0,0 +1,20 @@
+{
+  lib,
+  mkDerivation,
+  bsdSetupHook,
+  openbsdSetupHook,
+  makeMinimal,
+  install,
+}:
+
+mkDerivation {
+  path = "usr.bin/lorder";
+  nativeBuildInputs = [
+    bsdSetupHook
+    openbsdSetupHook
+    makeMinimal
+    install
+  ];
+
+  meta.platforms = lib.platforms.unix;
+}
diff --git a/pkgs/os-specific/bsd/openbsd/pkgs/make-rules/netbsd-make-sinclude.patch b/pkgs/os-specific/bsd/openbsd/pkgs/make-rules/netbsd-make-sinclude.patch
new file mode 100644
index 0000000000000..daaaff56e9b7d
--- /dev/null
+++ b/pkgs/os-specific/bsd/openbsd/pkgs/make-rules/netbsd-make-sinclude.patch
@@ -0,0 +1,15 @@
+NetBSD make prefers `.-include` to `sinclude` (without a dot)
+
+diff --git a/share/mk/bsd.dep.mk b/share/mk/bsd.dep.mk
+index 7019adb57f7..277064eb5c2 100644
+--- a/share/mk/bsd.dep.mk
++++ b/share/mk/bsd.dep.mk
+@@ -11,7 +11,7 @@ depend:
+ # catch22: don't include potentially bogus files we are going to clean
+ .  if !(make(clean) || make(cleandir) || make(obj))
+ .    for o in ${DEPS}
+-       sinclude $o
++.      -include "$o"
+ .    endfor
+ .  endif
+ .endif
diff --git a/pkgs/os-specific/bsd/openbsd/pkgs/make-rules/package.nix b/pkgs/os-specific/bsd/openbsd/pkgs/make-rules/package.nix
new file mode 100644
index 0000000000000..1e7c705c0dfd0
--- /dev/null
+++ b/pkgs/os-specific/bsd/openbsd/pkgs/make-rules/package.nix
@@ -0,0 +1,36 @@
+{
+  fetchpatch,
+  lib,
+  mkDerivation,
+  stdenv,
+}:
+
+mkDerivation {
+  path = "share/mk";
+  noCC = true;
+
+  buildInputs = [ ];
+  nativeBuildInputs = [ ];
+
+  dontBuild = true;
+
+  patches = [
+    (fetchpatch {
+      url = "https://marc.info/?l=openbsd-tech&m=171575284906018&q=raw";
+      sha256 = "sha256-bigxJGbaf9mCmFXxLVzQpnUUaEMMDfF3eZkTXVzd6B8=";
+    })
+    ./netbsd-make-sinclude.patch
+  ];
+
+  postPatch = ''
+    sed -i -E \
+      -e 's|/usr/lib|\$\{LIBDIR\}|' \
+      share/mk/bsd.prog.mk
+  '';
+
+  installPhase = ''
+    cp -r share/mk $out
+  '';
+
+  meta.platforms = lib.platforms.unix;
+}
diff --git a/pkgs/os-specific/bsd/openbsd/pkgs/mkDerivation.nix b/pkgs/os-specific/bsd/openbsd/pkgs/mkDerivation.nix
new file mode 100644
index 0000000000000..6c5bc5cd17193
--- /dev/null
+++ b/pkgs/os-specific/bsd/openbsd/pkgs/mkDerivation.nix
@@ -0,0 +1,91 @@
+{
+  lib,
+  stdenv,
+  stdenvNoCC,
+  runCommand,
+  rsync,
+  source,
+  bsdSetupHook,
+  openbsdSetupHook,
+  makeMinimal,
+  install,
+}:
+
+lib.makeOverridable (
+  attrs:
+  let
+    stdenv' = if attrs.noCC or false then stdenvNoCC else stdenv;
+  in
+  stdenv'.mkDerivation (
+    rec {
+      pname = "${attrs.pname or (baseNameOf attrs.path)}-openbsd";
+      version = "0";
+      src = runCommand "${pname}-filtered-src" { nativeBuildInputs = [ rsync ]; } ''
+        for p in ${lib.concatStringsSep " " ([ attrs.path ] ++ attrs.extraPaths or [ ])}; do
+          set -x
+          path="$out/$p"
+          mkdir -p "$(dirname "$path")"
+          src_path="${source}/$p"
+          if [[ -d "$src_path" ]]; then src_path+=/; fi
+          rsync --chmod="+w" -r "$src_path" "$path"
+          set +x
+        done
+      '';
+
+      extraPaths = [ ];
+
+      nativeBuildInputs = [
+        bsdSetupHook
+        openbsdSetupHook
+        makeMinimal
+        install
+      ];
+
+      HOST_SH = stdenv'.shell;
+
+      # Since STRIP below is the flag
+      STRIPBIN = "${stdenv.cc.bintools.targetPrefix}strip";
+
+      makeFlags = [
+        "STRIP=-s" # flag to install, not command
+        "-B"
+      ];
+
+      MACHINE_ARCH =
+        {
+          # amd64 not x86_64 for this on unlike NetBSD
+          x86_64 = "amd64";
+          aarch64 = "arm64";
+          i486 = "i386";
+          i586 = "i386";
+          i686 = "i386";
+        }
+        .${stdenv'.hostPlatform.parsed.cpu.name} or stdenv'.hostPlatform.parsed.cpu.name;
+
+      MACHINE = MACHINE_ARCH;
+
+      MACHINE_CPU = MACHINE_ARCH;
+
+      MACHINE_CPUARCH = MACHINE_ARCH;
+
+      COMPONENT_PATH = attrs.path or null;
+
+      strictDeps = true;
+
+      meta = with lib; {
+        maintainers = with maintainers; [ ericson2314 ];
+        platforms = platforms.openbsd;
+        license = licenses.bsd2;
+      };
+    }
+    // lib.optionalAttrs stdenv'.hasCC {
+      # TODO should CC wrapper set this?
+      CPP = "${stdenv'.cc.targetPrefix}cpp";
+    }
+    // lib.optionalAttrs (attrs.headersOnly or false) {
+      installPhase = "includesPhase";
+      dontBuild = true;
+    }
+    // attrs
+  )
+)
diff --git a/pkgs/os-specific/bsd/openbsd/pkgs/openbsdSetupHook/package.nix b/pkgs/os-specific/bsd/openbsd/pkgs/openbsdSetupHook/package.nix
new file mode 100644
index 0000000000000..61147954812fd
--- /dev/null
+++ b/pkgs/os-specific/bsd/openbsd/pkgs/openbsdSetupHook/package.nix
@@ -0,0 +1,3 @@
+{ makeSetupHook }:
+
+makeSetupHook { name = "openbsd-setup-hook"; } ./setup-hook.sh
diff --git a/pkgs/os-specific/bsd/openbsd/pkgs/openbsdSetupHook/setup-hook.sh b/pkgs/os-specific/bsd/openbsd/pkgs/openbsdSetupHook/setup-hook.sh
new file mode 100644
index 0000000000000..50e79bc2928a9
--- /dev/null
+++ b/pkgs/os-specific/bsd/openbsd/pkgs/openbsdSetupHook/setup-hook.sh
@@ -0,0 +1,21 @@
+addOpenBSDMakeFlags() {
+  makeFlags="INCSDIR=${!outputDev}/include $makeFlags"
+  makeFlags="MANDIR=${!outputMan}/share/man $makeFlags"
+}
+
+fixOpenBSDInstallDirs() {
+  find "$BSDSRCDIR" -name Makefile -exec \
+    sed -i -E \
+      -e 's|/usr/include|${INCSDIR}|' \
+      -e 's|/usr/bin|${BINDIR}|' \
+      -e 's|/usr/lib|${LIBDIR}|' \
+      {} \;
+}
+
+setBinownBingrp() {
+  export BINOWN=$(id -u)
+  export BINGRP=$(id -g)
+}
+
+preConfigureHooks+=(addOpenBSDMakeFlags)
+postPatchHooks+=(fixOpenBSDInstallDirs setBinownBingrp)
diff --git a/pkgs/os-specific/bsd/openbsd/pkgs/source.nix b/pkgs/os-specific/bsd/openbsd/pkgs/source.nix
new file mode 100644
index 0000000000000..359c3f2fbc919
--- /dev/null
+++ b/pkgs/os-specific/bsd/openbsd/pkgs/source.nix
@@ -0,0 +1,8 @@
+{ fetchcvs }:
+
+fetchcvs {
+  cvsRoot = "anoncvs@anoncvs.fr.openbsd.org/cvs";
+  module = "src";
+  tag = "OPENBSD_7_5";
+  sha256 = "sha256-hzdATew6h/FQV72SWtg3YvUXdPoGjm2SoUS7m3c3fSU=";
+}
diff --git a/pkgs/os-specific/bsd/setup-hook.sh b/pkgs/os-specific/bsd/setup-hook.sh
index e0afefcd73f71..f9453708ab5db 100644
--- a/pkgs/os-specific/bsd/setup-hook.sh
+++ b/pkgs/os-specific/bsd/setup-hook.sh
@@ -49,7 +49,6 @@ addMakeFlags() {
   makeFlags="LIBDIR=${!outputLib}/lib $makeFlags"
   makeFlags="SHLIBDIR=${!outputLib}/lib $makeFlags"
   makeFlags="SHAREDIR=${!outputLib}/share $makeFlags"
-  makeFlags="MANDIR=${!outputMan}/share/man $makeFlags"
   makeFlags="INFODIR=${!outputInfo}/share/info $makeFlags"
   makeFlags="DOCDIR=${!outputDoc}/share/doc $makeFlags"
   makeFlags="LOCALEDIR=${!outputLib}/share/locale $makeFlags"
diff --git a/pkgs/os-specific/darwin/CoreSymbolication/default.nix b/pkgs/os-specific/darwin/CoreSymbolication/default.nix
index d9a2b378134a2..f6b0e2b79c3d3 100644
--- a/pkgs/os-specific/darwin/CoreSymbolication/default.nix
+++ b/pkgs/os-specific/darwin/CoreSymbolication/default.nix
@@ -1,8 +1,14 @@
-{ lib, fetchFromGitHub, fetchpatch, stdenv }:
+{
+  lib,
+  fetchFromGitHub,
+  fetchpatch,
+  stdenvNoCC,
+  darwin-stubs,
+}:
 
-stdenv.mkDerivation {
-  pname = "core-symbolication";
-  version = "unstable-2018-06-17";
+stdenvNoCC.mkDerivation (finalAttrs: {
+  pname = "CoreSymbolication";
+  inherit (darwin-stubs) version;
 
   src = fetchFromGitHub {
     repo = "CoreSymbolication";
@@ -12,15 +18,35 @@ stdenv.mkDerivation {
   };
 
   patches = [
-    # C99 compilation fix
-    # https://github.com/matthewbauer/CoreSymbolication/pull/1
+    # Add missing symbol definitions needed to build `zlog` in system_cmds.
+    # https://github.com/matthewbauer/CoreSymbolication/pull/2
     (fetchpatch {
-      url = "https://github.com/boltzmannrain/CoreSymbolication/commit/1c26cc93f260bda9230a93e91585284e80aa231f.patch";
-      hash = "sha256-d/ieDEnvZ9kVOjBVUdJzGmdvC1AF3Jk4fbwp04Q6l/I=";
+      url = "https://github.com/matthewbauer/CoreSymbolication/commit/ae7ac6a7043dbae8e63d6ce5e63dfaf02b5977fe.patch";
+      hash = "sha256-IuXGMsaR1LIGs+BpDU1b4YlznKm9VhK5DQ+Dthtb1mI=";
+    })
+    (fetchpatch {
+      url = "https://github.com/matthewbauer/CoreSymbolication/commit/6531da946949a94643e6d8424236174ae64fe0ca.patch";
+      hash = "sha256-+nDX04yY92yVT9KxiAFY2LxKcS7P8JpU539K+YVRqV4=";
     })
   ];
 
-  makeFlags = [ "PREFIX=$(out)" "CC=${stdenv.cc.targetPrefix}cc" ];
+  dontBuild = true;
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/Library/Frameworks/CoreSymbolication.framework/Versions/A/Headers
+
+    ln -s A $out/Library/Frameworks/CoreSymbolication.framework/Versions/Current
+    ln -s Versions/Current/Headers $out/Library/Frameworks/CoreSymbolication.framework/Headers
+    ln -s Versions/Current/CoreSymbolication.tbd $out/Library/Frameworks/CoreSymbolication.framework/CoreSymbolication.tbd
+
+    cp *.h $out/Library/Frameworks/CoreSymbolication.framework/Versions/A/Headers
+    cp ${darwin-stubs}/System/Library/PrivateFrameworks/CoreSymbolication.framework/Versions/A/CoreSymbolication.tbd \
+      $out/Library/Frameworks/CoreSymbolication.framework/Versions/A/CoreSymbolication.tbd
+
+    runHook postInstall
+  '';
 
   meta = with lib; {
     description = "Reverse engineered headers for Apple's CoreSymbolication framework";
@@ -29,4 +55,4 @@ stdenv.mkDerivation {
     platforms = platforms.darwin;
     maintainers = with maintainers; [ matthewbauer ];
   };
-}
+})
diff --git a/pkgs/os-specific/darwin/apple-sdk-11.0/default.nix b/pkgs/os-specific/darwin/apple-sdk-11.0/default.nix
index 0e908d0179db1..238c1b7e460b0 100644
--- a/pkgs/os-specific/darwin/apple-sdk-11.0/default.nix
+++ b/pkgs/os-specific/darwin/apple-sdk-11.0/default.nix
@@ -105,6 +105,8 @@ let
     # conflicting LLVM modules.
     objc4 = stdenv.objc4 or (callPackage ./libobjc.nix { });
 
+    sdkRoot = pkgs.callPackage ../apple-sdk/sdkRoot.nix { sdkVersion = "11.0"; };
+
     # questionable aliases
     configd = pkgs.darwin.apple_sdk.frameworks.SystemConfiguration;
     inherit (pkgs.darwin.apple_sdk.frameworks) IOKit;
@@ -143,5 +145,16 @@ let
       });
       xcbuild = xcodebuild;
     }));
+
+    darwin-stubs = stdenvNoCC.mkDerivation {
+      pname = "darwin-stubs";
+      inherit (MacOSX-SDK) version;
+
+      buildCommand = ''
+        mkdir -p "$out"
+        ln -s ${MacOSX-SDK}/System "$out/System"
+        ln -s ${MacOSX-SDK}/usr "$out/usr"
+      '';
+    };
   };
 in packages
diff --git a/pkgs/os-specific/darwin/apple-sdk/default.nix b/pkgs/os-specific/darwin/apple-sdk/default.nix
index 5484ba5acb189..a3d1df0867a9a 100644
--- a/pkgs/os-specific/darwin/apple-sdk/default.nix
+++ b/pkgs/os-specific/darwin/apple-sdk/default.nix
@@ -350,5 +350,13 @@ in rec {
 
   frameworks = bareFrameworks // overrides bareFrameworks;
 
+  inherit darwin-stubs;
+
+  objc4 = pkgs.darwin.libobjc;
+
+  sdkRoot = pkgs.callPackage ./sdkRoot.nix { sdkVersion = "10.12"; };
+
+  inherit (pkgs.darwin) Libsystem;
+
   inherit sdk;
 }
diff --git a/pkgs/os-specific/darwin/apple-sdk/sdkRoot.nix b/pkgs/os-specific/darwin/apple-sdk/sdkRoot.nix
new file mode 100644
index 0000000000000..67d9cbe031059
--- /dev/null
+++ b/pkgs/os-specific/darwin/apple-sdk/sdkRoot.nix
@@ -0,0 +1,68 @@
+{
+  lib,
+  runCommand,
+  writeText,
+  sdkVersion,
+}:
+
+let
+  sdkName = "MacOSX${sdkVersion}";
+  toolchainName = "com.apple.dt.toolchain.XcodeDefault";
+  productBuildVer = null;
+
+  inherit (lib.generators) toPlist toJSON;
+
+  SDKSettings = {
+    CanonicalName = "macosx${sdkVersion}";
+    DisplayName = "macOS ${sdkVersion}";
+    Toolchains = [ toolchainName ];
+    Version = sdkVersion;
+    MaximumDeploymentTarget = "${sdkVersion}.99";
+    isBaseSDK = "YES";
+  };
+
+  SystemVersion =
+    lib.optionalAttrs (productBuildVer != null) { ProductBuildVersion = productBuildVer; }
+    // {
+      ProductName = "macOS";
+      ProductVersion = sdkVersion;
+    };
+in
+runCommand "sdkroot-${sdkVersion}" { } ''
+  sdk="$out/${sdkName}.sdk"
+
+  install -D ${writeText "SDKSettings.plist" (toPlist { } SDKSettings)} "$sdk/SDKSettings.plist"
+  install -D ${writeText "SDKSettings.json" (toJSON { } SDKSettings)} "$sdk/SDKSettings.json"
+  install -D ${
+    writeText "SystemVersion.plist" (toPlist { } SystemVersion)
+  } "$sdk/System/Library/CoreServices/SystemVersion.plist"
+
+  ln -s "$sdk" "$sdk/usr"
+
+  install -D '${../../../build-support/setup-hooks/role.bash}' "$out/nix-support/setup-hook"
+  cat >> "$out/nix-support/setup-hook" <<-hook
+  #
+  # See comments in cc-wrapper's setup hook. This works exactly the same way.
+  #
+  [[ -z \''${strictDeps-} ]] || (( "\$hostOffset" < 0 )) || return 0
+
+  sdkRootHook() {
+    # See ../../../build-support/setup-hooks/role.bash
+    local role_post
+    getHostRoleEnvHook
+
+    # Only set the SDK root if one has not been set via this hook or some other means.
+    if [[ ! \$NIX_CFLAGS_COMPILE =~ isysroot ]]; then
+      export NIX_CFLAGS_COMPILE\''${role_post}+=' -isysroot $out/${sdkName}.sdk'
+    fi
+  }
+
+  # See ../../../build-support/setup-hooks/role.bash
+  getTargetRole
+
+  addEnvHooks "\$targetOffset" sdkRootHook
+
+  # No local scope in sourced file
+  unset -v role_post
+  hook
+''
diff --git a/pkgs/os-specific/darwin/apple-source-releases/CarbonHeaders/default.nix b/pkgs/os-specific/darwin/apple-source-releases/CarbonHeaders/default.nix
index 25e1df3773dbf..f3ef0e9151f34 100644
--- a/pkgs/os-specific/darwin/apple-source-releases/CarbonHeaders/default.nix
+++ b/pkgs/os-specific/darwin/apple-source-releases/CarbonHeaders/default.nix
@@ -15,6 +15,6 @@ appleDerivation' stdenvNoCC {
   meta = with lib; {
     maintainers = with maintainers; [ copumpkin ];
     platforms   = platforms.darwin;
-    license     = licenses.apsl20;
+    license     = licenses.apple-psl20;
   };
 }
diff --git a/pkgs/os-specific/darwin/apple-source-releases/CommonCrypto/default.nix b/pkgs/os-specific/darwin/apple-source-releases/CommonCrypto/default.nix
index 36013fe307ce4..32e142981f2d3 100644
--- a/pkgs/os-specific/darwin/apple-source-releases/CommonCrypto/default.nix
+++ b/pkgs/os-specific/darwin/apple-source-releases/CommonCrypto/default.nix
@@ -37,6 +37,6 @@ appleDerivation' stdenvNoCC {
   meta = with lib; {
     maintainers = with maintainers; [ copumpkin ];
     platforms   = platforms.darwin;
-    license     = licenses.apsl20;
+    license     = licenses.apple-psl20;
   };
 }
diff --git a/pkgs/os-specific/darwin/apple-source-releases/Csu/default.nix b/pkgs/os-specific/darwin/apple-source-releases/Csu/default.nix
index cc73c0ac94157..8cb478d0874ce 100644
--- a/pkgs/os-specific/darwin/apple-source-releases/Csu/default.nix
+++ b/pkgs/os-specific/darwin/apple-source-releases/Csu/default.nix
@@ -24,6 +24,6 @@ appleDerivation' stdenv {
     description = "Apple's common startup stubs for darwin";
     maintainers = with maintainers; [ copumpkin ];
     platforms   = platforms.darwin;
-    license     = licenses.apsl20;
+    license     = licenses.apple-psl20;
   };
 }
diff --git a/pkgs/os-specific/darwin/apple-source-releases/IOKit/default.nix b/pkgs/os-specific/darwin/apple-source-releases/IOKit/default.nix
index aeeb5c06b34c4..3943e2b2a9b7a 100644
--- a/pkgs/os-specific/darwin/apple-source-releases/IOKit/default.nix
+++ b/pkgs/os-specific/darwin/apple-source-releases/IOKit/default.nix
@@ -183,6 +183,6 @@ appleDerivation' stdenv {
   meta = with lib; {
     maintainers = with maintainers; [ copumpkin ];
     platforms   = platforms.darwin;
-    license     = licenses.apsl20;
+    license     = licenses.apple-psl20;
   };
 }
diff --git a/pkgs/os-specific/darwin/apple-source-releases/Librpcsvc/default.nix b/pkgs/os-specific/darwin/apple-source-releases/Librpcsvc/default.nix
index 1bf6396d47fd9..3c71531515a17 100644
--- a/pkgs/os-specific/darwin/apple-source-releases/Librpcsvc/default.nix
+++ b/pkgs/os-specific/darwin/apple-source-releases/Librpcsvc/default.nix
@@ -17,6 +17,6 @@ appleDerivation {
   meta = with lib; {
     maintainers = with maintainers; [ matthewbauer ];
     platforms   = platforms.darwin;
-    license     = licenses.apsl20;
+    license     = licenses.apple-psl20;
   };
 }
diff --git a/pkgs/os-specific/darwin/apple-source-releases/Libsystem/default.nix b/pkgs/os-specific/darwin/apple-source-releases/Libsystem/default.nix
index c9cc99a6550e7..87fb8512fb646 100644
--- a/pkgs/os-specific/darwin/apple-source-releases/Libsystem/default.nix
+++ b/pkgs/os-specific/darwin/apple-source-releases/Libsystem/default.nix
@@ -10,24 +10,13 @@
 let
   darling.src = fetchzip {
     url = "https://github.com/darlinghq/darling/archive/d2cc5fa748003aaa70ad4180fff0a9a85dc65e9b.tar.gz";
-    sha256 = "11b51fw47nl505h63bgx5kqiyhf3glhp1q6jkpb6nqfislnzzkrf";
+    hash = "sha256-/YynrKJdi26Xj4lvp5wsN+TAhZjonOrNNHuk4L5tC7s=";
     postFetch = ''
-      # The archive contains both `src/opendirectory` and `src/OpenDirectory`,
-      # pre-create the directory to choose the canonical case on
-      # case-insensitive filesystems.
-      mkdir -p $out/src/OpenDirectory
-
-      cd $out
-      tar -xzf $downloadedFile --strip-components=1
-      rm -r $out/src/libm
-
-      # If `src/opendirectory` and `src/OpenDirectory` refer to different
-      # things, then combine them into `src/OpenDirectory` to match the result
-      # on case-insensitive filesystems.
-      if [ "$(stat -c %i src/opendirectory)" != "$(stat -c %i src/OpenDirectory)" ]; then
-        mv src/opendirectory/* src/OpenDirectory/
-        rmdir src/opendirectory
-      fi
+      # The archive contains both `src/opendirectory` and `src/OpenDirectory`.
+      # Since neither directory is used for anything, we just remove them to avoid
+      #  the potential issue where file systems with different case sensitivity produce
+      #  different hashes.
+      rm -rf $out/src/{OpenDirectory,opendirectory}
     '';
   };
 
@@ -181,6 +170,6 @@ appleDerivation' stdenv {
     description = "The Mac OS libc/libSystem (tapi library with pure headers)";
     maintainers = with maintainers; [ copumpkin gridaphobe ];
     platforms   = platforms.darwin;
-    license     = licenses.apsl20;
+    license     = licenses.apple-psl20;
   };
 }
diff --git a/pkgs/os-specific/darwin/apple-source-releases/architecture/default.nix b/pkgs/os-specific/darwin/apple-source-releases/architecture/default.nix
index e0e27255b72f4..86f58b6b5a3c4 100644
--- a/pkgs/os-specific/darwin/apple-source-releases/architecture/default.nix
+++ b/pkgs/os-specific/darwin/apple-source-releases/architecture/default.nix
@@ -34,6 +34,6 @@ appleDerivation' stdenvNoCC {
   meta = with lib; {
     maintainers = with maintainers; [ copumpkin ];
     platforms   = platforms.darwin;
-    license     = licenses.apsl20;
+    license     = licenses.apple-psl20;
   };
 }
diff --git a/pkgs/os-specific/darwin/apple-source-releases/default.nix b/pkgs/os-specific/darwin/apple-source-releases/default.nix
index ab13e91e37354..3eae8749c4e4d 100644
--- a/pkgs/os-specific/darwin/apple-source-releases/default.nix
+++ b/pkgs/os-specific/darwin/apple-source-releases/default.nix
@@ -6,9 +6,11 @@ let
   # a stdenv out of something like this. With some care we can probably get rid of this, but for
   # now it's staying here.
   versions = {
+    "macos-14.3" = {
+      system_cmds   = "970.0.4";
+    };
     "osx-10.12.6" = {
       xnu           = "3789.70.16";
-      libiconv      = "50";
       Libnotify     = "165.20.1";
       objc4         = "709.1";
       dyld          = "433.5";
@@ -35,7 +37,6 @@ let
       dtrace        = "168";
       xnu           = "3248.60.10";
       libpthread    = "138.10.4";
-      libiconv      = "44";
       Libnotify     = "150.40.1";
       objc4         = "680";
       eap8021x      = "222.40.1";
@@ -103,7 +104,6 @@ let
     };
     "osx-10.9.5" = {
       launchd            = "842.92.1";
-      libauto            = "185.5";
       Libc               = "997.90.3"; # We use this, but not from here
       Libsystem          = "1197.1.1";
       Security           = "55471.14.18";
@@ -155,7 +155,7 @@ let
     version = versions.${sdkName}.${pname};
   in fetchApple' pname version sha256;
 
-  appleDerivation'' = stdenv: pname: version: sdkName: sha256: attrs: stdenv.mkDerivation ({
+  appleDerivation'' = stdenv: pname: version: sdkName: sha256: attrs: stdenv.mkDerivation (finalAttrs: {
     inherit pname version;
 
     src = if attrs ? srcs then null else (fetchApple' pname version sha256);
@@ -181,10 +181,10 @@ let
       fi
     '';
 
-  } // attrs // {
+  } // (if builtins.isFunction attrs then attrs finalAttrs else attrs) // {
     meta = (with lib; {
       platforms = platforms.darwin;
-      license = licenses.apsl20;
+      license = licenses.apple-psl20;
     }) // (attrs.meta or {});
   });
 
@@ -226,7 +226,7 @@ let
       pname = builtins.head (lib.splitString "/" namePath);
       appleDerivation' = stdenv: appleDerivation'' stdenv pname version sdkName sha256;
       appleDerivation = appleDerivation' stdenv;
-      callPackage = self.newScope { inherit appleDerivation' appleDerivation; };
+      callPackage = self.newScope { inherit appleDerivation' appleDerivation; python3 = pkgs.buildPackages.python3Minimal; };
     in callPackage (./. + "/${namePath}");
 
   applePackage = namePath: sdkName: sha256: let
@@ -258,7 +258,6 @@ developerToolsPackages_11_3_1 // macosPackages_11_0_1 // {
     eap8021x        = applePackage "eap8021x"          "osx-10.11.6"     "sha256-54P3+YhVhOanoZQoqswDnr/GbR/AdEERse135nyuIQo=" {};
     IOKit           = applePackage "IOKit"             "osx-10.11.6"     "" { inherit IOKitSrcs; };
     launchd         = applePackage "launchd"           "osx-10.9.5"      "sha256-dmV0UK7hG9wvTr+F4Z47nCFXcVZCV+cQ46WbE0DBtJs=" {};
-    libauto         = applePackage "libauto"           "osx-10.9.5"      "sha256-GnRcKq8jRbEsI/PSDphwUjWtpEIEcnLlQL9yxYLgSsU=" {};
     Libc            = applePackage "Libc"              "osx-10.12.6"     "sha256-LSsL7S3KFgGU9qjK4atu/4wBh8ftgfsk6JOvg+ZTZOY=" {
       Libc_10-9 = fetchFromGitHub {
         owner  = "apple-oss-distributions";
@@ -269,14 +268,15 @@ developerToolsPackages_11_3_1 // macosPackages_11_0_1 // {
     };
     libclosure      = applePackage "libclosure"        "osx-10.11.6"     "sha256-L5rQ+UBpf3B+W1U+gZKk7fXulslHsc8lxnCsplV+nr0=" {};
     libdispatch     = applePackage "libdispatch"       "osx-10.10.5"     "sha256-jfAEk0OLrJa9AIZVikIoHomd+l+4rCfc320Xh50qK5M=" {};
-    libiconv        = applePackage "libiconv"          "osx-10.12.6"     "sha256-ZzPFkchK3EU95UQUVVrR0t8iilhi/VnIkjjtP6KT2oI=" {};
     Libinfo         = applePackage "Libinfo"           "osx-10.11.6"     "sha256-6F7wiwerv4nz/xXHtp1qCHSaFzZgzcRN+jbmXA5oWOQ=" {};
     Libm            = applePackage "Libm"              "osx-10.7.4"      "sha256-KjMETfT4qJm0m0Ux/F6Rq8bI4Q4UVnFx6IKbKxXd+Es=" {};
     Libnotify       = applePackage "Libnotify"         "osx-10.12.6"     "sha256-6wvMBxAUfiYcQtmlfYCj1d3kFmFM/jdboTd7hRvi3e4=" {};
     libmalloc       = if stdenv.isx86_64 then
       applePackage "libmalloc" "osx-10.12.6" "sha256-brfG4GEF2yZipKdhlPq6DhT2z5hKYSb2MAmffaikdO4=" {}
     else macosPackages_11_0_1.libmalloc;
-    libplatform     = applePackage "libplatform"       "osx-10.12.6"     "sha256-6McMTjw55xtnCsFI3AB1osRagnuB5pSTqeMKD3gpGtM=" {};
+    libplatform     = if stdenv.isx86_64 then
+      applePackage "libplatform"       "osx-10.12.6"     "sha256-6McMTjw55xtnCsFI3AB1osRagnuB5pSTqeMKD3gpGtM=" {}
+    else macosPackages_11_0_1.libplatform;
     libpthread      = applePackage "libpthread"        "osx-10.12.6"     "sha256-QvJ9PERmrCWBiDmOWrLvQUKZ4JxHuh8gS5nlZKDLqE8=" {};
     libresolv       = applePackage "libresolv"         "osx-10.12.6"     "sha256-FtvwjJKSFX6j9APYPC8WLXVOjbHLZa1Gcoc8yxLy8qE=" {};
     Libsystem       = applePackage "Libsystem"         "osx-10.12.6"     "sha256-zvRdCP//TjKCGAqm/5nJXPppshU1cv2fg/L/yK/olGQ=" {};
@@ -287,9 +287,7 @@ developerToolsPackages_11_3_1 // macosPackages_11_0_1 // {
     ppp             = applePackage "ppp"               "osx-10.12.6"     "sha256-M1zoEjjeKIDUEP6ACbpUJk3OXjobw4g/qzUmxGdX1J0=" {};
     removefile      = applePackage "removefile"        "osx-10.12.6"     "sha256-UpNk27kGXnZss1ZXWVJU9jLz/NW63ZAZEDLhyCYoi9M=" {};
     xnu             = if stdenv.isx86_64 then
-    applePackage "xnu"               "osx-10.12.6"     "sha256-C8TPQlUT3RbzAy8YnZPNtr70hpaVG9Llv0h42s3NENI=" {
-      python3 = pkgs.buildPackages.buildPackages.python3; # TODO(@Ericson2314) this shouldn't be needed.
-    }
+      applePackage "xnu" "osx-10.12.6" "sha256-C8TPQlUT3RbzAy8YnZPNtr70hpaVG9Llv0h42s3NENI=" {}
     else macosPackages_11_0_1.xnu;
     hfs             = applePackage "hfs"               "osx-10.12.6"     "sha256-eGi18HQFJrU5UHoBOE0LqO5gQ0xOf8+OJuAWQljfKE4=" {};
     Librpcsvc       = applePackage "Librpcsvc"         "osx-10.11.6"     "sha256-YHbGws901xONzAbo6sB5zSea4Wp0sgYUJ8YgwVfWxnE=" {};
@@ -304,7 +302,7 @@ developerToolsPackages_11_3_1 // macosPackages_11_0_1 // {
     else macosPackages_11_0_1.network_cmds;
     file_cmds       = applePackage "file_cmds"         "osx-10.11.6"     "sha256-JYy6HwmultKeZtLfaysbsyLoWg+OaTh7eJu54JkJC0Q=" {};
     shell_cmds      = applePackage "shell_cmds"        "osx-10.11.6"     "sha256-kmEOprkiJGMVcl7yHkGX8ymk/5KjE99gWuF8j2hK5hY=" {};
-    system_cmds     = applePackage "system_cmds"       "osx-10.11.6"     "sha256-KBdGlHeXo2PwgRQOOeElJ1RBqCY1Tdhn5KD42CMhdzI=" {};
+    system_cmds     = applePackage "system_cmds"       "macos-14.3"      "sha256-qFp9nkzsq9uQ7zoyfvO+3gvDlc7kaPvn6luvmO/Io30=" {};
     text_cmds       = applePackage "text_cmds"         "osx-10.11.6"     "sha256-KSebU7ZyUsPeqn51nzuGNaNxs9pvmlIQQdkWXIVzDxw=" {};
     top             = applePackage "top"               "osx-10.11.6"     "sha256-jbz64ODogtpNyLpXGSZj1jCBdFPVXcVcBkL1vc7g5qQ=" {};
     PowerManagement = applePackage "PowerManagement"   "osx-10.11.6"     "sha256-bYGtYnBOcE5W03AZzfVTJXPZ6GgryGAMt/LgLPxFkVk=" {};
diff --git a/pkgs/os-specific/darwin/apple-source-releases/diskdev_cmds/default.nix b/pkgs/os-specific/darwin/apple-source-releases/diskdev_cmds/default.nix
index e4431c68c9aad..b642b993df0e3 100644
--- a/pkgs/os-specific/darwin/apple-source-releases/diskdev_cmds/default.nix
+++ b/pkgs/os-specific/darwin/apple-source-releases/diskdev_cmds/default.nix
@@ -1,5 +1,5 @@
 { lib, appleDerivation, xcbuildHook, Libc, stdenv, macosPackages_11_0_1, xnu
-, fetchurl, libutil }:
+, libutil }:
 
 let
   xnu-src = if stdenv.isAarch64 then macosPackages_11_0_1.xnu.src else xnu.src;
diff --git a/pkgs/os-specific/darwin/apple-source-releases/dyld/default.nix b/pkgs/os-specific/darwin/apple-source-releases/dyld/default.nix
index ca3b70cd09264..e91d703602650 100644
--- a/pkgs/os-specific/darwin/apple-source-releases/dyld/default.nix
+++ b/pkgs/os-specific/darwin/apple-source-releases/dyld/default.nix
@@ -11,6 +11,6 @@ appleDerivation' stdenvNoCC {
     description = "Impure primitive symlinks to the Mac OS native dyld, along with headers";
     maintainers = with maintainers; [ copumpkin ];
     platforms   = platforms.darwin;
-    license     = licenses.apsl20;
+    license     = licenses.apple-psl20;
   };
 }
diff --git a/pkgs/os-specific/darwin/apple-source-releases/libauto/auto_dtrace.h b/pkgs/os-specific/darwin/apple-source-releases/libauto/auto_dtrace.h
deleted file mode 100644
index bf367a3cabb3f..0000000000000
--- a/pkgs/os-specific/darwin/apple-source-releases/libauto/auto_dtrace.h
+++ /dev/null
@@ -1,129 +0,0 @@
-/*
- * Generated by dtrace(1M).
- */
-
-#ifndef _AUTO_DTRACE_H
-#define _AUTO_DTRACE_H
-
-#include <unistd.h>
-
-#ifdef  __cplusplus
-extern "C" {
-#endif
-
-#define GARBAGE_COLLECTION_STABILITY "___dtrace_stability$garbage_collection$v1$1_1_0_1_1_0_1_1_0_1_1_0_1_1_0"
-
-#define GARBAGE_COLLECTION_TYPEDEFS "___dtrace_typedefs$garbage_collection$v2$6175746f5f636f6c6c656374696f6e5f70686173655f74$6175746f5f636f6c6c656374696f6e5f747970655f74$6d616c6c6f635f7a6f6e655f74"
-
-#if !defined(DTRACE_PROBES_DISABLED) || !DTRACE_PROBES_DISABLED
-
-#define GARBAGE_COLLECTION_AUTO_BLOCK_LOST_THREAD_LOCALITY(arg0, arg1) \
-do { \
-  __asm__ volatile(".reference " GARBAGE_COLLECTION_TYPEDEFS); \
-  __dtrace_probe$garbage_collection$auto_block_lost_thread_locality$v1$766f6964202a$75696e7436345f74(arg0, arg1); \
-  __asm__ volatile(".reference " GARBAGE_COLLECTION_STABILITY); \
-} while (0)
-#define GARBAGE_COLLECTION_AUTO_BLOCK_LOST_THREAD_LOCALITY_ENABLED() \
-  ({ int _r = __dtrace_isenabled$garbage_collection$auto_block_lost_thread_locality$v1(); \
-    __asm__ volatile(""); \
-    _r; })
-#define GARBAGE_COLLECTION_AUTO_REFCOUNT_ONE_ALLOCATION(arg0) \
-do { \
-  __asm__ volatile(".reference " GARBAGE_COLLECTION_TYPEDEFS); \
-  __dtrace_probe$garbage_collection$auto_refcount_one_allocation$v1$75696e7436345f74(arg0); \
-  __asm__ volatile(".reference " GARBAGE_COLLECTION_STABILITY); \
-} while (0)
-#define GARBAGE_COLLECTION_AUTO_REFCOUNT_ONE_ALLOCATION_ENABLED() \
-  ({ int _r = __dtrace_isenabled$garbage_collection$auto_refcount_one_allocation$v1(); \
-    __asm__ volatile(""); \
-    _r; })
-#define GARBAGE_COLLECTION_COLLECTION_BEGIN(arg0, arg1) \
-do { \
-  __asm__ volatile(".reference " GARBAGE_COLLECTION_TYPEDEFS); \
-  __dtrace_probe$garbage_collection$collection_begin$v1$6d616c6c6f635f7a6f6e655f74202a$6175746f5f636f6c6c656374696f6e5f747970655f74(arg0, arg1); \
-  __asm__ volatile(".reference " GARBAGE_COLLECTION_STABILITY); \
-} while (0)
-#define GARBAGE_COLLECTION_COLLECTION_BEGIN_ENABLED() \
-  ({ int _r = __dtrace_isenabled$garbage_collection$collection_begin$v1(); \
-    __asm__ volatile(""); \
-    _r; })
-#define GARBAGE_COLLECTION_COLLECTION_END(arg0, arg1, arg2, arg3, arg4) \
-do { \
-  __asm__ volatile(".reference " GARBAGE_COLLECTION_TYPEDEFS); \
-  __dtrace_probe$garbage_collection$collection_end$v1$6d616c6c6f635f7a6f6e655f74202a$75696e7436345f74$75696e7436345f74$75696e7436345f74$75696e7436345f74(arg0, arg1, arg2, arg3, arg4); \
-  __asm__ volatile(".reference " GARBAGE_COLLECTION_STABILITY); \
-} while (0)
-#define GARBAGE_COLLECTION_COLLECTION_END_ENABLED() \
-  ({ int _r = __dtrace_isenabled$garbage_collection$collection_end$v1(); \
-    __asm__ volatile(""); \
-    _r; })
-#define GARBAGE_COLLECTION_COLLECTION_PHASE_BEGIN(arg0, arg1) \
-do { \
-  __asm__ volatile(".reference " GARBAGE_COLLECTION_TYPEDEFS); \
-  __dtrace_probe$garbage_collection$collection_phase_begin$v1$6d616c6c6f635f7a6f6e655f74202a$6175746f5f636f6c6c656374696f6e5f70686173655f74(arg0, arg1); \
-  __asm__ volatile(".reference " GARBAGE_COLLECTION_STABILITY); \
-} while (0)
-#define GARBAGE_COLLECTION_COLLECTION_PHASE_BEGIN_ENABLED() \
-  ({ int _r = __dtrace_isenabled$garbage_collection$collection_phase_begin$v1(); \
-    __asm__ volatile(""); \
-    _r; })
-#define GARBAGE_COLLECTION_COLLECTION_PHASE_END(arg0, arg1, arg2, arg3) \
-do { \
-  __asm__ volatile(".reference " GARBAGE_COLLECTION_TYPEDEFS); \
-  __dtrace_probe$garbage_collection$collection_phase_end$v1$6d616c6c6f635f7a6f6e655f74202a$6175746f5f636f6c6c656374696f6e5f70686173655f74$75696e7436345f74$75696e7436345f74(arg0, arg1, arg2, arg3); \
-  __asm__ volatile(".reference " GARBAGE_COLLECTION_STABILITY); \
-} while (0)
-#define GARBAGE_COLLECTION_COLLECTION_PHASE_END_ENABLED() \
-  ({ int _r = __dtrace_isenabled$garbage_collection$collection_phase_end$v1(); \
-    __asm__ volatile(""); \
-    _r; })
-
-
-extern void __dtrace_probe$garbage_collection$auto_block_lost_thread_locality$v1$766f6964202a$75696e7436345f74(const void *, uint64_t);
-extern int __dtrace_isenabled$garbage_collection$auto_block_lost_thread_locality$v1(void);
-extern void __dtrace_probe$garbage_collection$auto_refcount_one_allocation$v1$75696e7436345f74(uint64_t);
-extern int __dtrace_isenabled$garbage_collection$auto_refcount_one_allocation$v1(void);
-extern void __dtrace_probe$garbage_collection$collection_begin$v1$6d616c6c6f635f7a6f6e655f74202a$6175746f5f636f6c6c656374696f6e5f747970655f74(const malloc_zone_t *, auto_collection_type_t);
-extern int __dtrace_isenabled$garbage_collection$collection_begin$v1(void);
-extern void __dtrace_probe$garbage_collection$collection_end$v1$6d616c6c6f635f7a6f6e655f74202a$75696e7436345f74$75696e7436345f74$75696e7436345f74$75696e7436345f74(const malloc_zone_t *, uint64_t, uint64_t, uint64_t, uint64_t);
-extern int __dtrace_isenabled$garbage_collection$collection_end$v1(void);
-extern void __dtrace_probe$garbage_collection$collection_phase_begin$v1$6d616c6c6f635f7a6f6e655f74202a$6175746f5f636f6c6c656374696f6e5f70686173655f74(const malloc_zone_t *, auto_collection_phase_t);
-extern int __dtrace_isenabled$garbage_collection$collection_phase_begin$v1(void);
-extern void __dtrace_probe$garbage_collection$collection_phase_end$v1$6d616c6c6f635f7a6f6e655f74202a$6175746f5f636f6c6c656374696f6e5f70686173655f74$75696e7436345f74$75696e7436345f74(const malloc_zone_t *, auto_collection_phase_t, uint64_t, uint64_t);
-extern int __dtrace_isenabled$garbage_collection$collection_phase_end$v1(void);
-
-#else
-
-#define GARBAGE_COLLECTION_AUTO_BLOCK_LOST_THREAD_LOCALITY(arg0, arg1) \
-do { \
-  } while (0)
-#define GARBAGE_COLLECTION_AUTO_BLOCK_LOST_THREAD_LOCALITY_ENABLED() (0)
-#define GARBAGE_COLLECTION_AUTO_REFCOUNT_ONE_ALLOCATION(arg0) \
-do { \
-  } while (0)
-#define GARBAGE_COLLECTION_AUTO_REFCOUNT_ONE_ALLOCATION_ENABLED() (0)
-#define GARBAGE_COLLECTION_COLLECTION_BEGIN(arg0, arg1) \
-do { \
-  } while (0)
-#define GARBAGE_COLLECTION_COLLECTION_BEGIN_ENABLED() (0)
-#define GARBAGE_COLLECTION_COLLECTION_END(arg0, arg1, arg2, arg3, arg4) \
-do { \
-  } while (0)
-#define GARBAGE_COLLECTION_COLLECTION_END_ENABLED() (0)
-#define GARBAGE_COLLECTION_COLLECTION_PHASE_BEGIN(arg0, arg1) \
-do { \
-  } while (0)
-#define GARBAGE_COLLECTION_COLLECTION_PHASE_BEGIN_ENABLED() (0)
-#define GARBAGE_COLLECTION_COLLECTION_PHASE_END(arg0, arg1, arg2, arg3) \
-do { \
-  } while (0)
-#define GARBAGE_COLLECTION_COLLECTION_PHASE_END_ENABLED() (0)
-
-#endif /* !defined(DTRACE_PROBES_DISABLED) || !DTRACE_PROBES_DISABLED */
-
-
-#ifdef  __cplusplus
-}
-#endif
-
-#endif  /* _AUTO_DTRACE_H */
diff --git a/pkgs/os-specific/darwin/apple-source-releases/libauto/default.nix b/pkgs/os-specific/darwin/apple-source-releases/libauto/default.nix
deleted file mode 100644
index 8a551dcc892ca..0000000000000
--- a/pkgs/os-specific/darwin/apple-source-releases/libauto/default.nix
+++ /dev/null
@@ -1,86 +0,0 @@
-{ lib, stdenv, appleDerivation, libdispatch, Libsystem }:
-
-appleDerivation {
-  # these are included in the pure libc
-  buildInputs = lib.optionals stdenv.cc.nativeLibc [ libdispatch Libsystem ];
-
-  buildPhase = ''
-    cp ${./auto_dtrace.h} ./auto_dtrace.h
-
-    substituteInPlace ThreadLocalCollector.h --replace SubZone.h Subzone.h
-
-    substituteInPlace auto_zone.cpp \
-      --replace "#include <msgtracer_client.h>" ''$'#include <asl.h>\nstatic void msgtracer_log_with_keys(...) { };'
-
-    substituteInPlace Definitions.h \
-      --replace "#include <System/pthread_machdep.h>" "" \
-      --replace 'void * const, void * const' 'void * const, void *'
-
-    # getspecific_direct is more efficient, but this should be equivalent...
-    substituteInPlace Zone.h \
-      --replace "_pthread_getspecific_direct" "pthread_getspecific" \
-      --replace "_pthread_has_direct_tsd()" "0" \
-      --replace "__PTK_FRAMEWORK_GC_KEY0" "110" \
-      --replace "__PTK_FRAMEWORK_GC_KEY1" "111" \
-      --replace "__PTK_FRAMEWORK_GC_KEY2" "112" \
-      --replace "__PTK_FRAMEWORK_GC_KEY3" "113" \
-      --replace "__PTK_FRAMEWORK_GC_KEY4" "114" \
-      --replace "__PTK_FRAMEWORK_GC_KEY5" "115" \
-      --replace "__PTK_FRAMEWORK_GC_KEY6" "116" \
-      --replace "__PTK_FRAMEWORK_GC_KEY7" "117" \
-      --replace "__PTK_FRAMEWORK_GC_KEY8" "118" \
-      --replace "__PTK_FRAMEWORK_GC_KEY9" "119"
-
-    substituteInPlace auto_zone.cpp \
-      --replace "__PTK_FRAMEWORK_GC_KEY9" "119" \
-      --replace "__PTK_FRAMEWORK_GC_KEY0" "110" \
-
-    substituteInPlace Zone.cpp \
-      --replace "_pthread_getspecific_direct" "pthread_getspecific" \
-      --replace "__PTK_FRAMEWORK_GC_KEY9" "119" \
-      --replace "__PTK_FRAMEWORK_GC_KEY0" "110" \
-      --replace "__PTK_LIBDISPATCH_KEY0"  "20" \
-      --replace "struct auto_zone_cursor {" ''$'extern "C" int pthread_key_init_np(int, void (*)(void *));\nstruct auto_zone_cursor {'
-
-    substituteInPlace auto_impl_utilities.c \
-      --replace "#   include <CrashReporterClient.h>" "void CRSetCrashLogMessage(void *msg) { };"
-
-    c++ -I. -O3 -c -Wno-c++11-extensions auto_zone.cpp
-    cc  -I. -O3 -Iauto_tester -c auto_impl_utilities.c
-    c++ -I. -O3 -c auto_weak.cpp
-    c++ -I. -O3 -c Admin.cpp
-    c++ -I. -O3 -c Bitmap.cpp
-    c++ -I. -O3 -c Definitions.cpp
-    c++ -I. -O3 -c Environment.cpp
-    c++ -I. -O3 -c Large.cpp
-    c++ -I. -O3 -c Region.cpp
-    c++ -I. -O3 -c Subzone.cpp
-    c++ -I. -O3 -c WriteBarrier.cpp
-    c++ -I. -O3 -c Zone.cpp
-    c++ -I. -O3 -c Thread.cpp
-    c++ -I. -O3 -c InUseEnumerator.cpp
-    c++ -I. -O3 -c auto_gdb_interface.cpp
-    c++ -I. -O3 -c PointerHash.cpp
-    c++ -I. -O3 -c ThreadLocalCollector.cpp
-    c++ -I. -O3 -c ZoneDump.cpp
-    c++ -I. -O3 -c ZoneCollectors.cpp
-    c++ -I. -O3 -c SubzonePartition.cpp
-    c++ -I. -O3 -c ZoneCollectionChecking.cpp
-    c++ -I. -O3 -c ZoneCompaction.cpp
-    c++ -I. -O3 -c BlockRef.cpp
-
-    c++ -Wl,-no_dtrace_dof --stdlib=libc++ -dynamiclib -install_name $out/lib/libauto.dylib -o libauto.dylib *.o
-  '';
-
-  installPhase = ''
-    mkdir -p $out/lib $out/include
-    cp auto_zone.h auto_weak.h auto_tester/auto_tester.h auto_gdb_interface.h $out/include
-    cp libauto.dylib $out/lib
-  '';
-
-  meta = {
-    # libauto is only used by objc4/pure.nix , but objc4 is now using the impure approach, so we don't bother to fix this.
-    broken = true;
-    platforms = lib.platforms.darwin;
-  };
-}
diff --git a/pkgs/os-specific/darwin/apple-source-releases/libdispatch/default.nix b/pkgs/os-specific/darwin/apple-source-releases/libdispatch/default.nix
index e91ee86cde08f..176cb8646f1e5 100644
--- a/pkgs/os-specific/darwin/apple-source-releases/libdispatch/default.nix
+++ b/pkgs/os-specific/darwin/apple-source-releases/libdispatch/default.nix
@@ -13,7 +13,7 @@ appleDerivation' stdenvNoCC {
     cp -r dispatch/*.h $out/include/dispatch
     cp -r os/object*.h  $out/include/os
 
-    # gcc compatability. Source: https://stackoverflow.com/a/28014302/3714556
+    # gcc compatibility. Source: https://stackoverflow.com/a/28014302/3714556
     substituteInPlace $out/include/dispatch/object.h \
       --replace 'typedef void (^dispatch_block_t)(void);' \
                 '#ifdef __clang__
diff --git a/pkgs/os-specific/darwin/apple-source-releases/libiconv/default.nix b/pkgs/os-specific/darwin/apple-source-releases/libiconv/default.nix
deleted file mode 100644
index 6a3bddc211e95..0000000000000
--- a/pkgs/os-specific/darwin/apple-source-releases/libiconv/default.nix
+++ /dev/null
@@ -1,38 +0,0 @@
-{ stdenv, appleDerivation, lib
-, enableStatic ? stdenv.hostPlatform.isStatic
-, enableShared ? !stdenv.hostPlatform.isStatic
-}:
-
-appleDerivation {
-  postUnpack = "sourceRoot=$sourceRoot/libiconv";
-
-  preConfigure = lib.optionalString stdenv.hostPlatform.isiOS ''
-    sed -i 's/darwin\*/ios\*/g' configure libcharset/configure
-  '';
-
-  configureFlags = [
-    (lib.enableFeature enableStatic "static")
-    (lib.enableFeature enableShared "shared")
-  ];
-
-  postInstall = lib.optionalString enableShared ''
-    mv $out/lib/libiconv.dylib $out/lib/libiconv-nocharset.dylib
-    ${stdenv.cc.bintools.targetPrefix}install_name_tool -id $out/lib/libiconv-nocharset.dylib $out/lib/libiconv-nocharset.dylib
-
-    # re-export one useless symbol; ld will reject a dylib that only reexports other dylibs
-    echo 'void dont_use_this(){}' | ${stdenv.cc.bintools.targetPrefix}clang -dynamiclib -x c - -current_version 2.4.0 \
-      -compatibility_version 7.0.0 -current_version 7.0.0 -o $out/lib/libiconv.dylib \
-      -Wl,-reexport_library -Wl,$out/lib/libiconv-nocharset.dylib \
-      -Wl,-reexport_library -Wl,$out/lib/libcharset.dylib
-  '';
-
-  setupHooks = [
-    ../../../../build-support/setup-hooks/role.bash
-    ../../../../development/libraries/libiconv/setup-hook.sh
-  ];
-
-  meta = {
-    mainProgram = "iconv";
-    platforms = lib.platforms.darwin;
-  };
-}
diff --git a/pkgs/os-specific/darwin/apple-source-releases/libplatform/default.nix b/pkgs/os-specific/darwin/apple-source-releases/libplatform/default.nix
index 39c801962692f..e0b25d27778a9 100644
--- a/pkgs/os-specific/darwin/apple-source-releases/libplatform/default.nix
+++ b/pkgs/os-specific/darwin/apple-source-releases/libplatform/default.nix
@@ -1,9 +1,10 @@
-{ appleDerivation', stdenvNoCC }:
+{ lib, appleDerivation', stdenvNoCC }:
 
-appleDerivation' stdenvNoCC {
+appleDerivation' stdenvNoCC (finalAttrs: {
   installPhase = ''
     mkdir $out
     cp -r include $out/include
+    test -d private && cp -r private/* $out/include
   '';
 
   appleHeaders = ''
@@ -27,6 +28,12 @@ appleDerivation' stdenvNoCC {
     platform/introspection_private.h
     platform/string.h
     setjmp.h
-    ucontext.h
-  '';
-}
+  '' + (
+    if lib.versionAtLeast finalAttrs.version "254.40.4" then ''
+      string_x86.h
+      ucontext.h
+    '' else ''
+      ucontext.h
+    ''
+  );
+})
diff --git a/pkgs/os-specific/darwin/apple-source-releases/libunwind/default.nix b/pkgs/os-specific/darwin/apple-source-releases/libunwind/default.nix
index 0d378f6089fb3..df3c5650452de 100644
--- a/pkgs/os-specific/darwin/apple-source-releases/libunwind/default.nix
+++ b/pkgs/os-specific/darwin/apple-source-releases/libunwind/default.nix
@@ -12,6 +12,6 @@ appleDerivation {
   meta = with lib; {
     maintainers = with maintainers; [ copumpkin lnl7 ];
     platforms   = platforms.darwin;
-    license     = licenses.apsl20;
+    license     = licenses.apple-psl20;
   };
 }
diff --git a/pkgs/os-specific/darwin/apple-source-releases/libutil/default.nix b/pkgs/os-specific/darwin/apple-source-releases/libutil/default.nix
index e7c8a6b1113b2..5cc8e0ffa28ab 100644
--- a/pkgs/os-specific/darwin/apple-source-releases/libutil/default.nix
+++ b/pkgs/os-specific/darwin/apple-source-releases/libutil/default.nix
@@ -38,6 +38,6 @@ appleDerivation' (if headersOnly then stdenvNoCC else stdenv) {
   meta = with lib; {
     maintainers = with maintainers; [ copumpkin ];
     platforms   = platforms.darwin;
-    license     = licenses.apsl20;
+    license     = licenses.apple-psl20;
   };
 }
diff --git a/pkgs/os-specific/darwin/apple-source-releases/macos-11.0.1.nix b/pkgs/os-specific/darwin/apple-source-releases/macos-11.0.1.nix
index 0a70e648695d5..2de90a0236761 100644
--- a/pkgs/os-specific/darwin/apple-source-releases/macos-11.0.1.nix
+++ b/pkgs/os-specific/darwin/apple-source-releases/macos-11.0.1.nix
@@ -27,7 +27,6 @@ file_cmds = applePackage' "file_cmds" "321.40.3" "macos-11.0.1" "0p077lnbcy8266m
 hfs = applePackage' "hfs" "556.41.1" "macos-11.0.1" "0a0s6b12b0q07wslfifna0bj51dml9v098i4crr2m1vivnx4xj75" {};
 libclosure = applePackage' "libclosure" "78" "macos-11.0.1" "0vf9n0k3m8dbprv1bf45zqg0g43bidy2i5z1v9a826bsf8lv7am7" {};
 libdispatch = applePackage' "libdispatch" "1271.40.12" "macos-11.0.1" "1ck5srcjapg18vqb8wl08gacs7ndc6xr067qjn3ngx39q1jdcywz" {};
-libiconv = applePackage' "libiconv" "59" "macos-11.0.1" "0lwa4brdwm4lvrdnxylzsn1yph4m7csgri2zkc4xb4xiisz32pwp" {};
 libmalloc = applePackage' "libmalloc" "317.40.8" "macos-11.0.1" "sha256-Tdhb0mq3w4Hwvp3xHB79Vr22hCOQK6h28HCsd7jvITI=" {};
 libplatform = applePackage' "libplatform" "254.40.4" "macos-11.0.1" "1qf3ri0yd8b1xjln1j1gyx7ks6k3a2jhd63blyvfby75y9s7flky" {};
 libpthread = applePackage' "libpthread" "454.40.3" "macos-11.0.1" "0zljbw8mpb80n1if65hhi9lkgwbgjr8vc9wvf7q1nl3mzyl35f8p" {};
@@ -40,7 +39,6 @@ objc4 = applePackage' "objc4" "818.2" "macos-11.0.1" "0m8mk1qd18wqjfn2jsq2lx6fxv
 ppp = applePackage' "ppp" "877.40.2" "macos-11.0.1" "06xznc77j45zzi12m4cmr3jj853qlc8dbmynbg1z6m9qf5phdbgk" {};
 removefile = applePackage' "removefile" "49.40.3" "macos-11.0.1" "0870ihxpmvj8ggaycwlismbgbw9768lz7w6mc9vxf8l6nlc43z4f" {};
 shell_cmds = applePackage' "shell_cmds" "216.40.4" "macos-11.0.1" "0wbysc9lwf1xgl686r3yn95rndcmqlp17zc1ig9gsl5fxyy5bghh" {};
-system_cmds = applePackage' "system_cmds" "880.40.5" "macos-11.0.1" "064yqf84ny0cjpqmzmnhz05faay6axb2r4i6knnyc8n21yiip5dc" {};
 text_cmds = applePackage' "text_cmds" "106" "macos-11.0.1" "17fn35m6i866zjrf8da6cq6crydp6vp4zq0aaab243rv1fx303yy" {};
 top = applePackage' "top" "129" "macos-11.0.1" "0d9pqmv3mwkfcv7c05hfvnvnn4rbsl92plr5hsazp854pshzqw2k" {};
 xnu = applePackage' "xnu" "7195.50.7.100.1" "macos-11.0.1" "11zjmpw11rcc6a0xlbwramra1rsr65s4ypnxwpajgbr2c657lipl" {};
diff --git a/pkgs/os-specific/darwin/apple-source-releases/objc4/pure.nix b/pkgs/os-specific/darwin/apple-source-releases/objc4/pure.nix
deleted file mode 100644
index 6a0c819a0a31a..0000000000000
--- a/pkgs/os-specific/darwin/apple-source-releases/objc4/pure.nix
+++ /dev/null
@@ -1,118 +0,0 @@
-{ stdenv, fetchapplesource, libauto, launchd, libc_old, libunwind }:
-
-stdenv.mkDerivation rec {
-  version = "551.1";
-  pname = "objc4";
-
-  src = fetchapplesource {
-    inherit version;
-    name   = "objc4";
-    sha256 = "1jrdb6yyb5jwwj27c1r0nr2y2ihqjln8ynj61mpkvp144c1cm5bg";
-  };
-
-  patches = [ ./spinlocks.patch ];
-
-  buildInputs = [ libauto launchd libc_old libunwind ];
-
-  buildPhase = ''
-    cp ${./objc-probes.h} runtime/objc-probes.h
-
-    mkdir -p build/include/objc
-
-    cp runtime/hashtable.h               build/include/objc/hashtable.h
-    cp runtime/OldClasses.subproj/List.h build/include/objc/List.h
-    cp runtime/hashtable2.h              build/include/objc/hashtable2.h
-    cp runtime/message.h                 build/include/objc/message.h
-    cp runtime/objc-api.h                build/include/objc/objc-api.h
-    cp runtime/objc-auto.h               build/include/objc/objc-auto.h
-    cp runtime/objc-class.h              build/include/objc/objc-class.h
-    cp runtime/objc-exception.h          build/include/objc/objc-exception.h
-    cp runtime/objc-load.h               build/include/objc/objc-load.h
-    cp runtime/objc-sync.h               build/include/objc/objc-sync.h
-    cp runtime/objc.h                    build/include/objc/objc.h
-    cp runtime/objc-runtime.h            build/include/objc/objc-runtime.h
-    cp runtime/Object.h                  build/include/objc/Object.h
-    cp runtime/Protocol.h                build/include/objc/Protocol.h
-    cp runtime/runtime.h                 build/include/objc/runtime.h
-    cp runtime/NSObject.h                build/include/objc/NSObject.h
-    cp runtime/NSObjCRuntime.h           build/include/objc/NSObjCRuntime.h
-
-    # These would normally be in local/include but we don't do local, so they're
-    # going in with the others
-    cp runtime/maptable.h                build/include/objc/maptable.h
-    cp runtime/objc-abi.h                build/include/objc/objc-abi.h
-    cp runtime/objc-auto-dump.h          build/include/objc/objc-auto-dump.h
-    cp runtime/objc-gdb.h                build/include/objc/objc-gdb.h
-    cp runtime/objc-internal.h           build/include/objc/objc-internal.h
-
-    cc -o markgc markgc.c
-
-    FLAGS="-Wno-deprecated-register -Wno-unknown-pragmas -Wno-deprecated-objc-isa-usage -Wno-invalid-offsetof -Wno-inline-new-delete  -Wno-cast-of-sel-type -Iruntime -Ibuild/include -Iruntime/Accessors.subproj -D_LIBCPP_VISIBLE= -DOS_OBJECT_USE_OBJC=0 -DNDEBUG=1"
-
-    cc -std=gnu++11 $FLAGS -c runtime/hashtable2.mm
-    cc -std=gnu++11 $FLAGS -c runtime/maptable.mm
-    cc -std=gnu++11 $FLAGS -c runtime/objc-auto.mm
-    cc -std=gnu++11 $FLAGS -c runtime/objc-cache.mm
-    cc -std=gnu++11 $FLAGS -c runtime/objc-class-old.mm
-    cc -std=gnu++11 $FLAGS -c runtime/objc-class.mm
-    cc -std=gnu++11 $FLAGS -c runtime/objc-errors.mm
-    cc -std=gnu++11 $FLAGS -c runtime/objc-exception.mm
-    cc -std=gnu++11 $FLAGS -c runtime/objc-file.mm
-    cc -std=gnu++11 $FLAGS -c runtime/objc-initialize.mm
-    cc -std=gnu++11 $FLAGS -c runtime/objc-layout.mm
-    cc -std=gnu++11 $FLAGS -c runtime/objc-load.mm
-    cc -std=gnu++11 $FLAGS -c runtime/objc-loadmethod.mm
-    cc -std=gnu++11 $FLAGS -c runtime/objc-lockdebug.mm
-    cc -std=gnu++11 $FLAGS -c runtime/objc-runtime-new.mm
-    cc -std=gnu++11 $FLAGS -c runtime/objc-runtime-old.mm
-    cc -std=gnu++11 $FLAGS -c runtime/objc-runtime.mm
-    cc -std=gnu++11 $FLAGS -c runtime/objc-sel-set.mm
-    cc -std=gnu++11 $FLAGS -c runtime/objc-sel.mm
-    cc -std=gnu++11 $FLAGS -c runtime/objc-sync.mm
-    cc -std=gnu++11 $FLAGS -c runtime/objc-typeencoding.mm
-    cc -std=gnu++11 $FLAGS -c runtime/Object.mm
-    cc -std=gnu++11 $FLAGS -c runtime/Protocol.mm
-
-    cc -std=gnu++11 $FLAGS -c runtime/objc-references.mm
-    cc -std=gnu++11 $FLAGS -c runtime/objc-os.mm
-    cc -std=gnu++11 $FLAGS -c runtime/objc-auto-dump.mm
-    cc -std=gnu++11 $FLAGS -c runtime/objc-file-old.mm
-    cc -std=gnu++11 $FLAGS -c runtime/objc-block-trampolines.mm
-    cc -std=gnu++11 $FLAGS -c runtime/objc-externalref.mm
-    cc -std=gnu++11 $FLAGS -c runtime/objc-weak.mm
-    cc -std=gnu++11 $FLAGS -c runtime/NSObject.mm
-    cc -std=gnu++11 $FLAGS -c runtime/objc-opt.mm
-    cc -std=gnu++11 $FLAGS -c runtime/objc-cache-old.mm
-    cc -std=gnu++11 $FLAGS -c runtime/objc-sel-old.mm
-
-    cc -std=gnu++11 $FLAGS -c runtime/Accessors.subproj/objc-accessors.mm
-
-    cc $FLAGS -c runtime/objc-sel-table.s
-
-    cc $FLAGS -c runtime/OldClasses.subproj/List.m
-    cc $FLAGS -c runtime/Messengers.subproj/objc-msg-arm.s
-    cc $FLAGS -c runtime/Messengers.subproj/objc-msg-i386.s
-    cc $FLAGS -c runtime/Messengers.subproj/objc-msg-x86_64.s
-    cc $FLAGS -c runtime/Messengers.subproj/objc-msg-simulator-i386.s
-
-    cc $FLAGS -c runtime/a1a2-blocktramps-i386.s
-    cc $FLAGS -c runtime/a2a3-blocktramps-i386.s
-
-    cc $FLAGS -c runtime/a1a2-blocktramps-x86_64.s
-    cc $FLAGS -c runtime/a2a3-blocktramps-x86_64.s
-
-    cc $FLAGS -c runtime/a1a2-blocktramps-arm.s
-    cc $FLAGS -c runtime/a2a3-blocktramps-arm.s
-
-    c++ -Wl,-no_dtrace_dof --stdlib=libc++ -dynamiclib -lauto -install_name $out/lib/libobjc.dylib -o libobjc.dylib *.o
-
-    ./markgc -p libobjc.dylib
-  '';
-
-  installPhase = ''
-    mkdir -p $out/include $out/lib
-
-    mv build/include/objc $out/include
-    mv libobjc.dylib $out/lib
-  '';
-}
diff --git a/pkgs/os-specific/darwin/apple-source-releases/system_cmds/default.nix b/pkgs/os-specific/darwin/apple-source-releases/system_cmds/default.nix
index f708d77409007..7bd3cae118eb2 100644
--- a/pkgs/os-specific/darwin/apple-source-releases/system_cmds/default.nix
+++ b/pkgs/os-specific/darwin/apple-source-releases/system_cmds/default.nix
@@ -1,114 +1,161 @@
-{ stdenv, appleDerivation, lib
-, libutil, Librpcsvc, apple_sdk, pam, CF, openbsm }:
-
-appleDerivation {
-  # xcbuild fails with:
-  # /nix/store/fc0rz62dh8vr648qi7hnqyik6zi5sqx8-xcbuild-wrapper/nix-support/setup-hook: line 1:  9083 Segmentation fault: 11  xcodebuild OTHER_CFLAGS="$NIX_CFLAGS_COMPILE" OTHER_CPLUSPLUSFLAGS="$NIX_CFLAGS_COMPILE" OTHER_LDFLAGS="$NIX_LDFLAGS" build
-  # see issue facebook/xcbuild#188
-  # buildInputs = [ xcbuild ];
-
-  buildInputs = [ libutil Librpcsvc apple_sdk.frameworks.OpenDirectory pam CF
-                  apple_sdk.frameworks.IOKit openbsm ];
-  # env.NIX_CFLAGS_COMPILE = lib.optionalString hostPlatform.isi686 "-D__i386__"
-  #                    + lib.optionalString hostPlatform.isx86_64 "-D__x86_64__"
-  #                    + lib.optionalString hostPlatform.isAarch32 "-D__arm__";
-  env.NIX_CFLAGS_COMPILE = toString ([ "-DDAEMON_UID=1"
-                         "-DDAEMON_GID=1"
-                         "-DDEFAULT_AT_QUEUE='a'"
-                         "-DDEFAULT_BATCH_QUEUE='b'"
-                         "-DPERM_PATH=\"/usr/lib/cron/\""
-                         "-DOPEN_DIRECTORY"
-                         "-DNO_DIRECT_RPC"
-                         "-DAPPLE_GETCONF_UNDERSCORE"
-                         "-DAPPLE_GETCONF_SPEC"
-                         "-DUSE_PAM"
-                         "-DUSE_BSM_AUDIT"
-                         "-D_PW_NAME_LEN=MAXLOGNAME"
-                         "-D_PW_YPTOKEN=\"__YP!\""
-                         "-DAHZV1=64 "
-                         "-DAU_SESSION_FLAG_HAS_TTY=0x4000"
-                         "-DAU_SESSION_FLAG_HAS_AUTHENTICATED=0x4000"
-                       ] ++ lib.optional (!stdenv.isLinux) " -D__FreeBSD__ ");
-
-  patches = [
-    # Fix implicit declarations that cause builds to fail when built with clang 16.
-    ./fix-implicit-declarations.patch
+{
+  lib,
+  stdenv,
+  stdenvNoCC,
+  appleDerivation,
+  fetchFromGitHub,
+  runCommand,
+  gawk,
+  meson,
+  ninja,
+  pkg-config,
+  libdispatch,
+  libmalloc,
+  libplatform,
+  Librpcsvc,
+  libutil,
+  ncurses,
+  openbsm,
+  pam,
+  xnu,
+  CoreFoundation,
+  CoreSymbolication,
+  DirectoryService,
+  IOKit,
+  Kernel,
+  Libc,
+  OpenDirectory,
+  WebKit,
+}:
+
+let
+  OpenDirectoryPrivate = stdenvNoCC.mkDerivation (finalAttrs: {
+    name = "apple-private-framework-OpenDirectory";
+    version = "146";
+
+    src = fetchFromGitHub {
+      owner = "apple-oss-distributions";
+      repo = "OpenDirectory";
+      rev = "OpenDirectory-${finalAttrs.version}";
+      hash = "sha256-6fSl8PasCZSBfe0ftaePcBuSEO3syb6kK+mfDI6iR7A=";
+    };
+
+    dontConfigure = true;
+    dontBuild = true;
+
+    installPhase = ''
+      runHook preInstall
+
+      mkdir -p "$out/include/CFOpenDirectory" "$out/include/OpenDirectory"
+      install -t "$out/include/CFOpenDirectory" \
+        Core/CFOpenDirectoryPriv.h \
+        Core/CFODTrigger.h
+      touch "$out/include/CFOpenDirectory/CFOpenDirectoryConstantsPriv.h"
+      install -t "$out/include/OpenDirectory" \
+        Framework/OpenDirectoryPriv.h \
+        Framework/NSOpenDirectoryPriv.h
+
+      runHook postInstall
+    '';
+  });
+
+  libmallocPrivate = stdenvNoCC.mkDerivation {
+    pname = "libmalloc-private";
+    version = lib.getVersion libmalloc;
+
+    inherit (libmalloc) src;
+
+    dontConfigure = true;
+    dontBuild = true;
+
+    installPhase = ''
+      runHook preInstall
+
+      mkdir -p "$out/include"
+      cp -r private/*.h "$out/include"
+
+      runHook postInstall
+    '';
+  };
+
+  # Private xnu headers that are part of the source tree but not in the xnu derivation.
+  xnuPrivate = stdenvNoCC.mkDerivation {
+    pname = "xnu-private";
+    version = lib.getVersion xnu;
+
+    inherit (xnu) src;
+
+    dontConfigure = true;
+    dontBuild = true;
+
+    installPhase = ''
+      runHook preInstall
+
+      mkdir -p "$out/include"
+      cp libsyscall/wrappers/spawn/spawn_private.h "$out/include"
+
+      runHook postInstall
+    '';
+  };
+in
+appleDerivation (finalAttrs: {
+  nativeBuildInputs = [
+    gawk
+    meson
+    ninja
+    pkg-config
+  ];
+
+  buildInputs = [
+    libdispatch
+    libplatform
+    Librpcsvc
+    libutil
+    ncurses
+    openbsm
+    pam
+    xnu
+    CoreFoundation
+    CoreSymbolication
+    DirectoryService
+    IOKit
+    Kernel
+    OpenDirectory
   ];
 
   postPatch = ''
-    substituteInPlace login.tproj/login.c \
-      --replace bsm/audit_session.h bsm/audit.h
-    substituteInPlace login.tproj/login_audit.c \
-      --replace bsm/audit_session.h bsm/audit.h
-  '' + lib.optionalString stdenv.isAarch64 ''
-    substituteInPlace sysctl.tproj/sysctl.c \
-      --replace "GPROF_STATE" "0"
-    substituteInPlace login.tproj/login.c \
-      --replace "defined(__arm__)" "defined(__arm__) || defined(__arm64__)"
+    # Replace hard-coded, impure system paths with the output path in the store.
+    sed -e "s|PATH=[^;]*|PATH='$out/bin'|" -i "pagesize/pagesize.sh"
   '';
 
-  buildPhase = ''
-    for dir in *.tproj; do
-      name=$(basename $dir)
-      name=''${name%.tproj}
-
-      CFLAGS=""
-      case $name in
-           arch) CFLAGS="-framework CoreFoundation";;
-           atrun) CFLAGS="-Iat.tproj";;
-           chkpasswd)
-             CFLAGS="-framework OpenDirectory -framework CoreFoundation -lpam";;
-           getconf)
-               for f in getconf.tproj/*.gperf; do
-                   cfile=''${f%.gperf}.c
-                   LC_ALL=C awk -f getconf.tproj/fake-gperf.awk $f > $cfile
-               done
-           ;;
-           iostat) CFLAGS="-framework IOKit -framework CoreFoundation";;
-           login) CFLAGS="-lbsm -lpam";;
-           nvram) CFLAGS="-framework CoreFoundation -framework IOKit";;
-           sadc) CFLAGS="-framework IOKit -framework CoreFoundation";;
-           sar) CFLAGS="-Isadc.tproj";;
-      esac
-
-      echo "Building $name"
-
-      case $name in
-
-           # These are all broken currently.
-           arch) continue;;
-           chpass) continue;;
-           dirhelper) continue;;
-           dynamic_pager) continue;;
-           fs_usage) continue;;
-           latency) continue;;
-           pagesize) continue;;
-           passwd) continue;;
-           reboot) continue;;
-           sc_usage) continue;;
-           shutdown) continue;;
-           trace) continue;;
-
-           *) cc $dir/*.c -I''${dir} $CFLAGS -o $name ;;
-      esac
-    done
+  # A vendored meson.build is used instead of the upstream Xcode project.
+  # This is done for a few reasons:
+  # - The upstream project causes `xcbuild` to crash.
+  #   See: https://github.com/facebookarchive/xcbuild/issues/188;
+  # - Achieving the same flexibility regarding SDK version would require modifying the
+  #   Xcode project, but modifying Xcode projects without using Xcode is painful; and
+  # - Using Meson allows the derivation to leverage the robust Meson support in nixpkgs,
+  #   and it allows it to use Meson features to simplify the build (e.g., generators).
+  preConfigure = ''
+    substitute '${./meson.build}' meson.build \
+      --subst-var-by kernel '${Kernel}' \
+      --subst-var-by libc_private '${Libc}' \
+      --subst-var-by libmalloc_private '${libmallocPrivate}' \
+      --subst-var-by opendirectory '${OpenDirectory}' \
+      --subst-var-by opendirectory_private '${OpenDirectoryPrivate}' \
+      --subst-var-by xnu '${xnu}' \
+      --subst-var-by xnu_private '${xnuPrivate}' \
+      --subst-var-by version '${finalAttrs.version}'
+    cp '${./meson.options}' meson.options
   '';
 
-  installPhase = ''
-    for dir in *.tproj; do
-      name=$(basename $dir)
-      name=''${name%.tproj}
-      [ -x $name ] && install -D $name $out/bin/$name
-      for n in 1 2 3 4 5 6 7 8 9; do
-        for f in $dir/*.$n; do
-          install -D $f $out/share/man/man$n/$(basename $f)
-        done
-      done
-    done
-  '';
+  mesonFlags = [ (lib.mesonOption "sdk_version" stdenv.hostPlatform.darwinSdkVersion) ];
 
   meta = {
     platforms = lib.platforms.darwin;
-    maintainers = with lib.maintainers; [ shlevy matthewbauer ];
+    maintainers = with lib.maintainers; [
+      shlevy
+      matthewbauer
+    ];
   };
-}
+})
diff --git a/pkgs/os-specific/darwin/apple-source-releases/system_cmds/fix-implicit-declarations.patch b/pkgs/os-specific/darwin/apple-source-releases/system_cmds/fix-implicit-declarations.patch
deleted file mode 100644
index b08f54045724f..0000000000000
--- a/pkgs/os-specific/darwin/apple-source-releases/system_cmds/fix-implicit-declarations.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-diff -ur a/getty.tproj/main.c b/getty.tproj/main.c
---- a/getty.tproj/main.c	2008-06-10 14:50:19.000000000 -0400
-+++ b/getty.tproj/main.c	2023-05-31 18:06:40.121028558 -0400
-@@ -67,6 +67,7 @@
- #include <syslog.h>
- #include <termios.h>
- #include <time.h>
-+#include <util.h>
- #include <unistd.h>
- 
- #ifdef __APPLE__
-@@ -152,7 +153,7 @@
- static void	putpad(const char *);
- static void	puts(const char *);
- static void	timeoverrun(int);
--static char	*getline(int);
-+static char	*get_line(int);
- static void	setttymode(int);
- static int	opentty(const char *, int);
- 
-@@ -352,7 +353,7 @@
- 			if ((fd = open(IF, O_RDONLY)) != -1) {
- 				char * cp;
- 
--				while ((cp = getline(fd)) != NULL) {
-+				while ((cp = get_line(fd)) != NULL) {
- 					  putf(cp);
- 				}
- 				close(fd);
-@@ -744,7 +745,7 @@
- 
- 
- static char *
--getline(int fd)
-+get_line(int fd)
- {
- 	int i = 0;
- 	static char linebuf[512];
---- a/newgrp.tproj/newgrp.c	2021-10-06 01:38:52.000000000 -0400
-+++ b/newgrp.tproj/newgrp.c	2023-05-31 22:26:50.656157841 -0400
-@@ -47,6 +47,7 @@
- #include <string.h>
- #include <unistd.h>
- #ifdef __APPLE__
-+#include <membership.h>
- #include <paths.h>
- #endif /* __APPLE__ */
- static void	 addgroup(const char *grpname);
diff --git a/pkgs/os-specific/darwin/apple-source-releases/system_cmds/meson.build b/pkgs/os-specific/darwin/apple-source-releases/system_cmds/meson.build
new file mode 100644
index 0000000000000..af08b5074bef1
--- /dev/null
+++ b/pkgs/os-specific/darwin/apple-source-releases/system_cmds/meson.build
@@ -0,0 +1,545 @@
+# Build settings based on the upstream Xcode project.
+# See: https://github.com/apple-oss-distributions/system_cmds/blob/main/system_cmds.xcodeproj/project.pbxproj
+
+
+# Project settings
+project('system_cmds', 'c', version : '@version@')
+
+if host_machine.system() != 'linux'
+  add_project_arguments('-D__FreeBSD__', language : 'c')
+endif
+
+sdk_version = get_option('sdk_version')
+
+
+# Dependencies
+cc = meson.get_compiler('c')
+# Upstream uses awk to process `.gperf` files instead of gperf, which can’t process them.
+fake_gperf = find_program('awk', required : true)
+
+## Frameworks
+core_foundation = dependency('appleframeworks', modules : 'CoreFoundation')
+core_symbolication = dependency('appleframeworks', modules : 'CoreSymbolication')
+directory_service = dependency('appleframeworks', modules : 'DirectoryService')
+iokit = dependency('appleframeworks', modules : 'IOKit')
+kernel = declare_dependency(include_directories : '@kernel@/Library/Frameworks/Kernel.framework/Headers')
+open_directory = dependency('appleframeworks', modules : 'OpenDirectory')
+
+## Private Headers
+cfopen_directory = declare_dependency(
+    dependencies : declare_dependency(
+        compile_args :[ '-iframework', '@opendirectory@/Library/Frameworks/OpenDirectory.framework/Frameworks' ],
+   ),
+    include_directories : '@opendirectory_private@/include',
+)
+libc_private = declare_dependency(include_directories : '@libc_private@/include')
+libmalloc_private = declare_dependency(include_directories : '@libmalloc_private@/include')
+
+xnu_include_dirs = [
+    '@xnu@/include/bsd',
+    '@xnu@/include/libkern',
+    '@xnu@/include/iokit',
+    '@xnu@/include/osfmk',
+    '@xnu_private@/include'
+]
+if sdk_version.version_compare('>=10.13')
+    xnu_include_dirs += '@xnu@/include/san'
+endif
+xnu_private = declare_dependency(
+    compile_args : [
+        # Suppresses suffixing symbols with '$UNIX2003', which causes link failures.
+        '-D__DARWIN_ONLY_UNIX_CONFORMANCE=1',
+        # Make sure Darwin is correctly detected as macOS
+        '-DPLATFORM_MacOSX=1',
+        # Access private definitions
+        '-DPRIVATE=1'
+    ],
+    include_directories : xnu_include_dirs
+)
+
+## Libraries
+ncurses = dependency('ncurses')
+openbsm = cc.find_library('bsm')
+pam = cc.find_library('pam')
+
+# Feature Tests
+if sdk_version.version_compare('<12')
+    add_project_arguments('-DkIOMainPortDefault=kIOMasterPortDefault', language : 'c')
+    add_project_arguments('-DIOMainPort=IOMasterPort', language : 'c')
+endif
+
+
+# Generators
+pgperf = generator(
+    fake_gperf,
+    arguments : [ '-f', meson.source_root() + '/getconf/fake-gperf.awk', '@INPUT@' ],
+    capture : true,
+    output : '@BASENAME@.gperf.c'
+)
+
+
+# Binaries
+executable('ac', install : true, sources : 'ac/ac.c')
+install_man('ac/ac.8')
+
+executable('accton', install : true, sources : 'accton/accton.c')
+install_man('accton/accton.8')
+
+executable(
+    'arch',
+    build_by_default : sdk_version.version_compare('>=11'),
+    dependencies : [ core_foundation ],
+    install : sdk_version.version_compare('>=11'),
+    sources : 'arch/arch.c'
+)
+install_man(
+    'arch/arch.1',
+    'arch/machine.1'
+)
+
+executable(
+    'at',
+    c_args : [
+        '-DDAEMON_UID=1',
+        '-DDAEMON_GID=1',
+        '-DDEFAULT_AT_QUEUE=\'a\'',
+        '-DDEFAULT_BATCH_QUEUE=\'b\'',
+        '-DPERM_PATH="/usr/lib/cron"',
+    ],
+    install : true,
+    sources : [
+        'at/at.c',
+        'at/panic.c',
+        'at/parsetime.c',
+        'at/perm.c'
+    ]
+)
+install_man('at/at.1')
+
+executable(
+    'atrun',
+    c_args : [ '-DDAEMON_UID=1', '-DDAEMON_GID=1' ],
+    include_directories : 'at',
+    install : true,
+    sources : [
+        'atrun/atrun.c',
+        'atrun/gloadavg.c'
+    ]
+)
+install_man('atrun/atrun.8')
+
+executable(
+    'chkpasswd',
+    c_args : '-DUSE_PAM',
+    dependencies : [ core_foundation, open_directory, pam ],
+    install : true,
+    sources : [
+        'chkpasswd/file_passwd.c',
+        'chkpasswd/nis_passwd.c',
+        'chkpasswd/od_passwd.c',
+        'chkpasswd/pam_passwd.c',
+        'chkpasswd/passwd.c',
+        'chkpasswd/stringops.c'
+    ]
+)
+install_man('chkpasswd/chkpasswd.8')
+
+executable(
+    'chpass',
+    dependencies : [ core_foundation, cfopen_directory, directory_service, open_directory ],
+    install : true,
+    sources : [
+        'chpass/chpass.c',
+        'chpass/edit.c',
+        'chpass/field.c',
+        'chpass/open_directory.c',
+        'chpass/table.c',
+        'chpass/util.c'
+    ]
+)
+install_man('chpass/chpass.1')
+
+executable('cpuctl', install : true, sources : 'cpuctl/cpuctl.c')
+install_man('cpuctl/cpuctl.8')
+
+executable('dmesg', install : true, sources : 'dmesg/dmesg.c')
+install_man('dmesg/dmesg.8')
+
+executable(
+    'dynamic_pager',
+    c_args : '-DNO_DIRECT_RPC',
+    install : true,
+    sources : 'dynamic_pager/dynamic_pager.c'
+)
+install_man('dynamic_pager/dynamic_pager.8')
+
+executable(
+    'fs_usage',
+    # Requires 'ktrace/session.h'
+    build_by_default : false,
+    install : false,
+    sources : 'fs_usage/fs_usage.c'
+)
+# install_man('fs_usage/fs_usage.1')
+
+executable(
+    'gcore',
+    # Requires XPC private APIs
+    build_by_default : false and sdk_version.version_compare('>=11'),
+    install : false and sdk_version.version_compare('>=11'),
+    sources : [
+        'gcore/convert.c',
+        'gcore/corefile.c',
+        'gcore/dyld.c',
+        'gcore/dyld_shared_cache.c',
+        'gcore/main.c',
+        'gcore/sparse.c',
+        'gcore/threads.c',
+        'gcore/utils.c',
+        'gcore/vanilla.c',
+        'gcore/vm.c'
+    ]
+)
+# install_man('gcore/gcore-internal.1', 'gcore/gcore.1')
+
+executable(
+    'getconf',
+    c_args : '-DAPPLE_GETCONF_UNDERSCORE',
+    include_directories : 'getconf',
+    install : true,
+    sources : [
+        'getconf/getconf.c',
+    ] + pgperf.process(
+        [
+            'getconf/confstr.gperf',
+            'getconf/limits.gperf',
+            'getconf/unsigned_limits.gperf',
+            'getconf/progenv.gperf',
+            'getconf/sysconf.gperf',
+            'getconf/pathconf.gperf'
+        ]
+   )
+)
+install_man('getconf/getconf.1')
+
+executable(
+    'getty',
+    install : true,
+    sources : [
+        'getty/chat.c',
+        'getty/init.c',
+        'getty/main.c',
+        'getty/subr.c'
+    ]
+)
+install_man(
+    'getty/getty.8',
+    'getty/gettytab.5',
+    'getty/ttys.5'
+)
+
+executable('hostinfo', install : true, sources : 'hostinfo/hostinfo.c')
+install_man('hostinfo/hostinfo.8')
+
+executable(
+    'iosim',
+    dependencies : [ core_foundation, iokit ],
+    include_directories : 'at',
+    install : true,
+    sources : 'iosim/iosim.c'
+)
+install_man('iosim/iosim.1')
+
+executable(
+    'iostat',
+    dependencies : [ core_foundation, iokit ],
+    install : true,
+    sources : 'iostat/iostat.c'
+)
+install_man('iostat/iostat.8')
+
+executable(
+    'kpgo',
+    dependencies : [ xnu_private ],
+    install : true,
+    sources : 'kpgo/kpgo.c'
+)
+# No man pages for `kpgo`
+
+executable(
+    'latency',
+    build_by_default : sdk_version.version_compare('>=12'),
+    dependencies : ncurses,
+    install : sdk_version.version_compare('>=12'),
+    sources : 'latency/latency.c'
+)
+if sdk_version.version_compare('>=12')
+    install_man('latency/latency.1')
+endif
+
+executable(
+    'login',
+    # Requires SoftLinking/WeakLinking.h and end-point security entitlements
+    build_by_default : false,
+    c_args : '-DUSE_BSM_AUDIT=1',
+    dependencies : [ openbsm, xnu_private ],
+    install : false,
+    sources : [
+        'login/login.c',
+        'login/login_audit.c'
+    ]
+)
+# install_man('login/login.1')
+
+executable(
+    'lskq',
+    build_by_default : sdk_version.version_compare('>=12'),
+    install : sdk_version.version_compare('>=12'),
+    sources : 'lskq/lskq.c'
+)
+if sdk_version.version_compare('>=12')
+    install_man('lskq/lskq.1')
+endif
+
+executable(
+    'lsmp',
+    build_by_default : sdk_version.version_compare('>=12'),
+    install : sdk_version.version_compare('>=12'),
+    sources : [
+        'lsmp/lsmp.c',
+        'lsmp/port_details.c',
+        'lsmp/task_details.c'
+    ]
+)
+if sdk_version.version_compare('>=12')
+    install_man('lsmp/lsmp.1')
+endif
+
+executable(
+    'ltop',
+    install : true,
+    sources : 'ltop/ltop.c'
+)
+install_man('ltop/ltop.1')
+
+executable('mean', install : true, sources : 'mean/mean.c')
+# No man pages for `mean`.
+
+executable(
+    'memory_pressure',
+    dependencies : [ xnu_private ],
+    install : true,
+    sources : 'memory_pressure/memory_pressure.c'
+)
+install_man('memory_pressure/memory_pressure.1')
+
+executable('mkfile', install : true, sources : 'mkfile/mkfile.c')
+install_man('mkfile/mkfile.8')
+
+executable(
+    'mslutil',
+    build_by_default : sdk_version.version_compare('>=10.13'),
+    dependencies : [ libmalloc_private ],
+    install : sdk_version.version_compare('>=10.13'),
+    sources : 'mslutil/mslutil.c'
+)
+if sdk_version.version_compare('>=10.13')
+    install_man('mslutil/mslutil.1')
+endif
+
+executable('newgrp', install : true, sources : 'newgrp/newgrp.c')
+install_man('newgrp/newgrp.1')
+
+executable('nologin', install : true, sources : 'nologin/nologin.c')
+install_man(
+    'nologin/nologin.5',
+    'nologin/nologin.8'
+)
+
+executable(
+    'nvram',
+    c_args : '-DTARGET_OS_BRIDGE=0',
+    dependencies : [ core_foundation, iokit, libc_private, xnu_private ],
+    install : true,
+    sources : 'nvram/nvram.c'
+)
+install_man('nvram/nvram.8')
+
+custom_target(
+    'pagesize',
+    command : [ 'cp', '@INPUT@', '@OUTPUT@' ],
+    install : true,
+    install_dir : get_option('bindir'),
+    install_mode : 'r-xr-xr-x',
+    input : 'pagesize/pagesize.sh',
+    output : 'pagesize'
+)
+install_man('pagesize/pagesize.1')
+
+executable(
+    'passwd',
+    dependencies : [ core_foundation, cfopen_directory, directory_service, open_directory, pam ],
+    install : true,
+    sources : [
+        'passwd/file_passwd.c',
+        'passwd/nis_passwd.c',
+        'passwd/od_passwd.c',
+        'passwd/pam_passwd.c',
+        'passwd/passwd.c'
+    ]
+)
+install_man('passwd/passwd.1')
+
+executable(
+    'proc_uuid_policy',
+    install : true,
+    sources : 'proc_uuid_policy/proc_uuid_policy.c'
+)
+install_man('proc_uuid_policy/proc_uuid_policy.1')
+
+executable('purge', install : true, sources : 'purge/purge.c')
+install_man('purge/purge.8')
+
+executable(
+    'pwd_mkdb',
+    c_args : [ '-D_PW_NAME_LEN=MAXLOGNAME', '-D_PW_YPTOKEN="__YP!"' ],
+    install : true,
+    sources : [
+        'pwd_mkdb/pw_scan.c',
+        'pwd_mkdb/pwd_mkdb.c'
+    ]
+)
+install_man('pwd_mkdb/pwd_mkdb.8')
+
+executable(
+    'reboot',
+    # Requires IOKitUser kext APIs
+    build_by_default : false,
+    install : false,
+    sources : 'reboot/reboot.c'
+)
+# install_man('reboot/reboot.8')
+
+executable(
+    'sa',
+    c_args : '-DAHZV1',
+    install : true,
+    sources : [
+        'sa/db.c',
+        'sa/main.c',
+        'sa/pdb.c',
+        'sa/usrdb.c'
+    ]
+)
+install_man('sa/sa.8')
+
+executable(
+    'sc_usage',
+    build_by_default : sdk_version.version_compare('>=12'),
+    dependencies : ncurses,
+    install : sdk_version.version_compare('>=12'),
+    sources : 'sc_usage/sc_usage.c'
+)
+if sdk_version.version_compare('>=12')
+    install_man('sc_usage/sc_usage.1')
+endif
+
+executable('shutdown',
+    # Requires IOKitUser kext APIs
+    build_by_default : false,
+    install : false,
+    sources : 'shutdown/shutdown.c'
+)
+# install_man('shutdown/shutdown.8')
+
+executable(
+    'stackshot',
+    build_by_default : sdk_version.version_compare('>=10.13'),
+    dependencies : [ xnu_private ],
+    install : sdk_version.version_compare('>=10.13'),
+    sources : 'stackshot/stackshot.c'
+)
+# No man pages for `stackshot`.
+
+executable('sync', install : true, sources : 'sync/sync.c')
+# No man pages for `sync`.
+
+executable('sysctl', install : true, sources : 'sysctl/sysctl.c')
+install_man(
+    'sysctl/sysctl.8',
+    'sysctl/sysctl.conf.5'
+)
+
+executable(
+    'taskpolicy',
+    build_by_default : sdk_version.version_compare('>=11'),
+    dependencies : [ xnu_private ],
+    install : sdk_version.version_compare('>=11'),
+    sources : 'taskpolicy/taskpolicy.c'
+)
+if sdk_version.version_compare('>=11')
+    install_man('taskpolicy/taskpolicy.8')
+endif
+
+executable('vifs', install : true, sources : 'vifs/vifs.c')
+install_man('vifs/vifs.8')
+
+executable(
+    'vipw',
+    install : true,
+    sources : [
+        'vipw/pw_util.c',
+        'vipw/vipw.c'
+    ]
+)
+install_man('vipw/vipw.8')
+
+executable('vm_purgeable_stat',
+    build_by_default : sdk_version.version_compare('>=11'),
+    install : sdk_version.version_compare('>=11'),
+    sources : 'vm_purgeable_stat/vm_purgeable_stat.c'
+)
+if sdk_version.version_compare('>=11')
+    install_man('vm_purgeable_stat/vm_purgeable_stat.1')
+endif
+
+executable('vm_stat', install : true, sources : 'vm_stat/vm_stat.c')
+install_man('vm_stat/vm_stat.1')
+
+executable('wait4path', install : true, sources : 'wait4path/wait4path.c')
+install_man('wait4path/wait4path.1')
+
+executable('wordexp-helper', install : true, sources : 'wordexp-helper/wordexp-helper.c')
+# No man pages for `wordexp-helper`.
+
+executable('zdump', include_directories : 'zic', install : true, sources : 'zdump/zdump.c')
+install_man('zdump/zdump.8')
+
+executable('zic', install : true, sources : 'zic/zic.c')
+install_man('zic/zic.8')
+
+executable(
+    'zlog',
+    build_by_default : sdk_version.version_compare('>=11'),
+    c_args : '-DKERN_NOT_FOUND=56',
+    dependencies : [ core_foundation, core_symbolication ],
+    install : sdk_version.version_compare('>=11'),
+    sources : [
+        'zlog/SymbolicationHelper.c',
+        'zlog/zlog.c',
+    ]
+)
+if sdk_version.version_compare('>=11')
+    install_man('zlog/zlog.1')
+endif
+
+executable(
+    'zprint',
+    # Requires IOKitUser kext APIs
+    build_by_default : false,
+    dependencies: [ kernel ],
+    install : false,
+    sources : 'zprint/zprint.c'
+)
+# install_man('zprint/zprint.1')
+
diff --git a/pkgs/os-specific/darwin/apple-source-releases/system_cmds/meson.options b/pkgs/os-specific/darwin/apple-source-releases/system_cmds/meson.options
new file mode 100644
index 0000000000000..8c4ce874c64c5
--- /dev/null
+++ b/pkgs/os-specific/darwin/apple-source-releases/system_cmds/meson.options
@@ -0,0 +1 @@
+option('sdk_version', type : 'string')
diff --git a/pkgs/os-specific/darwin/bartender/default.nix b/pkgs/os-specific/darwin/bartender/default.nix
index 011a356e54124..3650d0dcaf3cf 100644
--- a/pkgs/os-specific/darwin/bartender/default.nix
+++ b/pkgs/os-specific/darwin/bartender/default.nix
@@ -6,12 +6,12 @@
 
 stdenvNoCC.mkDerivation (finalAttrs: {
   pname = "bartender";
-  version = "5.0.49";
+  version = "5.0.52";
 
   src = fetchurl {
     name = "Bartender ${lib.versions.major finalAttrs.version}.dmg";
     url = "https://www.macbartender.com/B2/updates/${builtins.replaceStrings [ "." ] [ "-" ] finalAttrs.version}/Bartender%20${lib.versions.major finalAttrs.version}.dmg";
-    hash = "sha256-DOQLtdbwYFyRri3GBdjLfFNII65QJMvAQu9Be4ATBx0=";
+    hash = "sha256-gKsDD/4z397ZpT+8xu7BI1c9r+nledzrPfD/ACexFvQ=";
   };
 
   dontPatch = true;
@@ -32,7 +32,7 @@ stdenvNoCC.mkDerivation (finalAttrs: {
     runHook postInstall
   '';
 
-  meta = with lib; {
+  meta = {
     description = "Take control of your menu bar";
     longDescription = ''
       Bartender is an award-winning app for macOS that superpowers your menu bar, giving you total control over your menu bar items, what's displayed, and when, with menu bar items only showing when you need them.
@@ -40,9 +40,9 @@ stdenvNoCC.mkDerivation (finalAttrs: {
     '';
     homepage = "https://www.macbartender.com";
     changelog = "https://www.macbartender.com/Bartender${lib.versions.major finalAttrs.version}/release_notes/";
-    license = with licenses; [ unfree ];
-    sourceProvenance = with sourceTypes; [ binaryNativeCode ];
-    maintainers = with maintainers; [ stepbrobd ];
+    license = [ lib.licenses.unfree ];
+    sourceProvenance = [ lib.sourceTypes.binaryNativeCode ];
+    maintainers = with lib.maintainers; [ stepbrobd ];
     platforms = [ "aarch64-darwin" "x86_64-darwin" ];
   };
 })
diff --git a/pkgs/os-specific/darwin/binutils/default.nix b/pkgs/os-specific/darwin/binutils/default.nix
index d7bdac6ceea34..78c510f7da4cd 100644
--- a/pkgs/os-specific/darwin/binutils/default.nix
+++ b/pkgs/os-specific/darwin/binutils/default.nix
@@ -11,6 +11,7 @@ let
     "ld" "strip" "otool" "lipo" "nm" "strings" "size"
     "codesign_allocate"
   ];
+  isCCToolsLLVM = lib.getName cctools == "cctools-llvm";
 in
 
 # TODO: loop over targetPrefixed binaries too
@@ -33,7 +34,7 @@ stdenv.mkDerivation {
     # - strip: the binutils one seems to break mach-o files
     # - lipo: gcc build assumes it exists
     # - nm: the gnu one doesn't understand many new load commands
-    for i in ${lib.concatStringsSep " " (builtins.map (e: targetPrefix + e) cmds)}; do
+    for i in ${lib.concatStringsSep " " (map (e: targetPrefix + e) cmds)}; do
       ln -sf "${cctools}/bin/$i" "$out/bin/$i"
     done
 
@@ -41,51 +42,59 @@ stdenv.mkDerivation {
 
     ln -s ${binutils-unwrapped.out}/share $out/share
 
-    ln -s ${cctools}/libexec $out/libexec
-
     mkdir -p "$man"/share/man/man{1,5}
-    for i in ${builtins.concatStringsSep " " cmds}; do
+    for i in ${lib.concatStringsSep " " cmds}; do
       for path in "${cctools.man}"/share/man/man?/$i.*; do
         dest_path="$man''${path#${cctools.man}}"
         ln -sv "$path" "$dest_path"
       done
     done
   ''
-  # On aarch64-darwin we must use clang, because "as" from cctools just doesn't
-  # handle the arch. Proxying calls to clang produces quite a bit of warnings,
-  # and using clang directly here is a better option than relying on cctools.
-  # On x86_64-darwin the Clang version is too old to support this mode.
-  + lib.optionalString stdenv.isAarch64 ''
-    rm $out/bin/${targetPrefix}as
-    makeWrapper "${clang-unwrapped}/bin/clang" "$out/bin/${targetPrefix}as" \
-      --add-flags "-x assembler -integrated-as -c"
-  ''
-  # x86-64 Darwin gnat-bootstrap emits assembly
-  # with MOVQ as the mnemonic for quadword interunit moves
-  # such as `movq %rbp, %xmm0`.
-  # The clang integrated assembler recognises this as valid,
-  # but unfortunately the cctools-port GNU assembler does not;
-  # it instead uses MOVD as the mnemonic.
-  # The assembly that a GCC build emits is determined at build time
-  # and cannot be changed afterwards.
-  #
-  # To build GNAT on x86-64 Darwin, therefore,
-  # we need both the clang _and_ the cctools-port assemblers to be available:
-  # the former to build at least the stage1 compiler,
-  # and the latter at least to be detectable
-  # as the target for the final compiler.
-  #
-  # We choose to match the Aarch64 case above,
-  # wrapping the clang integrated assembler as `as`.
-  # It then seems sensible to wrap the cctools GNU assembler as `gas`.
-  #
-  + lib.optionalString (stdenv.isx86_64 && dualAs) ''
-    mv $out/bin/${targetPrefix}as $out/bin/${targetPrefix}gas
-    makeWrapper "${clang-unwrapped}/bin/clang" "$out/bin/${targetPrefix}as" \
-      --add-flags "-x assembler -integrated-as -c"
-  '';
+  + lib.optionalString (!isCCToolsLLVM) (
+    # cctools-port has a `libexec` folder for `as`, but cctools-llvm uses the clang
+    # assembler on both platforms. Only link it when cctools is cctools-port.
+    ''
+      ln -s ${cctools}/libexec $out/libexec
+    ''
+    # cctools-llvm uses the LLVM assembler on both architectures, so use the assembler
+    # from that instead of relinking it.
+    #
+    # On aarch64-darwin we must use clang, because "as" from cctools just doesn't
+    # handle the arch. Proxying calls to clang produces quite a bit of warnings,
+    # and using clang directly here is a better option than relying on cctools.
+    # On x86_64-darwin the Clang version is too old to support this mode.
+    + lib.optionalString stdenv.isAarch64 ''
+      rm $out/bin/${targetPrefix}as
+      makeWrapper "${clang-unwrapped}/bin/clang" "$out/bin/${targetPrefix}as" \
+        --add-flags "-x assembler -integrated-as -c"
+    ''
+    # x86-64 Darwin gnat-bootstrap emits assembly
+    # with MOVQ as the mnemonic for quadword interunit moves
+    # such as `movq %rbp, %xmm0`.
+    # The clang integrated assembler recognises this as valid,
+    # but unfortunately the cctools-port GNU assembler does not;
+    # it instead uses MOVD as the mnemonic.
+    # The assembly that a GCC build emits is determined at build time
+    # and cannot be changed afterwards.
+    #
+    # To build GNAT on x86-64 Darwin, therefore,
+    # we need both the clang _and_ the cctools-port assemblers to be available:
+    # the former to build at least the stage1 compiler,
+    # and the latter at least to be detectable
+    # as the target for the final compiler.
+    #
+    # We choose to match the Aarch64 case above,
+    # wrapping the clang integrated assembler as `as`.
+    # It then seems sensible to wrap the cctools GNU assembler as `gas`.
+    #
+    + lib.optionalString (stdenv.isx86_64 && dualAs) ''
+      mv $out/bin/${targetPrefix}as $out/bin/${targetPrefix}gas
+      makeWrapper "${clang-unwrapped}/bin/clang" "$out/bin/${targetPrefix}as" \
+        --add-flags "-x assembler -integrated-as -c"
+    ''
+  );
 
-  nativeBuildInputs = lib.optionals (stdenv.isAarch64 || dualAs) [ makeWrapper ];
+  nativeBuildInputs = lib.optionals (!isCCToolsLLVM && (stdenv.isAarch64 || dualAs)) [ makeWrapper ];
 
   passthru = {
     inherit targetPrefix;
diff --git a/pkgs/os-specific/darwin/cctools/apple.nix b/pkgs/os-specific/darwin/cctools/apple.nix
index 7adcfa9539a2d..dee4e20062560 100644
--- a/pkgs/os-specific/darwin/cctools/apple.nix
+++ b/pkgs/os-specific/darwin/cctools/apple.nix
@@ -116,7 +116,7 @@ symlinkJoin rec {
   meta = with lib; {
     description = "MacOS Compiler Tools";
     homepage = "http://www.opensource.apple.com/source/cctools/";
-    license = licenses.apsl20;
+    license = licenses.apple-psl20;
     platforms = platforms.darwin;
   };
 }
diff --git a/pkgs/os-specific/darwin/cctools/port.nix b/pkgs/os-specific/darwin/cctools/port.nix
index c9b11ee20155e..377d84d9bf731 100644
--- a/pkgs/os-specific/darwin/cctools/port.nix
+++ b/pkgs/os-specific/darwin/cctools/port.nix
@@ -186,7 +186,7 @@ stdenv.mkDerivation {
     broken = !stdenv.targetPlatform.isDarwin; # Only supports darwin targets
     homepage = "http://www.opensource.apple.com/source/cctools/";
     description = "MacOS Compiler Tools (cross-platform port)";
-    license = lib.licenses.apsl20;
+    license = lib.licenses.apple-psl20;
     maintainers = with lib.maintainers; [ matthewbauer ];
   };
 }
diff --git a/pkgs/os-specific/darwin/grandperspective/default.nix b/pkgs/os-specific/darwin/grandperspective/default.nix
index 0d57d4f277144..816440ec1155e 100644
--- a/pkgs/os-specific/darwin/grandperspective/default.nix
+++ b/pkgs/os-specific/darwin/grandperspective/default.nix
@@ -1,20 +1,24 @@
-{ stdenv, lib, fetchurl, undmg }:
+{ stdenv, lib, fetchurl, undmg, makeWrapper }:
 
 stdenv.mkDerivation (finalAttrs: {
-  version = "3.4.1";
+  version = "3.4.2";
   pname = "grandperspective";
 
   src = fetchurl {
     inherit (finalAttrs) version;
     url = "mirror://sourceforge/grandperspectiv/GrandPerspective-${lib.replaceStrings [ "." ] [ "_" ] finalAttrs.version}.dmg";
-    hash = "sha256-iTtvP6iONcfDWJ3qMh+TUJMN+3spwCQ/5S+A307BJCM=";
+    hash = "sha256-ZgyBeQCoixLGCFS8+UFoMilvtswplEC8MzK3BE4ocDg=";
   };
 
   sourceRoot = "GrandPerspective.app";
   buildInputs = [ undmg ];
+  nativeBuildInputs = [ makeWrapper ];
+  # Create a trampoline script in $out/bin/ because a symlink doesn’t work for
+  # this app.
   installPhase = ''
-    mkdir -p "$out/Applications/GrandPerspective.app";
-    cp -R . "$out/Applications/GrandPerspective.app";
+    mkdir -p "$out/Applications/GrandPerspective.app" "$out/bin"
+    cp -R . "$out/Applications/GrandPerspective.app"
+    makeWrapper "$out/Applications/GrandPerspective.app/Contents/MacOS/GrandPerspective" "$out/bin/grandperspective"
   '';
 
   meta = with lib; {
@@ -25,6 +29,7 @@ stdenv.mkDerivation (finalAttrs: {
       space. It uses a so called tree map for visualisation. Each file is shown as a rectangle with an area proportional to
       the file's size. Files in the same folder appear together, but their placement is otherwise arbitrary.
     '';
+    mainProgram = "grandperspective";
     homepage = "https://grandperspectiv.sourceforge.net";
     license = licenses.gpl2Only;
     sourceProvenance = with sourceTypes; [ binaryNativeCode ];
diff --git a/pkgs/os-specific/darwin/insert_dylib/default.nix b/pkgs/os-specific/darwin/insert_dylib/default.nix
deleted file mode 100644
index 7ab9692f0d427..0000000000000
--- a/pkgs/os-specific/darwin/insert_dylib/default.nix
+++ /dev/null
@@ -1,22 +0,0 @@
-{ lib, stdenv, fetchFromGitHub, xcbuildHook }:
-
-stdenv.mkDerivation {
-  pname = "insert_dylib";
-  version = "unstable-2016-08-28";
-
-  src = fetchFromGitHub {
-    owner = "Tyilo";
-    repo = "insert_dylib";
-    rev = "c8beef66a08688c2feeee2c9b6eaf1061c2e67a9";
-    sha256 = "0az38y06pvvy9jf2wnzdwp9mp98lj6nr0ldv0cs1df5p9x2qvbya";
-  };
-
-  nativeBuildInputs = [ xcbuildHook ];
-
-  installPhase = ''
-    mkdir -p $out/bin
-    install -m755 Products/Release/insert_dylib $out/bin
-  '';
-
-  meta.platforms = lib.platforms.darwin;
-}
diff --git a/pkgs/os-specific/darwin/moltenvk/default.nix b/pkgs/os-specific/darwin/moltenvk/default.nix
index 4e332e6fe5577..323096fd5c9ed 100644
--- a/pkgs/os-specific/darwin/moltenvk/default.nix
+++ b/pkgs/os-specific/darwin/moltenvk/default.nix
@@ -28,7 +28,7 @@ let
 in
 stdenv.mkDerivation (finalAttrs: {
   pname = "MoltenVK";
-  version = "1.2.7";
+  version = "1.2.9";
 
   buildInputs = [
     AppKit
@@ -56,7 +56,7 @@ stdenv.mkDerivation (finalAttrs: {
     owner = "KhronosGroup";
     repo = "MoltenVK";
     rev = "v${finalAttrs.version}";
-    hash = "sha256-0+S/kueV+AEVt+oFnh4cgcDRVtEbUH1QiHFPhGhimCA=";
+    hash = "sha256-9k7NMw2M6IqCUQNBekzDaS6VYAOKwPmuCfJkENQ7oiI=";
   };
 
   postPatch = ''
diff --git a/pkgs/os-specific/darwin/noah/default.nix b/pkgs/os-specific/darwin/noah/default.nix
index b8cb1424cdda2..ad63b796f1838 100644
--- a/pkgs/os-specific/darwin/noah/default.nix
+++ b/pkgs/os-specific/darwin/noah/default.nix
@@ -18,7 +18,7 @@ stdenv.mkDerivation rec {
     description = "Bash on Ubuntu on macOS";
     homepage = "https://github.com/linux-noah/noah";
     license = [ licenses.mit licenses.gpl2 ];
-    maintainers = [ maintainers.marsam ];
+    maintainers = [ ];
     platforms = platforms.darwin;
     # never built on aarch64-darwin since first introduction in nixpkgs
     broken = stdenv.isDarwin && stdenv.isAarch64;
diff --git a/pkgs/os-specific/darwin/openwith/default.nix b/pkgs/os-specific/darwin/openwith/default.nix
index eb78f7a1344c4..d28ed4942821c 100644
--- a/pkgs/os-specific/darwin/openwith/default.nix
+++ b/pkgs/os-specific/darwin/openwith/default.nix
@@ -1,6 +1,7 @@
-{ lib, stdenv, fetchFromGitHub, swift, AppKit, Foundation, UniformTypeIdentifiers }:
+{ lib, swiftPackages, fetchFromGitHub }:
 
 let
+  inherit (swiftPackages) apple_sdk stdenv swift;
   arch = if stdenv.isAarch64 then "arm64" else "x86_64";
 in
 stdenv.mkDerivation rec {
@@ -16,7 +17,7 @@ stdenv.mkDerivation rec {
 
   nativeBuildInputs = [ swift ];
 
-  buildInputs = [ AppKit Foundation UniformTypeIdentifiers ];
+  buildInputs = with apple_sdk.frameworks; [ AppKit Foundation UniformTypeIdentifiers ];
 
   makeFlags = [ "openwith_${arch}" ];
 
@@ -32,6 +33,5 @@ stdenv.mkDerivation rec {
     license = licenses.unlicense;
     maintainers = with maintainers; [ zowoq ];
     platforms = [ "aarch64-darwin" "x86_64-darwin" ];
-    broken = stdenv.isx86_64; # https://hydra.nixos.org/build/219354133/nixlog/3
   };
 }
diff --git a/pkgs/os-specific/darwin/raycast/default.nix b/pkgs/os-specific/darwin/raycast/default.nix
index 59c60b320f689..bcb3b93c21aec 100644
--- a/pkgs/os-specific/darwin/raycast/default.nix
+++ b/pkgs/os-specific/darwin/raycast/default.nix
@@ -1,17 +1,22 @@
-{ lib
-, stdenvNoCC
-, fetchurl
-, undmg
+{
+  lib,
+  stdenvNoCC,
+  fetchurl,
+  writeShellApplication,
+  curl,
+  jq,
+  common-updater-scripts,
+  undmg,
 }:
 
 stdenvNoCC.mkDerivation (finalAttrs: {
   pname = "raycast";
-  version = "1.70.2";
+  version = "1.75.1";
 
   src = fetchurl {
     name = "Raycast.dmg";
     url = "https://releases.raycast.com/releases/${finalAttrs.version}/download?build=universal";
-    hash = "sha256-t0lc59RcOF7umUjyxQll4RZNyboiuMaP8dZ15vcuaAE=";
+    hash = "sha256-lHGKWj4nn0GsviV83MKgCaQ6HW/CfeP8gg4VXlVXaXg=";
   };
 
   dontPatch = true;
@@ -32,12 +37,34 @@ stdenvNoCC.mkDerivation (finalAttrs: {
     runHook postInstall
   '';
 
-  meta = with lib; {
+  passthru.updateScript = lib.getExe (writeShellApplication {
+    name = "raycast-update-script";
+    runtimeInputs = [
+      curl
+      jq
+      common-updater-scripts
+    ];
+    text = ''
+      set -eo pipefail
+      url=$(curl --silent "https://releases.raycast.com/releases/latest?build=universal")
+      version=$(echo "$url" | jq -r '.version')
+      update-source-version raycast "$version" --file=./pkgs/os-specific/darwin/raycast/default.nix
+    '';
+  });
+
+  meta = {
     description = "Control your tools with a few keystrokes";
     homepage = "https://raycast.app/";
-    license = with licenses; [ unfree ];
-    sourceProvenance = with sourceTypes; [ binaryNativeCode ];
-    maintainers = with maintainers; [ lovesegfault stepbrobd ];
-    platforms = [ "aarch64-darwin" "x86_64-darwin" ];
+    license = lib.licenses.unfree;
+    maintainers = with lib.maintainers; [
+      lovesegfault
+      stepbrobd
+      donteatoreo
+    ];
+    platforms = [
+      "aarch64-darwin"
+      "x86_64-darwin"
+    ];
+    sourceProvenance = with lib.sourceTypes; [ binaryNativeCode ];
   };
 })
diff --git a/pkgs/os-specific/darwin/raycast/update.sh b/pkgs/os-specific/darwin/raycast/update.sh
deleted file mode 100755
index e33f8421597d9..0000000000000
--- a/pkgs/os-specific/darwin/raycast/update.sh
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/usr/bin/env nix-shell
-#!nix-shell -I nixpkgs=../../../../. -i bash -p common-updater-scripts jq
-
-set -eo pipefail
-
-new_version=$(curl --silent https://releases.raycast.com/releases/latest?build=universal | jq -r '.version')
-old_version=$(sed -nE 's/\s*version = "(.*)".*/\1/p' ./default.nix)
-
-if [[ $new_version == $old_version ]]; then
-    echo "Already up to date."
-    exit 0
-else
-    echo "raycast: $old_version -> $new_version"
-    sed -Ei.bak '/ *version = "/s/".+"/"'"$new_version"'"/' ./default.nix
-    rm ./default.nix.bak
-fi
-
-hash=$(nix --extra-experimental-features nix-command store prefetch-file --json --hash-type sha256 "https://releases.raycast.com/releases/$new_version/download?build=universal" | jq -r '.hash')
-sed -Ei.bak '/ *hash = /{N;N; s@("sha256-)[^;"]+@"'"$hash"'@}' ./default.nix
-rm ./default.nix.bak
diff --git a/pkgs/os-specific/darwin/rectangle/default.nix b/pkgs/os-specific/darwin/rectangle/default.nix
index 0ada82d0e7580..af7bb58e54a17 100644
--- a/pkgs/os-specific/darwin/rectangle/default.nix
+++ b/pkgs/os-specific/darwin/rectangle/default.nix
@@ -7,11 +7,11 @@
 
 stdenvNoCC.mkDerivation rec {
   pname = "rectangle";
-  version = "0.76";
+  version = "0.79";
 
   src = fetchurl {
     url = "https://github.com/rxhanson/Rectangle/releases/download/v${version}/Rectangle${version}.dmg";
-    hash = "sha256-oHq5mLMWloi6Tf81rjcmUFGwIggtMdyLPqbD/gOzNHU=";
+    hash = "sha256-XczwgLONTt7wL+oW1ruw6wBwZTMd5VyN+79xJy0NUIg=";
   };
 
   sourceRoot = ".";
diff --git a/pkgs/os-specific/darwin/sketchybar/default.nix b/pkgs/os-specific/darwin/sketchybar/default.nix
deleted file mode 100644
index 3081e40622c54..0000000000000
--- a/pkgs/os-specific/darwin/sketchybar/default.nix
+++ /dev/null
@@ -1,72 +0,0 @@
-{ lib
-, stdenv
-, fetchFromGitHub
-, AppKit
-, Carbon
-, CoreAudio
-, CoreWLAN
-, CoreVideo
-, DisplayServices
-, IOKit
-, MediaRemote
-, SkyLight
-, testers
-}:
-
-let
-  inherit (stdenv.hostPlatform) system;
-  target = {
-    "aarch64-darwin" = "arm64";
-    "x86_64-darwin" = "x86";
-  }.${system} or (throw "Unsupported system: ${system}");
-in
-stdenv.mkDerivation (finalAttrs: {
-  pname = "sketchybar";
-  version = "2.21.0";
-
-  src = fetchFromGitHub {
-    owner = "FelixKratz";
-    repo = "SketchyBar";
-    rev = "v${finalAttrs.version}";
-    hash = "sha256-hTfQQjx6ai83zYFfccsz/KaoZUIj5Dfz4ENe59gS02E=";
-  };
-
-  buildInputs = [
-    AppKit
-    Carbon
-    CoreAudio
-    CoreWLAN
-    CoreVideo
-    DisplayServices
-    IOKit
-    MediaRemote
-    SkyLight
-  ];
-
-  makeFlags = [
-    target
-  ];
-
-  installPhase = ''
-    runHook preInstall
-
-    mkdir -p $out/bin
-    cp ./bin/sketchybar $out/bin/sketchybar
-
-    runHook postInstall
-  '';
-
-  passthru.tests.version = testers.testVersion {
-    package = finalAttrs.finalPackage;
-    version = "sketchybar-v${finalAttrs.version}";
-  };
-
-  meta = {
-    description = "A highly customizable macOS status bar replacement";
-    homepage = "https://github.com/FelixKratz/SketchyBar";
-    license = lib.licenses.gpl3;
-    mainProgram = "sketchybar";
-    maintainers = with lib.maintainers; [ azuwis khaneliman ];
-    platforms = lib.platforms.darwin;
-  };
-})
diff --git a/pkgs/os-specific/darwin/skhd/default.nix b/pkgs/os-specific/darwin/skhd/default.nix
deleted file mode 100644
index f979f7ec020e7..0000000000000
--- a/pkgs/os-specific/darwin/skhd/default.nix
+++ /dev/null
@@ -1,50 +0,0 @@
-{ lib
-, stdenv
-, fetchFromGitHub
-, Carbon
-, Cocoa
-, testers
-}:
-
-stdenv.mkDerivation (finalAttrs: {
-  pname = "skhd";
-  version = "0.3.9";
-
-  src = fetchFromGitHub {
-    owner = "koekeishiya";
-    repo = "skhd";
-    rev = "v${finalAttrs.version}";
-    hash = "sha256-fnkWws/g4BdHKDRhqoCpdPFUavOHdk8R7h7H1dAdAYI=";
-  };
-
-  buildInputs = [
-    Carbon
-    Cocoa
-  ];
-
-  makeFlags = [
-    "BUILD_PATH=$(out)/bin"
-  ];
-
-  env.NIX_CFLAGS_COMPILE = "-Wno-error=implicit-function-declaration";
-
-  postInstall = ''
-    mkdir -p $out/Library/LaunchDaemons
-    cp ${./org.nixos.skhd.plist} $out/Library/LaunchDaemons/org.nixos.skhd.plist
-    substituteInPlace $out/Library/LaunchDaemons/org.nixos.skhd.plist --subst-var out
-  '';
-
-  passthru.tests.version = testers.testVersion {
-    package = finalAttrs.finalPackage;
-    version = "skhd-v${finalAttrs.version}";
-  };
-
-  meta = {
-    description = "Simple hotkey daemon for macOS";
-    homepage = "https://github.com/koekeishiya/skhd";
-    license = lib.licenses.mit;
-    mainProgram = "skhd";
-    maintainers = with lib.maintainers; [ cmacrae lnl7 periklis khaneliman ];
-    platforms = lib.platforms.darwin;
-  };
-})
diff --git a/pkgs/os-specific/darwin/skhd/org.nixos.skhd.plist b/pkgs/os-specific/darwin/skhd/org.nixos.skhd.plist
deleted file mode 100644
index e6624487740bc..0000000000000
--- a/pkgs/os-specific/darwin/skhd/org.nixos.skhd.plist
+++ /dev/null
@@ -1,23 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
-  <key>Label</key>
-  <string>org.nixos.skhd</string>
-  <key>ProgramArguments</key>
-  <array>
-    <string>@out@/bin/skhd</string>
-  </array>
-  <key>ProcessType</key>
-  <string>Interactive</string>
-  <key>EnvironmentVariables</key>
-  <dict>
-    <key>PATH</key>
-    <string>@out@/bin:/nix/var/nix/profiles/default/bin:/usr/bin:/bin:/usr/sbin:/sbin</string>
-  </dict>
-  <key>RunAtLoad</key>
-  <true/>
-  <key>KeepAlive</key>
-  <true/>
-</dict>
-</plist>
diff --git a/pkgs/os-specific/darwin/utm/default.nix b/pkgs/os-specific/darwin/utm/default.nix
index 50f84a254dfc2..050a725b2cb8b 100644
--- a/pkgs/os-specific/darwin/utm/default.nix
+++ b/pkgs/os-specific/darwin/utm/default.nix
@@ -7,11 +7,11 @@
 
 stdenvNoCC.mkDerivation rec {
   pname = "utm";
-  version = "4.4.5";
+  version = "4.5.3";
 
   src = fetchurl {
     url = "https://github.com/utmapp/UTM/releases/download/v${version}/UTM.dmg";
-    hash = "sha256-FlIPSWqY2V1akd/InS6BPEBfc8pomJ8jgDns7wvaOm8=";
+    hash = "sha256-7hpWTe6TvnNodFt1rSRGougeZuEjvSeuVzBWFfYo53Y=";
   };
 
   nativeBuildInputs = [ undmg makeWrapper ];
@@ -57,7 +57,7 @@ stdenvNoCC.mkDerivation rec {
       See https://docs.getutm.app/ for more information.
     '';
     homepage = "https://mac.getutm.app/";
-    changelog = "https://github.com/utmapp/${pname}/releases/tag/v${version}";
+    changelog = "https://github.com/utmapp/utm/releases/tag/v${version}";
     mainProgram = "UTM";
     license = licenses.asl20;
     platforms = platforms.darwin; # 11.3 is the minimum supported version as of UTM 4.
diff --git a/pkgs/os-specific/darwin/xcode/default.nix b/pkgs/os-specific/darwin/xcode/default.nix
index 54250001d9eb0..1b7949dcb124d 100644
--- a/pkgs/os-specific/darwin/xcode/default.nix
+++ b/pkgs/os-specific/darwin/xcode/default.nix
@@ -3,7 +3,7 @@
 let requireXcode = version: sha256:
   let
     xip = "Xcode_" + version +  ".xip";
-    # TODO(alexfmpe): Find out how to validate the .xip signature in Linux
+
     unxip = if stdenv.buildPlatform.isDarwin
             then ''
               open -W ${xip}
@@ -14,7 +14,9 @@ let requireXcode = version: sha256:
               rm -rf ${xip}
               pbzx -n Content | cpio -i
               rm Content Metadata
+              rcodesign verify Xcode.app/Contents/MacOS/Xcode
             '';
+
     app = requireFile rec {
       name     = "Xcode.app";
       url      = "https://developer.apple.com/services-account/download?path=/Developer_Tools/Xcode_${version}/${xip}";
@@ -83,4 +85,3 @@ in lib.makeExtensible (self: {
   xcode_15_1 = requireXcode "15.1" "sha256-0djqoSamU87rCpjo50Un3cFg9wKf+pSczRko6uumGM0=";
   xcode = self."xcode_${lib.replaceStrings ["."] ["_"] (if (stdenv.targetPlatform ? xcodeVer) then stdenv.targetPlatform.xcodeVer else "12.3")}";
 })
-
diff --git a/pkgs/os-specific/darwin/yabai/default.nix b/pkgs/os-specific/darwin/yabai/default.nix
deleted file mode 100644
index 8e2ff3b548e63..0000000000000
--- a/pkgs/os-specific/darwin/yabai/default.nix
+++ /dev/null
@@ -1,141 +0,0 @@
-{ lib
-, stdenv
-, fetchFromGitHub
-, fetchzip
-, installShellFiles
-, testers
-, writeShellScript
-, common-updater-scripts
-, curl
-, jq
-, xcodebuild
-, xxd
-, yabai
-, Carbon
-, Cocoa
-, ScriptingBridge
-, SkyLight
-}:
-
-stdenv.mkDerivation (finalAttrs: {
-  pname = "yabai";
-  version = "7.0.3";
-
-  src = finalAttrs.passthru.sources.${stdenv.hostPlatform.system} or (throw "Unsupported system: ${stdenv.hostPlatform.system}");
-
-  env = {
-    # silence service.h error
-    NIX_CFLAGS_COMPILE = "-Wno-implicit-function-declaration";
-  };
-
-  nativeBuildInputs = [
-    installShellFiles
-  ]
-  ++ lib.optionals stdenv.isx86_64 [
-    xcodebuild
-    xxd
-  ];
-
-  buildInputs = [ ] ++ lib.optionals stdenv.isx86_64 [
-    Carbon
-    Cocoa
-    ScriptingBridge
-    SkyLight
-  ];
-
-  dontConfigure = true;
-  dontBuild = stdenv.isAarch64;
-  enableParallelBuilding = true;
-
-  installPhase = ''
-    runHook preInstall
-
-    mkdir -p $out/{bin,share/icons/hicolor/scalable/apps}
-
-    cp ./bin/yabai $out/bin/yabai
-    ${lib.optionalString stdenv.isx86_64 "cp ./assets/icon/icon.svg $out/share/icons/hicolor/scalable/apps/yabai.svg"}
-    installManPage ./doc/yabai.1
-
-    runHook postInstall
-  '';
-
-  postPatch = lib.optionalString stdenv.isx86_64 /* bash */ ''
-    # aarch64 code is compiled on all targets, which causes our Apple SDK headers to error out.
-    # Since multilib doesnt work on darwin i dont know of a better way of handling this.
-    substituteInPlace makefile \
-    --replace "-arch arm64e" "" \
-    --replace "-arch arm64" "" \
-    --replace "clang" "${stdenv.cc.targetPrefix}clang"
-
-    # `NSScreen::safeAreaInsets` is only available on macOS 12.0 and above, which frameworks arent packaged.
-    # When a lower OS version is detected upstream just returns 0, so we can hardcode that at compiletime.
-    # https://github.com/koekeishiya/yabai/blob/v4.0.2/src/workspace.m#L109
-    substituteInPlace src/workspace.m \
-    --replace 'return screen.safeAreaInsets.top;' 'return 0;'
-  '';
-
-  passthru = {
-    tests.version = testers.testVersion {
-      package = yabai;
-      version = "yabai-v${finalAttrs.version}";
-    };
-
-    sources = {
-      # Unfortunately compiling yabai from source on aarch64-darwin is a bit complicated. We use the precompiled binary instead for now.
-      # See the comments on https://github.com/NixOS/nixpkgs/pull/188322 for more information.
-      "aarch64-darwin" = fetchzip {
-        url = "https://github.com/koekeishiya/yabai/releases/download/v${finalAttrs.version}/yabai-v${finalAttrs.version}.tar.gz";
-        hash = "sha256-EvtKYYjEmLkJTnc9q6f37hMD1T3DBO+I1LfBvPjCgfc=";
-      };
-      "x86_64-darwin" = fetchFromGitHub
-        {
-          owner = "koekeishiya";
-          repo = "yabai";
-          rev = "v${finalAttrs.version}";
-          hash = "sha256-oxQsCvTZqfKZoTuY1NC6h+Fzvyl0gJDhljFY2KrjRQ8=";
-        };
-    };
-
-    updateScript = writeShellScript "update-yabai" ''
-      set -o errexit
-      export PATH="${lib.makeBinPath [ curl jq common-updater-scripts ]}"
-      NEW_VERSION=$(curl --silent https://api.github.com/repos/koekeishiya/yabai/releases/latest | jq '.tag_name | ltrimstr("v")' --raw-output)
-      if [[ "${finalAttrs.version}" = "$NEW_VERSION" ]]; then
-          echo "The new version same as the old version."
-          exit 0
-      fi
-      for platform in ${lib.escapeShellArgs finalAttrs.meta.platforms}; do
-        update-source-version "yabai" "0" "${lib.fakeHash}" --source-key="sources.$platform"
-        update-source-version "yabai" "$NEW_VERSION" --source-key="sources.$platform"
-      done
-    '';
-  };
-
-  meta = {
-    description = "A tiling window manager for macOS based on binary space partitioning";
-    longDescription = ''
-      yabai is a window management utility that is designed to work as an extension to the built-in
-      window manager of macOS. yabai allows you to control your windows, spaces and displays freely
-      using an intuitive command line interface and optionally set user-defined keyboard shortcuts
-      using skhd and other third-party software.
-    '';
-    homepage = "https://github.com/koekeishiya/yabai";
-    changelog = "https://github.com/koekeishiya/yabai/blob/v${finalAttrs.version}/CHANGELOG.md";
-    license = lib.licenses.mit;
-    platforms = builtins.attrNames finalAttrs.passthru.sources;
-    mainProgram = "yabai";
-    maintainers = with lib.maintainers; [
-      cmacrae
-      shardy
-      ivar
-      khaneliman
-    ];
-    sourceProvenance = with lib.sourceTypes; [ ]
-      ++ lib.optionals stdenv.isx86_64 [
-      fromSource
-    ] ++ lib.optionals stdenv.isAarch64 [
-      binaryNativeCode
-    ];
-  };
-})
-
diff --git a/pkgs/os-specific/linux/akvcam/default.nix b/pkgs/os-specific/linux/akvcam/default.nix
index 2bfe82e70358e..3fdb247a33ebb 100644
--- a/pkgs/os-specific/linux/akvcam/default.nix
+++ b/pkgs/os-specific/linux/akvcam/default.nix
@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   pname = "akvcam";
-  version = "1.2.5";
+  version = "1.2.6";
 
   src = fetchFromGitHub {
     owner = "webcamoid";
     repo = "akvcam";
     rev = version;
-    sha256 = "sha256-SzyamP6kcJI/GEeFp3uf1APdoBtwoUj0/9Otwtmygvs=";
+    sha256 = "sha256-8jQxBvWRE9Bsh0oz76gO7o+ROm6Z5QGAIe3WERIouUw=";
   };
   sourceRoot = "${src.name}/src";
 
diff --git a/pkgs/os-specific/linux/anbox/default.nix b/pkgs/os-specific/linux/anbox/default.nix
index a3724c792482e..3a5649d9f2882 100644
--- a/pkgs/os-specific/linux/anbox/default.nix
+++ b/pkgs/os-specific/linux/anbox/default.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchFromGitHub, fetchurl
+{ lib, stdenv, fetchFromGitHub
 , callPackage
 , fetchpatch
 , cmake, pkg-config, dbus, makeWrapper
diff --git a/pkgs/os-specific/linux/apfs/default.nix b/pkgs/os-specific/linux/apfs/default.nix
index 68265f9f826c4..8d34d57d4f24c 100644
--- a/pkgs/os-specific/linux/apfs/default.nix
+++ b/pkgs/os-specific/linux/apfs/default.nix
@@ -6,7 +6,7 @@
 }:
 
 let
-  tag = "0.3.8";
+  tag = "0.3.9";
 in
 stdenv.mkDerivation {
   pname = "apfs";
@@ -16,7 +16,7 @@ stdenv.mkDerivation {
     owner = "linux-apfs";
     repo = "linux-apfs-rw";
     rev = "v${tag}";
-    hash = "sha256-I/wuS4//bUiUW8NGW6aNVPzDtuY2lMUeFiv5y2c7TYY=";
+    hash = "sha256-KZ/B3sR9x58DTUeHUI0ZPW6bb7vFkPMVXaEZ25m3cP0=";
   };
 
   hardeningDisable = [ "pic" ];
diff --git a/pkgs/os-specific/linux/batman-adv/version.nix b/pkgs/os-specific/linux/batman-adv/version.nix
index 545285a6cf422..6292552dd5546 100644
--- a/pkgs/os-specific/linux/batman-adv/version.nix
+++ b/pkgs/os-specific/linux/batman-adv/version.nix
@@ -1,16 +1,16 @@
 {
-  version = "2024.0";
+  version = "2024.1";
 
   # To get these, run:
   #
   # ```
   # for tool in alfred batctl batman-adv; do
-  #   nix-prefetch-url https://downloads.open-mesh.org/batman/releases/batman-adv-2024.0/$tool-2024.0.tar.gz --type sha256 | xargs nix hash to-sri --type sha256
+  #   nix-prefetch-url https://downloads.open-mesh.org/batman/releases/batman-adv-2024.1/$tool-2024.1.tar.gz --type sha256 | xargs nix hash to-sri --type sha256
   # done
   # ```
   sha256 = {
-    alfred = "sha256-0CmkNjirFnceX3HhNLyEPRcT10BBxlvNoYox0Y9VMb0=";
-    batctl = "sha256-doU+hyAa9jxBHbFS/QxiWnKalzMRWJfRMxYE4sWmfH0=";
-    batman-adv = "sha256-YREGl7V5n2RqKoKk3Pl/rtS7EqfMQ79Gg9LE3k9rQOc=";
+    alfred = "sha256-Ji2tOcm+EirH8GFwXIo+O21GJ4K74zcubfyazgw4Tbk=";
+    batctl = "sha256-aD3anWBU6yYKGsACLGQnmP9ASNbFOmcuoLMXjmt1egk=";
+    batman-adv = "sha256-pxQynGJR9IMOnPA/U8v7IoDwZ4RxtUxdRvrmGngtQyU=";
   };
 }
diff --git a/pkgs/os-specific/linux/bcc/absolute-ausyscall.patch b/pkgs/os-specific/linux/bcc/absolute-ausyscall.patch
deleted file mode 100644
index 7480e9c5d97b3..0000000000000
--- a/pkgs/os-specific/linux/bcc/absolute-ausyscall.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 01e793163231c5085afced37471df32b94a313f5 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
-Date: Thu, 30 Dec 2021 06:34:41 +0100
-Subject: [PATCH] absolute ausyscall
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
----
- libbpf-tools/syscall_helpers.c | 2 +-
- src/python/bcc/syscall.py      | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/libbpf-tools/syscall_helpers.c b/libbpf-tools/syscall_helpers.c
-index e114a08f..62adea78 100644
---- a/libbpf-tools/syscall_helpers.c
-+++ b/libbpf-tools/syscall_helpers.c
-@@ -47,7 +47,7 @@ void init_syscall_names(void)
- 	int err;
- 	FILE *f;
- 
--	f = popen("ausyscall --dump 2>/dev/null", "r");
-+	f = popen("@ausyscall@ --dump 2>/dev/null", "r");
- 	if (!f) {
- 		warn("popen: ausyscall --dump: %s\n", strerror(errno));
- 		return;
-diff --git a/src/python/bcc/syscall.py b/src/python/bcc/syscall.py
-index 1346b4e8..e7e29a11 100644
---- a/src/python/bcc/syscall.py
-+++ b/src/python/bcc/syscall.py
-@@ -376,7 +376,7 @@ def _parse_syscall(line):
- try:
-     # Skip the first line, which is a header. The rest of the lines are simply
-     # SYSCALL_NUM\tSYSCALL_NAME pairs.
--    out = subprocess.check_output(['ausyscall', '--dump'], stderr=subprocess.STDOUT)
-+    out = subprocess.check_output(['@ausyscall@', '--dump'], stderr=subprocess.STDOUT)
-     # remove the first line of expected output
-     out = out.split(b'\n',1)[1]
-     syscalls = dict(map(_parse_syscall, out.strip().split(b'\n')))
--- 
-2.34.0
-
diff --git a/pkgs/os-specific/linux/bcc/default.nix b/pkgs/os-specific/linux/bcc/default.nix
deleted file mode 100644
index a0b91f6d778b7..0000000000000
--- a/pkgs/os-specific/linux/bcc/default.nix
+++ /dev/null
@@ -1,122 +0,0 @@
-{ audit
-, bash
-, bison
-, cmake
-, elfutils
-, fetchFromGitHub
-, flex
-, iperf
-, lib
-, libbpf
-, llvmPackages
-, luajit
-, makeWrapper
-, netperf
-, nixosTests
-, python3
-, stdenv
-, zip
-}:
-
-python3.pkgs.buildPythonApplication rec {
-  pname = "bcc";
-  version = "0.29.1";
-
-  disabled = !stdenv.isLinux;
-
-  src = fetchFromGitHub {
-    owner = "iovisor";
-    repo = "bcc";
-    rev = "v${version}";
-    hash = "sha256-+HYCweAI5axx0ZNFd/jLRXkUinRLDmKWMpLTk7FrEe0=";
-  };
-  format = "other";
-
-  buildInputs = with llvmPackages; [
-    llvm llvm.dev libclang
-    elfutils luajit netperf iperf
-    flex bash libbpf
-  ];
-
-  patches = [
-    # This is needed until we fix
-    # https://github.com/NixOS/nixpkgs/issues/40427
-    ./fix-deadlock-detector-import.patch
-  ];
-
-  propagatedBuildInputs = [ python3.pkgs.netaddr ];
-  nativeBuildInputs = [
-    bison
-    cmake
-    flex
-    llvmPackages.llvm.dev
-    makeWrapper
-    python3.pkgs.setuptools
-    zip
-  ];
-
-  cmakeFlags = [
-    "-DBCC_KERNEL_MODULES_DIR=/run/booted-system/kernel-modules/lib/modules"
-    "-DREVISION=${version}"
-    "-DENABLE_USDT=ON"
-    "-DENABLE_CPP_API=ON"
-    "-DCMAKE_USE_LIBBPF_PACKAGE=ON"
-    "-DENABLE_LIBDEBUGINFOD=OFF"
-  ];
-
-  # to replace this executable path:
-  # https://github.com/iovisor/bcc/blob/master/src/python/bcc/syscall.py#L384
-  ausyscall = "${audit}/bin/ausyscall";
-
-  postPatch = ''
-    substituteAll ${./libbcc-path.patch} ./libbcc-path.patch
-    patch -p1 < libbcc-path.patch
-
-    substituteAll ${./absolute-ausyscall.patch} ./absolute-ausyscall.patch
-    patch -p1 < absolute-ausyscall.patch
-
-    # https://github.com/iovisor/bcc/issues/3996
-    substituteInPlace src/cc/libbcc.pc.in \
-      --replace '$'{exec_prefix}/@CMAKE_INSTALL_LIBDIR@ @CMAKE_INSTALL_FULL_LIBDIR@
-  '';
-
-  preInstall = ''
-    # required for setuptool during install
-    export PYTHONPATH=$out/${python3.sitePackages}:$PYTHONPATH
-  '';
-  postInstall = ''
-    mkdir -p $out/bin $out/share
-    rm -r $out/share/bcc/tools/old
-    mv $out/share/bcc/tools/doc $out/share
-    mv $out/share/bcc/man $out/share/
-
-    find $out/share/bcc/tools -type f -executable -print0 | \
-    while IFS= read -r -d ''$'\0' f; do
-      bin=$out/bin/$(basename $f)
-      if [ ! -e $bin ]; then
-        ln -s $f $bin
-      fi
-      substituteInPlace "$f" \
-        --replace '$(dirname $0)/lib' "$out/share/bcc/tools/lib"
-    done
-
-    sed -i -e "s!lib=.*!lib=$out/bin!" $out/bin/{java,ruby,node,python}gc
-  '';
-
-  postFixup = ''
-    wrapPythonProgramsIn "$out/share/bcc/tools" "$out $pythonPath"
-  '';
-
-  outputs = [ "out" "man" ];
-
-  passthru.tests = {
-    bpf = nixosTests.bpf;
-  };
-
-  meta = with lib; {
-    description = "Dynamic Tracing Tools for Linux";
-    homepage    = "https://iovisor.github.io/bcc/";
-    license     = licenses.asl20;
-    maintainers = with maintainers; [ ragge mic92 thoughtpolice martinetd ];
-  };
-}
diff --git a/pkgs/os-specific/linux/bcc/fix-deadlock-detector-import.patch b/pkgs/os-specific/linux/bcc/fix-deadlock-detector-import.patch
deleted file mode 100644
index 1c422635f4fef..0000000000000
--- a/pkgs/os-specific/linux/bcc/fix-deadlock-detector-import.patch
+++ /dev/null
@@ -1,14 +0,0 @@
---- source.org/tools/deadlock.py	1980-01-02 00:00:00.000000000 +0000
-+++ source/tools/deadlock.py	2018-05-29 13:57:11.807126673 +0100
-@@ -44,9 +44,8 @@
- #
- # 01-Feb-2017   Kenny Yu   Created this.
- 
--from __future__ import (
--    absolute_import, division, unicode_literals, print_function
--)
-+from __future__ import absolute_import, division, unicode_literals, print_function
-+
- from bcc import BPF
- from collections import defaultdict
- import argparse
diff --git a/pkgs/os-specific/linux/bcc/libbcc-path.patch b/pkgs/os-specific/linux/bcc/libbcc-path.patch
deleted file mode 100644
index 187bb3aadd00d..0000000000000
--- a/pkgs/os-specific/linux/bcc/libbcc-path.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- source.org/src/python/bcc/libbcc.py	2018-05-13 08:35:06.850522883 +0100
-+++ source/src/python/bcc/libbcc.py	2018-05-13 08:36:24.602733151 +0100
-@@ -14,7 +14,7 @@
- 
- import ctypes as ct
- 
--lib = ct.CDLL("libbcc.so.0", use_errno=True)
-+lib = ct.CDLL("@out@/lib/libbcc.so.0", use_errno=True)
- 
- # keep in sync with bpf_common.h
- lib.bpf_module_create_b.restype = ct.c_void_p
diff --git a/pkgs/os-specific/linux/below/default.nix b/pkgs/os-specific/linux/below/default.nix
index 3204bd7dcf277..5efc80357d8f1 100644
--- a/pkgs/os-specific/linux/below/default.nix
+++ b/pkgs/os-specific/linux/below/default.nix
@@ -11,16 +11,16 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "below";
-  version = "0.7.1";
+  version = "0.8.1";
 
   src = fetchFromGitHub {
     owner = "facebookincubator";
     repo = "below";
     rev = "v${version}";
-    sha256 = "sha256-2mZBpvLPY6yrEAvB1YlFuaXJlmmNuZqhu3xWADNHbx0=";
+    sha256 = "sha256-87Fdx3Jqi3dNWM5DZl+UYs031qn2DoiiWd3IysT/glQ=";
   };
 
-  cargoHash = "sha256-cTNxWCd4YH5VuZh0GRfBNtHmLqCQ75uyHqROkv1jbRA=";
+  cargoHash = "sha256-y2fNypA0MrCdUI/K6QrZWw/5mkYafj2s6jrGHU2zGXw=";
 
   prePatch = ''sed -i "s,ExecStart=.*/bin,ExecStart=$out/bin," etc/below.service'';
   postInstall = ''
diff --git a/pkgs/os-specific/linux/bpftrace/default.nix b/pkgs/os-specific/linux/bpftrace/default.nix
deleted file mode 100644
index 068f4532451b0..0000000000000
--- a/pkgs/os-specific/linux/bpftrace/default.nix
+++ /dev/null
@@ -1,71 +0,0 @@
-{ lib, stdenv, fetchFromGitHub, fetchpatch
-, llvmPackages, elfutils, bcc
-, libbpf, libbfd, libopcodes
-, cereal, asciidoctor
-, cmake, pkg-config, flex, bison
-, util-linux
-, nixosTests
-}:
-
-stdenv.mkDerivation rec {
-  pname = "bpftrace";
-  version = "0.20.3";
-
-  src = fetchFromGitHub {
-    owner = "iovisor";
-    repo  = "bpftrace";
-    rev   = "v${version}";
-    hash  = "sha256-B4BxoZSPSpDWLUgcYgQEmuhVr2mX04hrFCLu04vp1so=";
-  };
-
-
-  buildInputs = with llvmPackages; [
-    llvm libclang
-    elfutils bcc
-    libbpf libbfd libopcodes
-    cereal asciidoctor
-  ];
-
-  nativeBuildInputs = [
-    cmake pkg-config flex bison
-    llvmPackages.llvm.dev
-    util-linux
-  ];
-
-  # tests aren't built, due to gtest shenanigans. see:
-  #
-  #     https://github.com/iovisor/bpftrace/issues/161#issuecomment-453606728
-  #     https://github.com/iovisor/bpftrace/pull/363
-  #
-  cmakeFlags = [
-    "-DBUILD_TESTING=FALSE"
-    "-DLIBBCC_INCLUDE_DIRS=${bcc}/include"
-    "-DINSTALL_TOOL_DOCS=OFF"
-    "-DUSE_SYSTEM_BPF_BCC=ON"
-  ];
-
-
-  # Pull BPF scripts into $PATH (next to their bcc program equivalents), but do
-  # not move them to keep `${pkgs.bpftrace}/share/bpftrace/tools/...` working.
-  postInstall = ''
-    ln -sr $out/share/bpftrace/tools/*.bt $out/bin/
-    # do not use /usr/bin/env for shipped tools
-    # If someone can get patchShebangs to work here please fix.
-    sed -i -e "1s:#!/usr/bin/env bpftrace:#!$out/bin/bpftrace:" $out/share/bpftrace/tools/*.bt
-  '';
-
-  outputs = [ "out" "man" ];
-
-  passthru.tests = {
-    bpf = nixosTests.bpf;
-  };
-
-  meta = with lib; {
-    description = "High-level tracing language for Linux eBPF";
-    homepage    = "https://github.com/iovisor/bpftrace";
-    changelog   = "https://github.com/iovisor/bpftrace/releases/tag/v${version}";
-    mainProgram = "bpftrace";
-    license     = licenses.asl20;
-    maintainers = with maintainers; [ rvl thoughtpolice martinetd mfrw ];
-  };
-}
diff --git a/pkgs/os-specific/linux/bpftune/default.nix b/pkgs/os-specific/linux/bpftune/default.nix
index 517cd04a455d8..8747ef3d928f2 100644
--- a/pkgs/os-specific/linux/bpftune/default.nix
+++ b/pkgs/os-specific/linux/bpftune/default.nix
@@ -12,13 +12,13 @@
 
 stdenv.mkDerivation rec {
   pname = "bpftune";
-  version = "unstable-2023-12-20";
+  version = "0-unstable-2024-05-17";
 
   src = fetchFromGitHub {
     owner = "oracle";
     repo = "bpftune";
-    rev = "0e6bca2e5880fcbaac6478c4042f5f9314e61463";
-    hash = "sha256-y9WQrQb9U5YdzKAR63FzC8V1+jZL027pzAmQPpgM3jM=";
+    rev = "83115c56cf9620fe5669f4a3be67ab779d8f4536";
+    hash = "sha256-er2i7CEUXF3BpWTG//s8C0xfIk5gSVOHB8nE1r7PX78=";
   };
 
   postPatch = ''
diff --git a/pkgs/os-specific/linux/busybox/default.nix b/pkgs/os-specific/linux/busybox/default.nix
index c72be801aeeae..33fa7663f46dd 100644
--- a/pkgs/os-specific/linux/busybox/default.nix
+++ b/pkgs/os-specific/linux/busybox/default.nix
@@ -159,12 +159,14 @@ stdenv.mkDerivation rec {
 
   doCheck = false; # tries to access the net
 
+  passthru.shellPath = "/bin/ash";
+
   meta = with lib; {
     description = "Tiny versions of common UNIX utilities in a single small executable";
     homepage = "https://busybox.net/";
     license = licenses.gpl2Only;
     maintainers = with maintainers; [ TethysSvensson qyliss ];
     platforms = platforms.linux;
-    priority = 10;
+    priority = 15; # below systemd (halt, init, poweroff, reboot) and coreutils
   };
 }
diff --git a/pkgs/os-specific/linux/cpuid/default.nix b/pkgs/os-specific/linux/cpuid/default.nix
index 396baa4b98c18..d74d25398f645 100644
--- a/pkgs/os-specific/linux/cpuid/default.nix
+++ b/pkgs/os-specific/linux/cpuid/default.nix
@@ -1,27 +1,24 @@
-{ lib
-, stdenv
-, fetchurl
-, perl
+{
+  lib,
+  stdenv,
+  fetchurl,
+  perl,
 }:
 
 stdenv.mkDerivation rec {
   pname = "cpuid";
-  version = "20230614";
+  version = "20240324";
 
   src = fetchurl {
     url = "http://etallen.com/cpuid/${pname}-${version}.src.tar.gz";
-    sha256 = "sha256-scgwRe/CYHYwd1HgZi1YAnf1+b+JzwJyMaeBIAPDpOg=";
+    sha256 = "sha256-3fvFudgBUbsEl16d7BMFEDQZeY0i7/LiRJCD3AhiGEw=";
   };
 
   # For pod2man during the build process.
-  nativeBuildInputs = [
-    perl
-  ];
+  nativeBuildInputs = [ perl ];
 
   # As runtime dependency for cpuinfo2cpuid.
-  buildInputs = [
-    perl
-  ];
+  buildInputs = [ perl ];
 
   # The Makefile hardcodes $(BUILDROOT)/usr as installation
   # destination. Just nuke all mentions of /usr to get the right
@@ -50,6 +47,9 @@ stdenv.mkDerivation rec {
     homepage = "http://etallen.com/cpuid.html";
     license = licenses.gpl2Plus;
     maintainers = with maintainers; [ blitz ];
-    platforms = [ "i686-linux" "x86_64-linux" ];
+    platforms = [
+      "i686-linux"
+      "x86_64-linux"
+    ];
   };
 }
diff --git a/pkgs/os-specific/linux/cpupower-gui/default.nix b/pkgs/os-specific/linux/cpupower-gui/default.nix
index 02a781d1f0cf0..754f8e1396152 100644
--- a/pkgs/os-specific/linux/cpupower-gui/default.nix
+++ b/pkgs/os-specific/linux/cpupower-gui/default.nix
@@ -19,7 +19,7 @@
 , pygobject3
 , pyxdg
 , systemd
-, wrapGAppsHook
+, wrapGAppsHook3
 }:
 
 buildPythonApplication rec {
@@ -55,7 +55,7 @@ buildPythonApplication rec {
     meson
     ninja
     pkg-config
-    wrapGAppsHook
+    wrapGAppsHook3
 
     # Python packages
     dbus-python
diff --git a/pkgs/os-specific/linux/cpupower/default.nix b/pkgs/os-specific/linux/cpupower/default.nix
index 13e2fc78b8219..7c1b031d83349 100644
--- a/pkgs/os-specific/linux/cpupower/default.nix
+++ b/pkgs/os-specific/linux/cpupower/default.nix
@@ -39,6 +39,7 @@ stdenv.mkDerivation {
     description = "Tool to examine and tune power saving features";
     homepage = "https://www.kernel.org/";
     license = licenses.gpl2;
+    mainProgram = "cpupower";
     platforms = platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/cryptodev/default.nix b/pkgs/os-specific/linux/cryptodev/default.nix
index cacef99afd748..bb3c0cdd3891c 100644
--- a/pkgs/os-specific/linux/cryptodev/default.nix
+++ b/pkgs/os-specific/linux/cryptodev/default.nix
@@ -1,4 +1,10 @@
-{ fetchFromGitHub, lib, stdenv, kernel ? false }:
+{
+  lib,
+  stdenv,
+  fetchFromGitHub,
+  fetchpatch,
+  kernel ? false,
+}:
 
 stdenv.mkDerivation rec {
   pname = "cryptodev-linux-1.13";
@@ -11,6 +17,13 @@ stdenv.mkDerivation rec {
     hash = "sha256-EzTPoKYa+XWOAa/Dk7ru02JmlymHeXVX7RMmEoJ1OT0=";
   };
 
+  patches = [
+    (fetchpatch {
+      url = "https://github.com/cryptodev-linux/cryptodev-linux/compare/cryptodev-linux-1.13...5e7121e45ff283d30097da381fd7e97c4bb61364.patch";
+      hash = "sha256-GLWpiInBrUcVhpvEjTmD5KLCrrFZnlJGnmLU0QYz+4A=";
+    })
+  ];
+
   nativeBuildInputs = kernel.moduleBuildDependencies;
   hardeningDisable = [ "pic" ];
 
diff --git a/pkgs/os-specific/linux/cryptsetup/default.nix b/pkgs/os-specific/linux/cryptsetup/default.nix
index 33edbc0a4f732..0e32966615ac1 100644
--- a/pkgs/os-specific/linux/cryptsetup/default.nix
+++ b/pkgs/os-specific/linux/cryptsetup/default.nix
@@ -14,14 +14,14 @@
 
 stdenv.mkDerivation rec {
   pname = "cryptsetup";
-  version = "2.7.0";
+  version = "2.7.1";
 
   outputs = [ "bin" "out" "dev" "man" ];
   separateDebugInfo = true;
 
   src = fetchurl {
     url = "mirror://kernel/linux/utils/cryptsetup/v${lib.versions.majorMinor version}/${pname}-${version}.tar.xz";
-    hash = "sha256-lAA6AM1agZRPRejcUp4M/Spv9im9LNIc9eV05GXa95U=";
+    hash = "sha256-2l0UGeKobgGqMv15WCzVTSCIV8tUG8ov1Cal/xqqu8M=";
   };
 
   patches = [
diff --git a/pkgs/os-specific/linux/dbus-broker/default.nix b/pkgs/os-specific/linux/dbus-broker/default.nix
index 5180917623e93..784024f8754d0 100644
--- a/pkgs/os-specific/linux/dbus-broker/default.nix
+++ b/pkgs/os-specific/linux/dbus-broker/default.nix
@@ -40,13 +40,13 @@ in
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "dbus-broker";
-  version = "35";
+  version = "36";
 
   src = fetchFromGitHub {
     owner = "bus1";
     repo = "dbus-broker";
     rev = "v${finalAttrs.version}";
-    hash = "sha256-Qwi9X5jXHiQ3TOWefzv/p7x8/JkQW1QgdYji5SpLej0=";
+    hash = "sha256-5dAMKjybqrHG57vArbtWEPR/svSj2ION75JrjvnnpVM=";
   };
 
   patches = [
diff --git a/pkgs/os-specific/linux/dbus-broker/disable-test.patch b/pkgs/os-specific/linux/dbus-broker/disable-test.patch
index 487967aea8406..14faf1907cc20 100644
--- a/pkgs/os-specific/linux/dbus-broker/disable-test.patch
+++ b/pkgs/os-specific/linux/dbus-broker/disable-test.patch
@@ -1,11 +1,14 @@
---- b/src/meson.build
-+++ a/src/meson.build
-@@ -196,9 +195,6 @@
- test_fdlist = executable('test-fdlist', ['util/test-fdlist.c'], dependencies: dep_bus)
- test('Utility File-Desciptor Lists', test_fdlist)
-
--test_fs = executable('test-fs', ['util/test-fs.c'], dependencies: dep_bus)
--test('File System Helpers', test_fs)
+diff --git a/src/meson.build b/src/meson.build
+index 4b9bc71..221ed5c 100644
+--- a/src/meson.build
++++ b/src/meson.build
+@@ -202,9 +202,6 @@ test('Error Handling', test_error, suite: 'unit')
+ test_fdlist = executable('test-fdlist', sources: ['util/test-fdlist.c'], kwargs: test_kwargs)
+ test('Utility File-Desciptor Lists', test_fdlist, suite: 'unit')
+ 
+-test_fs = executable('test-fs', sources: ['util/test-fs.c'], kwargs: test_kwargs)
+-test('File System Helpers', test_fs, suite: 'unit')
 -
- test_match = executable('test-match', ['bus/test-match.c'], dependencies: dep_bus)
- test('D-Bus Match Handling', test_match)
+ test_match = executable('test-match', sources: ['bus/test-match.c'], kwargs: test_kwargs)
+ test('D-Bus Match Handling', test_match, suite: 'unit')
+ 
diff --git a/pkgs/os-specific/linux/dcgm/default.nix b/pkgs/os-specific/linux/dcgm/default.nix
index cc9e26d2b7073..a7f3511b3f4ba 100644
--- a/pkgs/os-specific/linux/dcgm/default.nix
+++ b/pkgs/os-specific/linux/dcgm/default.nix
@@ -1,6 +1,7 @@
 { lib
 , gcc11Stdenv
 , fetchFromGitHub
+, autoAddDriverRunpath
 , catch2
 , cmake
 , cudaPackages_10_2
@@ -108,7 +109,7 @@ in gcc11Stdenv.mkDerivation rec {
     # autoAddDriverRunpath does not actually depend on or incur any dependency
     # of cudaPackages. It merely adds an impure, non-Nix PATH to the RPATHs of
     # executables that need to use cuda at runtime.
-    cudaPackages_12.autoAddDriverRunpath
+    autoAddDriverRunpath
 
     cmake
     git
diff --git a/pkgs/os-specific/linux/ddcci/default.nix b/pkgs/os-specific/linux/ddcci/default.nix
index ce435b3874f3f..4d1c9bd935581 100644
--- a/pkgs/os-specific/linux/ddcci/default.nix
+++ b/pkgs/os-specific/linux/ddcci/default.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchFromGitLab, kernel }:
+{ lib, stdenv, fetchFromGitLab, kernel, fetchpatch }:
 
 stdenv.mkDerivation rec {
   pname = "ddcci-driver";
@@ -12,6 +12,15 @@ stdenv.mkDerivation rec {
     hash = "sha256-4pCfXJcteWwU6cK8OOSph4XlhKTk289QqLxsSWY7cac=";
   };
 
+  patches = [
+    # See https://gitlab.com/ddcci-driver-linux/ddcci-driver-linux/-/merge_requests/15
+    (fetchpatch {
+      name = "fix-build-with-linux68.patch";
+      url = "https://gitlab.com/ddcci-driver-linux/ddcci-driver-linux/-/commit/3eb20df68a545d07b8501f13fa9d20e9c6f577ed.patch";
+      hash = "sha256-Y1ktYaJTd9DtT/mwDqtjt/YasW9cVm0wI43wsQhl7Bg=";
+    })
+  ];
+
   hardeningDisable = [ "pic" ];
 
   nativeBuildInputs = kernel.moduleBuildDependencies;
@@ -36,7 +45,7 @@ stdenv.mkDerivation rec {
     description = "Kernel module driver for DDC/CI monitors";
     homepage = "https://gitlab.com/ddcci-driver-linux/ddcci-driver-linux";
     license = licenses.gpl2Plus;
-    maintainers = with maintainers; [ ];
+    maintainers = with maintainers; [ kiike ];
     platforms = platforms.linux;
     broken = kernel.kernelOlder "5.1";
   };
diff --git a/pkgs/os-specific/linux/decklink/default.nix b/pkgs/os-specific/linux/decklink/default.nix
index 63bfe4a63af20..a2811ddae8a57 100644
--- a/pkgs/os-specific/linux/decklink/default.nix
+++ b/pkgs/os-specific/linux/decklink/default.nix
@@ -1,5 +1,6 @@
 { stdenv
 , lib
+, fetchpatch
 , blackmagic-desktop-video
 , kernel
 }:
@@ -17,9 +18,26 @@ stdenv.mkDerivation rec {
 
   nativeBuildInputs =  kernel.moduleBuildDependencies;
 
-  postUnpack = ''
-    tar xf Blackmagic_Desktop_Video_Linux_${lib.versions.majorMinor version}/other/${stdenv.hostPlatform.uname.processor}/desktopvideo-${version}-${stdenv.hostPlatform.uname.processor}.tar.gz
+  patches = lib.optionals (lib.versionAtLeast kernel.version "6.8") [
+    (fetchpatch {
+      name = "decklink-addMutex.patch";
+      url = "https://aur.archlinux.org/cgit/aur.git/plain/01-addMutex.patch?h=decklink&id=132ce45a76e230cbfec4a3daac237ffe9b8a377a";
+      sha256 = "sha256-YLIjO3wMrMoEZwMX5Fs9W4uRu9Xo8klzsjfhxS2wRfQ=";
+    })
+    (fetchpatch {
+      name = "decklink-changeMaxOrder.patch";
+      url = "https://aur.archlinux.org/cgit/aur.git/plain/02-changeMaxOrder.patch?h=decklink&id=132ce45a76e230cbfec4a3daac237ffe9b8a377a";
+      sha256 = "sha256-/erUVYjpTuyaQaCSzSxwKgNocxijc1uNaUjnrJEMa6g=";
+    })
+  ];
+
+
+  postUnpack = let
+    arch = stdenv.hostPlatform.uname.processor;
+  in ''
+    tar xf Blackmagic_Desktop_Video_Linux_${lib.head (lib.splitString "a" version)}/other/${arch}/desktopvideo-${version}-${arch}.tar.gz
     moduleRoot=$NIX_BUILD_TOP/desktopvideo-${version}-${stdenv.hostPlatform.uname.processor}/usr/src
+    sourceRoot=$moduleRoot
   '';
 
 
diff --git a/pkgs/os-specific/linux/device-tree/default.nix b/pkgs/os-specific/linux/device-tree/default.nix
index 1a50d799b4b12..a15a9e32137cd 100644
--- a/pkgs/os-specific/linux/device-tree/default.nix
+++ b/pkgs/os-specific/linux/device-tree/default.nix
@@ -32,7 +32,7 @@ with lib; {
     in ''
       mkdir -p $out
       cd "${base}"
-      find . -type f -name '*.dtb' -print0 \
+      find -L . -type f -name '*.dtb' -print0 \
         | xargs -0 cp -v --no-preserve=mode --target-directory "$out" --parents
 
       for dtb in $(find "$out" -type f -name '*.dtb'); do
diff --git a/pkgs/os-specific/linux/digimend/default.nix b/pkgs/os-specific/linux/digimend/default.nix
index 11756dcbe85cd..a30d7cbe3a32a 100644
--- a/pkgs/os-specific/linux/digimend/default.nix
+++ b/pkgs/os-specific/linux/digimend/default.nix
@@ -1,14 +1,19 @@
-{ lib, stdenv, fetchFromGitHub, kernel }:
+{
+  lib,
+  stdenv,
+  fetchFromGitHub,
+  kernel,
+}:
 
 stdenv.mkDerivation rec {
   pname = "digimend";
-  version = "unstable-2023-05-03";
+  version = "13";
 
   src = fetchFromGitHub {
     owner = "digimend";
     repo = "digimend-kernel-drivers";
-    rev = "eca6e1b701bffb80a293234a485ebf6b4bc85562";
-    hash = "sha256-0mjIUgHvbNcVQVzU3xzaloe5R41a4eknDhdhruJH+6c=";
+    rev = "v${version}";
+    hash = "sha256-YYCxTyoZGMnqC2nKkRi5Z1uofldGvJDGY2/sO9iMNIo=";
   };
 
   postPatch = ''
diff --git a/pkgs/os-specific/linux/dmidecode/default.nix b/pkgs/os-specific/linux/dmidecode/default.nix
index f09dec758f740..3bfaad303516a 100644
--- a/pkgs/os-specific/linux/dmidecode/default.nix
+++ b/pkgs/os-specific/linux/dmidecode/default.nix
@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   pname = "dmidecode";
-  version = "3.5";
+  version = "3.6";
 
   src = fetchurl {
     url = "mirror://savannah/dmidecode/dmidecode-${version}.tar.xz";
-    sha256 = "sha256-eddnNe6OJRluKnIpZM+Wg/WglYFQNTeISyVrATicwHM=";
+    sha256 = "sha256-5Axl8+w9r+Ma2DSaTvGpcSLTj2UATtZldeGo1XXdi64=";
   };
 
   makeFlags = [
@@ -19,6 +19,6 @@ stdenv.mkDerivation rec {
     description = "A tool that reads information about your system's hardware from the BIOS according to the SMBIOS/DMI standard";
     license = licenses.gpl2Plus;
     platforms = platforms.linux;
-    maintainers = with maintainers; [ delroth ];
+    maintainers = with maintainers; [ ];
   };
 }
diff --git a/pkgs/os-specific/linux/dpdk-kmods/default.nix b/pkgs/os-specific/linux/dpdk-kmods/default.nix
index 1dc026125c3dd..ec5fda7aa4195 100644
--- a/pkgs/os-specific/linux/dpdk-kmods/default.nix
+++ b/pkgs/os-specific/linux/dpdk-kmods/default.nix
@@ -32,6 +32,5 @@ stdenv.mkDerivation rec {
     license = licenses.gpl2Only;
     maintainers = [ maintainers.mic92 ];
     platforms = platforms.linux;
-    broken = kernel.isHardened;
   };
 }
diff --git a/pkgs/os-specific/linux/drbd/driver.nix b/pkgs/os-specific/linux/drbd/driver.nix
new file mode 100644
index 0000000000000..106bcf71cd98c
--- /dev/null
+++ b/pkgs/os-specific/linux/drbd/driver.nix
@@ -0,0 +1,68 @@
+{ stdenv, lib, fetchurl, kernel, flex, coccinelle, python3 }:
+
+stdenv.mkDerivation rec {
+  name = "drbd-${version}-${kernel.version}";
+  version = "9.2.8";
+
+  src = fetchurl {
+    url = "https://pkg.linbit.com//downloads/drbd/9/drbd-${version}.tar.gz";
+    hash = "sha256-LqK1lPucab7wKvcB4VKGdvBIq+K9XtuO2m0DP5XtK3M=";
+  };
+
+  hardeningDisable = [ "pic" ];
+
+  nativeBuildInputs = [
+    kernel.moduleBuildDependencies
+    flex
+    coccinelle
+    python3
+  ];
+
+  makeFlags = [
+    "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+    "SPAAS=false"
+  ];
+
+  # 6.4 and newer provide a in-tree version of the handshake module https://www.kernel.org/doc/html/v6.4/networking/tls-handshake.html
+  installPhase = ''
+    runHook preInstall
+    install -D drbd/drbd.ko -t $out/lib/modules/${kernel.modDirVersion}/kernel/drivers/block/drbd9
+    install -D drbd/drbd_transport_tcp.ko -t $out/lib/modules/${kernel.modDirVersion}/kernel/drivers/block/drbd9
+    install -D drbd/drbd_transport_lb-tcp.ko -t $out/lib/modules/${kernel.modDirVersion}/kernel/drivers/block/drbd9
+    install -D drbd/drbd_transport_rdma.ko -t $out/lib/modules/${kernel.modDirVersion}/kernel/drivers/block/drbd9
+    ${lib.optionalString (lib.versionOlder kernel.version "6.4") ''
+      install -D drbd/drbd-kernel-compat/handshake/handshake.ko -t $out/lib/modules/${kernel.modDirVersion}/kernel/drivers/block/drbd9
+    ''}
+    runHook postInstall
+  '';
+
+  postPatch = ''
+    patchShebangs .
+    substituteInPlace Makefile --replace 'SHELL=/bin/bash' 'SHELL=${builtins.getEnv "SHELL"}'
+  '';
+
+  # builder.pl had complained about the same file (drbd.ko.xz) provided by two different packages
+  # builder.pl also had complained about different permissions between the files from the two packages
+  # The compression is required because the kernel has the CONFIG_MODULE_COMPRESS_XZ option enabled
+  postFixup = ''
+    for ko in $out/lib/modules/${kernel.modDirVersion}/kernel/drivers/block/drbd9/*.ko; do
+      xz --compress -6 --threads=0 $ko
+      chmod 0444 $ko.xz
+    done
+  '';
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    homepage = "https://github.com/LINBIT/drbd";
+    description = "LINBIT DRBD kernel module";
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ birkb ];
+    longDescription = ''
+       DRBD is a software-based, shared-nothing, replicated storage solution
+       mirroring the content of block devices (hard disks, partitions, logical volumes, and so on) between hosts.
+    '';
+    broken = lib.versionAtLeast kernel.version "6.8"; # wait until next DRBD release for 6.8 support https://github.com/LINBIT/drbd/issues/87#issuecomment-2059323084
+  };
+}
diff --git a/pkgs/os-specific/linux/drbd/default.nix b/pkgs/os-specific/linux/drbd/utils.nix
index 0c5acd0ac0645..ad50c2c3e50a5 100644
--- a/pkgs/os-specific/linux/drbd/default.nix
+++ b/pkgs/os-specific/linux/drbd/utils.nix
@@ -10,7 +10,9 @@
 , libxslt
 , nixosTests
 , perl
+, perlPackages
 , systemd
+, keyutils
 
 # drbd-utils are compiled twice, once with forOCF = true to extract
 # its OCF definitions for use in the ocf-resource-agents derivation,
@@ -22,11 +24,11 @@
 
 stdenv.mkDerivation rec {
   pname = "drbd";
-  version = "9.19.1";
+  version = "9.27.0";
 
   src = fetchurl {
     url = "https://pkg.linbit.com/downloads/drbd/utils/${pname}-utils-${version}.tar.gz";
-    sha256 = "1l99kcrb0j85wxxmrdihpx9bk1a4sdi7wlp5m1x5l24k8ck1m5cf";
+    sha256 = "1qwdrjrgas8z8vc6c85xcrqaczjwyqd61yig01n44wa5z0j3v4aq";
   };
 
   nativeBuildInputs = [
@@ -34,11 +36,12 @@ stdenv.mkDerivation rec {
     libxslt
     docbook_xsl
     asciidoctor
+    keyutils
   ];
 
   buildInputs = [
     perl
-    # perlPackages.Po4a used by ja documentation
+    perlPackages.Po4a
   ];
 
   configureFlags = [
@@ -123,6 +126,10 @@ stdenv.mkDerivation rec {
     description = "Distributed Replicated Block Device, a distributed storage system for Linux (userspace utilities)";
     license = licenses.gpl2Plus;
     platforms = platforms.linux;
-    maintainers = with maintainers; [ ryantm astro ];
+    maintainers = with maintainers; [ ryantm astro birkb ];
+    longDescription = ''
+       DRBD is a software-based, shared-nothing, replicated storage solution
+       mirroring the content of block devices (hard disks, partitions, logical volumes, and so on) between hosts.
+    '';
   };
 }
diff --git a/pkgs/os-specific/linux/earlyoom/default.nix b/pkgs/os-specific/linux/earlyoom/default.nix
deleted file mode 100644
index d1d95b4d3f959..0000000000000
--- a/pkgs/os-specific/linux/earlyoom/default.nix
+++ /dev/null
@@ -1,38 +0,0 @@
-{ lib, stdenv, fetchFromGitHub, pandoc, installShellFiles, withManpage ? false, nixosTests }:
-
-stdenv.mkDerivation rec {
-  pname = "earlyoom";
-  version = "1.7";
-
-  src = fetchFromGitHub {
-    owner = "rfjakob";
-    repo = "earlyoom";
-    rev = "v${version}";
-    sha256 = "sha256-8YcT1TTlAet7F1U9Ginda4IApNqkudegOXqm8rnRGfc=";
-  };
-
-  nativeBuildInputs = lib.optionals withManpage [ pandoc installShellFiles ];
-
-  patches = [ ./fix-dbus-path.patch ];
-
-  makeFlags = [ "VERSION=${version}" ];
-
-  installPhase = ''
-    install -D earlyoom $out/bin/earlyoom
-  '' + lib.optionalString withManpage ''
-    installManPage earlyoom.1
-  '';
-
-  passthru.tests = {
-    inherit (nixosTests) earlyoom;
-  };
-
-  meta = with lib; {
-    description = "Early OOM Daemon for Linux";
-    mainProgram = "earlyoom";
-    homepage = "https://github.com/rfjakob/earlyoom";
-    license = licenses.mit;
-    platforms = platforms.linux;
-    maintainers = with maintainers; [];
-  };
-}
diff --git a/pkgs/os-specific/linux/earlyoom/fix-dbus-path.patch b/pkgs/os-specific/linux/earlyoom/fix-dbus-path.patch
deleted file mode 100644
index e1c10cf82f96e..0000000000000
--- a/pkgs/os-specific/linux/earlyoom/fix-dbus-path.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- a/kill.c
-+++ b/kill.c
-@@ -55,7 +55,7 @@ static void notify(const char* summary, const char* body)
-     }
-     // Complete command line looks like this:
-     // dbus-send --system / net.nuetzlich.SystemNotifications.Notify 'string:summary text' 'string:and body text'
--    execl("/usr/bin/dbus-send", "dbus-send", "--system", "/", "net.nuetzlich.SystemNotifications.Notify",
-+    execlp("dbus-send", "dbus-send", "--system", "/", "net.nuetzlich.SystemNotifications.Notify",
-         summary2, body2, NULL);
-     warn("notify: exec failed: %s\n", strerror(errno));
-     exit(1);
diff --git a/pkgs/os-specific/linux/ell/default.nix b/pkgs/os-specific/linux/ell/default.nix
index 9175f477bd607..9c16a341a478f 100644
--- a/pkgs/os-specific/linux/ell/default.nix
+++ b/pkgs/os-specific/linux/ell/default.nix
@@ -9,14 +9,14 @@
 
 stdenv.mkDerivation rec {
   pname = "ell";
-  version = "0.63";
+  version = "0.64";
 
   outputs = [ "out" "dev" ];
 
   src = fetchgit {
     url = "https://git.kernel.org/pub/scm/libs/ell/ell.git";
     rev = version;
-    hash = "sha256-husK3eurfL1NhRHgJUdFP6sYLqeZ4NSHa/tU8PUWmGo=";
+    hash = "sha256-LONfgFgPg8KCDwtw//WTOYQT9RpnIskdHAWcgafOhcg=";
   };
 
   nativeBuildInputs = [
@@ -50,6 +50,6 @@ stdenv.mkDerivation rec {
     changelog = "https://git.kernel.org/pub/scm/libs/ell/ell.git/tree/ChangeLog?h=${version}";
     license = licenses.lgpl21Plus;
     platforms = platforms.linux;
-    maintainers = with maintainers; [ mic92 dtzWill amaxine ];
+    maintainers = with maintainers; [ mic92 dtzWill ];
   };
 }
diff --git a/pkgs/os-specific/linux/ena/default.nix b/pkgs/os-specific/linux/ena/default.nix
index b6ed869a71f52..9ce71745cdcfd 100644
--- a/pkgs/os-specific/linux/ena/default.nix
+++ b/pkgs/os-specific/linux/ena/default.nix
@@ -1,14 +1,14 @@
 { lib, stdenv, fetchFromGitHub, kernel }:
 
 stdenv.mkDerivation rec {
-  version = "2.8.9";
+  version = "2.12.0";
   name = "ena-${version}-${kernel.version}";
 
   src = fetchFromGitHub {
     owner = "amzn";
     repo = "amzn-drivers";
     rev = "ena_linux_${version}";
-    hash = "sha256-9Csrq9wM7Q99qPj7+NlnQgP6KcciNHMbAAb+Wg7eYAU=";
+    hash = "sha256-Z/eeIUY7Yl2l/IqK3Z2nxPhn+JLvP976IZ9ZXPBqoSo=";
   };
 
   hardeningDisable = [ "pic" ];
@@ -19,6 +19,12 @@ stdenv.mkDerivation rec {
   # linux 3.12
   env.NIX_CFLAGS_COMPILE = "-Wno-error=implicit-function-declaration";
 
+  patches = [
+    # Use kernel version checks instead of API feature detection
+    # See https://github.com/NixOS/nixpkgs/pull/310680
+    ./override-features-api-detection.patch
+  ];
+
   configurePhase = ''
     runHook preConfigure
     cd kernel/linux/ena
diff --git a/pkgs/os-specific/linux/ena/override-features-api-detection.patch b/pkgs/os-specific/linux/ena/override-features-api-detection.patch
new file mode 100644
index 0000000000000..099530b121717
--- /dev/null
+++ b/pkgs/os-specific/linux/ena/override-features-api-detection.patch
@@ -0,0 +1,55 @@
+diff --git a/kernel/linux/ena/kcompat.h b/kernel/linux/ena/kcompat.h
+index 32a9cc5..8d39362 100644
+--- a/kernel/linux/ena/kcompat.h
++++ b/kernel/linux/ena/kcompat.h
+@@ -888,21 +888,6 @@ xdp_prepare_buff(struct xdp_buff *xdp, unsigned char *hard_start,
+ #define ENA_XDP_XMIT_FREES_FAILED_DESCS_INTERNALLY
+ #endif
+ 
+-#if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 15, 0) && \
+-	!(LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 188) && \
+-	 LINUX_VERSION_CODE < KERNEL_VERSION(5, 11, 0)) && \
+-	!(LINUX_VERSION_CODE >= KERNEL_VERSION(5, 4, 251) && \
+-	 LINUX_VERSION_CODE < KERNEL_VERSION(5, 5, 0))) && \
+-	!(defined(RHEL_RELEASE_CODE) && RHEL_RELEASE_CODE >= RHEL_RELEASE_VERSION(8, 6)) && \
+-	!(defined(SUSE_VERSION) && (SUSE_VERSION == 15 && SUSE_PATCHLEVEL >= 4)) && \
+-	!(defined(SUSE_VERSION) && (SUSE_VERSION == 15 && SUSE_PATCHLEVEL == 3) && \
+-	  ENA_KERNEL_VERSION_GTE(5, 3, 18, 150300, 59, 43))
+-static inline void eth_hw_addr_set(struct net_device *dev, const u8 *addr)
+-{
+-	memcpy(dev->dev_addr, addr, ETH_ALEN);
+-}
+-#endif
+-
+ #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 15, 0) || \
+ 	(defined(RHEL_RELEASE_CODE) && \
+ 	RHEL_RELEASE_CODE >= RHEL_RELEASE_VERSION(8, 6) && \
+@@ -1112,7 +1097,7 @@ static inline void ena_dma_unmap_page_attrs(struct device *dev,
+ #define pci_dev_id(pdev) ((((u16)(pdev->bus->number)) << 8) | (pdev->devfn))
+ #endif /* ENA_HAVE_PCI_DEV_ID */
+ 
+-#ifndef ENA_HAVE_XDP_DO_FLUSH
++#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 6, 0)
+ #define xdp_do_flush xdp_do_flush_map
+ #endif /* ENA_HAVE_XDP_DO_FLUSH */
+ 
+@@ -1147,15 +1132,15 @@ static inline unsigned int cpumask_local_spread(unsigned int i, int node)
+ }
+ #endif /* ENA_HAVE_CPUMASK_LOCAL_SPREAD */
+ 
+-#ifndef ENA_HAVE_UPDATE_AFFINITY_HINT
++#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 17, 0)
+ static inline int irq_update_affinity_hint(unsigned int irq, const struct cpumask *m)
+ {
+ 	return 0;
+ }
+-#endif /* ENA_HAVE_UPDATE_AFFINITY_HINT */
++#endif /* LINUX_VERSION_CODE < KERNEL_VERSION(5.17.0) */
+ 
+-#ifndef ENA_HAVE_ETHTOOL_PUTS
++#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 8, 0)
+ #define ethtool_puts ethtool_sprintf
+-#endif /* ENA_HAVE_ETHTOOL_PUTS */
++#endif
+ 
+ #endif /* _KCOMPAT_H_ */
diff --git a/pkgs/os-specific/linux/ethq/default.nix b/pkgs/os-specific/linux/ethq/default.nix
index 5936447ac9351..581382e4faf2d 100644
--- a/pkgs/os-specific/linux/ethq/default.nix
+++ b/pkgs/os-specific/linux/ethq/default.nix
@@ -28,6 +28,6 @@ stdenv.mkDerivation rec {
     homepage = "https://github.com/isc-projects/ethq";
     license = licenses.mpl20;
     platforms = platforms.linux;
-    maintainers = with maintainers; [ delroth ];
+    maintainers = with maintainers; [ ];
   };
 }
diff --git a/pkgs/os-specific/linux/evdi/default.nix b/pkgs/os-specific/linux/evdi/default.nix
index 059c7891a52be..25a82b1806ca5 100644
--- a/pkgs/os-specific/linux/evdi/default.nix
+++ b/pkgs/os-specific/linux/evdi/default.nix
@@ -13,13 +13,13 @@ let
 in
 stdenv.mkDerivation (finalAttrs: {
   pname = "evdi";
-  version = "1.14.1-unstable-2024-01-30";
+  version = "1.14.4";
 
   src = fetchFromGitHub {
     owner = "DisplayLink";
     repo = "evdi";
-    rev = "d21a6ea3c69ba180457966a04b6545d321cf46ca";
-    hash = "sha256-Txa9yX9h3GfmHRRNvhrfrsUoQhqRWbBt4gJYAZTNe0w=";
+    rev = "refs/tags/v${finalAttrs.version}";
+    hash = "sha256-+T2shA6n+A0c20+/ZZoXmspH7uPdIRaHT1Cj7BxpL+U=";
   };
 
   env.NIX_CFLAGS_COMPILE = toString [
@@ -54,7 +54,7 @@ stdenv.mkDerivation (finalAttrs: {
 
   meta = with lib; {
     broken = kernel.kernelOlder "4.19";
-    changelog = "https://github.com/DisplayLink/evdi/releases/tag/v${version}";
+    changelog = "https://github.com/DisplayLink/evdi/releases/tag/v${finalAttrs.version}";
     description = "Extensible Virtual Display Interface";
     homepage = "https://www.displaylink.com/";
     license = with licenses; [ lgpl21Only gpl2Only ];
diff --git a/pkgs/os-specific/linux/facetimehd/default.nix b/pkgs/os-specific/linux/facetimehd/default.nix
index 30d232f6eb88e..ceba075758a6a 100644
--- a/pkgs/os-specific/linux/facetimehd/default.nix
+++ b/pkgs/os-specific/linux/facetimehd/default.nix
@@ -2,7 +2,7 @@
 
 stdenv.mkDerivation rec {
   name = "facetimehd-${version}-${kernel.version}";
-  version = "0.6.8";
+  version = "0.6.8.1";
 
   # Note: When updating this revision:
   # 1. Also update pkgs/os-specific/linux/firmware/facetimehd-firmware/
@@ -18,7 +18,7 @@ stdenv.mkDerivation rec {
     owner = "patjak";
     repo = "facetimehd";
     rev = version;
-    sha256 = "sha256-Tze85Hx1YmStAKenmF/S1JuMDq5eVjBcs3LSWXjyE7w=";
+    sha256 = "sha256-h5Erga2hlDIWdDKQbkmkLY1aNCibFM7SVSnxVcoToaM=";
   };
 
   preConfigure = ''
diff --git a/pkgs/os-specific/linux/ffado/default.nix b/pkgs/os-specific/linux/ffado/default.nix
index dfa974e3e683c..610f9d31353e2 100644
--- a/pkgs/os-specific/linux/ffado/default.nix
+++ b/pkgs/os-specific/linux/ffado/default.nix
@@ -8,7 +8,6 @@
 , fetchurl
 , fetchpatch
 , glibmm
-, kernel
 , libavc1394
 , libconfig
 , libiec61883
@@ -22,7 +21,6 @@
 }:
 
 let
-  inherit (python3.pkgs) pyqt5 dbus-python;
   python = python3.withPackages (pkgs: with pkgs; [ pyqt5 dbus-python ]);
 in
 mkDerivation rec {
@@ -61,7 +59,7 @@ mkDerivation rec {
     pkg-config
     which
     python
-    pyqt5
+    python3.pkgs.pyqt5
     wrapQtAppsHook
   ];
 
diff --git a/pkgs/os-specific/linux/firmware/firmware-manager/default.nix b/pkgs/os-specific/linux/firmware/firmware-manager/default.nix
index af455e7ef61fa..1682f16c39035 100644
--- a/pkgs/os-specific/linux/firmware/firmware-manager/default.nix
+++ b/pkgs/os-specific/linux/firmware/firmware-manager/default.nix
@@ -8,7 +8,7 @@
 , openssl
 , udev
 , gtk3
-, wrapGAppsHook
+, wrapGAppsHook3
 }:
 
 stdenv.mkDerivation rec {
@@ -39,7 +39,7 @@ stdenv.mkDerivation rec {
     rustc
     pkg-config
     rustPlatform.cargoSetupHook
-    wrapGAppsHook
+    wrapGAppsHook3
   ];
 
   buildInputs = [
@@ -53,7 +53,8 @@ stdenv.mkDerivation rec {
   meta = {
     description = "Graphical frontend for firmware management";
     homepage = "https://github.com/pop-os/firmware-manager";
-    license = lib.licenses.gpl3;
+    license = with lib.licenses; [ gpl3Plus cc0 ];
+    mainProgram = "com.system76.FirmwareManager";
     maintainers = [ lib.maintainers.shlevy ];
     platforms = lib.platforms.linux;
   };
diff --git a/pkgs/os-specific/linux/firmware/firmware-updater/default.nix b/pkgs/os-specific/linux/firmware/firmware-updater/default.nix
index 98b9ff5d33881..952139bb35e20 100644
--- a/pkgs/os-specific/linux/firmware/firmware-updater/default.nix
+++ b/pkgs/os-specific/linux/firmware/firmware-updater/default.nix
@@ -6,10 +6,16 @@
 
 flutter.buildFlutterApplication rec {
   pname = "firmware-updater";
-  version = "unstable-2023-09-17";
+  version = "unstable-2024-18-04";
 
   pubspecLock = lib.importJSON ./pubspec.lock.json;
 
+  patches = [
+    ./upgrade-file.patch
+  ];
+
+  sourceRoot = "./source/packages/firmware_updater";
+
   gitHashes = {
     fwupd = "sha256-l/+HrrJk1mE2Mrau+NmoQ7bu9qhHU6wX68+m++9Hjd4=";
   };
@@ -17,23 +23,10 @@ flutter.buildFlutterApplication rec {
   src = fetchFromGitHub {
     owner = "canonical";
     repo = "firmware-updater";
-    rev = "855999da8d3d0c9930e06f2d296d82b55aeff79e";
-    hash = "sha256-tIeEuHl+sCKd756NYPmxXiV1Sg2m9W0eGUtM/Iskeu8=";
+    rev = "e48bb3f693e5d76656a3e7bbc07be0fcbfa19f23";
+    hash = "sha256-SO3sDIsJCK4Sh51pXO4u6WX4zcFa6jQYu9E+WtVrjDE=";
   };
 
-  postPatch = ''
-    rm -f pubspec.lock
-    ln -s "${writeText "${pname}-overrides.yaml" (builtins.toJSON {
-      dependency_overrides = {
-        yaru = "^1.1.0";
-        yaru_icons = "^2.2.1";
-        yaru_widgets = "^3.1.0";
-        mockito = "^5.4.2";
-        test_api = "^0.6.1";
-      };
-    })}" pubspec_overrides.yaml
-  '';
-
   meta = with lib; {
     description = "Firmware Updater for Linux";
     mainProgram = "firmware-updater";
diff --git a/pkgs/os-specific/linux/firmware/firmware-updater/pubspec.lock.json b/pkgs/os-specific/linux/firmware/firmware-updater/pubspec.lock.json
index 0ad3deb2394eb..2212f02278688 100644
--- a/pkgs/os-specific/linux/firmware/firmware-updater/pubspec.lock.json
+++ b/pkgs/os-specific/linux/firmware/firmware-updater/pubspec.lock.json
@@ -20,25 +20,15 @@
       "source": "hosted",
       "version": "5.13.0"
     },
-    "ansi_styles": {
-      "dependency": "transitive",
-      "description": {
-        "name": "ansi_styles",
-        "sha256": "9c656cc12b3c27b17dd982b2cc5c0cfdfbdabd7bc8f3ae5e8542d9867b47ce8a",
-        "url": "https://pub.dev"
-      },
-      "source": "hosted",
-      "version": "0.3.2+1"
-    },
     "args": {
       "dependency": "transitive",
       "description": {
         "name": "args",
-        "sha256": "eef6c46b622e0494a36c5a12d10d77fb4e855501a91c1b9ef9339326e58f0596",
+        "sha256": "7cf60b9f0cc88203c5a190b4cd62a99feea42759a7fa695010eb5de1c0b2252a",
         "url": "https://pub.dev"
       },
       "source": "hosted",
-      "version": "2.4.2"
+      "version": "2.5.0"
     },
     "async": {
       "dependency": "transitive",
@@ -84,31 +74,31 @@
       "dependency": "transitive",
       "description": {
         "name": "build_daemon",
-        "sha256": "5f02d73eb2ba16483e693f80bee4f088563a820e47d1027d4cdfe62b5bb43e65",
+        "sha256": "0343061a33da9c5810b2d6cee51945127d8f4c060b7fbdd9d54917f0a3feaaa1",
         "url": "https://pub.dev"
       },
       "source": "hosted",
-      "version": "4.0.0"
+      "version": "4.0.1"
     },
     "build_resolvers": {
       "dependency": "transitive",
       "description": {
         "name": "build_resolvers",
-        "sha256": "6c4dd11d05d056e76320b828a1db0fc01ccd376922526f8e9d6c796a5adbac20",
+        "sha256": "339086358431fa15d7eca8b6a36e5d783728cf025e559b834f4609a1fcfb7b0a",
         "url": "https://pub.dev"
       },
       "source": "hosted",
-      "version": "2.2.1"
+      "version": "2.4.2"
     },
     "build_runner": {
       "dependency": "direct dev",
       "description": {
         "name": "build_runner",
-        "sha256": "10c6bcdbf9d049a0b666702cf1cee4ddfdc38f02a19d35ae392863b47519848b",
+        "sha256": "3ac61a79bfb6f6cc11f693591063a7f19a7af628dc52f141743edac5c16e8c22",
         "url": "https://pub.dev"
       },
       "source": "hosted",
-      "version": "2.4.6"
+      "version": "2.4.9"
     },
     "build_runner_core": {
       "dependency": "transitive",
@@ -134,11 +124,11 @@
       "dependency": "transitive",
       "description": {
         "name": "built_value",
-        "sha256": "ff627b645b28fb8bdb69e645f910c2458fd6b65f6585c3a53e0626024897dedf",
+        "sha256": "c7913a9737ee4007efedaffc968c049fd0f3d0e49109e778edc10de9426005cb",
         "url": "https://pub.dev"
       },
       "source": "hosted",
-      "version": "8.6.2"
+      "version": "8.9.2"
     },
     "characters": {
       "dependency": "transitive",
@@ -150,16 +140,6 @@
       "source": "hosted",
       "version": "1.3.0"
     },
-    "charcode": {
-      "dependency": "transitive",
-      "description": {
-        "name": "charcode",
-        "sha256": "fb98c0f6d12c920a02ee2d998da788bca066ca5f148492b7085ee23372b12306",
-        "url": "https://pub.dev"
-      },
-      "source": "hosted",
-      "version": "1.3.1"
-    },
     "checked_yaml": {
       "dependency": "transitive",
       "description": {
@@ -170,26 +150,6 @@
       "source": "hosted",
       "version": "2.0.3"
     },
-    "cli_launcher": {
-      "dependency": "transitive",
-      "description": {
-        "name": "cli_launcher",
-        "sha256": "5e7e0282b79e8642edd6510ee468ae2976d847a0a29b3916e85f5fa1bfe24005",
-        "url": "https://pub.dev"
-      },
-      "source": "hosted",
-      "version": "0.3.1"
-    },
-    "cli_util": {
-      "dependency": "transitive",
-      "description": {
-        "name": "cli_util",
-        "sha256": "b8db3080e59b2503ca9e7922c3df2072cf13992354d5e944074ffa836fba43b7",
-        "url": "https://pub.dev"
-      },
-      "source": "hosted",
-      "version": "0.4.0"
-    },
     "clock": {
       "dependency": "transitive",
       "description": {
@@ -204,31 +164,21 @@
       "dependency": "transitive",
       "description": {
         "name": "code_builder",
-        "sha256": "4ad01d6e56db961d29661561effde45e519939fdaeb46c351275b182eac70189",
+        "sha256": "f692079e25e7869c14132d39f223f8eec9830eb76131925143b2129c4bb01b37",
         "url": "https://pub.dev"
       },
       "source": "hosted",
-      "version": "4.5.0"
+      "version": "4.10.0"
     },
     "collection": {
       "dependency": "direct main",
       "description": {
         "name": "collection",
-        "sha256": "f092b211a4319e98e5ff58223576de6c2803db36221657b46c82574721240687",
+        "sha256": "ee67cb0715911d28db6bf4af1026078bd6f0128b07a5f66fb2ed94ec6783c09a",
         "url": "https://pub.dev"
       },
       "source": "hosted",
-      "version": "1.17.2"
-    },
-    "conventional_commit": {
-      "dependency": "transitive",
-      "description": {
-        "name": "conventional_commit",
-        "sha256": "dec15ad1118f029c618651a4359eb9135d8b88f761aa24e4016d061cd45948f2",
-        "url": "https://pub.dev"
-      },
-      "source": "hosted",
-      "version": "0.6.0+1"
+      "version": "1.18.0"
     },
     "convert": {
       "dependency": "transitive",
@@ -274,31 +224,31 @@
       "dependency": "direct main",
       "description": {
         "name": "dbus",
-        "sha256": "6f07cba3f7b3448d42d015bfd3d53fe12e5b36da2423f23838efc1d5fb31a263",
+        "sha256": "365c771ac3b0e58845f39ec6deebc76e3276aa9922b0cc60840712094d9047ac",
         "url": "https://pub.dev"
       },
       "source": "hosted",
-      "version": "0.7.8"
+      "version": "0.7.10"
     },
     "diacritic": {
       "dependency": "transitive",
       "description": {
         "name": "diacritic",
-        "sha256": "a84e03ec2779375fb86430dbe9d8fba62c68376f2499097a5f6e75556babe706",
+        "sha256": "96db5db6149cbe4aa3cfcbfd170aca9b7648639be7e48025f9d458517f807fe4",
         "url": "https://pub.dev"
       },
       "source": "hosted",
-      "version": "0.1.4"
+      "version": "0.1.5"
     },
     "dio": {
       "dependency": "direct main",
       "description": {
         "name": "dio",
-        "sha256": "7d328c4d898a61efc3cd93655a0955858e29a0aa647f0f9e02d59b3bb275e2e8",
+        "sha256": "11e40df547d418cc0c4900a9318b26304e665da6fa4755399a9ff9efd09034b5",
         "url": "https://pub.dev"
       },
       "source": "hosted",
-      "version": "4.0.6"
+      "version": "5.4.3+1"
     },
     "fake_async": {
       "dependency": "transitive",
@@ -314,21 +264,21 @@
       "dependency": "transitive",
       "description": {
         "name": "ffi",
-        "sha256": "7bf0adc28a23d395f19f3f1eb21dd7cfd1dd9f8e1c50051c069122e6853bc878",
+        "sha256": "493f37e7df1804778ff3a53bd691d8692ddf69702cf4c1c1096a2e41b4779e21",
         "url": "https://pub.dev"
       },
       "source": "hosted",
-      "version": "2.1.0"
+      "version": "2.1.2"
     },
     "file": {
       "dependency": "direct main",
       "description": {
         "name": "file",
-        "sha256": "1b92bec4fc2a72f59a8e15af5f52cd441e4a7860b49499d69dfa817af20e925d",
+        "sha256": "5fc22d7c25582e38ad9a8515372cd9a93834027aacf1801cf01164dac0ffa08c",
         "url": "https://pub.dev"
       },
       "source": "hosted",
-      "version": "6.1.4"
+      "version": "7.0.0"
     },
     "fixnum": {
       "dependency": "transitive",
@@ -363,14 +313,14 @@
       "version": "3.0.0-beta.2"
     },
     "flutter_lints": {
-      "dependency": "direct dev",
+      "dependency": "transitive",
       "description": {
         "name": "flutter_lints",
-        "sha256": "2118df84ef0c3ca93f96123a616ae8540879991b8b57af2f81b76a7ada49b2a4",
+        "sha256": "9e8c3858111da373efc5aa341de011d9bd23e2c5c5e0c62bccf32438e192d7b1",
         "url": "https://pub.dev"
       },
       "source": "hosted",
-      "version": "2.0.2"
+      "version": "3.0.2"
     },
     "flutter_localizations": {
       "dependency": "direct main",
@@ -382,21 +332,21 @@
       "dependency": "transitive",
       "description": {
         "name": "flutter_markdown",
-        "sha256": "2b206d397dd7836ea60035b2d43825c8a303a76a5098e66f42d55a753e18d431",
+        "sha256": "04c4722cc36ec5af38acc38ece70d22d3c2123c61305d555750a091517bbe504",
         "url": "https://pub.dev"
       },
       "source": "hosted",
-      "version": "0.6.17+1"
+      "version": "0.6.23"
     },
     "flutter_svg": {
       "dependency": "transitive",
       "description": {
         "name": "flutter_svg",
-        "sha256": "8c5d68a82add3ca76d792f058b186a0599414f279f00ece4830b9b231b570338",
+        "sha256": "7b4ca6cf3304575fe9c8ec64813c8d02ee41d2afe60bcfe0678bcb5375d596a2",
         "url": "https://pub.dev"
       },
       "source": "hosted",
-      "version": "2.0.7"
+      "version": "2.0.10+1"
     },
     "flutter_test": {
       "dependency": "direct dev",
@@ -414,11 +364,11 @@
       "dependency": "direct dev",
       "description": {
         "name": "freezed",
-        "sha256": "2df89855fe181baae3b6d714dc3c4317acf4fccd495a6f36e5e00f24144c6c3b",
+        "sha256": "a434911f643466d78462625df76fd9eb13e57348ff43fe1f77bbe909522c67a1",
         "url": "https://pub.dev"
       },
       "source": "hosted",
-      "version": "2.4.1"
+      "version": "2.5.2"
     },
     "freezed_annotation": {
       "dependency": "direct main",
@@ -434,11 +384,11 @@
       "dependency": "transitive",
       "description": {
         "name": "frontend_server_client",
-        "sha256": "408e3ca148b31c20282ad6f37ebfa6f4bdc8fede5b74bc2f08d9d92b55db3612",
+        "sha256": "f64a0333a82f30b0cca061bc3d143813a486dc086b574bfb233b7c1372427694",
         "url": "https://pub.dev"
       },
       "source": "hosted",
-      "version": "3.2.0"
+      "version": "4.0.0"
     },
     "fuchsia_remote_debug_protocol": {
       "dependency": "transitive",
@@ -461,11 +411,11 @@
       "dependency": "transitive",
       "description": {
         "name": "get_it",
-        "sha256": "529de303c739fca98cd7ece5fca500d8ff89649f1bb4b4e94fb20954abcd7468",
+        "sha256": "d85128a5dae4ea777324730dc65edd9c9f43155c109d5cc0a69cab74139fbac1",
         "url": "https://pub.dev"
       },
       "source": "hosted",
-      "version": "7.6.0"
+      "version": "7.7.0"
     },
     "glob": {
       "dependency": "transitive",
@@ -521,11 +471,11 @@
       "dependency": "transitive",
       "description": {
         "name": "http",
-        "sha256": "759d1a329847dd0f39226c688d3e06a6b8679668e350e2891a6474f8b4bb8525",
+        "sha256": "761a297c042deedc1ffbb156d6e2af13886bb305c2a343a4d972504cd67dd938",
         "url": "https://pub.dev"
       },
       "source": "hosted",
-      "version": "1.1.0"
+      "version": "1.2.1"
     },
     "http_multi_server": {
       "dependency": "transitive",
@@ -577,31 +527,61 @@
       "dependency": "transitive",
       "description": {
         "name": "js",
-        "sha256": "f2c445dce49627136094980615a031419f7f3eb393237e4ecd97ac15dea343f3",
+        "sha256": "c1b2e9b5ea78c45e1a0788d29606ba27dc5f71f019f32ca5140f61ef071838cf",
         "url": "https://pub.dev"
       },
       "source": "hosted",
-      "version": "0.6.7"
+      "version": "0.7.1"
     },
     "json_annotation": {
       "dependency": "transitive",
       "description": {
         "name": "json_annotation",
-        "sha256": "b10a7b2ff83d83c777edba3c6a0f97045ddadd56c944e1a23a3fdf43a1bf4467",
+        "sha256": "1ce844379ca14835a50d2f019a3099f419082cfdd231cd86a142af94dd5c6bb1",
+        "url": "https://pub.dev"
+      },
+      "source": "hosted",
+      "version": "4.9.0"
+    },
+    "leak_tracker": {
+      "dependency": "transitive",
+      "description": {
+        "name": "leak_tracker",
+        "sha256": "78eb209deea09858f5269f5a5b02be4049535f568c07b275096836f01ea323fa",
+        "url": "https://pub.dev"
+      },
+      "source": "hosted",
+      "version": "10.0.0"
+    },
+    "leak_tracker_flutter_testing": {
+      "dependency": "transitive",
+      "description": {
+        "name": "leak_tracker_flutter_testing",
+        "sha256": "b46c5e37c19120a8a01918cfaf293547f47269f7cb4b0058f21531c2465d6ef0",
+        "url": "https://pub.dev"
+      },
+      "source": "hosted",
+      "version": "2.0.1"
+    },
+    "leak_tracker_testing": {
+      "dependency": "transitive",
+      "description": {
+        "name": "leak_tracker_testing",
+        "sha256": "a597f72a664dbd293f3bfc51f9ba69816f84dcd403cdac7066cb3f6003f3ab47",
         "url": "https://pub.dev"
       },
       "source": "hosted",
-      "version": "4.8.1"
+      "version": "2.0.1"
     },
     "lints": {
       "dependency": "transitive",
       "description": {
         "name": "lints",
-        "sha256": "0a217c6c989d21039f1498c3ed9f3ed71b354e69873f13a8dfc3c9fe76f1b452",
+        "sha256": "cbf8d4b858bb0134ef3ef87841abdf8d63bfc255c266b7bf6b39daa1085c4290",
         "url": "https://pub.dev"
       },
       "source": "hosted",
-      "version": "2.1.1"
+      "version": "3.0.0"
     },
     "list_counter": {
       "dependency": "transitive",
@@ -637,61 +617,51 @@
       "dependency": "transitive",
       "description": {
         "name": "markdown",
-        "sha256": "acf35edccc0463a9d7384e437c015a3535772e09714cf60e07eeef3a15870dcd",
+        "sha256": "ef2a1298144e3f985cc736b22e0ccdaf188b5b3970648f2d9dc13efd1d9df051",
         "url": "https://pub.dev"
       },
       "source": "hosted",
-      "version": "7.1.1"
+      "version": "7.2.2"
     },
     "matcher": {
       "dependency": "transitive",
       "description": {
         "name": "matcher",
-        "sha256": "1803e76e6653768d64ed8ff2e1e67bea3ad4b923eb5c56a295c3e634bad5960e",
+        "sha256": "d2323aa2060500f906aa31a895b4030b6da3ebdcc5619d14ce1aada65cd161cb",
         "url": "https://pub.dev"
       },
       "source": "hosted",
-      "version": "0.12.16"
+      "version": "0.12.16+1"
     },
     "material_color_utilities": {
       "dependency": "transitive",
       "description": {
         "name": "material_color_utilities",
-        "sha256": "9528f2f296073ff54cb9fee677df673ace1218163c3bc7628093e7eed5203d41",
+        "sha256": "0e0a020085b65b6083975e499759762399b4475f766c21668c4ecca34ea74e5a",
         "url": "https://pub.dev"
       },
       "source": "hosted",
-      "version": "0.5.0"
-    },
-    "melos": {
-      "dependency": "direct dev",
-      "description": {
-        "name": "melos",
-        "sha256": "3f22f6cc629d72acf3acc8a7f8563384550290fa30790efa328c9cf606aa17d7",
-        "url": "https://pub.dev"
-      },
-      "source": "hosted",
-      "version": "3.1.1"
+      "version": "0.8.0"
     },
     "meta": {
       "dependency": "direct main",
       "description": {
         "name": "meta",
-        "sha256": "3c74dbf8763d36539f114c799d8a2d87343b5067e9d796ca22b5eb8437090ee3",
+        "sha256": "d584fa6707a52763a52446f02cc621b077888fb63b93bbcb1143a7be5a0c0c04",
         "url": "https://pub.dev"
       },
       "source": "hosted",
-      "version": "1.9.1"
+      "version": "1.11.0"
     },
     "mime": {
       "dependency": "transitive",
       "description": {
         "name": "mime",
-        "sha256": "e4ff8e8564c03f255408decd16e7899da1733852a9110a58fe6d1b817684a63e",
+        "sha256": "2e123074287cc9fd6c09de8336dae606d1ddb88d9ac47358826db698c176a1f2",
         "url": "https://pub.dev"
       },
       "source": "hosted",
-      "version": "1.0.4"
+      "version": "1.0.5"
     },
     "mockito": {
       "dependency": "direct dev",
@@ -703,16 +673,6 @@
       "source": "hosted",
       "version": "5.4.2"
     },
-    "mustache_template": {
-      "dependency": "transitive",
-      "description": {
-        "name": "mustache_template",
-        "sha256": "a46e26f91445bfb0b60519be280555b06792460b27b19e2b19ad5b9740df5d1c",
-        "url": "https://pub.dev"
-      },
-      "source": "hosted",
-      "version": "2.0.0"
-    },
     "nested": {
       "dependency": "transitive",
       "description": {
@@ -737,11 +697,11 @@
       "dependency": "direct main",
       "description": {
         "name": "path",
-        "sha256": "8829d8a55c13fc0e37127c29fedf290c102f4e40ae94ada574091fe0ff96c917",
+        "sha256": "087ce49c3f0dc39180befefc60fdb4acd8f8620e5682fe2476afd0b3688bb4af",
         "url": "https://pub.dev"
       },
       "source": "hosted",
-      "version": "1.8.3"
+      "version": "1.9.0"
     },
     "path_parsing": {
       "dependency": "transitive",
@@ -757,31 +717,31 @@
       "dependency": "transitive",
       "description": {
         "name": "petitparser",
-        "sha256": "cb3798bef7fc021ac45b308f4b51208a152792445cce0448c9a4ba5879dd8750",
+        "sha256": "c15605cd28af66339f8eb6fbe0e541bfe2d1b72d5825efc6598f3e0a31b9ad27",
         "url": "https://pub.dev"
       },
       "source": "hosted",
-      "version": "5.4.0"
+      "version": "6.0.2"
     },
     "platform": {
       "dependency": "transitive",
       "description": {
         "name": "platform",
-        "sha256": "4a451831508d7d6ca779f7ac6e212b4023dd5a7d08a27a63da33756410e32b76",
+        "sha256": "12220bb4b65720483f8fa9450b4332347737cf8213dd2840d8b2c823e47243ec",
         "url": "https://pub.dev"
       },
       "source": "hosted",
-      "version": "3.1.0"
+      "version": "3.1.4"
     },
     "plugin_platform_interface": {
       "dependency": "transitive",
       "description": {
         "name": "plugin_platform_interface",
-        "sha256": "43798d895c929056255600343db8f049921cbec94d31ec87f1dc5c16c01935dd",
+        "sha256": "4820fbfdb9478b1ebae27888254d445073732dae3d6ea81f0b7e06d5dedc3f02",
         "url": "https://pub.dev"
       },
       "source": "hosted",
-      "version": "2.1.5"
+      "version": "2.1.8"
     },
     "pool": {
       "dependency": "transitive",
@@ -797,31 +757,21 @@
       "dependency": "transitive",
       "description": {
         "name": "process",
-        "sha256": "53fd8db9cec1d37b0574e12f07520d582019cb6c44abf5479a01505099a34a09",
-        "url": "https://pub.dev"
-      },
-      "source": "hosted",
-      "version": "4.2.4"
-    },
-    "prompts": {
-      "dependency": "transitive",
-      "description": {
-        "name": "prompts",
-        "sha256": "3773b845e85a849f01e793c4fc18a45d52d7783b4cb6c0569fad19f9d0a774a1",
+        "sha256": "21e54fd2faf1b5bdd5102afd25012184a6793927648ea81eea80552ac9405b32",
         "url": "https://pub.dev"
       },
       "source": "hosted",
-      "version": "2.0.0"
+      "version": "5.0.2"
     },
     "provider": {
       "dependency": "direct main",
       "description": {
         "name": "provider",
-        "sha256": "cdbe7530b12ecd9eb455bdaa2fcb8d4dad22e80b8afb4798b41479d5ce26847f",
+        "sha256": "c8a055ee5ce3fd98d6fc872478b03823ffdb448699c6ebdbbc71d59b596fd48c",
         "url": "https://pub.dev"
       },
       "source": "hosted",
-      "version": "6.0.5"
+      "version": "6.1.2"
     },
     "pub_semver": {
       "dependency": "transitive",
@@ -833,26 +783,6 @@
       "source": "hosted",
       "version": "2.1.4"
     },
-    "pub_updater": {
-      "dependency": "transitive",
-      "description": {
-        "name": "pub_updater",
-        "sha256": "b06600619c8c219065a548f8f7c192b3e080beff95488ed692780f48f69c0625",
-        "url": "https://pub.dev"
-      },
-      "source": "hosted",
-      "version": "0.3.1"
-    },
-    "pubspec": {
-      "dependency": "transitive",
-      "description": {
-        "name": "pubspec",
-        "sha256": "f534a50a2b4d48dc3bc0ec147c8bd7c304280fff23b153f3f11803c4d49d927e",
-        "url": "https://pub.dev"
-      },
-      "source": "hosted",
-      "version": "2.3.0"
-    },
     "pubspec_parse": {
       "dependency": "transitive",
       "description": {
@@ -863,25 +793,15 @@
       "source": "hosted",
       "version": "1.2.3"
     },
-    "quiver": {
-      "dependency": "transitive",
-      "description": {
-        "name": "quiver",
-        "sha256": "b1c1ac5ce6688d77f65f3375a9abb9319b3cb32486bdc7a1e0fdf004d7ba4e47",
-        "url": "https://pub.dev"
-      },
-      "source": "hosted",
-      "version": "3.2.1"
-    },
     "safe_change_notifier": {
       "dependency": "direct main",
       "description": {
         "name": "safe_change_notifier",
-        "sha256": "e69034655ea33aa7dce3c5bb33cf12fc7c07a0ce7d59b7291fd030b70d059570",
+        "sha256": "8d0645ec2706f580912c38de488439ddb491be48247826927b7bc2e54ea8f7af",
         "url": "https://pub.dev"
       },
       "source": "hosted",
-      "version": "0.2.0"
+      "version": "0.3.2"
     },
     "screen_retriever": {
       "dependency": "transitive",
@@ -923,11 +843,11 @@
       "dependency": "transitive",
       "description": {
         "name": "source_gen",
-        "sha256": "fc0da689e5302edb6177fdd964efcb7f58912f43c28c2047a808f5bfff643d16",
+        "sha256": "14658ba5f669685cd3d63701d01b31ea748310f7ab854e471962670abcf57832",
         "url": "https://pub.dev"
       },
       "source": "hosted",
-      "version": "1.4.0"
+      "version": "1.5.0"
     },
     "source_span": {
       "dependency": "transitive",
@@ -943,21 +863,31 @@
       "dependency": "transitive",
       "description": {
         "name": "stack_trace",
-        "sha256": "c3c7d8edb15bee7f0f74debd4b9c5f3c2ea86766fe4178eb2a18eb30a0bdaed5",
+        "sha256": "73713990125a6d93122541237550ee3352a2d84baad52d375a4cad2eb9b7ce0b",
         "url": "https://pub.dev"
       },
       "source": "hosted",
-      "version": "1.11.0"
+      "version": "1.11.1"
+    },
+    "state_notifier": {
+      "dependency": "transitive",
+      "description": {
+        "name": "state_notifier",
+        "sha256": "b8677376aa54f2d7c58280d5a007f9e8774f1968d1fb1c096adcb4792fba29bb",
+        "url": "https://pub.dev"
+      },
+      "source": "hosted",
+      "version": "1.0.0"
     },
     "stream_channel": {
       "dependency": "transitive",
       "description": {
         "name": "stream_channel",
-        "sha256": "83615bee9045c1d322bbbd1ba209b7a749c2cbcdcb3fdd1df8eb488b3279c1c8",
+        "sha256": "ba2aa5d8cc609d96bbb2899c28934f9e1af5cddbd60a827822ea467161eb54e7",
         "url": "https://pub.dev"
       },
       "source": "hosted",
-      "version": "2.1.1"
+      "version": "2.1.2"
     },
     "stream_transform": {
       "dependency": "transitive",
@@ -1000,7 +930,7 @@
       "version": "1.2.1"
     },
     "test_api": {
-      "dependency": "direct overridden",
+      "dependency": "transitive",
       "description": {
         "name": "test_api",
         "sha256": "5c2f730018264d276c20e4f1503fd1308dfbbae39ec8ee63c5236311ac06954b",
@@ -1029,55 +959,55 @@
       "source": "hosted",
       "version": "1.3.2"
     },
+    "ubuntu_lints": {
+      "dependency": "direct dev",
+      "description": {
+        "name": "ubuntu_lints",
+        "sha256": "1c9fd31f3b3e24969f4c5e5ccf19e1665df3e27ce9ff22ca000e4f687c4772c4",
+        "url": "https://pub.dev"
+      },
+      "source": "hosted",
+      "version": "0.3.0"
+    },
     "ubuntu_localizations": {
       "dependency": "transitive",
       "description": {
         "name": "ubuntu_localizations",
-        "sha256": "a75e87b9f1c3dc678f69a943eb4cee8ccbd5b0db64d491750325950e311adab0",
+        "sha256": "eca4f43453339acca16b4b23a70b93315ab92b1500f98156a8f95af5e5078def",
         "url": "https://pub.dev"
       },
       "source": "hosted",
-      "version": "0.3.4"
+      "version": "0.3.6"
     },
     "ubuntu_logger": {
       "dependency": "direct main",
       "description": {
         "name": "ubuntu_logger",
-        "sha256": "f6d663e5b9c33e90a7a77a2f15b7f76e90be1dd98a94b6640d7bd74db262060f",
+        "sha256": "90de0c496c2c35757e0d6a32d2e3555cb37e9c2d4aab356bad589f64234bcdcc",
         "url": "https://pub.dev"
       },
       "source": "hosted",
-      "version": "0.0.3"
+      "version": "0.1.1"
     },
     "ubuntu_service": {
       "dependency": "direct main",
       "description": {
         "name": "ubuntu_service",
-        "sha256": "f6ad4dfb099af41e750c59aad00d67a96e22df00f4962d2e25d56ae3db78be49",
+        "sha256": "b9845f972bcc919df79381b0eb42cceee1834b3232b3f444c0e4943d66d01901",
         "url": "https://pub.dev"
       },
       "source": "hosted",
-      "version": "0.2.4"
-    },
-    "ubuntu_session": {
-      "dependency": "direct main",
-      "description": {
-        "name": "ubuntu_session",
-        "sha256": "ce79fdd31faf7982b061b2e4a1cdd0815baf3b6b976e9c16c72609749511f3a1",
-        "url": "https://pub.dev"
-      },
-      "source": "hosted",
-      "version": "0.0.4"
+      "version": "0.3.2"
     },
     "ubuntu_test": {
       "dependency": "direct main",
       "description": {
         "name": "ubuntu_test",
-        "sha256": "2361b741808a11d95c64a50666151d536133e75cade17b8feccca1e67364be88",
+        "sha256": "ed8e277575e74057e59363eced7c86b5c9cb172b560b7590ab911eed738e32e5",
         "url": "https://pub.dev"
       },
       "source": "hosted",
-      "version": "0.1.0-beta.6"
+      "version": "0.1.0-beta.9"
     },
     "upower": {
       "dependency": "direct main",
@@ -1089,45 +1019,35 @@
       "source": "hosted",
       "version": "0.7.0"
     },
-    "uri": {
-      "dependency": "transitive",
-      "description": {
-        "name": "uri",
-        "sha256": "889eea21e953187c6099802b7b4cf5219ba8f3518f604a1033064d45b1b8268a",
-        "url": "https://pub.dev"
-      },
-      "source": "hosted",
-      "version": "1.0.0"
-    },
     "vector_graphics": {
       "dependency": "transitive",
       "description": {
         "name": "vector_graphics",
-        "sha256": "670f6e07aca990b4a2bcdc08a784193c4ccdd1932620244c3a86bb72a0eac67f",
+        "sha256": "32c3c684e02f9bc0afb0ae0aa653337a2fe022e8ab064bcd7ffda27a74e288e3",
         "url": "https://pub.dev"
       },
       "source": "hosted",
-      "version": "1.1.7"
+      "version": "1.1.11+1"
     },
     "vector_graphics_codec": {
       "dependency": "transitive",
       "description": {
         "name": "vector_graphics_codec",
-        "sha256": "7451721781d967db9933b63f5733b1c4533022c0ba373a01bdd79d1a5457f69f",
+        "sha256": "c86987475f162fadff579e7320c7ddda04cd2fdeffbe1129227a85d9ac9e03da",
         "url": "https://pub.dev"
       },
       "source": "hosted",
-      "version": "1.1.7"
+      "version": "1.1.11+1"
     },
     "vector_graphics_compiler": {
       "dependency": "transitive",
       "description": {
         "name": "vector_graphics_compiler",
-        "sha256": "80a13c613c8bde758b1464a1755a7b3a8f2b6cec61fbf0f5a53c94c30f03ba2e",
+        "sha256": "12faff3f73b1741a36ca7e31b292ddeb629af819ca9efe9953b70bd63fc8cd81",
         "url": "https://pub.dev"
       },
       "source": "hosted",
-      "version": "1.1.7"
+      "version": "1.1.11+1"
     },
     "vector_math": {
       "dependency": "transitive",
@@ -1143,11 +1063,11 @@
       "dependency": "transitive",
       "description": {
         "name": "vm_service",
-        "sha256": "c620a6f783fa22436da68e42db7ebbf18b8c44b9a46ab911f666ff09ffd9153f",
+        "sha256": "b3d56ff4341b8f182b96aceb2fa20e3dcb336b9f867bc0eafc0de10f1048e957",
         "url": "https://pub.dev"
       },
       "source": "hosted",
-      "version": "11.7.1"
+      "version": "13.0.0"
     },
     "watcher": {
       "dependency": "transitive",
@@ -1163,54 +1083,54 @@
       "dependency": "transitive",
       "description": {
         "name": "web",
-        "sha256": "dc8ccd225a2005c1be616fe02951e2e342092edf968cf0844220383757ef8f10",
+        "sha256": "97da13628db363c635202ad97068d47c5b8aa555808e7a9411963c533b449b27",
         "url": "https://pub.dev"
       },
       "source": "hosted",
-      "version": "0.1.4-beta"
+      "version": "0.5.1"
     },
     "web_socket_channel": {
       "dependency": "transitive",
       "description": {
         "name": "web_socket_channel",
-        "sha256": "d88238e5eac9a42bb43ca4e721edba3c08c6354d4a53063afaa568516217621b",
+        "sha256": "58c6666b342a38816b2e7e50ed0f1e261959630becd4c879c4f26bfa14aa5a42",
         "url": "https://pub.dev"
       },
       "source": "hosted",
-      "version": "2.4.0"
+      "version": "2.4.5"
     },
     "webdriver": {
       "dependency": "transitive",
       "description": {
         "name": "webdriver",
-        "sha256": "3c923e918918feeb90c4c9fdf1fe39220fa4c0e8e2c0fffaded174498ef86c49",
+        "sha256": "003d7da9519e1e5f329422b36c4dcdf18d7d2978d1ba099ea4e45ba490ed845e",
         "url": "https://pub.dev"
       },
       "source": "hosted",
-      "version": "3.0.2"
+      "version": "3.0.3"
     },
     "window_manager": {
       "dependency": "transitive",
       "description": {
         "name": "window_manager",
-        "sha256": "6ee795be9124f90660ea9d05e581a466de19e1c89ee74fc4bf528f60c8600edd",
+        "sha256": "b3c895bdf936c77b83c5254bec2e6b3f066710c1f89c38b20b8acc382b525494",
         "url": "https://pub.dev"
       },
       "source": "hosted",
-      "version": "0.3.6"
+      "version": "0.3.8"
     },
     "xml": {
       "dependency": "transitive",
       "description": {
         "name": "xml",
-        "sha256": "5bc72e1e45e941d825fd7468b9b4cc3b9327942649aeb6fc5cdbf135f0a86e84",
+        "sha256": "b015a8ad1c488f66851d762d3090a21c600e479dc75e68328c52774040cf9226",
         "url": "https://pub.dev"
       },
       "source": "hosted",
-      "version": "6.3.0"
+      "version": "6.5.0"
     },
     "yaml": {
-      "dependency": "transitive",
+      "dependency": "direct main",
       "description": {
         "name": "yaml",
         "sha256": "75769501ea3489fca56601ff33454fe45507ea3bfb014161abc3b43ae25989d5",
@@ -1219,25 +1139,15 @@
       "source": "hosted",
       "version": "3.1.2"
     },
-    "yaml_edit": {
-      "dependency": "transitive",
-      "description": {
-        "name": "yaml_edit",
-        "sha256": "1579d4a0340a83cf9e4d580ea51a16329c916973bffd5bd4b45e911b25d46bfd",
-        "url": "https://pub.dev"
-      },
-      "source": "hosted",
-      "version": "2.1.1"
-    },
     "yaru": {
       "dependency": "direct main",
       "description": {
         "name": "yaru",
-        "sha256": "24047f0de452784840a326874192d26cb5ebd8cf5eac7864086e5bc9272a28db",
+        "sha256": "e9ccb22cb283ecf3f6b21d64dee9764d4abff65a44f48ce21aa13b9eae3e3be5",
         "url": "https://pub.dev"
       },
       "source": "hosted",
-      "version": "1.1.0"
+      "version": "1.2.2"
     },
     "yaru_color_generator": {
       "dependency": "transitive",
@@ -1263,51 +1173,51 @@
       "dependency": "direct main",
       "description": {
         "name": "yaru_icons",
-        "sha256": "cbb0b5945f407116fd8a1fbe7265e7ffa0d568249d496343a69cb5c55360bba1",
+        "sha256": "2dff89ee31c2dd888e1ce146f0faef1c8de4ffbc90cb6466aacd55c3a9ad0674",
         "url": "https://pub.dev"
       },
       "source": "hosted",
-      "version": "2.2.1"
+      "version": "2.4.0"
     },
     "yaru_test": {
       "dependency": "transitive",
       "description": {
         "name": "yaru_test",
-        "sha256": "9396269fbe026bb9c398b9d4308c76982090ddeca102e4846bd4ba595333ff0a",
+        "sha256": "a62539bd03465065e4067e1c88472d5789a7215bd4a0873f051abb7896ff0934",
         "url": "https://pub.dev"
       },
       "source": "hosted",
-      "version": "0.1.4"
+      "version": "0.1.5"
     },
     "yaru_widgets": {
       "dependency": "direct main",
       "description": {
         "name": "yaru_widgets",
-        "sha256": "482a71ef5566c6cb4135272f0041bf8a9c35729bf9079b0d304eedfa2fa0cc0c",
+        "sha256": "0bade922090f25eedcc88cdc15b8a6adbaba4e4b56d793e999224b22c95a19d2",
         "url": "https://pub.dev"
       },
       "source": "hosted",
-      "version": "3.1.0"
+      "version": "3.6.0"
     },
     "yaru_window": {
       "dependency": "transitive",
       "description": {
         "name": "yaru_window",
-        "sha256": "55c8f039d13aaa1b211a8cf0b7731ae2fdcac9b1be1e0994eb14ad1d17fecaf7",
+        "sha256": "c9d16f78962652ad71aa160ab0a1e2e5924359439303394f980fd00eefc905eb",
         "url": "https://pub.dev"
       },
       "source": "hosted",
-      "version": "0.1.3"
+      "version": "0.2.1"
     },
     "yaru_window_linux": {
       "dependency": "transitive",
       "description": {
         "name": "yaru_window_linux",
-        "sha256": "c45606cf75880ae6427bbe176dc5313356f16c876c7013a19aeee782882c40c2",
+        "sha256": "3676355492eba0461f03acf1b7420f7885982d1bffe113fccdca9415fbe39f5d",
         "url": "https://pub.dev"
       },
       "source": "hosted",
-      "version": "0.1.3"
+      "version": "0.2.0"
     },
     "yaru_window_manager": {
       "dependency": "transitive",
@@ -1341,7 +1251,7 @@
     }
   },
   "sdks": {
-    "dart": ">=3.1.0-185.0.dev <4.0.0",
-    "flutter": ">=3.10.0"
+    "dart": ">=3.3.0 <4.0.0",
+    "flutter": ">=3.19.0"
   }
 }
diff --git a/pkgs/os-specific/linux/firmware/firmware-updater/upgrade-file.patch b/pkgs/os-specific/linux/firmware/firmware-updater/upgrade-file.patch
new file mode 100644
index 0000000000000..2c82fa8bbaf94
--- /dev/null
+++ b/pkgs/os-specific/linux/firmware/firmware-updater/upgrade-file.patch
@@ -0,0 +1,13 @@
+diff --git a/pubspec.yaml b/pubspec.yaml
+index e9dfa1f..ec9f2f2 100644
+--- a/pubspec.yaml
++++ b/pubspec.yaml
+@@ -10,7 +10,7 @@ dependencies:
+   collection: ^1.17.2
+   dbus: ^0.7.8
+   dio: ^5.3.3
+-  file: ^6.1.4
++  file: ^7.0.0
+   flutter:
+     sdk: flutter
+   flutter_html: ^3.0.0-beta.2
diff --git a/pkgs/os-specific/linux/firmware/fwupd-efi/default.nix b/pkgs/os-specific/linux/firmware/fwupd-efi/default.nix
index acbc0d556224c..1c6cc0e57e09a 100644
--- a/pkgs/os-specific/linux/firmware/fwupd-efi/default.nix
+++ b/pkgs/os-specific/linux/firmware/fwupd-efi/default.nix
@@ -1,8 +1,7 @@
 { lib
 , stdenv
 , fetchurl
-, fetchFromGitHub
-, substituteAll
+, fetchpatch
 , pkg-config
 , meson
 , ninja
@@ -13,13 +12,21 @@
 
 stdenv.mkDerivation rec {
   pname = "fwupd-efi";
-  version = "1.5";
+  version = "1.6";
 
   src = fetchurl {
-    url = "https://people.freedesktop.org/~hughsient/releases/${pname}-${version}.tar.xz";
-    sha256 = "sha256-RdKneTGzYkFt7CY22r9O/w0doQvBzMoayYDoMv7buhI=";
+    url = "https://github.com/fwupd/fwupd-efi/releases/download/${version}/fwupd-efi-${version}.tar.xz";
+    hash = "sha256-r9CAWirQgafK/y71vABM46AUe1OAFejsqWY0FxaxJg4=";
   };
 
+  patches = [
+    (fetchpatch {
+      url = "https://github.com/fwupd/fwupd-efi/commit/26c6ec5c1e7765fb5dc6a4df511ab21ee6c6e67a.patch";
+      revert = true;
+      hash = "sha256-vTdYExd7OlrrZ/LhlEO1zcvpKzeT5OeOeosD8/LUkMg=";
+    })
+  ];
+
   nativeBuildInputs = [
     meson
     ninja
@@ -51,7 +58,7 @@ stdenv.mkDerivation rec {
 
   meta = with lib; {
     homepage = "https://fwupd.org/";
-    maintainers = with maintainers; [ amaxine ];
+    maintainers = with maintainers; [ ];
     license = licenses.lgpl21Plus;
     platforms = platforms.linux;
   };
diff --git a/pkgs/os-specific/linux/firmware/ipu6-camera-bins/default.nix b/pkgs/os-specific/linux/firmware/ipu6-camera-bins/default.nix
index 71a7cd9e947b5..31ac23df39606 100644
--- a/pkgs/os-specific/linux/firmware/ipu6-camera-bins/default.nix
+++ b/pkgs/os-specific/linux/firmware/ipu6-camera-bins/default.nix
@@ -52,9 +52,7 @@ stdenv.mkDerivation (finalAttrs: {
     sourceProvenance = with sourceTypes; [
       binaryFirmware
     ];
-    maintainers = with maintainers; [
-      hexa
-    ];
+    maintainers = with maintainers; [ ];
     platforms = [ "x86_64-linux" ];
   };
 })
diff --git a/pkgs/os-specific/linux/firmware/ivsc-firmware/default.nix b/pkgs/os-specific/linux/firmware/ivsc-firmware/default.nix
index e2f2fd4f9fee0..3ad52b314537d 100644
--- a/pkgs/os-specific/linux/firmware/ivsc-firmware/default.nix
+++ b/pkgs/os-specific/linux/firmware/ivsc-firmware/default.nix
@@ -40,9 +40,7 @@ stdenv.mkDerivation {
     sourceProvenance = with sourceTypes; [
       binaryFirmware
     ];
-    maintainers = with maintainers; [
-      hexa
-    ];
+    maintainers = with maintainers; [ ];
     platforms = [ "x86_64-linux" ];
   };
 }
diff --git a/pkgs/os-specific/linux/firmware/linux-firmware/default.nix b/pkgs/os-specific/linux/firmware/linux-firmware/default.nix
index 283e04b475458..ae04c6a9ce32a 100644
--- a/pkgs/os-specific/linux/firmware/linux-firmware/default.nix
+++ b/pkgs/os-specific/linux/firmware/linux-firmware/default.nix
@@ -40,8 +40,5 @@ stdenvNoCC.mkDerivation rec {
     priority = 6; # give precedence to kernel firmware
   };
 
-  passthru = {
-    inherit version;
-    updateScript = ./update.sh;
-  };
+  passthru.updateScript = ./update.sh;
 }
diff --git a/pkgs/os-specific/linux/firmware/linux-firmware/source.nix b/pkgs/os-specific/linux/firmware/linux-firmware/source.nix
index 5088c1dc33205..7098f1f3203e6 100644
--- a/pkgs/os-specific/linux/firmware/linux-firmware/source.nix
+++ b/pkgs/os-specific/linux/firmware/linux-firmware/source.nix
@@ -1,7 +1,7 @@
 # This file is autogenerated! Run ./update.sh to regenerate.
 {
-  version = "20240312";
-  revision = "20240312";
-  sourceHash = "sha256-fDrnI7H87vG4OpcmjMcRTio01oHI0Z2KUfe3NNeY3JY=";
-  outputHash = "sha256-GYmRaW6wsOR+pqeQDyGYUDh6HfEs+sEi5vQoBHEeX9I=";
+  version = "20240513";
+  revision = "20240513";
+  sourceHash = "sha256-8yzs8lgPHG3zbUvlsWSuP1O/4s28dRFbju2c9kbaFsg=";
+  outputHash = "sha256-LDd6FU1/16X7KoCCDq0yPvwJzK4H9NxHgrEdhEfaUGY=";
 }
diff --git a/pkgs/os-specific/linux/firmware/sof-firmware/default.nix b/pkgs/os-specific/linux/firmware/sof-firmware/default.nix
index d84fb2a873d08..e4aa0b353acae 100644
--- a/pkgs/os-specific/linux/firmware/sof-firmware/default.nix
+++ b/pkgs/os-specific/linux/firmware/sof-firmware/default.nix
@@ -5,11 +5,11 @@
 
 stdenvNoCC.mkDerivation rec {
   pname = "sof-firmware";
-  version = "2023.12.1";
+  version = "2024.03";
 
   src = fetchurl {
     url = "https://github.com/thesofproject/sof-bin/releases/download/v${version}/sof-bin-${version}.tar.gz";
-    sha256 = "sha256-6ied38mcWxHWNPH10jN/bVwNw4HOMxR5D3tVDkCI5nQ=";
+    sha256 = "sha256-T9ky97vBUXsG+nkR5tVmgU1dxP7FYIvbROfE/kkp+/Y=";
   };
 
   dontFixup = true; # binaries must not be stripped or patchelfed
@@ -21,6 +21,7 @@ stdenvNoCC.mkDerivation rec {
     cp -av sof-tplg $out/lib/firmware/intel/sof-tplg
     cp -av sof-ace-tplg $out/lib/firmware/intel/sof-ace-tplg
     cp -av sof-ipc4 $out/lib/firmware/intel/sof-ipc4
+    cp -av sof-ipc4-tplg $out/lib/firmware/intel/sof-ipc4-tplg
     runHook postInstall
   '';
 
diff --git a/pkgs/os-specific/linux/fnotifystat/default.nix b/pkgs/os-specific/linux/fnotifystat/default.nix
index 18afaaa6d29b5..4961450fa36e3 100644
--- a/pkgs/os-specific/linux/fnotifystat/default.nix
+++ b/pkgs/os-specific/linux/fnotifystat/default.nix
@@ -5,13 +5,13 @@
 
 stdenv.mkDerivation rec {
   pname = "fnotifystat";
-  version = "0.02.11";
+  version = "0.03.00";
 
   src = fetchFromGitHub {
     owner = "ColinIanKing";
     repo = pname;
     rev = "V${version}";
-    hash = "sha256-CwjaDL5pt2HMUhq0Q3s6Ssp3jr9uwCdVhT1JzlKcQQw=";
+    hash = "sha256-UGww0/m+JMftQyAguc8UpPrtIphjCq9TINabFaAKN0A=";
   };
 
   installFlags = [
diff --git a/pkgs/os-specific/linux/framework-laptop-kmod/default.nix b/pkgs/os-specific/linux/framework-laptop-kmod/default.nix
index 088e30e91f8ca..b5cb505e09a2c 100644
--- a/pkgs/os-specific/linux/framework-laptop-kmod/default.nix
+++ b/pkgs/os-specific/linux/framework-laptop-kmod/default.nix
@@ -7,13 +7,13 @@
 
 stdenv.mkDerivation rec {
   pname = "framework-laptop-kmod";
-  version = "unstable-2023-12-03";
+  version = "0-unstable-2024-01-02";
 
   src = fetchFromGitHub {
     owner = "DHowett";
     repo = "framework-laptop-kmod";
-    rev = "d5367eb9e5b5542407494d04ac1a0e77f10cc89d";
-    hash = "sha256-t8F4XHPkuCjWBrsEjW97ielYtf3V6hlLsrasvyab198=";
+    rev = "a9e8db9ba2959b75c1fb820ffac8fa189f0f63c3";
+    hash = "sha256-Ai/OxvkaKPltri8R0oyfmxQLUVfaj6Q8vebrhmWYhUU=";
   };
 
   nativeBuildInputs = kernel.moduleBuildDependencies;
diff --git a/pkgs/os-specific/linux/fscrypt/default.nix b/pkgs/os-specific/linux/fscrypt/default.nix
index 8b54a1f9a7456..2cf5243422e15 100644
--- a/pkgs/os-specific/linux/fscrypt/default.nix
+++ b/pkgs/os-specific/linux/fscrypt/default.nix
@@ -4,13 +4,13 @@
 
 buildGoModule rec {
   pname = "fscrypt";
-  version = "0.3.4";
+  version = "0.3.5";
 
   src = fetchFromGitHub {
     owner = "google";
     repo = "fscrypt";
     rev = "v${version}";
-    hash = "sha256-4Im3YWhLs5Q+o4DtpSuSMuKtKqXaICL9/EB0q5um6mQ=";
+    hash = "sha256-US1jw0XK1BcP037XPhttzBloDU62m4BVSIbsGs9LaJU=";
   };
 
   postPatch = ''
@@ -19,7 +19,7 @@ buildGoModule rec {
       --replace "/usr/local" "$out"
   '';
 
-  vendorHash = "sha256-APW0XM6fTQOCw4tE1NA5VNN3fBUmsvn99NqqJnB3Q0s=";
+  vendorHash = "sha256-FuVWV3Rimhd+Pm9wrKGLWQWtbP1hWvoWa22pQT+m2go=";
 
   doCheck = false;
 
diff --git a/pkgs/os-specific/linux/fsverity-utils/default.nix b/pkgs/os-specific/linux/fsverity-utils/default.nix
index 232fc14704652..7d0f1f48e7e54 100644
--- a/pkgs/os-specific/linux/fsverity-utils/default.nix
+++ b/pkgs/os-specific/linux/fsverity-utils/default.nix
@@ -9,13 +9,13 @@
 
 stdenv.mkDerivation rec {
   pname = "fsverity-utils";
-  version = "1.5";
+  version = "1.6";
 
   outputs = [ "out" "lib" "dev" ] ++ lib.optional enableManpages "man";
 
   src = fetchzip {
     url = "https://git.kernel.org/pub/scm/fs/fsverity/fsverity-utils.git/snapshot/fsverity-utils-v${version}.tar.gz";
-    sha256 = "sha256-ygBOkp2PBe8Z2ak6SXEJ6HHuT4NRKmIsbJDHcY+h8PQ=";
+    sha256 = "sha256-FZN4MKNmymIXZ2Q0woA0SLzPf4SaUJkj4ssKPsY4xXc=";
   };
 
   patches = lib.optionals (!enableShared) [
diff --git a/pkgs/os-specific/linux/fw-ectool/default.nix b/pkgs/os-specific/linux/fw-ectool/default.nix
index a73cc1896ecdc..dd24730104f36 100644
--- a/pkgs/os-specific/linux/fw-ectool/default.nix
+++ b/pkgs/os-specific/linux/fw-ectool/default.nix
@@ -1,38 +1,43 @@
 { stdenv
 , lib
-, fetchFromGitHub
+, fetchFromGitLab
+, cmake
 , pkg-config
-, hostname
+, libusb1
+, libftdi1
 }:
 
 stdenv.mkDerivation {
   pname = "fw-ectool";
-  version = "unstable-2022-12-03";
+  version = "0-unstable-2024-04-23";
 
-  src = fetchFromGitHub {
+  src = fetchFromGitLab {
+    domain = "gitlab.howett.net";
     owner = "DHowett";
-    repo = "fw-ectool";
-    rev = "54c140399bbc3e6a3dce6c9f842727c4128367be";
-    hash = "sha256-2teJFz4zcA+USpbVPXMEIHLdmMLem8ik7YrmrSxr/n0=";
+    repo = "ectool";
+    rev = "abdd574ebe3640047988cb928bb6789a15dd1390";
+    hash = "sha256-j0Z2Uo1LBXlHZVHPm4Xjx3LZaI6Qq0nSdViyC/CjWC8=";
   };
 
   nativeBuildInputs = [
+    cmake
     pkg-config
-    hostname
   ];
 
-  buildPhase = ''
-    patchShebangs util
-    make out=out utils
-  '';
+  buildInputs = [
+    libusb1
+    libftdi1
+  ];
 
   installPhase = ''
-    install -D out/util/ectool $out/bin/ectool
+    runHook preInstall
+    install -Dm555 src/ectool "$out/bin/ectool"
+    runHook postInstall
   '';
 
   meta = with lib; {
     description = "EC-Tool adjusted for usage with framework embedded controller";
-    homepage = "https://github.com/DHowett/framework-ec";
+    homepage = "https://gitlab.howett.net/DHowett/ectool";
     license = licenses.bsd3;
     maintainers = [ maintainers.mkg20001 ];
     platforms = platforms.linux;
diff --git a/pkgs/os-specific/linux/fwts/default.nix b/pkgs/os-specific/linux/fwts/default.nix
index f04b8fcd21089..5a06fac5d6c16 100644
--- a/pkgs/os-specific/linux/fwts/default.nix
+++ b/pkgs/os-specific/linux/fwts/default.nix
@@ -3,11 +3,11 @@
 
 stdenv.mkDerivation rec {
   pname = "fwts";
-  version = "24.01.00";
+  version = "24.03.00";
 
   src = fetchzip {
     url = "https://fwts.ubuntu.com/release/${pname}-V${version}.tar.gz";
-    sha256 = "sha256-MXWmKxcxgSVCSeeGlWsa8JTBa5hLyvGPZ0811w+s+yA=";
+    sha256 = "sha256-UKL5q5sURSVXvEOzoZdG+wWBSS5f9YWo5stViY3F2vg=";
     stripRoot = false;
   };
 
diff --git a/pkgs/os-specific/linux/g15daemon/default.nix b/pkgs/os-specific/linux/g15daemon/default.nix
index 90a818be49472..e1d310a995b45 100644
--- a/pkgs/os-specific/linux/g15daemon/default.nix
+++ b/pkgs/os-specific/linux/g15daemon/default.nix
@@ -1,6 +1,5 @@
 { stdenv
 , lib
-, fetchFromGitHub
 , fetchurl
 , fetchpatch
 , patchelf
diff --git a/pkgs/os-specific/linux/game-devices-udev-rules/default.nix b/pkgs/os-specific/linux/game-devices-udev-rules/default.nix
index daaf23db6ce2c..ca2ef7a4498e5 100644
--- a/pkgs/os-specific/linux/game-devices-udev-rules/default.nix
+++ b/pkgs/os-specific/linux/game-devices-udev-rules/default.nix
@@ -6,20 +6,20 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "game-devices-udev-rules";
-  version = "0.22";
+  version = "0.23";
 
   src = fetchFromGitea {
     domain = "codeberg.org";
     owner = "fabiscafe";
     repo = "game-devices-udev";
     rev = finalAttrs.version;
-    hash = "sha256-1aOb8pJxB+/PM7spcvZcy/cwdEolHQ4+lwBLij+6iDk=";
+    hash = "sha256-dWWo3qXnxdLP68NuFKM4/Cw5yE6uAsWzj0vZa9UTT0U=";
   };
 
   postInstall = ''
     install -Dm444 -t "$out/lib/udev/rules.d" *.rules
     substituteInPlace $out/lib/udev/rules.d/71-powera-controllers.rules \
-    --replace "/bin/sh" "${bash}/bin/bash"
+    --replace-fail "/bin/sh" "${bash}/bin/bash"
   '';
 
   meta = with lib; {
diff --git a/pkgs/os-specific/linux/google-authenticator/default.nix b/pkgs/os-specific/linux/google-authenticator/default.nix
index 02ca3d30d238c..11791a664c8bb 100644
--- a/pkgs/os-specific/linux/google-authenticator/default.nix
+++ b/pkgs/os-specific/linux/google-authenticator/default.nix
@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   pname = "google-authenticator-libpam";
-  version = "1.09";
+  version = "1.10";
 
   src = fetchFromGitHub {
     owner = "google";
     repo = "google-authenticator-libpam";
     rev = version;
-    hash = "sha256-DS0h6FWMNKnSSj039bH6iyWrERa5M7LBSkbyig6pyxY=";
+    hash = "sha256-KEfwQeJIuRF+S3gPn+maDb8Fu0FRXLs2/Nlbjj2d3AE=";
   };
 
   nativeBuildInputs = [ autoreconfHook ];
diff --git a/pkgs/os-specific/linux/guvcview/default.nix b/pkgs/os-specific/linux/guvcview/default.nix
index e082038730111..d274c375fb42c 100644
--- a/pkgs/os-specific/linux/guvcview/default.nix
+++ b/pkgs/os-specific/linux/guvcview/default.nix
@@ -21,7 +21,7 @@
 # can be turned off if used as a library
 , useGtk ? true
 , gtk3 ? null
-, wrapGAppsHook ? null
+, wrapGAppsHook3 ? null
 }:
 
 assert pulseaudioSupport -> libpulseaudio != null;
@@ -39,7 +39,7 @@ stdenv.mkDerivation rec {
     intltool
     pkg-config
   ]
-    ++ lib.optionals (useGtk) [ wrapGAppsHook ]
+    ++ lib.optionals (useGtk) [ wrapGAppsHook3 ]
     ++ lib.optionals (useQt) [ wrapQtAppsHook ]
   ;
 
diff --git a/pkgs/os-specific/linux/hwdata/default.nix b/pkgs/os-specific/linux/hwdata/default.nix
index f7303b182ec74..320f10d551380 100644
--- a/pkgs/os-specific/linux/hwdata/default.nix
+++ b/pkgs/os-specific/linux/hwdata/default.nix
@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   pname = "hwdata";
-  version = "0.380";
+  version = "0.382";
 
   src = fetchFromGitHub {
     owner = "vcrhonek";
     repo = "hwdata";
     rev = "v${version}";
-    hash = "sha256-Ioa0tUiwgOZO3qrtwAr9A/yGfYTBk83OON8Sr47J9Mg=";
+    hash = "sha256-j7ITcLilcnV8QCUFC/Ybv1dX6Kl36P0G9vBlrzifhFQ=";
   };
 
   configureFlags = [ "--datadir=${placeholder "out"}/share" ];
diff --git a/pkgs/os-specific/linux/intel-compute-runtime/default.nix b/pkgs/os-specific/linux/intel-compute-runtime/default.nix
index c175916b9008f..8f5655a90cbdf 100644
--- a/pkgs/os-specific/linux/intel-compute-runtime/default.nix
+++ b/pkgs/os-specific/linux/intel-compute-runtime/default.nix
@@ -11,13 +11,13 @@
 
 stdenv.mkDerivation rec {
   pname = "intel-compute-runtime";
-  version = "24.05.28454.6";
+  version = "24.17.29377.6";
 
   src = fetchFromGitHub {
     owner = "intel";
     repo = "compute-runtime";
     rev = version;
-    hash = "sha256-gX6zvZcwZXcSj3ch/eIWqIefccKuab0voh2vHHJTTso=";
+    hash = "sha256-+bx6P1vZlgolHrINzkH4ukXT+hgAtH18DOX6vb9vPVs=";
   };
 
   nativeBuildInputs = [ cmake pkg-config ];
diff --git a/pkgs/os-specific/linux/iproute/default.nix b/pkgs/os-specific/linux/iproute/default.nix
index 03eb1959c9b27..597989c5a0641 100644
--- a/pkgs/os-specific/linux/iproute/default.nix
+++ b/pkgs/os-specific/linux/iproute/default.nix
@@ -1,16 +1,16 @@
 { lib, stdenv, fetchurl
 , buildPackages, bison, flex, pkg-config
-, db, iptables, libelf, libmnl
+, db, iptables, elfutils, libmnl
 , gitUpdater
 }:
 
 stdenv.mkDerivation rec {
   pname = "iproute2";
-  version = "6.7.0";
+  version = "6.8.0";
 
   src = fetchurl {
     url = "mirror://kernel/linux/utils/net/${pname}/${pname}-${version}.tar.xz";
-    hash = "sha256-/5Qt2YKNfR+Gf2H+cs5DMHjDHl2OSnjiDwLLWJLohB0=";
+    hash = "sha256-A6bMo9cakI0fFfe0lb4rj+hR+UFFjcRmSQDX9F/PaM4=";
   };
 
   postPatch = ''
@@ -23,6 +23,10 @@ stdenv.mkDerivation rec {
 
   outputs = [ "out" "dev" ];
 
+  configureFlags = [
+    "--color" "auto"
+  ];
+
   makeFlags = [
     "PREFIX=$(out)"
     "SBINDIR=$(out)/sbin"
@@ -46,7 +50,9 @@ stdenv.mkDerivation rec {
 
   depsBuildBuild = [ buildPackages.stdenv.cc ]; # netem requires $HOSTCC
   nativeBuildInputs = [ bison flex pkg-config ];
-  buildInputs = [ db iptables libelf libmnl ];
+  buildInputs = [ db iptables libmnl ]
+    # needed to uploaded bpf programs
+    ++ lib.optionals (!stdenv.hostPlatform.isStatic) [ elfutils ];
 
   enableParallelBuilding = true;
 
diff --git a/pkgs/os-specific/linux/ipu6-drivers/default.nix b/pkgs/os-specific/linux/ipu6-drivers/default.nix
index fe9cb1da018c6..276926fef8aa6 100644
--- a/pkgs/os-specific/linux/ipu6-drivers/default.nix
+++ b/pkgs/os-specific/linux/ipu6-drivers/default.nix
@@ -45,7 +45,7 @@ stdenv.mkDerivation {
     homepage = "https://github.com/intel/ipu6-drivers";
     description = "IPU6 kernel driver";
     license = lib.licenses.gpl2;
-    maintainers = with lib.maintainers; [ hexa ];
+    maintainers = with lib.maintainers; [ ];
     platforms = [ "x86_64-linux" ];
     # requires 6.1.7 https://github.com/intel/ipu6-drivers/pull/84
     broken = kernel.kernelOlder "6.1.7";
diff --git a/pkgs/os-specific/linux/ivsc-driver/default.nix b/pkgs/os-specific/linux/ivsc-driver/default.nix
index 72173de49baa5..5612c9170abd4 100644
--- a/pkgs/os-specific/linux/ivsc-driver/default.nix
+++ b/pkgs/os-specific/linux/ivsc-driver/default.nix
@@ -36,7 +36,7 @@ stdenv.mkDerivation {
     homepage = "https://github.com/intel/ivsc-driver";
     description = "Intel Vision Sensing Controller kernel driver";
     license = lib.licenses.gpl2;
-    maintainers = with lib.maintainers; [ hexa ];
+    maintainers = with lib.maintainers; [ ];
     platforms = [ "x86_64-linux" ];
     broken = kernel.kernelOlder "5.15";
   };
diff --git a/pkgs/os-specific/linux/iw/default.nix b/pkgs/os-specific/linux/iw/default.nix
deleted file mode 100644
index 4c1d94f02e6bc..0000000000000
--- a/pkgs/os-specific/linux/iw/default.nix
+++ /dev/null
@@ -1,31 +0,0 @@
-{ lib, stdenv, fetchurl, pkg-config, libnl }:
-
-stdenv.mkDerivation rec {
-  pname = "iw";
-  version = "5.19";
-
-  src = fetchurl {
-    url = "https://www.kernel.org/pub/software/network/${pname}/${pname}-${version}.tar.xz";
-    sha256 = "sha256-8We76UfdU7uevAwdzvXbatc6wdYITyxvk3bFw2DMTU4=";
-  };
-
-  nativeBuildInputs = [ pkg-config ];
-  buildInputs = [ libnl ];
-
-  makeFlags = [ "PREFIX=${placeholder "out"}" ];
-
-  meta = {
-    description = "Tool to use nl80211";
-    mainProgram = "iw";
-    longDescription = ''
-      iw is a new nl80211 based CLI configuration utility for wireless devices.
-      It supports all new drivers that have been added to the kernel recently.
-      The old tool iwconfig, which uses Wireless Extensions interface, is
-      deprecated and it's strongly recommended to switch to iw and nl80211.
-    '';
-    homepage = "https://wireless.wiki.kernel.org/en/users/Documentation/iw";
-    license = lib.licenses.isc;
-    maintainers = with lib.maintainers; [ viric primeos ];
-    platforms = with lib.platforms; linux;
-  };
-}
diff --git a/pkgs/os-specific/linux/iwd/default.nix b/pkgs/os-specific/linux/iwd/default.nix
index a15d21f2c3a1b..5c1d153b83fc9 100644
--- a/pkgs/os-specific/linux/iwd/default.nix
+++ b/pkgs/os-specific/linux/iwd/default.nix
@@ -13,12 +13,12 @@
 
 stdenv.mkDerivation rec {
   pname = "iwd";
-  version = "2.16";
+  version = "2.17";
 
   src = fetchgit {
     url = "https://git.kernel.org/pub/scm/network/wireless/iwd.git";
     rev = version;
-    hash = "sha256-YWtiI2HkGyIdUeBXerQtN5UvgaMaUs9eoG88ZUQRrDg=";
+    hash = "sha256-o/Q8vUtB4Yiz1x+/6+8LUKUQNtiAmwcdh++/tTUN4mM=";
   };
 
   outputs = [ "out" "man" "doc" ]
@@ -81,9 +81,9 @@ stdenv.mkDerivation rec {
 
   postFixup = ''
     substituteInPlace $out/share/dbus-1/system-services/net.connman.ead.service \
-      --replace /bin/false ${coreutils}/bin/false
+      --replace-fail /bin/false ${coreutils}/bin/false
     substituteInPlace $out/share/dbus-1/system-services/net.connman.iwd.service \
-      --replace /bin/false ${coreutils}/bin/false
+      --replace-fail /bin/false ${coreutils}/bin/false
   '';
 
   enableParallelBuilding = true;
@@ -98,6 +98,6 @@ stdenv.mkDerivation rec {
     description = "Wireless daemon for Linux";
     license = licenses.lgpl21Plus;
     platforms = platforms.linux;
-    maintainers = with maintainers; [ dtzWill fpletz amaxine ];
+    maintainers = with maintainers; [ dtzWill fpletz ];
   };
 }
diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix
index 4cfc548f952d8..c9bf296160629 100644
--- a/pkgs/os-specific/linux/kernel/common-config.nix
+++ b/pkgs/os-specific/linux/kernel/common-config.nix
@@ -122,6 +122,13 @@ let
       # Default SATA link power management to "medium with device initiated PM"
       # for some extra power savings.
       SATA_MOBILE_LPM_POLICY           = whenAtLeast "5.18" (freeform "3");
+
+      # GPIO power management
+      POWER_RESET_GPIO                 = option yes;
+      POWER_RESET_GPIO_RESTART         = option yes;
+
+      # Enable Pulse-Width-Modulation support, commonly used for fan and backlight.
+      PWM                              = yes;
     } // optionalAttrs (stdenv.hostPlatform.isx86) {
       INTEL_IDLE                       = yes;
       INTEL_RAPL                       = whenAtLeast "5.3" module;
@@ -434,7 +441,8 @@ let
       # (stable) amdgpu support for bonaire and newer chipsets
       DRM_AMDGPU_CIK = yes;
       # Allow device firmware updates
-      DRM_DP_AUX_CHARDEV = yes;
+      DRM_DP_AUX_CHARDEV = whenOlder "6.10" yes;
+      DRM_DISPLAY_DP_AUX_CHARDEV = whenAtLeast "6.10" yes;
       # amdgpu display core (DC) support
       DRM_AMD_DC_DCN1_0 = whenOlder "5.6" yes;
       DRM_AMD_DC_DCN2_0 = whenBetween "5.3" "5.6" yes;
@@ -463,7 +471,8 @@ let
       MEDIA_CEC_RC = whenAtLeast "5.10" yes;
 
       # Enable CEC over DisplayPort
-      DRM_DP_CEC = yes;
+      DRM_DP_CEC = whenOlder "6.10" yes;
+      DRM_DISPLAY_DP_AUX_CEC = whenAtLeast "6.10" yes;
     } // optionalAttrs (stdenv.hostPlatform.system == "x86_64-linux") {
       # Intel GVT-g graphics virtualization supports 64-bit only
       DRM_I915_GVT = yes;
@@ -608,8 +617,8 @@ let
       F2FS_FS_COMPRESSION = whenAtLeast "5.6" yes;
       UDF_FS              = module;
 
-      NFSD_V2_ACL            = whenOlder "6.1" yes;
-      NFSD_V3                = whenOlder "5.18" yes;
+      NFSD_V2_ACL            = whenOlder "5.15" yes;
+      NFSD_V3                = whenOlder "5.15" yes;
       NFSD_V3_ACL            = yes;
       NFSD_V4                = yes;
       NFSD_V4_SECURITY_LABEL = yes;
@@ -864,11 +873,14 @@ let
     };
 
     zram = {
-      ZRAM           = module;
-      ZRAM_WRITEBACK = option yes;
-      ZSWAP          = option yes;
-      ZPOOL          = yes;
-      ZBUD           = option yes;
+      ZRAM                          = module;
+      ZRAM_WRITEBACK                = option yes;
+      ZRAM_MULTI_COMP               = whenAtLeast "6.2" yes;
+      ZRAM_DEF_COMP_ZSTD            = whenAtLeast "5.11" yes;
+      ZSWAP                         = option yes;
+      ZSWAP_COMPRESSOR_DEFAULT_ZSTD = whenAtLeast "5.7" (mkOptionDefault yes);
+      ZPOOL                         = yes;
+      ZSMALLOC                      = option yes;
     };
 
     brcmfmac = {
@@ -917,8 +929,10 @@ let
       # i686 issues: https://github.com/NixOS/nixpkgs/pull/117961#issuecomment-812106375
       useZstd = stdenv.buildPlatform.is64bit && versionAtLeast version "5.9";
     in {
-      KERNEL_XZ            = mkIf (!useZstd) yes;
-      KERNEL_ZSTD          = mkIf useZstd yes;
+      # stdenv.hostPlatform.linux-kernel.target assumes uncompressed on RISC-V.
+      KERNEL_UNCOMPRESSED  = mkIf stdenv.hostPlatform.isRiscV yes;
+      KERNEL_XZ            = mkIf (!stdenv.hostPlatform.isRiscV && !useZstd) yes;
+      KERNEL_ZSTD          = mkIf (!stdenv.hostPlatform.isRiscV && useZstd) yes;
 
       HID_BATTERY_STRENGTH = yes;
       # enabled by default in x86_64 but not arm64, so we do that here
@@ -940,8 +954,8 @@ let
       THRUSTMASTER_FF    = yes;
       ZEROPLUS_FF        = yes;
 
-      MODULE_COMPRESS    = whenOlder "5.13" yes;
-      MODULE_COMPRESS_XZ = yes;
+      MODULE_COMPRESS      = whenOlder "5.13" yes;
+      MODULE_COMPRESS_XZ   = yes;
 
       SYSVIPC            = yes;  # System-V IPC
 
@@ -1045,6 +1059,21 @@ let
 
       NVME_MULTIPATH = yes;
 
+      NVME_AUTH = mkMerge [
+        (whenBetween "6.0" "6.7" yes)
+        (whenAtLeast "6.7" module)
+      ];
+
+      NVME_HOST_AUTH = whenAtLeast "6.7" yes;
+      NVME_TCP_TLS = whenAtLeast "6.7" yes;
+
+      NVME_TARGET = module;
+      NVME_TARGET_PASSTHRU = whenAtLeast "5.9" yes;
+      NVME_TARGET_AUTH = whenAtLeast "6.0" yes;
+      NVME_TARGET_TCP_TLS = whenAtLeast "6.7" yes;
+
+      PCI_P2PDMA = mkIf (stdenv.hostPlatform.is64bit && versionAtLeast version "4.20") yes;
+
       PSI = whenAtLeast "4.20" yes;
 
       MOUSE_ELAN_I2C_SMBUS = yes;
@@ -1101,6 +1130,7 @@ let
       FW_LOADER_USER_HELPER_FALLBACK = option no;
 
       FW_LOADER_COMPRESS = whenAtLeast "5.3" yes;
+      FW_LOADER_COMPRESS_ZSTD = whenAtLeast "5.19" yes;
 
       HOTPLUG_PCI_ACPI = yes; # PCI hotplug using ACPI
       HOTPLUG_PCI_PCIE = yes; # PCI-Expresscard hotplug support
diff --git a/pkgs/os-specific/linux/kernel/generic.nix b/pkgs/os-specific/linux/kernel/generic.nix
index ae602ee0c112f..37c138402d006 100644
--- a/pkgs/os-specific/linux/kernel/generic.nix
+++ b/pkgs/os-specific/linux/kernel/generic.nix
@@ -12,9 +12,13 @@
 , rustc
 , rustPlatform
 , rust-bindgen
+# testing
+, emptyFile
+, nixos
 , nixosTests
-}:
+}@args':
 
+let overridableKernel =
 lib.makeOverridable ({ # The kernel source tarball.
   src
 
@@ -68,6 +72,10 @@ lib.makeOverridable ({ # The kernel source tarball.
 , preferBuiltin ? stdenv.hostPlatform.linux-kernel.preferBuiltin or false
 , kernelArch ? stdenv.hostPlatform.linuxArch
 , kernelTests ? []
+
+, stdenv ? args'.stdenv
+, buildPackages ? args'.buildPackages
+
 , ...
 }@args:
 
@@ -207,11 +215,15 @@ let
   }; # end of configfile derivation
 
   kernel = (callPackage ./manual-config.nix { inherit lib stdenv buildPackages; }) (basicArgs // {
-    inherit kernelPatches randstructSeed extraMakeFlags extraMeta configfile;
+    inherit kernelPatches randstructSeed extraMakeFlags extraMeta configfile modDirVersion;
     pos = builtins.unsafeGetAttrPos "version" args;
 
-    config = { CONFIG_MODULES = "y"; CONFIG_FW_LOADER = "m"; } // lib.optionalAttrs withRust { CONFIG_RUST = "y"; };
-  } // lib.optionalAttrs (modDirVersion != null) { inherit modDirVersion; });
+    config = {
+      CONFIG_MODULES = "y";
+      CONFIG_FW_LOADER = "m";
+      CONFIG_RUST = if withRust then "y" else "n";
+    };
+  });
 
 in
 kernel.overrideAttrs (finalAttrs: previousAttrs: {
@@ -237,7 +249,41 @@ kernel.overrideAttrs (finalAttrs: previousAttrs: {
             + toString (lib.attrNames (lib.toFunction args { }))
           ) overridableKernel;
       };
-    in [ (nixosTests.kernel-generic.passthru.testsForKernel overridableKernel) ] ++ kernelTests;
+      /* Certain arguments must be evaluated lazily; so that only the output(s) depend on them.
+         Original reproducer / simplified use case:
+       */
+      versionDoesNotDependOnPatchesEtcNixOS =
+        builtins.seq
+          (nixos ({ config, pkgs, ... }: {
+              boot.kernelPatches = [
+                (builtins.seq config.boot.kernelPackages.kernel.version { patch = pkgs.emptyFile; })
+              ];
+          })).config.boot.kernelPackages.kernel.outPath
+          emptyFile;
+      versionDoesNotDependOnPatchesEtc =
+        builtins.seq
+          (import ./generic.nix args' (args // (
+          let explain = attrName:
+            ''
+              The ${attrName} attribute must be able to access the kernel.version attribute without an infinite recursion.
+              That means that the kernel attrset (attrNames) and the kernel.version attribute must not depend on the ${attrName} argument.
+              The fact that this exception is raised shows that such a dependency does exist.
+              This is a problem for the configurability of ${attrName} in version-aware logic such as that in NixOS.
+              Strictness can creep in through optional attributes, or assertions and warnings that run as part of code that shouldn't access what is checked.
+            '';
+          in {
+            kernelPatches = throw (explain "kernelPatches");
+            structuredExtraConfig = throw (explain "structuredExtraConfig");
+            modDirVersion = throw (explain "modDirVersion");
+          }))).version
+          emptyFile;
+    in [
+      (nixosTests.kernel-generic.passthru.testsForKernel overridableKernel)
+      versionDoesNotDependOnPatchesEtc
+      # Disabled by default, because the infinite recursion is hard to understand. The other test's error is better and produces a shorter trace.
+      # versionDoesNotDependOnPatchesEtcNixOS
+    ] ++ kernelTests;
   };
 
-}))
+}));
+in overridableKernel
diff --git a/pkgs/os-specific/linux/kernel/hardened/config.nix b/pkgs/os-specific/linux/kernel/hardened/config.nix
index dec6a757c5290..d687366dbe2f8 100644
--- a/pkgs/os-specific/linux/kernel/hardened/config.nix
+++ b/pkgs/os-specific/linux/kernel/hardened/config.nix
@@ -88,7 +88,7 @@ assert (versionAtLeast version "4.9");
   UBSAN      = yes;
   UBSAN_TRAP = whenAtLeast "5.7" yes;
   UBSAN_BOUNDS = whenAtLeast "5.7" yes;
-  UBSAN_SANITIZE_ALL = yes;
+  UBSAN_SANITIZE_ALL = whenOlder "6.9" yes;
   UBSAN_LOCAL_BOUNDS = option yes; # clang only
   CFI_CLANG = option yes; # clang only Control Flow Integrity since 6.1
 
@@ -97,7 +97,7 @@ assert (versionAtLeast version "4.9");
   RANDSTRUCT_PERFORMANCE = whenAtLeast "5.19" yes;
 
   # Disable various dangerous settings
-  ACPI_CUSTOM_METHOD = no; # Allows writing directly to physical memory
+  ACPI_CUSTOM_METHOD = whenOlder "6.9" no; # Allows writing directly to physical memory
   PROC_KCORE         = no; # Exposes kernel text image layout
   INET_DIAG          = no; # Has been used for heap based attacks in the past
 
diff --git a/pkgs/os-specific/linux/kernel/hardened/patches.json b/pkgs/os-specific/linux/kernel/hardened/patches.json
index 21772b2e03eb0..62f1fcdda20c6 100644
--- a/pkgs/os-specific/linux/kernel/hardened/patches.json
+++ b/pkgs/os-specific/linux/kernel/hardened/patches.json
@@ -2,81 +2,81 @@
     "4.19": {
         "patch": {
             "extra": "-hardened1",
-            "name": "linux-hardened-4.19.309-hardened1.patch",
-            "sha256": "1hww72w5anmfr9czqbl31glzl70s34492k9qz9zax141zg1sf6sp",
-            "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.19.309-hardened1/linux-hardened-4.19.309-hardened1.patch"
+            "name": "linux-hardened-4.19.315-hardened1.patch",
+            "sha256": "1w17mwsv618pw5bkahmz6in0i5zjjxd3d14gggafqdd3dgfr1h8q",
+            "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.19.315-hardened1/linux-hardened-4.19.315-hardened1.patch"
         },
-        "sha256": "1yc45kfiwdqsqa11sxafs82b0day6qvgjcll8rx9vipidsmagbcm",
-        "version": "4.19.309"
+        "sha256": "1j1j8awy0237jp2r211qpa305c10y7rlcbkxkzdvzbgyhwy4spkc",
+        "version": "4.19.315"
     },
     "5.10": {
         "patch": {
             "extra": "-hardened1",
-            "name": "linux-hardened-5.10.212-hardened1.patch",
-            "sha256": "0h04i94vshhcli5m4qpnqg4vsi5v1ifvdhhklk7c0bvkfk35cbml",
-            "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.10.212-hardened1/linux-hardened-5.10.212-hardened1.patch"
+            "name": "linux-hardened-5.10.218-hardened1.patch",
+            "sha256": "1ah4pznha17ngg3w7l0j74h4910gjv8qj503adrap7plvapf82m4",
+            "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.10.218-hardened1/linux-hardened-5.10.218-hardened1.patch"
         },
-        "sha256": "14vll2bghd52wngjxy78hgglydcxka59yziji0w56dcdpmky9wqc",
-        "version": "5.10.212"
+        "sha256": "1mmj5hwm5i16gc1y4nzr1cs882vi6vrihrincdcivv63x11v4dlw",
+        "version": "5.10.218"
     },
     "5.15": {
         "patch": {
             "extra": "-hardened1",
-            "name": "linux-hardened-5.15.151-hardened1.patch",
-            "sha256": "040jc5n9qsdz2wv5ksfvc28vd72nmya2i2f0ps0jiras6l2wlhjz",
-            "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.15.151-hardened1/linux-hardened-5.15.151-hardened1.patch"
+            "name": "linux-hardened-5.15.160-hardened1.patch",
+            "sha256": "1r10ylx886rslsmrixlijjm4crhwzkl3wj6kpyn2344qik1gxpqr",
+            "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.15.160-hardened1/linux-hardened-5.15.160-hardened1.patch"
         },
-        "sha256": "0jby224ncdardjwmf8c59s5j71inpvdlzah984ilf2b6y85pc7la",
-        "version": "5.15.151"
+        "sha256": "018v19a7rhzc4szybzzn86jlnk42x7jm6xkadfd2d3xq6f7727pl",
+        "version": "5.15.160"
     },
     "5.4": {
         "patch": {
             "extra": "-hardened1",
-            "name": "linux-hardened-5.4.271-hardened1.patch",
-            "sha256": "0rw5il7885d0d3k2hmh46541svib6rp32g00fcl5bw37ydmq3z8b",
-            "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.4.271-hardened1/linux-hardened-5.4.271-hardened1.patch"
+            "name": "linux-hardened-5.4.277-hardened1.patch",
+            "sha256": "1zjw5wl8lj69j402qm8dg3m4dxgq3ppx2jyz8jks976vyhh8fsg4",
+            "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.4.277-hardened1/linux-hardened-5.4.277-hardened1.patch"
         },
-        "sha256": "0l2qv4xlhnry9crs90rkihsxyny6jz8kxw08bfad7nys9hrn3g6d",
-        "version": "5.4.271"
+        "sha256": "0l8zq3k07hdprfpvw69ykkf2pdg8wiv28xz733yxsjcfb0l5n7vy",
+        "version": "5.4.277"
     },
     "6.1": {
         "patch": {
             "extra": "-hardened1",
-            "name": "linux-hardened-6.1.81-hardened1.patch",
-            "sha256": "0af9dxdsa858zyqc0vsrzg098afhg5vpb2wpr6gj2ykwc13iaf07",
-            "url": "https://github.com/anthraxx/linux-hardened/releases/download/6.1.81-hardened1/linux-hardened-6.1.81-hardened1.patch"
+            "name": "linux-hardened-6.1.92-hardened1.patch",
+            "sha256": "0cw87ygmisi823y3f7xrck12b6zh3mq1qmb7lcmr3hg6w3xskmn3",
+            "url": "https://github.com/anthraxx/linux-hardened/releases/download/6.1.92-hardened1/linux-hardened-6.1.92-hardened1.patch"
         },
-        "sha256": "0arl96yrqplbmp2gjyqcfma1lgc30kbn95m0sflv0yyldwf8dg8f",
-        "version": "6.1.81"
+        "sha256": "1j9n8gk76nn4gw42iba5zgghr360gb9n1mslr5dyv76wpwkz86ch",
+        "version": "6.1.92"
     },
-    "6.5": {
+    "6.6": {
         "patch": {
             "extra": "-hardened1",
-            "name": "linux-hardened-6.5.13-hardened1.patch",
-            "sha256": "1fj6yaq2gdjlj2h19vkm13jrx0yiczj6pvric1kq1r6cprqrkkki",
-            "url": "https://github.com/anthraxx/linux-hardened/releases/download/6.5.13-hardened1/linux-hardened-6.5.13-hardened1.patch"
+            "name": "linux-hardened-6.6.32-hardened1.patch",
+            "sha256": "19362a6lxs3cnaw19jvda7n791y95lfgn9ki4wmaxnw2qbpi0bgg",
+            "url": "https://github.com/anthraxx/linux-hardened/releases/download/6.6.32-hardened1/linux-hardened-6.6.32-hardened1.patch"
         },
-        "sha256": "1dfbbydmayfj9npx3z0g38p574pmcx3qgs49dv0npigl48wd9yvq",
-        "version": "6.5.13"
+        "sha256": "1qbc8dqmk2xs1cz968rysw5xvhq3lj8g0pxp48fr2qbzy3m29a5a",
+        "version": "6.6.32"
     },
-    "6.6": {
+    "6.8": {
         "patch": {
             "extra": "-hardened1",
-            "name": "linux-hardened-6.6.21-hardened1.patch",
-            "sha256": "0k35s5pj92lvfp6kw3isg78zc3gijsg0xbzcyvxdkmhzaq8j6i1i",
-            "url": "https://github.com/anthraxx/linux-hardened/releases/download/6.6.21-hardened1/linux-hardened-6.6.21-hardened1.patch"
+            "name": "linux-hardened-6.8.11-hardened1.patch",
+            "sha256": "08i03dmri9h6jxcjd9g6s7pv0spqi3f4fgch1ars68cgngikvbpq",
+            "url": "https://github.com/anthraxx/linux-hardened/releases/download/6.8.11-hardened1/linux-hardened-6.8.11-hardened1.patch"
         },
-        "sha256": "0mz420w99agr7jv1jgqfr4fjhzbv005xif086sqx556s900l62zf",
-        "version": "6.6.21"
+        "sha256": "1di8kr596sf68sm61kp5rz6bn3sb0q5ag1qc5hm8f9dpyq4wv3dp",
+        "version": "6.8.11"
     },
-    "6.7": {
+    "6.9": {
         "patch": {
             "extra": "-hardened1",
-            "name": "linux-hardened-6.7.6-hardened1.patch",
-            "sha256": "063yrs3g0knlz37aq979jhng9k6l19873nbi1jy167xfqmpqqajr",
-            "url": "https://github.com/anthraxx/linux-hardened/releases/download/6.7.6-hardened1/linux-hardened-6.7.6-hardened1.patch"
+            "name": "linux-hardened-6.9.2-hardened1.patch",
+            "sha256": "0ph1m0pnlqrhvddz2mjgcwvs0ddcpzigz8kgi9zi063qinlfbm3q",
+            "url": "https://github.com/anthraxx/linux-hardened/releases/download/6.9.2-hardened1/linux-hardened-6.9.2-hardened1.patch"
         },
-        "sha256": "1lrp7pwnxnqyy8c2l4n4nz997039gbnssrfm8ss8kl3h2c7fr2g4",
-        "version": "6.7.6"
+        "sha256": "1yg5j284y1gz7zwxjz2abvlnas259m1y1vzd9lmcqqar5kgmnv6l",
+        "version": "6.9.2"
     }
 }
diff --git a/pkgs/os-specific/linux/kernel/hardened/update.py b/pkgs/os-specific/linux/kernel/hardened/update.py
index cb624ebe86b93..1e34ca209aa90 100755
--- a/pkgs/os-specific/linux/kernel/hardened/update.py
+++ b/pkgs/os-specific/linux/kernel/hardened/update.py
@@ -211,6 +211,7 @@ with open(NIXPKGS_KERNEL_PATH / "kernels-org.json") as kernel_versions_json:
 
 # Remove patches for unpackaged kernel versions.
 for kernel_key in sorted(patches.keys() - kernel_versions.keys()):
+    del patches[kernel_key]
     commit_patches(kernel_key=kernel_key, message="remove")
 
 g = Github(os.environ.get("GITHUB_TOKEN"))
diff --git a/pkgs/os-specific/linux/kernel/htmldocs.nix b/pkgs/os-specific/linux/kernel/htmldocs.nix
index ba641347c839e..b811cf12bb01d 100644
--- a/pkgs/os-specific/linux/kernel/htmldocs.nix
+++ b/pkgs/os-specific/linux/kernel/htmldocs.nix
@@ -6,7 +6,6 @@
 , makeFontsConf
 , perl
 , python3
-, sphinx
 , which
 }:
 
@@ -18,7 +17,8 @@ stdenv.mkDerivation {
   postPatch = ''
     patchShebangs \
       Documentation/sphinx/parse-headers.pl \
-      scripts/{get_abi.pl,get_feat.pl,kernel-doc,sphinx-pre-install}
+      scripts/{get_abi.pl,get_feat.pl,kernel-doc,sphinx-pre-install} \
+      tools/net/ynl/ynl-gen-rst.py
   '';
 
   FONTCONFIG_FILE = makeFontsConf {
@@ -31,6 +31,7 @@ stdenv.mkDerivation {
     perl
     python3.pkgs.sphinx
     python3.pkgs.sphinx-rtd-theme
+    python3.pkgs.pyyaml
     which
   ];
 
@@ -46,11 +47,11 @@ stdenv.mkDerivation {
     cp -r Documentation/* $out/share/doc/linux-doc/
   '';
 
-  meta = with lib; {
+  meta = {
     description = "Linux kernel html documentation";
     homepage = "https://www.kernel.org/doc/htmldocs/";
-    platforms = platforms.linux;
+    platforms = lib.platforms.linux;
     inherit (linux_latest.meta) license;
-    maintainers = with maintainers; [ ];
+    maintainers = with lib.maintainers; [ sigmanificient ];
   };
 }
diff --git a/pkgs/os-specific/linux/kernel/kernels-org.json b/pkgs/os-specific/linux/kernel/kernels-org.json
index d0940be80ba3e..38e82c9838007 100644
--- a/pkgs/os-specific/linux/kernel/kernels-org.json
+++ b/pkgs/os-specific/linux/kernel/kernels-org.json
@@ -1,38 +1,38 @@
 {
     "testing": {
-        "version": "6.9-rc1",
-        "hash": "sha256:05hi2vfmsjwl5yhqmy4h5a954090nv48z9gabhvh16xlaqlfh8nz"
+        "version": "6.10-rc1",
+        "hash": "sha256:006frl76cwi9a4mw7x6vsyazgrjfiz1gn4q4hvpykqql5mar3a05"
     },
     "6.1": {
-        "version": "6.1.83",
-        "hash": "sha256:145iw3wii7znhrqdmgnwhswk235g6gw8axjjji2cw4rn148rddl8"
+        "version": "6.1.92",
+        "hash": "sha256:1j9n8gk76nn4gw42iba5zgghr360gb9n1mslr5dyv76wpwkz86ch"
     },
     "5.15": {
-        "version": "5.15.153",
-        "hash": "sha256:1g44gjcwcdq5552vwinljqwiy90bxax72jjvdasp71x88khv3pfp"
+        "version": "5.15.160",
+        "hash": "sha256:018v19a7rhzc4szybzzn86jlnk42x7jm6xkadfd2d3xq6f7727pl"
     },
     "5.10": {
-        "version": "5.10.214",
-        "hash": "sha256:0n7m82hw2rkw5mhdqw0vvmq7kq0s43jalr53sbv09wl17vai9w20"
+        "version": "5.10.218",
+        "hash": "sha256:1mmj5hwm5i16gc1y4nzr1cs882vi6vrihrincdcivv63x11v4dlw"
     },
     "5.4": {
-        "version": "5.4.273",
-        "hash": "sha256:0hs7af3mcnk5mmp3c5vjl187nva2kzsdx487nd12a8m7zb9wz84b"
+        "version": "5.4.277",
+        "hash": "sha256:0l8zq3k07hdprfpvw69ykkf2pdg8wiv28xz733yxsjcfb0l5n7vy"
     },
     "4.19": {
-        "version": "4.19.311",
-        "hash": "sha256:10dww3cyazcf3wjzh8igpa0frb8gvl6amnksh42zfkji4mskh2r6"
+        "version": "4.19.315",
+        "hash": "sha256:1j1j8awy0237jp2r211qpa305c10y7rlcbkxkzdvzbgyhwy4spkc"
     },
     "6.6": {
-        "version": "6.6.23",
-        "hash": "sha256:1fd824ia3ngy65c5qaaln7m66ca4p80bwlnvvk76pw4yrccx23r0"
-    },
-    "6.7": {
-        "version": "6.7.11",
-        "hash": "sha256:0jhb175nlcncrp0y8md7p83yydlx6qqql6llav8djbv3f74rfr1c"
+        "version": "6.6.32",
+        "hash": "sha256:1qbc8dqmk2xs1cz968rysw5xvhq3lj8g0pxp48fr2qbzy3m29a5a"
     },
     "6.8": {
-        "version": "6.8.2",
-        "hash": "sha256:013xs37cnan72baqvmn2qrcbs5bbcv1gaafrcx3a166gbgc25hws"
+        "version": "6.8.12",
+        "hash": "sha256:0fb0m0fv4521g63gq04d7lm6hy8169s1rykiav5bkd99s9b1kcqr"
+    },
+    "6.9": {
+        "version": "6.9.3",
+        "hash": "sha256:1bnzxparybwh320019pr2msaapas41dhjmvg4gy791rn05jc88f3"
     }
 }
diff --git a/pkgs/os-specific/linux/kernel/linux-libre.nix b/pkgs/os-specific/linux/kernel/linux-libre.nix
index 01daee4015f02..4bb2ebda3d028 100644
--- a/pkgs/os-specific/linux/kernel/linux-libre.nix
+++ b/pkgs/os-specific/linux/kernel/linux-libre.nix
@@ -1,8 +1,8 @@
 { stdenv, lib, fetchsvn, linux
 , scripts ? fetchsvn {
     url = "https://www.fsfla.org/svn/fsfla/software/linux-libre/releases/branches/";
-    rev = "19509";
-    sha256 = "0dkjvpb075jdasvic8sfpy0dj48fsxgj2yl0zrply7gkaahgns8q";
+    rev = "19575";
+    sha256 = "1f826x8a6nmqcjcplg5x4rcqkr3p886abxhyqir8a102ymnh7wkw";
   }
 , ...
 }:
diff --git a/pkgs/os-specific/linux/kernel/linux-rt-5.10.nix b/pkgs/os-specific/linux/kernel/linux-rt-5.10.nix
index 337594115fa6f..d2cc98b8159dc 100644
--- a/pkgs/os-specific/linux/kernel/linux-rt-5.10.nix
+++ b/pkgs/os-specific/linux/kernel/linux-rt-5.10.nix
@@ -6,7 +6,7 @@
 , ... } @ args:
 
 let
-  version = "5.10.213-rt105"; # updated by ./update-rt.sh
+  version = "5.10.217-rt109"; # updated by ./update-rt.sh
   branch = lib.versions.majorMinor version;
   kversion = builtins.elemAt (lib.splitString "-" version) 0;
 in buildLinux (args // {
@@ -17,14 +17,14 @@ in buildLinux (args // {
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v5.x/linux-${kversion}.tar.xz";
-    sha256 = "105df7w6m5a3fngi6ajqs5qblaq4lbxsgcppllrk7v1r68i31kw4";
+    sha256 = "0qhzqrjci45vcbzjch7vq75i6hpyap6yb7jw6g71phcnqgzw2ay5";
   };
 
   kernelPatches = let rt-patch = {
     name = "rt";
     patch = fetchurl {
       url = "mirror://kernel/linux/kernel/projects/rt/${branch}/older/patch-${version}.patch.xz";
-      sha256 = "1q5kz3mfvwb4fd5i2mbklsa6gifb8g3wbq0wi2478q097dvmb6gi";
+      sha256 = "1cszl9414vbycswx2gjv12wdghhw5s6amd9mjmx619r2a1r0gnb7";
     };
   }; in [ rt-patch ] ++ kernelPatches;
 
diff --git a/pkgs/os-specific/linux/kernel/linux-rt-5.15.nix b/pkgs/os-specific/linux/kernel/linux-rt-5.15.nix
index 189a211c8e488..5e43eca364d42 100644
--- a/pkgs/os-specific/linux/kernel/linux-rt-5.15.nix
+++ b/pkgs/os-specific/linux/kernel/linux-rt-5.15.nix
@@ -6,7 +6,7 @@
 , ... } @ args:
 
 let
-  version = "5.15.148-rt74"; # updated by ./update-rt.sh
+  version = "5.15.158-rt76"; # updated by ./update-rt.sh
   branch = lib.versions.majorMinor version;
   kversion = builtins.elemAt (lib.splitString "-" version) 0;
 in buildLinux (args // {
@@ -18,14 +18,14 @@ in buildLinux (args // {
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v5.x/linux-${kversion}.tar.xz";
-    sha256 = "1n75lrck581mppx84cds1a1l5vj05cdkp8ahpry7dx6rgz4pb1f4";
+    sha256 = "1inmdpif3qf1blmvjj4i7y42bylvhv0wyj3b0apq12zxlj1iq1zr";
   };
 
   kernelPatches = let rt-patch = {
     name = "rt";
     patch = fetchurl {
       url = "mirror://kernel/linux/kernel/projects/rt/${branch}/older/patch-${version}.patch.xz";
-      sha256 = "0vbwqrkzigjfwmyxfbhq5n1g1qvyis949r97zqxhnmanq7c4njdk";
+      sha256 = "17kw7cs1p0qgqf911prn3472c1j7r01g0mzqxsxpkdvhawxps7wy";
     };
   }; in [ rt-patch ] ++ kernelPatches;
 
diff --git a/pkgs/os-specific/linux/kernel/linux-rt-6.1.nix b/pkgs/os-specific/linux/kernel/linux-rt-6.1.nix
index 6547a8e5e5098..f7f21a71263bd 100644
--- a/pkgs/os-specific/linux/kernel/linux-rt-6.1.nix
+++ b/pkgs/os-specific/linux/kernel/linux-rt-6.1.nix
@@ -6,7 +6,7 @@
 , ... } @ args:
 
 let
-  version = "6.1.82-rt27"; # updated by ./update-rt.sh
+  version = "6.1.92-rt32"; # updated by ./update-rt.sh
   branch = lib.versions.majorMinor version;
   kversion = builtins.elemAt (lib.splitString "-" version) 0;
 in buildLinux (args // {
@@ -18,14 +18,14 @@ in buildLinux (args // {
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v6.x/linux-${kversion}.tar.xz";
-    sha256 = "01pcrcjp5mifjjmfz7j1jb8nhq8nkxspavxmv1l7d1qnskcx4l6i";
+    sha256 = "1j9n8gk76nn4gw42iba5zgghr360gb9n1mslr5dyv76wpwkz86ch";
   };
 
   kernelPatches = let rt-patch = {
     name = "rt";
     patch = fetchurl {
       url = "mirror://kernel/linux/kernel/projects/rt/${branch}/older/patch-${version}.patch.xz";
-      sha256 = "03mj6p9z5c2hzdl46479gb9x41papq91g86yyc61fv8hj8kxgysc";
+      sha256 = "00qa6l4jvkdny276jnwnra5dkagnp3qr43amf2mpqx3kdfw28g1q";
     };
   }; in [ rt-patch ] ++ kernelPatches;
 
diff --git a/pkgs/os-specific/linux/kernel/linux-rt-6.6.nix b/pkgs/os-specific/linux/kernel/linux-rt-6.6.nix
index d84f95ccbc1fa..2f035b259b602 100644
--- a/pkgs/os-specific/linux/kernel/linux-rt-6.6.nix
+++ b/pkgs/os-specific/linux/kernel/linux-rt-6.6.nix
@@ -6,7 +6,7 @@
 , ... } @ args:
 
 let
-  version = "6.6.22-rt27"; # updated by ./update-rt.sh
+  version = "6.6.32-rt32"; # updated by ./update-rt.sh
   branch = lib.versions.majorMinor version;
   kversion = builtins.elemAt (lib.splitString "-" version) 0;
 in buildLinux (args // {
@@ -18,14 +18,14 @@ in buildLinux (args // {
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v6.x/linux-${kversion}.tar.xz";
-    sha256 = "1x52c6ywmspp3naishzsknhy7i0b7mv9baxx25a0y987cjsygqr3";
+    sha256 = "1qbc8dqmk2xs1cz968rysw5xvhq3lj8g0pxp48fr2qbzy3m29a5a";
   };
 
   kernelPatches = let rt-patch = {
     name = "rt";
     patch = fetchurl {
       url = "mirror://kernel/linux/kernel/projects/rt/${branch}/older/patch-${version}.patch.xz";
-      sha256 = "01n9khj51xf8dj2hhxhlkha4f8hwf6w5marc227ljm9w5hlza12g";
+      sha256 = "0hv2z6d2gw7hqfzw6dgrzxlirk4yifcxbmx71hxlvd9l2vgp72q5";
     };
   }; in [ rt-patch ] ++ kernelPatches;
 
diff --git a/pkgs/os-specific/linux/kernel/manual-config.nix b/pkgs/os-specific/linux/kernel/manual-config.nix
index baf0231f13e16..0c176d3e12d93 100644
--- a/pkgs/os-specific/linux/kernel/manual-config.nix
+++ b/pkgs/os-specific/linux/kernel/manual-config.nix
@@ -26,7 +26,7 @@ in lib.makeOverridable ({
   extraMakeFlags ? [],
   # The name of the kernel module directory
   # Needs to be X.Y.Z[-extra], so pad with zeros if needed.
-  modDirVersion ? lib.versions.pad 3 version,
+  modDirVersion ? null /* derive from version */,
   # The kernel source (tarball, git checkout, etc.)
   src,
   # a list of { name=..., patch=..., extraConfig=...} patches
@@ -54,11 +54,45 @@ in lib.makeOverridable ({
 }:
 
 let
+  # Provide defaults. Note that we support `null` so that callers don't need to use optionalAttrs,
+  # which can lead to unnecessary strictness and infinite recursions.
+  modDirVersion_ = if modDirVersion == null then lib.versions.pad 3 version else modDirVersion;
+in
+let
+  # Shadow the un-defaulted parameter; don't want null.
+  modDirVersion = modDirVersion_;
   inherit (lib)
     hasAttr getAttr optional optionals optionalString optionalAttrs maintainers platforms;
 
   drvAttrs = config_: kernelConf: kernelPatches: configfile:
     let
+      # Folding in `ubootTools` in the default nativeBuildInputs is problematic, as
+      # it makes updating U-Boot cumbersome, since it will go above the current
+      # threshold of rebuilds
+      #
+      # To prevent these needless rounds of staging for U-Boot builds, we can
+      # limit the inclusion of ubootTools to target platforms where uImage *may*
+      # be produced.
+      #
+      # This command lists those (kernel-named) platforms:
+      #     .../linux $ grep -l uImage ./arch/*/Makefile | cut -d'/' -f3 | sort
+      #
+      # This is still a guesstimation, but since none of our cached platforms
+      # coincide in that list, this gives us "perfect" decoupling here.
+      linuxPlatformsUsingUImage = [
+        "arc"
+        "arm"
+        "csky"
+        "mips"
+        "powerpc"
+        "sh"
+        "sparc"
+        "xtensa"
+      ];
+      needsUbootTools =
+        lib.elem stdenv.hostPlatform.linuxArch linuxPlatformsUsingUImage
+      ;
+
       config = let attrName = attr: "CONFIG_" + attr; in {
         isSet = attr: hasAttr (attrName attr) config;
 
@@ -106,7 +140,8 @@ let
       inherit src;
 
       depsBuildBuild = [ buildPackages.stdenv.cc ];
-      nativeBuildInputs = [ perl bc nettools openssl rsync gmp libmpc mpfr zstd python3Minimal kmod ubootTools ]
+      nativeBuildInputs = [ perl bc nettools openssl rsync gmp libmpc mpfr zstd python3Minimal kmod ]
+                          ++ optional  needsUbootTools ubootTools
                           ++ optional  (lib.versionOlder version "5.8") libelf
                           ++ optionals (lib.versionAtLeast version "4.16") [ bison flex ]
                           ++ optionals (lib.versionAtLeast version "5.2")  [ cpio pahole zlib ]
@@ -266,10 +301,10 @@ let
         export HOME=${installkernel}
       '';
 
-      # Some image types need special install targets (e.g. uImage is installed with make uinstall)
+      # Some image types need special install targets (e.g. uImage is installed with make uinstall on arm)
       installTargets = [
         (kernelConf.installTarget or (
-          /**/ if kernelConf.target == "uImage" then "uinstall"
+          /**/ if kernelConf.target == "uImage" && stdenv.hostPlatform.linuxArch == "arm" then "uinstall"
           else if kernelConf.target == "zImage" || kernelConf.target == "Image.gz" then "zinstall"
           else "install"))
       ];
diff --git a/pkgs/os-specific/linux/kernel/patches.nix b/pkgs/os-specific/linux/kernel/patches.nix
index 9c2b50f95952a..20100774395e1 100644
--- a/pkgs/os-specific/linux/kernel/patches.nix
+++ b/pkgs/os-specific/linux/kernel/patches.nix
@@ -66,15 +66,6 @@
     patch = ./export-rt-sched-migrate.patch;
   };
 
-  rust_1_74 = {
-    name = "rust-1.74.patch";
-    patch = fetchpatch {
-      name = "rust-1.74.patch";
-      url = "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/patch/?id=80fe9e51510b23472ad0f97175556490549ed714";
-      hash = "sha256-yGt7PwqN/G+ZtZSt6eARvVFdkC8tnUiu0Fz4cFCyguM=";
-    };
-  };
-
   rust_1_75 = {
     name = "rust-1.75.patch";
     patch = ./rust-1.75.patch;
@@ -88,4 +79,18 @@
       hash = "sha256-q3iNBo8t4b1Rn5k5lau2myqOAqdA/9V9A+ok2jGkLdY=";
     };
   };
+
+  rust_1_77-6_8 = {
+    name = "rust-1.77.patch";
+    patch = fetchurl {
+      name = "rust-1.77.patch";
+      url = "https://lore.kernel.org/rust-for-linux/20240217002717.57507-1-ojeda@kernel.org/raw";
+      hash = "sha256-0KW9nHpJeMSDssCPXWZbrN8kxq5bA434t+XuPfwslUc=";
+    };
+  };
+
+  rust_1_77-6_9 = {
+    name = "rust-1.77.patch";
+    patch = ./rust-1.77.patch;
+  };
 }
diff --git a/pkgs/os-specific/linux/kernel/rust-1.77.patch b/pkgs/os-specific/linux/kernel/rust-1.77.patch
new file mode 100644
index 0000000000000..8bd0a5e337154
--- /dev/null
+++ b/pkgs/os-specific/linux/kernel/rust-1.77.patch
@@ -0,0 +1,792 @@
+From d69265b7d756931b2e763a3262f22ba4100895a0 Mon Sep 17 00:00:00 2001
+From: Miguel Ojeda <ojeda@kernel.org>
+Date: Sat, 17 Feb 2024 01:27:17 +0100
+Subject: [PATCH] rust: upgrade to Rust 1.77.0
+
+This is the next upgrade to the Rust toolchain, from 1.76.0 to 1.77.0
+(i.e. the latest) [1].
+
+See the upgrade policy [2] and the comments on the first upgrade in
+commit 3ed03f4da06e ("rust: upgrade to Rust 1.68.2").
+
+The `offset_of` feature (single-field `offset_of!`) that we were using
+got stabilized in Rust 1.77.0 [3].
+
+Therefore, now the only unstable features allowed to be used outside the
+`kernel` crate is `new_uninit`, though other code to be upstreamed may
+increase the list.
+
+Please see [4] for details.
+
+Rust 1.77.0 merged the `unused_tuple_struct_fields` lint into `dead_code`,
+thus upgrading it from `allow` to `warn` [5]. In turn, this makes `rustc`
+complain about the `ThisModule`'s pointer field being never read. Thus
+locally `allow` it for the moment, since we will have users later on
+(e.g. Binder needs a `as_ptr` method [6]).
+
+Rust 1.77.0 introduces the `--check-cfg` feature [7], for which there
+is a Call for Testing going on [8]. We were requested to test it and
+we found it useful [9] -- we will likely enable it in the future.
+
+The vast majority of changes are due to our `alloc` fork being upgraded
+at once.
+
+There are two kinds of changes to be aware of: the ones coming from
+upstream, which we should follow as closely as possible, and the updates
+needed in our added fallible APIs to keep them matching the newer
+infallible APIs coming from upstream.
+
+Instead of taking a look at the diff of this patch, an alternative
+approach is reviewing a diff of the changes between upstream `alloc` and
+the kernel's. This allows to easily inspect the kernel additions only,
+especially to check if the fallible methods we already have still match
+the infallible ones in the new version coming from upstream.
+
+Another approach is reviewing the changes introduced in the additions in
+the kernel fork between the two versions. This is useful to spot
+potentially unintended changes to our additions.
+
+To apply these approaches, one may follow steps similar to the following
+to generate a pair of patches that show the differences between upstream
+Rust and the kernel (for the subset of `alloc` we use) before and after
+applying this patch:
+
+    # Get the difference with respect to the old version.
+    git -C rust checkout $(linux/scripts/min-tool-version.sh rustc)
+    git -C linux ls-tree -r --name-only HEAD -- rust/alloc |
+        cut -d/ -f3- |
+        grep -Fv README.md |
+        xargs -IPATH cp rust/library/alloc/src/PATH linux/rust/alloc/PATH
+    git -C linux diff --patch-with-stat --summary -R > old.patch
+    git -C linux restore rust/alloc
+
+    # Apply this patch.
+    git -C linux am rust-upgrade.patch
+
+    # Get the difference with respect to the new version.
+    git -C rust checkout $(linux/scripts/min-tool-version.sh rustc)
+    git -C linux ls-tree -r --name-only HEAD -- rust/alloc |
+        cut -d/ -f3- |
+        grep -Fv README.md |
+        xargs -IPATH cp rust/library/alloc/src/PATH linux/rust/alloc/PATH
+    git -C linux diff --patch-with-stat --summary -R > new.patch
+    git -C linux restore rust/alloc
+
+Now one may check the `new.patch` to take a look at the additions (first
+approach) or at the difference between those two patches (second
+approach). For the latter, a side-by-side tool is recommended.
+
+Link: https://github.com/rust-lang/rust/blob/stable/RELEASES.md#version-1770-2024-03-21 [1]
+Link: https://rust-for-linux.com/rust-version-policy [2]
+Link: https://github.com/rust-lang/rust/pull/118799 [3]
+Link: https://github.com/Rust-for-Linux/linux/issues/2 [4]
+Link: https://github.com/rust-lang/rust/pull/118297 [5]
+Link: https://lore.kernel.org/rust-for-linux/20231101-rust-binder-v1-2-08ba9197f637@google.com/#Z31rust:kernel:lib.rs [6]
+Link: https://doc.rust-lang.org/nightly/unstable-book/compiler-flags/check-cfg.html [7]
+Link: https://github.com/rust-lang/rfcs/pull/3013#issuecomment-1936648479 [8]
+Link: https://github.com/rust-lang/rust/issues/82450#issuecomment-1947462977 [9]
+Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
+Link: https://lore.kernel.org/r/20240217002717.57507-1-ojeda@kernel.org
+Link: https://github.com/Rust-for-Linux/linux/commit/d69265b7d756931b2e763a3262f22ba4100895a0
+Signed-off-by: Alyssa Ross <hi@alyssa.is>
+---
+ Documentation/process/changes.rst |   2 +-
+ rust/alloc/alloc.rs               |   6 +-
+ rust/alloc/boxed.rs               |   4 +-
+ rust/alloc/lib.rs                 |   7 +-
+ rust/alloc/raw_vec.rs             |  13 ++--
+ rust/alloc/slice.rs               |   4 +-
+ rust/alloc/vec/into_iter.rs       | 108 +++++++++++++++++++-----------
+ rust/alloc/vec/mod.rs             | 101 +++++++++++++++++++---------
+ rust/kernel/lib.rs                |   3 +-
+ scripts/Makefile.build            |   2 +-
+ scripts/min-tool-version.sh       |   2 +-
+ 11 files changed, 161 insertions(+), 91 deletions(-)
+
+diff --git a/Documentation/process/changes.rst b/Documentation/process/changes.rst
+index 7ef8de58f7f892..879ee628893ae1 100644
+--- a/Documentation/process/changes.rst
++++ b/Documentation/process/changes.rst
+@@ -31,7 +31,7 @@ you probably needn't concern yourself with pcmciautils.
+ ====================== ===============  ========================================
+ GNU C                  5.1              gcc --version
+ Clang/LLVM (optional)  13.0.1           clang --version
+-Rust (optional)        1.76.0           rustc --version
++Rust (optional)        1.77.0           rustc --version
+ bindgen (optional)     0.65.1           bindgen --version
+ GNU make               3.82             make --version
+ bash                   4.2              bash --version
+diff --git a/rust/alloc/alloc.rs b/rust/alloc/alloc.rs
+index abb791cc23715a..b1204f87227b23 100644
+--- a/rust/alloc/alloc.rs
++++ b/rust/alloc/alloc.rs
+@@ -5,7 +5,7 @@
+ #![stable(feature = "alloc_module", since = "1.28.0")]
+ 
+ #[cfg(not(test))]
+-use core::intrinsics;
++use core::hint;
+ 
+ #[cfg(not(test))]
+ use core::ptr::{self, NonNull};
+@@ -210,7 +210,7 @@ impl Global {
+                 let new_size = new_layout.size();
+ 
+                 // `realloc` probably checks for `new_size >= old_layout.size()` or something similar.
+-                intrinsics::assume(new_size >= old_layout.size());
++                hint::assert_unchecked(new_size >= old_layout.size());
+ 
+                 let raw_ptr = realloc(ptr.as_ptr(), old_layout, new_size);
+                 let ptr = NonNull::new(raw_ptr).ok_or(AllocError)?;
+@@ -301,7 +301,7 @@ unsafe impl Allocator for Global {
+             // SAFETY: `new_size` is non-zero. Other conditions must be upheld by the caller
+             new_size if old_layout.align() == new_layout.align() => unsafe {
+                 // `realloc` probably checks for `new_size <= old_layout.size()` or something similar.
+-                intrinsics::assume(new_size <= old_layout.size());
++                hint::assert_unchecked(new_size <= old_layout.size());
+ 
+                 let raw_ptr = realloc(ptr.as_ptr(), old_layout, new_size);
+                 let ptr = NonNull::new(raw_ptr).ok_or(AllocError)?;
+diff --git a/rust/alloc/boxed.rs b/rust/alloc/boxed.rs
+index c93a22a5c97f14..5fc39dfeb8e7bf 100644
+--- a/rust/alloc/boxed.rs
++++ b/rust/alloc/boxed.rs
+@@ -26,6 +26,7 @@
+ //! Creating a recursive data structure:
+ //!
+ //! ```
++//! ##[allow(dead_code)]
+ //! #[derive(Debug)]
+ //! enum List<T> {
+ //!     Cons(T, Box<List<T>>),
+@@ -194,8 +195,7 @@ mod thin;
+ #[fundamental]
+ #[stable(feature = "rust1", since = "1.0.0")]
+ // The declaration of the `Box` struct must be kept in sync with the
+-// `alloc::alloc::box_free` function or ICEs will happen. See the comment
+-// on `box_free` for more details.
++// compiler or ICEs will happen.
+ pub struct Box<
+     T: ?Sized,
+     #[unstable(feature = "allocator_api", issue = "32838")] A: Allocator = Global,
+diff --git a/rust/alloc/lib.rs b/rust/alloc/lib.rs
+index 36f79c07559338..39afd55ec0749e 100644
+--- a/rust/alloc/lib.rs
++++ b/rust/alloc/lib.rs
+@@ -105,7 +105,6 @@
+ #![feature(allocator_api)]
+ #![feature(array_chunks)]
+ #![feature(array_into_iter_constructors)]
+-#![feature(array_methods)]
+ #![feature(array_windows)]
+ #![feature(ascii_char)]
+ #![feature(assert_matches)]
+@@ -122,7 +121,6 @@
+ #![feature(const_size_of_val)]
+ #![feature(const_waker)]
+ #![feature(core_intrinsics)]
+-#![feature(core_panic)]
+ #![feature(deprecated_suggestion)]
+ #![feature(dispatch_from_dyn)]
+ #![feature(error_generic_member_access)]
+@@ -132,6 +130,7 @@
+ #![feature(fmt_internals)]
+ #![feature(fn_traits)]
+ #![feature(hasher_prefixfree_extras)]
++#![feature(hint_assert_unchecked)]
+ #![feature(inline_const)]
+ #![feature(inplace_iteration)]
+ #![feature(iter_advance_by)]
+@@ -141,6 +140,8 @@
+ #![feature(maybe_uninit_slice)]
+ #![feature(maybe_uninit_uninit_array)]
+ #![feature(maybe_uninit_uninit_array_transpose)]
++#![feature(non_null_convenience)]
++#![feature(panic_internals)]
+ #![feature(pattern)]
+ #![feature(ptr_internals)]
+ #![feature(ptr_metadata)]
+@@ -149,7 +150,6 @@
+ #![feature(set_ptr_value)]
+ #![feature(sized_type_properties)]
+ #![feature(slice_from_ptr_range)]
+-#![feature(slice_group_by)]
+ #![feature(slice_ptr_get)]
+ #![feature(slice_ptr_len)]
+ #![feature(slice_range)]
+@@ -182,6 +182,7 @@
+ #![feature(const_ptr_write)]
+ #![feature(const_trait_impl)]
+ #![feature(const_try)]
++#![feature(decl_macro)]
+ #![feature(dropck_eyepatch)]
+ #![feature(exclusive_range_pattern)]
+ #![feature(fundamental)]
+diff --git a/rust/alloc/raw_vec.rs b/rust/alloc/raw_vec.rs
+index 98b6abf30af6e4..1839d1c8ee7a04 100644
+--- a/rust/alloc/raw_vec.rs
++++ b/rust/alloc/raw_vec.rs
+@@ -4,7 +4,7 @@
+ 
+ use core::alloc::LayoutError;
+ use core::cmp;
+-use core::intrinsics;
++use core::hint;
+ use core::mem::{self, ManuallyDrop, MaybeUninit, SizedTypeProperties};
+ use core::ptr::{self, NonNull, Unique};
+ use core::slice;
+@@ -317,7 +317,7 @@ impl<T, A: Allocator> RawVec<T, A> {
+     ///
+     /// # Panics
+     ///
+-    /// Panics if the new capacity exceeds `isize::MAX` bytes.
++    /// Panics if the new capacity exceeds `isize::MAX` _bytes_.
+     ///
+     /// # Aborts
+     ///
+@@ -358,7 +358,7 @@ impl<T, A: Allocator> RawVec<T, A> {
+         }
+         unsafe {
+             // Inform the optimizer that the reservation has succeeded or wasn't needed
+-            core::intrinsics::assume(!self.needs_to_grow(len, additional));
++            hint::assert_unchecked(!self.needs_to_grow(len, additional));
+         }
+         Ok(())
+     }
+@@ -381,7 +381,7 @@ impl<T, A: Allocator> RawVec<T, A> {
+     ///
+     /// # Panics
+     ///
+-    /// Panics if the new capacity exceeds `isize::MAX` bytes.
++    /// Panics if the new capacity exceeds `isize::MAX` _bytes_.
+     ///
+     /// # Aborts
+     ///
+@@ -402,7 +402,7 @@ impl<T, A: Allocator> RawVec<T, A> {
+         }
+         unsafe {
+             // Inform the optimizer that the reservation has succeeded or wasn't needed
+-            core::intrinsics::assume(!self.needs_to_grow(len, additional));
++            hint::assert_unchecked(!self.needs_to_grow(len, additional));
+         }
+         Ok(())
+     }
+@@ -553,7 +553,7 @@ where
+         debug_assert_eq!(old_layout.align(), new_layout.align());
+         unsafe {
+             // The allocator checks for alignment equality
+-            intrinsics::assume(old_layout.align() == new_layout.align());
++            hint::assert_unchecked(old_layout.align() == new_layout.align());
+             alloc.grow(ptr, old_layout, new_layout)
+         }
+     } else {
+@@ -591,7 +591,6 @@ fn handle_reserve(result: Result<(), TryReserveError>) {
+ // `> isize::MAX` bytes will surely fail. On 32-bit and 16-bit we need to add
+ // an extra guard for this in case we're running on a platform which can use
+ // all 4GB in user-space, e.g., PAE or x32.
+-
+ #[inline]
+ fn alloc_guard(alloc_size: usize) -> Result<(), TryReserveError> {
+     if usize::BITS < 64 && alloc_size > isize::MAX as usize {
+diff --git a/rust/alloc/slice.rs b/rust/alloc/slice.rs
+index 1181836da5f462..a36b072c95195f 100644
+--- a/rust/alloc/slice.rs
++++ b/rust/alloc/slice.rs
+@@ -53,14 +53,14 @@ pub use core::slice::{from_mut, from_ref};
+ pub use core::slice::{from_mut_ptr_range, from_ptr_range};
+ #[stable(feature = "rust1", since = "1.0.0")]
+ pub use core::slice::{from_raw_parts, from_raw_parts_mut};
++#[stable(feature = "slice_group_by", since = "1.77.0")]
++pub use core::slice::{ChunkBy, ChunkByMut};
+ #[stable(feature = "rust1", since = "1.0.0")]
+ pub use core::slice::{Chunks, Windows};
+ #[stable(feature = "chunks_exact", since = "1.31.0")]
+ pub use core::slice::{ChunksExact, ChunksExactMut};
+ #[stable(feature = "rust1", since = "1.0.0")]
+ pub use core::slice::{ChunksMut, Split, SplitMut};
+-#[unstable(feature = "slice_group_by", issue = "80552")]
+-pub use core::slice::{GroupBy, GroupByMut};
+ #[stable(feature = "rust1", since = "1.0.0")]
+ pub use core::slice::{Iter, IterMut};
+ #[stable(feature = "rchunks", since = "1.31.0")]
+diff --git a/rust/alloc/vec/into_iter.rs b/rust/alloc/vec/into_iter.rs
+index 136bfe94af6c83..0f11744c44b34c 100644
+--- a/rust/alloc/vec/into_iter.rs
++++ b/rust/alloc/vec/into_iter.rs
+@@ -20,6 +20,17 @@ use core::ops::Deref;
+ use core::ptr::{self, NonNull};
+ use core::slice::{self};
+ 
++macro non_null {
++    (mut $place:expr, $t:ident) => {{
++        #![allow(unused_unsafe)] // we're sometimes used within an unsafe block
++        unsafe { &mut *(ptr::addr_of_mut!($place) as *mut NonNull<$t>) }
++    }},
++    ($place:expr, $t:ident) => {{
++        #![allow(unused_unsafe)] // we're sometimes used within an unsafe block
++        unsafe { *(ptr::addr_of!($place) as *const NonNull<$t>) }
++    }},
++}
++
+ /// An iterator that moves out of a vector.
+ ///
+ /// This `struct` is created by the `into_iter` method on [`Vec`](super::Vec)
+@@ -43,10 +54,12 @@ pub struct IntoIter<
+     // the drop impl reconstructs a RawVec from buf, cap and alloc
+     // to avoid dropping the allocator twice we need to wrap it into ManuallyDrop
+     pub(super) alloc: ManuallyDrop<A>,
+-    pub(super) ptr: *const T,
+-    pub(super) end: *const T, // If T is a ZST, this is actually ptr+len. This encoding is picked so that
+-                              // ptr == end is a quick test for the Iterator being empty, that works
+-                              // for both ZST and non-ZST.
++    pub(super) ptr: NonNull<T>,
++    /// If T is a ZST, this is actually ptr+len. This encoding is picked so that
++    /// ptr == end is a quick test for the Iterator being empty, that works
++    /// for both ZST and non-ZST.
++    /// For non-ZSTs the pointer is treated as `NonNull<T>`
++    pub(super) end: *const T,
+ }
+ 
+ #[stable(feature = "vec_intoiter_debug", since = "1.13.0")]
+@@ -70,7 +83,7 @@ impl<T, A: Allocator> IntoIter<T, A> {
+     /// ```
+     #[stable(feature = "vec_into_iter_as_slice", since = "1.15.0")]
+     pub fn as_slice(&self) -> &[T] {
+-        unsafe { slice::from_raw_parts(self.ptr, self.len()) }
++        unsafe { slice::from_raw_parts(self.ptr.as_ptr(), self.len()) }
+     }
+ 
+     /// Returns the remaining items of this iterator as a mutable slice.
+@@ -99,7 +112,7 @@ impl<T, A: Allocator> IntoIter<T, A> {
+     }
+ 
+     fn as_raw_mut_slice(&mut self) -> *mut [T] {
+-        ptr::slice_from_raw_parts_mut(self.ptr as *mut T, self.len())
++        ptr::slice_from_raw_parts_mut(self.ptr.as_ptr(), self.len())
+     }
+ 
+     /// Drops remaining elements and relinquishes the backing allocation.
+@@ -126,7 +139,7 @@ impl<T, A: Allocator> IntoIter<T, A> {
+         // this creates less assembly
+         self.cap = 0;
+         self.buf = unsafe { NonNull::new_unchecked(RawVec::NEW.ptr()) };
+-        self.ptr = self.buf.as_ptr();
++        self.ptr = self.buf;
+         self.end = self.buf.as_ptr();
+ 
+         // Dropping the remaining elements can panic, so this needs to be
+@@ -138,9 +151,9 @@ impl<T, A: Allocator> IntoIter<T, A> {
+ 
+     /// Forgets to Drop the remaining elements while still allowing the backing allocation to be freed.
+     pub(crate) fn forget_remaining_elements(&mut self) {
+-        // For th ZST case, it is crucial that we mutate `end` here, not `ptr`.
++        // For the ZST case, it is crucial that we mutate `end` here, not `ptr`.
+         // `ptr` must stay aligned, while `end` may be unaligned.
+-        self.end = self.ptr;
++        self.end = self.ptr.as_ptr();
+     }
+ 
+     #[cfg(not(no_global_oom_handling))]
+@@ -162,7 +175,7 @@ impl<T, A: Allocator> IntoIter<T, A> {
+                 // say that they're all at the beginning of the "allocation".
+                 0..this.len()
+             } else {
+-                this.ptr.sub_ptr(buf)..this.end.sub_ptr(buf)
++                this.ptr.sub_ptr(this.buf)..this.end.sub_ptr(buf)
+             };
+             let cap = this.cap;
+             let alloc = ManuallyDrop::take(&mut this.alloc);
+@@ -189,29 +202,35 @@ impl<T, A: Allocator> Iterator for IntoIter<T, A> {
+ 
+     #[inline]
+     fn next(&mut self) -> Option<T> {
+-        if self.ptr == self.end {
+-            None
+-        } else if T::IS_ZST {
+-            // `ptr` has to stay where it is to remain aligned, so we reduce the length by 1 by
+-            // reducing the `end`.
+-            self.end = self.end.wrapping_byte_sub(1);
+-
+-            // Make up a value of this ZST.
+-            Some(unsafe { mem::zeroed() })
++        if T::IS_ZST {
++            if self.ptr.as_ptr() == self.end as *mut _ {
++                None
++            } else {
++                // `ptr` has to stay where it is to remain aligned, so we reduce the length by 1 by
++                // reducing the `end`.
++                self.end = self.end.wrapping_byte_sub(1);
++
++                // Make up a value of this ZST.
++                Some(unsafe { mem::zeroed() })
++            }
+         } else {
+-            let old = self.ptr;
+-            self.ptr = unsafe { self.ptr.add(1) };
++            if self.ptr == non_null!(self.end, T) {
++                None
++            } else {
++                let old = self.ptr;
++                self.ptr = unsafe { old.add(1) };
+ 
+-            Some(unsafe { ptr::read(old) })
++                Some(unsafe { ptr::read(old.as_ptr()) })
++            }
+         }
+     }
+ 
+     #[inline]
+     fn size_hint(&self) -> (usize, Option<usize>) {
+         let exact = if T::IS_ZST {
+-            self.end.addr().wrapping_sub(self.ptr.addr())
++            self.end.addr().wrapping_sub(self.ptr.as_ptr().addr())
+         } else {
+-            unsafe { self.end.sub_ptr(self.ptr) }
++            unsafe { non_null!(self.end, T).sub_ptr(self.ptr) }
+         };
+         (exact, Some(exact))
+     }
+@@ -219,7 +238,7 @@ impl<T, A: Allocator> Iterator for IntoIter<T, A> {
+     #[inline]
+     fn advance_by(&mut self, n: usize) -> Result<(), NonZeroUsize> {
+         let step_size = self.len().min(n);
+-        let to_drop = ptr::slice_from_raw_parts_mut(self.ptr as *mut T, step_size);
++        let to_drop = ptr::slice_from_raw_parts_mut(self.ptr.as_ptr(), step_size);
+         if T::IS_ZST {
+             // See `next` for why we sub `end` here.
+             self.end = self.end.wrapping_byte_sub(step_size);
+@@ -261,7 +280,7 @@ impl<T, A: Allocator> Iterator for IntoIter<T, A> {
+             // Safety: `len` indicates that this many elements are available and we just checked that
+             // it fits into the array.
+             unsafe {
+-                ptr::copy_nonoverlapping(self.ptr, raw_ary.as_mut_ptr() as *mut T, len);
++                ptr::copy_nonoverlapping(self.ptr.as_ptr(), raw_ary.as_mut_ptr() as *mut T, len);
+                 self.forget_remaining_elements();
+                 return Err(array::IntoIter::new_unchecked(raw_ary, 0..len));
+             }
+@@ -270,7 +289,7 @@ impl<T, A: Allocator> Iterator for IntoIter<T, A> {
+         // Safety: `len` is larger than the array size. Copy a fixed amount here to fully initialize
+         // the array.
+         return unsafe {
+-            ptr::copy_nonoverlapping(self.ptr, raw_ary.as_mut_ptr() as *mut T, N);
++            ptr::copy_nonoverlapping(self.ptr.as_ptr(), raw_ary.as_mut_ptr() as *mut T, N);
+             self.ptr = self.ptr.add(N);
+             Ok(raw_ary.transpose().assume_init())
+         };
+@@ -288,7 +307,7 @@ impl<T, A: Allocator> Iterator for IntoIter<T, A> {
+         // Also note the implementation of `Self: TrustedRandomAccess` requires
+         // that `T: Copy` so reading elements from the buffer doesn't invalidate
+         // them for `Drop`.
+-        unsafe { if T::IS_ZST { mem::zeroed() } else { ptr::read(self.ptr.add(i)) } }
++        unsafe { if T::IS_ZST { mem::zeroed() } else { self.ptr.add(i).read() } }
+     }
+ }
+ 
+@@ -296,18 +315,25 @@ impl<T, A: Allocator> Iterator for IntoIter<T, A> {
+ impl<T, A: Allocator> DoubleEndedIterator for IntoIter<T, A> {
+     #[inline]
+     fn next_back(&mut self) -> Option<T> {
+-        if self.end == self.ptr {
+-            None
+-        } else if T::IS_ZST {
+-            // See above for why 'ptr.offset' isn't used
+-            self.end = self.end.wrapping_byte_sub(1);
+-
+-            // Make up a value of this ZST.
+-            Some(unsafe { mem::zeroed() })
++        if T::IS_ZST {
++            if self.end as *mut _ == self.ptr.as_ptr() {
++                None
++            } else {
++                // See above for why 'ptr.offset' isn't used
++                self.end = self.end.wrapping_byte_sub(1);
++
++                // Make up a value of this ZST.
++                Some(unsafe { mem::zeroed() })
++            }
+         } else {
+-            self.end = unsafe { self.end.sub(1) };
++            if non_null!(self.end, T) == self.ptr {
++                None
++            } else {
++                let new_end = unsafe { non_null!(self.end, T).sub(1) };
++                *non_null!(mut self.end, T) = new_end;
+ 
+-            Some(unsafe { ptr::read(self.end) })
++                Some(unsafe { ptr::read(new_end.as_ptr()) })
++            }
+         }
+     }
+ 
+@@ -333,7 +359,11 @@ impl<T, A: Allocator> DoubleEndedIterator for IntoIter<T, A> {
+ #[stable(feature = "rust1", since = "1.0.0")]
+ impl<T, A: Allocator> ExactSizeIterator for IntoIter<T, A> {
+     fn is_empty(&self) -> bool {
+-        self.ptr == self.end
++        if T::IS_ZST {
++            self.ptr.as_ptr() == self.end as *mut _
++        } else {
++            self.ptr == non_null!(self.end, T)
++        }
+     }
+ }
+ 
+diff --git a/rust/alloc/vec/mod.rs b/rust/alloc/vec/mod.rs
+index 220fb9d6f45b3f..0be27fff4554a1 100644
+--- a/rust/alloc/vec/mod.rs
++++ b/rust/alloc/vec/mod.rs
+@@ -360,7 +360,7 @@ mod spec_extend;
+ ///
+ /// `vec![x; n]`, `vec![a, b, c, d]`, and
+ /// [`Vec::with_capacity(n)`][`Vec::with_capacity`], will all produce a `Vec`
+-/// with exactly the requested capacity. If <code>[len] == [capacity]</code>,
++/// with at least the requested capacity. If <code>[len] == [capacity]</code>,
+ /// (as is the case for the [`vec!`] macro), then a `Vec<T>` can be converted to
+ /// and from a [`Box<[T]>`][owned slice] without reallocating or moving the elements.
+ ///
+@@ -447,7 +447,7 @@ impl<T> Vec<T> {
+     ///
+     /// # Panics
+     ///
+-    /// Panics if the new capacity exceeds `isize::MAX` bytes.
++    /// Panics if the new capacity exceeds `isize::MAX` _bytes_.
+     ///
+     /// # Examples
+     ///
+@@ -690,7 +690,7 @@ impl<T, A: Allocator> Vec<T, A> {
+     ///
+     /// # Panics
+     ///
+-    /// Panics if the new capacity exceeds `isize::MAX` bytes.
++    /// Panics if the new capacity exceeds `isize::MAX` _bytes_.
+     ///
+     /// # Examples
+     ///
+@@ -1013,7 +1013,7 @@ impl<T, A: Allocator> Vec<T, A> {
+     ///
+     /// # Panics
+     ///
+-    /// Panics if the new capacity exceeds `isize::MAX` bytes.
++    /// Panics if the new capacity exceeds `isize::MAX` _bytes_.
+     ///
+     /// # Examples
+     ///
+@@ -1043,7 +1043,7 @@ impl<T, A: Allocator> Vec<T, A> {
+     ///
+     /// # Panics
+     ///
+-    /// Panics if the new capacity exceeds `isize::MAX` bytes.
++    /// Panics if the new capacity exceeds `isize::MAX` _bytes_.
+     ///
+     /// # Examples
+     ///
+@@ -1140,8 +1140,11 @@ impl<T, A: Allocator> Vec<T, A> {
+ 
+     /// Shrinks the capacity of the vector as much as possible.
+     ///
+-    /// It will drop down as close as possible to the length but the allocator
+-    /// may still inform the vector that there is space for a few more elements.
++    /// The behavior of this method depends on the allocator, which may either shrink the vector
++    /// in-place or reallocate. The resulting vector might still have some excess capacity, just as
++    /// is the case for [`with_capacity`]. See [`Allocator::shrink`] for more details.
++    ///
++    /// [`with_capacity`]: Vec::with_capacity
+     ///
+     /// # Examples
+     ///
+@@ -1191,10 +1194,10 @@ impl<T, A: Allocator> Vec<T, A> {
+ 
+     /// Converts the vector into [`Box<[T]>`][owned slice].
+     ///
+-    /// If the vector has excess capacity, its items will be moved into a
+-    /// newly-allocated buffer with exactly the right capacity.
++    /// Before doing the conversion, this method discards excess capacity like [`shrink_to_fit`].
+     ///
+     /// [owned slice]: Box
++    /// [`shrink_to_fit`]: Vec::shrink_to_fit
+     ///
+     /// # Examples
+     ///
+@@ -2017,7 +2020,7 @@ impl<T, A: Allocator> Vec<T, A> {
+     ///
+     /// # Panics
+     ///
+-    /// Panics if the new capacity exceeds `isize::MAX` bytes.
++    /// Panics if the new capacity exceeds `isize::MAX` _bytes_.
+     ///
+     /// # Examples
+     ///
+@@ -2133,7 +2136,7 @@ impl<T, A: Allocator> Vec<T, A> {
+         } else {
+             unsafe {
+                 self.len -= 1;
+-                core::intrinsics::assume(self.len < self.capacity());
++                core::hint::assert_unchecked(self.len < self.capacity());
+                 Some(ptr::read(self.as_ptr().add(self.len())))
+             }
+         }
+@@ -2143,7 +2146,7 @@ impl<T, A: Allocator> Vec<T, A> {
+     ///
+     /// # Panics
+     ///
+-    /// Panics if the new capacity exceeds `isize::MAX` bytes.
++    /// Panics if the new capacity exceeds `isize::MAX` _bytes_.
+     ///
+     /// # Examples
+     ///
+@@ -2315,6 +2318,12 @@ impl<T, A: Allocator> Vec<T, A> {
+     /// `[at, len)`. After the call, the original vector will be left containing
+     /// the elements `[0, at)` with its previous capacity unchanged.
+     ///
++    /// - If you want to take ownership of the entire contents and capacity of
++    ///   the vector, see [`mem::take`] or [`mem::replace`].
++    /// - If you don't need the returned vector at all, see [`Vec::truncate`].
++    /// - If you want to take ownership of an arbitrary subslice, or you don't
++    ///   necessarily want to store the removed items in a vector, see [`Vec::drain`].
++    ///
+     /// # Panics
+     ///
+     /// Panics if `at > len`.
+@@ -2346,14 +2355,6 @@ impl<T, A: Allocator> Vec<T, A> {
+             assert_failed(at, self.len());
+         }
+ 
+-        if at == 0 {
+-            // the new vector can take over the original buffer and avoid the copy
+-            return mem::replace(
+-                self,
+-                Vec::with_capacity_in(self.capacity(), self.allocator().clone()),
+-            );
+-        }
+-
+         let other_len = self.len - at;
+         let mut other = Vec::with_capacity_in(other_len, self.allocator().clone());
+ 
+@@ -3027,6 +3028,50 @@ impl<T, I: SliceIndex<[T]>, A: Allocator> IndexMut<I> for Vec<T, A> {
+     }
+ }
+ 
++/// Collects an iterator into a Vec, commonly called via [`Iterator::collect()`]
++///
++/// # Allocation behavior
++///
++/// In general `Vec` does not guarantee any particular growth or allocation strategy.
++/// That also applies to this trait impl.
++///
++/// **Note:** This section covers implementation details and is therefore exempt from
++/// stability guarantees.
++///
++/// Vec may use any or none of the following strategies,
++/// depending on the supplied iterator:
++///
++/// * preallocate based on [`Iterator::size_hint()`]
++///   * and panic if the number of items is outside the provided lower/upper bounds
++/// * use an amortized growth strategy similar to `pushing` one item at a time
++/// * perform the iteration in-place on the original allocation backing the iterator
++///
++/// The last case warrants some attention. It is an optimization that in many cases reduces peak memory
++/// consumption and improves cache locality. But when big, short-lived allocations are created,
++/// only a small fraction of their items get collected, no further use is made of the spare capacity
++/// and the resulting `Vec` is moved into a longer-lived structure, then this can lead to the large
++/// allocations having their lifetimes unnecessarily extended which can result in increased memory
++/// footprint.
++///
++/// In cases where this is an issue, the excess capacity can be discarded with [`Vec::shrink_to()`],
++/// [`Vec::shrink_to_fit()`] or by collecting into [`Box<[T]>`][owned slice] instead, which additionally reduces
++/// the size of the long-lived struct.
++///
++/// [owned slice]: Box
++///
++/// ```rust
++/// # use std::sync::Mutex;
++/// static LONG_LIVED: Mutex<Vec<Vec<u16>>> = Mutex::new(Vec::new());
++///
++/// for i in 0..10 {
++///     let big_temporary: Vec<u16> = (0..1024).collect();
++///     // discard most items
++///     let mut result: Vec<_> = big_temporary.into_iter().filter(|i| i % 100 == 0).collect();
++///     // without this a lot of unused capacity might be moved into the global
++///     result.shrink_to_fit();
++///     LONG_LIVED.lock().unwrap().push(result);
++/// }
++/// ```
+ #[cfg(not(no_global_oom_handling))]
+ #[stable(feature = "rust1", since = "1.0.0")]
+ impl<T> FromIterator<T> for Vec<T> {
+@@ -3069,14 +3114,8 @@ impl<T, A: Allocator> IntoIterator for Vec<T, A> {
+                 begin.add(me.len()) as *const T
+             };
+             let cap = me.buf.capacity();
+-            IntoIter {
+-                buf: NonNull::new_unchecked(begin),
+-                phantom: PhantomData,
+-                cap,
+-                alloc,
+-                ptr: begin,
+-                end,
+-            }
++            let buf = NonNull::new_unchecked(begin);
++            IntoIter { buf, phantom: PhantomData, cap, alloc, ptr: buf, end }
+         }
+     }
+ }
+@@ -3598,8 +3637,10 @@ impl<T, A: Allocator> From<Box<[T], A>> for Vec<T, A> {
+ impl<T, A: Allocator> From<Vec<T, A>> for Box<[T], A> {
+     /// Convert a vector into a boxed slice.
+     ///
+-    /// If `v` has excess capacity, its items will be moved into a
+-    /// newly-allocated buffer with exactly the right capacity.
++    /// Before doing the conversion, this method discards excess capacity like [`Vec::shrink_to_fit`].
++    ///
++    /// [owned slice]: Box
++    /// [`Vec::shrink_to_fit`]: Vec::shrink_to_fit
+     ///
+     /// # Examples
+     ///
+diff --git a/rust/kernel/lib.rs b/rust/kernel/lib.rs
+index be68d5e567b1a1..71f95e5aa09abd 100644
+--- a/rust/kernel/lib.rs
++++ b/rust/kernel/lib.rs
+@@ -16,7 +16,6 @@
+ #![feature(coerce_unsized)]
+ #![feature(dispatch_from_dyn)]
+ #![feature(new_uninit)]
+-#![feature(offset_of)]
+ #![feature(receiver_trait)]
+ #![feature(unsize)]
+ 
+@@ -78,7 +77,7 @@ pub trait Module: Sized + Sync {
+ /// Equivalent to `THIS_MODULE` in the C API.
+ ///
+ /// C header: [`include/linux/export.h`](srctree/include/linux/export.h)
+-pub struct ThisModule(*mut bindings::module);
++pub struct ThisModule(#[allow(dead_code)] *mut bindings::module);
+ 
+ // SAFETY: `THIS_MODULE` may be used from all threads within a module.
+ unsafe impl Sync for ThisModule {}
+diff --git a/scripts/Makefile.build b/scripts/Makefile.build
+index baf86c0880b6d7..367cfeea74c5f5 100644
+--- a/scripts/Makefile.build
++++ b/scripts/Makefile.build
+@@ -263,7 +263,7 @@ $(obj)/%.lst: $(src)/%.c FORCE
+ # Compile Rust sources (.rs)
+ # ---------------------------------------------------------------------------
+ 
+-rust_allowed_features := new_uninit,offset_of
++rust_allowed_features := new_uninit
+ 
+ # `--out-dir` is required to avoid temporaries being created by `rustc` in the
+ # current working directory, which may be not accessible in the out-of-tree
+diff --git a/scripts/min-tool-version.sh b/scripts/min-tool-version.sh
+index 5927cc6b7de338..cc5141b67b4a71 100755
+--- a/scripts/min-tool-version.sh
++++ b/scripts/min-tool-version.sh
+@@ -33,7 +33,7 @@ llvm)
+ 	fi
+ 	;;
+ rustc)
+-	echo 1.76.0
++	echo 1.77.0
+ 	;;
+ bindgen)
+ 	echo 0.65.1
diff --git a/pkgs/os-specific/linux/kernel/update-mainline.py b/pkgs/os-specific/linux/kernel/update-mainline.py
index 020e55c5fe402..bf5001ee378aa 100755
--- a/pkgs/os-specific/linux/kernel/update-mainline.py
+++ b/pkgs/os-specific/linux/kernel/update-mainline.py
@@ -130,6 +130,13 @@ def main():
             continue
 
         if old_version is None:
+            if kernel.eol:
+                print(
+                    f"{kernel.branch} is EOL, not adding...",
+                    file=sys.stderr
+                )
+                continue
+
             message = f"linux_{nixpkgs_branch}: init at {kernel.version}"
         else:
             message = f"linux_{nixpkgs_branch}: {old_version} -> {kernel.version}"
diff --git a/pkgs/os-specific/linux/kernel/xanmod-kernels.nix b/pkgs/os-specific/linux/kernel/xanmod-kernels.nix
index 7477ba323ca7b..545bb02e95ec0 100644
--- a/pkgs/os-specific/linux/kernel/xanmod-kernels.nix
+++ b/pkgs/os-specific/linux/kernel/xanmod-kernels.nix
@@ -6,14 +6,14 @@ let
   # NOTE: When updating these, please also take a look at the changes done to
   # kernel config in the xanmod version commit
   ltsVariant = {
-    version = "6.6.23";
-    hash = "sha256-RaHM7eZDuOtEdISO6trTLE1QN91VFyXe0NuwLvvz9p4=";
+    version = "6.6.32";
+    hash = "sha256-DdBkfDq+bed1WdaAtxX16xjZO10jjqJ74ccY9Wq6ryM=";
     variant = "lts";
   };
 
   mainVariant = {
-    version = "6.7.11";
-    hash = "sha256-QmboeWBdhAgesgYoVUbBWrP8toY6fMt9+FhzglEmtiE=";
+    version = "6.8.11";
+    hash = "sha256-nEAUw7qFXab7J6x8coSsoB2meeOX4TQver2WztkFJJI=";
     variant = "main";
   };
 
@@ -33,6 +33,10 @@ let
       CPU_FREQ_DEFAULT_GOV_PERFORMANCE = lib.mkOverride 60 yes;
       CPU_FREQ_DEFAULT_GOV_SCHEDUTIL = lib.mkOverride 60 no;
 
+      # Full preemption
+      PREEMPT = lib.mkOverride 60 yes;
+      PREEMPT_VOLUNTARY = lib.mkOverride 60 no;
+
       # Google's BBRv3 TCP congestion Control
       TCP_CONG_BBR = yes;
       DEFAULT_BBR = yes;
diff --git a/pkgs/os-specific/linux/kernel/zen-kernels.nix b/pkgs/os-specific/linux/kernel/zen-kernels.nix
index 25043ac7ff0a3..89c776e611e5c 100644
--- a/pkgs/os-specific/linux/kernel/zen-kernels.nix
+++ b/pkgs/os-specific/linux/kernel/zen-kernels.nix
@@ -4,16 +4,16 @@ let
   # comments with variant added for update script
   # ./update-zen.py zen
   zenVariant = {
-    version = "6.8.2"; #zen
-    suffix = "zen2"; #zen
-    sha256 = "0v8y7d7mn0y5g8bbw2nm89a7jsvdwfjg6d3zqyga9mpr16xpsssa"; #zen
+    version = "6.9.2"; #zen
+    suffix = "zen1"; #zen
+    sha256 = "1fsmpryk7an6xqppvilcf3bmxs41mqpc3v4f4c81jgrikg21gxbb"; #zen
     isLqx = false;
   };
   # ./update-zen.py lqx
   lqxVariant = {
-    version = "6.7.11"; #lqx
+    version = "6.8.11"; #lqx
     suffix = "lqx1"; #lqx
-    sha256 = "180a39qrpldq4y2gn12pynhk62w46bzqi7zgciawznxyp8rr673x"; #lqx
+    sha256 = "1dj4znir4wp6jqs680dcxn8z6p02d518993rmrx54ch04jyy5brj"; #lqx
     isLqx = true;
   };
   zenKernelsFor = { version, suffix, sha256, isLqx }: buildLinux (args // {
@@ -84,8 +84,8 @@ let
       SCHED_PDS = yes;
 
       # Swap storage is compressed with LZ4 using zswap
-      ZSWAP_COMPRESSOR_DEFAULT_LZ4 = yes;
-      ZSWAP_COMPRESSOR_DEFAULT = freeform "lz4";
+      ZSWAP_COMPRESSOR_DEFAULT_LZ4  = lib.mkOptionDefault yes;
+      ZSWAP_COMPRESSOR_DEFAULT_ZSTD = lib.mkDefault no;
 
       # Fix error: unused option: XXX.
       CFS_BANDWIDTH = lib.mkForce (option no);
@@ -93,6 +93,8 @@ let
       RT_GROUP_SCHED = lib.mkForce (option no);
       SCHED_AUTOGROUP = lib.mkForce (option no);
       SCHED_CORE = lib.mkForce (option no);
+      UCLAMP_TASK = lib.mkForce (option no);
+      UCLAMP_TASK_GROUP = lib.mkForce (option no);
 
       # ERROR: modpost: "sched_numa_hop_mask" [drivers/net/ethernet/mellanox/mlx5/core/mlx5_core.ko] undefined!
       MLX5_CORE = no;
diff --git a/pkgs/os-specific/linux/kexec-tools/default.nix b/pkgs/os-specific/linux/kexec-tools/default.nix
index c62f9047fc60b..530fd767bb909 100644
--- a/pkgs/os-specific/linux/kexec-tools/default.nix
+++ b/pkgs/os-specific/linux/kexec-tools/default.nix
@@ -2,14 +2,14 @@
 
 stdenv.mkDerivation rec {
   pname = "kexec-tools";
-  version = "2.0.26";
+  version = "2.0.28";
 
   src = fetchurl {
     urls = [
       "mirror://kernel/linux/utils/kernel/kexec/${pname}-${version}.tar.xz"
       "http://horms.net/projects/kexec/kexec-tools/${pname}-${version}.tar.xz"
     ];
-    sha256 = "sha256-f+NqBkEBzVxRXkGyvjk9zjyoitzlnW7maOCvfAxFcM0=";
+    sha256 = "sha256-0vDvhy854v5LGwH+tisAATgyByObn4BB+YqVVkFh0FM=";
   };
 
   patches = [
diff --git a/pkgs/os-specific/linux/ksmbd-tools/default.nix b/pkgs/os-specific/linux/ksmbd-tools/default.nix
index dd429b2959902..b81f581c07aaa 100644
--- a/pkgs/os-specific/linux/ksmbd-tools/default.nix
+++ b/pkgs/os-specific/linux/ksmbd-tools/default.nix
@@ -13,13 +13,13 @@
 
 stdenv.mkDerivation rec {
   pname = "ksmbd-tools";
-  version = "3.5.1";
+  version = "3.5.2";
 
   src = fetchFromGitHub {
     owner = "cifsd-team";
     repo = pname;
     rev = version;
-    sha256 = "sha256-1Htky39oggDqPYSbF4it2UMIxuoLp0aK+IjGojPgaiU=";
+    sha256 = "sha256-QE/Pnba4zgeInlVqOEjT3EqV6NPkQTp6xeYU3dsIl4M=";
   };
 
   buildInputs = [ glib libnl ] ++ lib.optional withKerberos libkrb5;
diff --git a/pkgs/os-specific/linux/kvdo/default.nix b/pkgs/os-specific/linux/kvdo/default.nix
index e2390b68a5ca2..3258295be58a6 100644
--- a/pkgs/os-specific/linux/kvdo/default.nix
+++ b/pkgs/os-specific/linux/kvdo/default.nix
@@ -3,13 +3,13 @@
 stdenv.mkDerivation rec {
   inherit (vdo);
   pname = "kvdo";
-  version = "8.2.1.6"; # bump this version with vdo
+  version = "8.2.3.3"; # bump this version with vdo
 
   src = fetchFromGitHub {
     owner = "dm-vdo";
     repo = "kvdo";
     rev = version;
-    hash = "sha256-S5r2Rgx5pWk4IsdIwmfZkuGL/oEQ3prquyVqxjR3cO0=";
+    hash = "sha256-y7uVgWFV6uWRoRqfiu0arG9731mgWijXjcp9KSaZ5X0=";
   };
 
   nativeBuildInputs = kernel.moduleBuildDependencies;
diff --git a/pkgs/os-specific/linux/kvmfr/default.nix b/pkgs/os-specific/linux/kvmfr/default.nix
index a77d1290ca803..3224fc137db1b 100644
--- a/pkgs/os-specific/linux/kvmfr/default.nix
+++ b/pkgs/os-specific/linux/kvmfr/default.nix
@@ -6,9 +6,6 @@ stdenv.mkDerivation {
 
   src = looking-glass-client.src;
   sourceRoot = "${looking-glass-client.src.name}/module";
-  patches = lib.optional (kernel.kernelAtLeast "6.4") [
-    ./linux-6-4-compat.patch
-  ];
   hardeningDisable = [ "pic" "format" ];
   nativeBuildInputs = kernel.moduleBuildDependencies;
 
diff --git a/pkgs/os-specific/linux/kvmfr/linux-6-4-compat.patch b/pkgs/os-specific/linux/kvmfr/linux-6-4-compat.patch
deleted file mode 100644
index e57d1d27c36cd..0000000000000
--- a/pkgs/os-specific/linux/kvmfr/linux-6-4-compat.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-diff --git a/kvmfr.c b/kvmfr.c
-index 121aae5b..2f4c9e1a 100644
---- a/kvmfr.c
-+++ b/kvmfr.c
-@@ -539,7 +539,11 @@ static int __init kvmfr_module_init(void)
-   if (kvmfr->major < 0)
-     goto out_free;
- 
-+#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 4, 0)
-   kvmfr->pClass = class_create(THIS_MODULE, KVMFR_DEV_NAME);
-+#else
-+  kvmfr->pClass = class_create(KVMFR_DEV_NAME);
-+#endif
-   if (IS_ERR(kvmfr->pClass))
-     goto out_unreg;
- 
diff --git a/pkgs/os-specific/linux/ledger-udev-rules/default.nix b/pkgs/os-specific/linux/ledger-udev-rules/default.nix
index 3a6bf9e5d51c0..8201f12480c39 100644
--- a/pkgs/os-specific/linux/ledger-udev-rules/default.nix
+++ b/pkgs/os-specific/linux/ledger-udev-rules/default.nix
@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation {
   pname = "ledger-udev-rules";
-  version = "unstable-2021-09-10";
+  version = "0-unstable-2024-02-12";
 
   src = fetchFromGitHub {
     owner = "LedgerHQ";
     repo = "udev-rules";
-    rev = "2776324af6df36c2af4d2e8e92a1c98c281117c9";
-    sha256 = "sha256-yTYI81PXMc32lMfI5uhD14nP20zAI7ZF33V1LRDWg2Y=";
+    rev = "f474382e370c9fa2a2207e6e675b9b364441aed7";
+    sha256 = "sha256-5jN9xy3+kk540PAyfsxIqck9hdI3t2CNpgqKxLbAsDg=";
   };
 
   dontBuild = true;
@@ -22,7 +22,7 @@ stdenv.mkDerivation {
   meta = with lib; {
     description = "udev rules for Ledger devices";
     license = licenses.asl20;
-    maintainers = with maintainers; [ asymmetric ];
+    maintainers = with maintainers; [ asymmetric toasteruwu ];
     platforms = platforms.linux;
     homepage = "https://github.com/LedgerHQ/udev-rules";
   };
diff --git a/pkgs/os-specific/linux/lenovo-legion/app.nix b/pkgs/os-specific/linux/lenovo-legion/app.nix
index 6d6c604b1c054..eeccf301ee95b 100644
--- a/pkgs/os-specific/linux/lenovo-legion/app.nix
+++ b/pkgs/os-specific/linux/lenovo-legion/app.nix
@@ -2,13 +2,13 @@
 
 python3.pkgs.buildPythonApplication rec {
   pname = "lenovo-legion-app";
-  version = "0.0.9";
+  version = "0.0.12";
 
   src = fetchFromGitHub {
     owner = "johnfanv2";
     repo = "LenovoLegionLinux";
     rev = "v${version}-prerelease";
-    hash = "sha256-PQdxfDfW3sn0wWjmsPoAt3HZ43PS3Tyez3/0KEVVZQg=";
+    hash = "sha256-BNrRv9EBmNINQbAw+BzVxKl/XoDgH1tsNZHJxfSpNoU=";
   };
 
   sourceRoot = "${src.name}/python/legion_linux";
@@ -17,6 +17,7 @@ python3.pkgs.buildPythonApplication rec {
 
   propagatedBuildInputs = with python3.pkgs; [
     pyqt5
+    pyqt6
     argcomplete
     pyyaml
     darkdetect
@@ -26,13 +27,13 @@ python3.pkgs.buildPythonApplication rec {
 
   postPatch = ''
     substituteInPlace ./setup.cfg \
-      --replace "_VERSION" "${version}"
+      --replace-fail "_VERSION" "${version}"
     substituteInPlace ../../extra/service/fancurve-set \
-      --replace "FOLDER=/etc/legion_linux/" "FOLDER=$out/share/legion_linux"
+      --replace-fail "FOLDER=/etc/legion_linux/" "FOLDER=$out/share/legion_linux"
     substituteInPlace ./legion_linux/legion.py \
-      --replace "/etc/legion_linux" "$out/share/legion_linux"
-    substituteInPlace ./legion_linux/legion_gui{,_user}.desktop \
-      --replace "Icon=/usr/share/pixmaps/legion_logo.png" "Icon=legion_logo"
+      --replace-fail "/etc/legion_linux" "$out/share/legion_linux"
+    substituteInPlace ./legion_linux/legion_gui.desktop \
+      --replace-fail "Icon=/usr/share/pixmaps/legion_logo.png" "Icon=legion_logo"
   '';
 
   dontWrapQtApps = true;
diff --git a/pkgs/os-specific/linux/lenovo-legion/default.nix b/pkgs/os-specific/linux/lenovo-legion/default.nix
index 527f1852f1e08..a79c901a13126 100644
--- a/pkgs/os-specific/linux/lenovo-legion/default.nix
+++ b/pkgs/os-specific/linux/lenovo-legion/default.nix
@@ -1,4 +1,4 @@
-{ lib, fetchurl, stdenv, kernel, bash, lenovo-legion }:
+{ lib, stdenv, kernel, bash, lenovo-legion }:
 
 stdenv.mkDerivation {
   pname = "lenovo-legion-module";
diff --git a/pkgs/os-specific/linux/libbpf/0.x.nix b/pkgs/os-specific/linux/libbpf/0.x.nix
index 480e78d0803a8..b34cca4a51af4 100644
--- a/pkgs/os-specific/linux/libbpf/0.x.nix
+++ b/pkgs/os-specific/linux/libbpf/0.x.nix
@@ -14,13 +14,13 @@
 
 stdenv.mkDerivation rec {
   pname = "libbpf";
-  version = "0.8.1";
+  version = "0.8.3";
 
   src = fetchFromGitHub {
     owner = "libbpf";
     repo = "libbpf";
     rev = "v${version}";
-    sha256 = "sha256-daVS+TErmDU8ksThOvcepg1A61iD8N8GIkC40cmc9/8=";
+    sha256 = "sha256-J5cUvfUYc+uLdkFa2jx/2bqBoZg/eSzc6SWlgKqcfIc=";
   };
 
   nativeBuildInputs = [ pkg-config ];
diff --git a/pkgs/os-specific/linux/libbpf/default.nix b/pkgs/os-specific/linux/libbpf/default.nix
index 21712e76661ae..6a0ee908347ca 100644
--- a/pkgs/os-specific/linux/libbpf/default.nix
+++ b/pkgs/os-specific/linux/libbpf/default.nix
@@ -14,13 +14,13 @@
 
 stdenv.mkDerivation rec {
   pname = "libbpf";
-  version = "1.3.0";
+  version = "1.4.2";
 
   src = fetchFromGitHub {
     owner = "libbpf";
     repo = "libbpf";
     rev = "v${version}";
-    sha256 = "sha256-wVCBLJK9nlS1N9/DrQtogoZmgWW4ECqInSeQTjUFhcY=";
+    sha256 = "sha256-PlGr/qZbKnaY37wikdmX/iYtP11WHShn1I7vACUgLG0=";
   };
 
   nativeBuildInputs = [ pkg-config ];
@@ -47,7 +47,7 @@ stdenv.mkDerivation rec {
   # outputs = [ "out" "dev" ];
 
   meta = with lib; {
-    description = "Upstream mirror of libbpf";
+    description = "Library for loading eBPF programs and reading and manipulating eBPF objects from user-space";
     homepage = "https://github.com/libbpf/libbpf";
     license = with licenses; [ lgpl21 /* or */ bsd2 ];
     maintainers = with maintainers; [ thoughtpolice vcunat saschagrunert martinetd ];
diff --git a/pkgs/os-specific/linux/libcap-ng/default.nix b/pkgs/os-specific/linux/libcap-ng/default.nix
index 59aa5bbc0e5d0..478b5fa8ac2cc 100644
--- a/pkgs/os-specific/linux/libcap-ng/default.nix
+++ b/pkgs/os-specific/linux/libcap-ng/default.nix
@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   pname = "libcap-ng";
-  version = "0.8.4";
+  version = "0.8.5";
 
   src = fetchurl {
     url = "https://people.redhat.com/sgrubb/libcap-ng/libcap-ng-${version}.tar.gz";
-    sha256 = "sha256-aFgdOzjnVTy29t33gTsfyZ5ShW8hQh97R3zlq9JgWoo=";
+    hash = "sha256-O6UpTRy9+pivqs+8ALavntK4PoohgXGF39hEzIx6xv8=";
   };
 
   outputs = [ "out" "dev" "man" ];
diff --git a/pkgs/os-specific/linux/libnvme/default.nix b/pkgs/os-specific/linux/libnvme/default.nix
index 34c798ca3355a..7346e0d67d391 100644
--- a/pkgs/os-specific/linux/libnvme/default.nix
+++ b/pkgs/os-specific/linux/libnvme/default.nix
@@ -65,7 +65,7 @@ stdenv.mkDerivation (finalAttrs: {
   meta = with lib; {
     description = "C Library for NVM Express on Linux";
     homepage = "https://github.com/linux-nvme/libnvme";
-    maintainers = with maintainers; [ fogti vifino ];
+    maintainers = with maintainers; [ vifino ];
     license = with licenses; [ lgpl21Plus ];
     platforms = platforms.linux;
   };
diff --git a/pkgs/os-specific/linux/libsepol/default.nix b/pkgs/os-specific/linux/libsepol/default.nix
index 548d5222c7a29..41d8a724e53c1 100644
--- a/pkgs/os-specific/linux/libsepol/default.nix
+++ b/pkgs/os-specific/linux/libsepol/default.nix
@@ -39,7 +39,7 @@ stdenv.mkDerivation rec {
     description = "SELinux binary policy manipulation library";
     homepage = "http://userspace.selinuxproject.org";
     platforms = platforms.linux;
-    maintainers = [ ];
+    maintainers = with maintainers; [ RossComputerGuy ];
     license = lib.licenses.gpl2Plus;
     pkgConfigModules = [ "libselinux" ];
   };
diff --git a/pkgs/os-specific/linux/libzbc/default.nix b/pkgs/os-specific/linux/libzbc/default.nix
index 94f5c93f949bb..e2da36d9dc793 100644
--- a/pkgs/os-specific/linux/libzbc/default.nix
+++ b/pkgs/os-specific/linux/libzbc/default.nix
@@ -10,13 +10,13 @@
 
 stdenv.mkDerivation rec {
   pname = "libzbc";
-  version = "5.13.0";
+  version = "5.14.0";
 
   src = fetchFromGitHub {
     owner = "westerndigitalcorporation";
     repo = "libzbc";
     rev = "v${version}";
-    sha256 = "6xkA96bgQ2Ik1vEwkw7hwjMbjMSlopzv5ziTh60Mjx0=";
+    sha256 = "sha256-+MBk2ZUr3Vt6pZFb4gTXMOzKBlf1EXMF8y/c1iDrIZM=";
   };
 
   nativeBuildInputs = [
@@ -31,7 +31,7 @@ stdenv.mkDerivation rec {
   meta = with lib; {
     description = "ZBC device manipulation library";
     homepage = "https://github.com/westerndigitalcorporation/libzbc";
-    maintainers = [ maintainers.fogti ];
+    maintainers = [ ];
     license = with licenses; [ bsd2 lgpl3Plus ];
     platforms = platforms.linux;
   };
diff --git a/pkgs/os-specific/linux/libzbd/default.nix b/pkgs/os-specific/linux/libzbd/default.nix
index 4675a13837587..3bc48d0657b27 100644
--- a/pkgs/os-specific/linux/libzbd/default.nix
+++ b/pkgs/os-specific/linux/libzbd/default.nix
@@ -34,7 +34,7 @@ stdenv.mkDerivation rec {
     description = "Zoned block device manipulation library and tools";
     mainProgram = "zbd";
     homepage = "https://github.com/westerndigitalcorporation/libzbd";
-    maintainers = [ maintainers.fogti ];
+    maintainers = [ ];
     license = with licenses; [ lgpl3Plus gpl3Plus ];
     platforms = platforms.linux;
   };
diff --git a/pkgs/os-specific/linux/lttng-modules/default.nix b/pkgs/os-specific/linux/lttng-modules/default.nix
index 89b49068d40c1..cfb38f0983cea 100644
--- a/pkgs/os-specific/linux/lttng-modules/default.nix
+++ b/pkgs/os-specific/linux/lttng-modules/default.nix
@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   pname = "lttng-modules-${kernel.version}";
-  version = "2.13.10";
+  version = "2.13.13";
 
   src = fetchFromGitHub {
     owner = "lttng";
     repo = "lttng-modules";
     rev = "v${version}";
-    hash = "sha256-R5qwB1ayw0KueMBSSxm0TwINt78N6w356kY7WGBX0zM=";
+    hash = "sha256-iA3B838EUU5rFWCL8BAubkTrTO1itDFp5d1653OPnS0=";
   };
 
   nativeBuildInputs = kernel.moduleBuildDependencies;
diff --git a/pkgs/os-specific/linux/lxc/add-meson-options.patch b/pkgs/os-specific/linux/lxc/add-meson-options.patch
deleted file mode 100644
index 01aea4df27473..0000000000000
--- a/pkgs/os-specific/linux/lxc/add-meson-options.patch
+++ /dev/null
@@ -1,153 +0,0 @@
-diff --git a/meson.build b/meson.build
-index 21a8705d0..f12b81442 100644
---- a/meson.build
-+++ b/meson.build
-@@ -50,7 +50,7 @@ rootfsmount = get_option('rootfs-mount-path')
- user_network_db_opt = get_option('usernet-db-path')
- user_network_conf_opt = get_option('usernet-config-path')
- 
--bashcompletiondir = join_paths('/', 'usr', 'share', 'bash-completion', 'completions')
-+bashcompletiondir = join_paths(prefixdir, get_option('datadir'), 'bash-completion', 'completions')
- bindir = join_paths(prefixdir, get_option('bindir'))
- datadir = join_paths(prefixdir, get_option('datadir'))
- mandir = join_paths(prefixdir, get_option('mandir'))
-@@ -123,22 +123,6 @@ conf.set('PACKAGE_VERSION', meson.project_version())
- conf.set('RUNTIME_PATH', runtimepath)
- conf.set('SYSCONFDIR', sysconfdir)
- 
--# Set sysconfdir
--fs = import('fs')
--distrosysconfdir = get_option('distrosysconfdir')
--if distrosysconfdir != ''
--    distrosysconfdir = join_paths(sysconfdir, distrosysconfdir)
--    conf.set('LXC_DISTRO_SYSCONF', distrosysconfdir)
--elif fs.is_dir('/etc/sysconfig')
--    distrosysconfdir = join_paths(sysconfdir, 'sysconfig')
--    conf.set('LXC_DISTRO_SYSCONF', distrosysconfdir)
--elif fs.is_dir('/etc/default')
--    distrosysconfdir = join_paths(sysconfdir, 'default')
--    conf.set('LXC_DISTRO_SYSCONF', distrosysconfdir)
--else
--    error('"distrosysconfdir" is not set')
--endif
--
- # Cross-compile on Android.
- srcconf.set10('IS_BIONIC', host_machine.system() == 'android')
- 
-@@ -148,6 +132,7 @@ coverity = get_option('coverity-build')
- init_script = get_option('init-script')
- sanitize = get_option('b_sanitize')
- want_examples = get_option('examples')
-+want_install_init = get_option('install-init-files')
- want_io_uring = get_option('io-uring-event-loop')
- want_pam_cgroup = get_option('pam-cgroup')
- want_mans = get_option('man')
-@@ -160,10 +145,30 @@ want_openssl = get_option('openssl')
- want_selinux = get_option('selinux')
- want_oss_fuzz = get_option('oss-fuzz')
- want_seccomp = get_option('seccomp')
-+want_spec = get_option('specfile')
-+want_state_dirs = get_option('install-state-dirs')
- want_thread_safety = get_option('thread-safety')
- want_memfd_rexec = get_option('memfd-rexec')
- want_sd_bus = get_option('sd-bus')
- 
-+# Set sysconfdir
-+fs = import('fs')
-+if want_install_init
-+    distrosysconfdir = get_option('distrosysconfdir')
-+    if distrosysconfdir != ''
-+        distrosysconfdir = join_paths(sysconfdir, distrosysconfdir)
-+        conf.set('LXC_DISTRO_SYSCONF', distrosysconfdir)
-+    elif fs.is_dir('/etc/sysconfig')
-+        distrosysconfdir = join_paths(sysconfdir, 'sysconfig')
-+        conf.set('LXC_DISTRO_SYSCONF', distrosysconfdir)
-+    elif fs.is_dir('/etc/default')
-+        distrosysconfdir = join_paths(sysconfdir, 'default')
-+        conf.set('LXC_DISTRO_SYSCONF', distrosysconfdir)
-+    else
-+        error('"distrosysconfdir" is not set')
-+    endif
-+endif
-+
- srcconf.set_quoted('DEFAULT_CGROUP_PATTERN', cgrouppattern)
- if coverity
-     srcconf.set('ENABLE_COVERITY_BUILD', 1)
-@@ -926,14 +931,16 @@ if want_apparmor
- endif
- subdir('config/bash')
- subdir('config/etc')
--subdir('config/init/common')
--subdir('config/init/systemd')
--subdir('config/init/sysvinit')
--subdir('config/init/upstart')
-+if want_install_init
-+    subdir('config/init/common')
-+    subdir('config/init/systemd')
-+    subdir('config/init/sysvinit')
-+    subdir('config/init/upstart')
-+    subdir('config/sysconfig')
-+endif
- if want_selinux
-     subdir('config/selinux')
- endif
--subdir('config/sysconfig')
- subdir('config/templates')
- subdir('config/templates/common.conf.d')
- subdir('config/yum')
-@@ -963,21 +970,25 @@ pkg_config_file = pkgconfig.generate(liblxc,
- )
- 
- # Empty dirs.
--install_emptydir(join_paths(localstatedir, 'cache', 'lxc'))
--install_emptydir(join_paths(localstatedir, 'lib', 'lxc'))
-+if want_state_dirs
-+    install_emptydir(join_paths(localstatedir, 'cache', 'lxc'))
-+    install_emptydir(join_paths(localstatedir, 'lib', 'lxc'))
-+endif
- 
- # RPM spec file.
--specconf = configuration_data()
--specconf.set('LXC_VERSION_BASE', meson.project_version())
--specconf.set('LXC_VERSION_BETA', version_data.get('LXC_VERSION_BETA'))
--specconf.set('PACKAGE', meson.project_name())
--specconf.set('LXC_DISTRO_SYSCONF', conf.get('LXC_DISTRO_SYSCONF'))
--
--configure_file(
--    configuration: specconf,
--    input: 'lxc.spec.in',
--    output: 'lxc.spec',
--    install: false)
-+if want_spec
-+    specconf = configuration_data()
-+    specconf.set('LXC_VERSION_BASE', meson.project_version())
-+    specconf.set('LXC_VERSION_BETA', version_data.get('LXC_VERSION_BETA'))
-+    specconf.set('PACKAGE', meson.project_name())
-+    specconf.set('LXC_DISTRO_SYSCONF', conf.get('LXC_DISTRO_SYSCONF'))
-+
-+    configure_file(
-+        configuration: specconf,
-+        input: 'lxc.spec.in',
-+        output: 'lxc.spec',
-+        install: false)
-+endif
- 
- # Build overview.
- status = [
-diff --git a/meson_options.txt b/meson_options.txt
-index 9803473d2..84a6d45b5 100644
---- a/meson_options.txt
-+++ b/meson_options.txt
-@@ -120,3 +120,12 @@ option('memfd-rexec', type : 'boolean', value : 'true',
- 
- option('distrosysconfdir', type : 'string', value: '',
-        description: 'relative path to sysconfdir for distro default configuration')
-+
-+option('specfile', type : 'boolean', value: true,
-+       description: 'whether to prepare RPM spec')
-+
-+option('install-init-files', type : 'boolean', value: true,
-+       description: 'whether to install init files for local init (e.g. systemd, sysvinit)')
-+
-+option('install-state-dirs', type : 'boolean', value: true,
-+       description: 'whether to create state directories on install')
diff --git a/pkgs/os-specific/linux/lxc/default.nix b/pkgs/os-specific/linux/lxc/default.nix
deleted file mode 100644
index 4026784f92a43..0000000000000
--- a/pkgs/os-specific/linux/lxc/default.nix
+++ /dev/null
@@ -1,91 +0,0 @@
-{
-  lib,
-  stdenv,
-  fetchFromGitHub,
-  docbook2x,
-  libapparmor,
-  libcap,
-  libseccomp,
-  libselinux,
-  meson,
-  ninja,
-  nix-update-script,
-  nixosTests,
-  openssl,
-  pkg-config,
-  systemd,
-}:
-
-stdenv.mkDerivation rec {
-  pname = "lxc";
-  version = "5.0.3";
-
-  src = fetchFromGitHub {
-    owner = "lxc";
-    repo = "lxc";
-    rev = "refs/tags/lxc-${version}";
-    hash = "sha256-lnLmLgWXt3pI2S+4OeHRlPP5gui7S7ZXXClFt+n/8sY=";
-  };
-
-  nativeBuildInputs = [
-    docbook2x
-    meson
-    ninja
-    pkg-config
-  ];
-
-  buildInputs = [
-    libapparmor
-    libcap
-    libseccomp
-    libselinux
-    openssl
-    systemd
-  ];
-
-  patches = [
-     # make build more nix compatible
-    ./add-meson-options.patch
-
-    # fix docbook2man version detection
-    ./docbook-hack.patch
-  ];
-
-  mesonFlags = [
-    "-Dinstall-init-files=false"
-    "-Dinstall-state-dirs=false"
-    "-Dspecfile=false"
-  ];
-
-  enableParallelBuilding = true;
-
-  doCheck = true;
-
-  passthru = {
-    tests = {
-      incus-old-init = nixosTests.incus.container-old-init;
-      incus-new-init = nixosTests.incus.container-new-init;
-    };
-    updateScript = nix-update-script {
-      extraArgs = [
-        "-vr"
-        "lxc-(.*)"
-      ];
-    };
-  };
-
-  meta = {
-    homepage = "https://linuxcontainers.org/";
-    description = "Userspace tools for Linux Containers, a lightweight virtualization system";
-    license = lib.licenses.gpl2;
-
-    longDescription = ''
-      LXC containers are often considered as something in the middle between a chroot and a
-      full fledged virtual machine. The goal of LXC is to create an environment as close as
-      possible to a standard Linux installation but without the need for a separate kernel.
-    '';
-
-    platforms = lib.platforms.linux;
-    maintainers = lib.teams.lxc.members;
-  };
-}
diff --git a/pkgs/os-specific/linux/lxc/docbook-hack.patch b/pkgs/os-specific/linux/lxc/docbook-hack.patch
deleted file mode 100644
index f758014efbaa2..0000000000000
--- a/pkgs/os-specific/linux/lxc/docbook-hack.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-diff --git a/meson.build b/meson.build
-index d1527679e..360824994 100644
---- a/meson.build
-+++ b/meson.build
-@@ -320,15 +320,7 @@ docconf.set('LXC_USERNIC_CONF', lxc_user_network_conf)
- docconf.set('LXC_USERNIC_DB', lxc_user_network_db)
- docconf.set('PACKAGE_VERSION', version_data.get('LXC_VERSION'))
- docconf.set('docdtd', '"-//OASIS//DTD DocBook XML" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd"')
--sgml2man = find_program('docbook2X2man', 'docbook2x-man', 'db2x_docbook2man', 'docbook2man', 'docbook-to-man', required: false, version: '>=0.8')
--if not sgml2man.found()
--    sgml2man = find_program('docbook2man', required: false, version: '<0.8')
--    if sgml2man.found()
--        docconf.set('docdtd', '"-//Davenport//DTD DocBook V3.0//EN"')
--    elif want_mans
--        error('missing required docbook2x or docbook-utils dependency')
--    endif
--endif
-+sgml2man = find_program('docbook2X2man', 'docbook2x-man', 'db2x_docbook2man', 'docbook2man', 'docbook-to-man', required: false)
- 
- ## Threads.
- threads = dependency('threads')
diff --git a/pkgs/os-specific/linux/lxcfs/default.nix b/pkgs/os-specific/linux/lxcfs/default.nix
deleted file mode 100644
index 00c7f6f5edbda..0000000000000
--- a/pkgs/os-specific/linux/lxcfs/default.nix
+++ /dev/null
@@ -1,77 +0,0 @@
-{
-  lib,
-  stdenv,
-  fetchFromGitHub,
-  fuse3,
-  help2man,
-  makeWrapper,
-  meson,
-  ninja,
-  nixosTests,
-  pkg-config,
-  python3,
-  util-linux,
-}:
-
-stdenv.mkDerivation rec {
-  pname = "lxcfs";
-  version = "5.0.4";
-
-  src = fetchFromGitHub {
-    owner = "lxc";
-    repo = "lxcfs";
-    rev = "lxcfs-${version}";
-    sha256 = "sha256-vusxbFV7cnQVBOOo7E+fSyaE63f5QiE2xZhYavc8jJU=";
-  };
-
-  patches = [
-    # skip RPM spec generation
-    ./no-spec.patch
-
-    # skip installing systemd files
-    ./skip-init.patch
-
-    # fix pidfd checks and include
-    ./pidfd.patch
-  ];
-
-
-  nativeBuildInputs = [
-    meson
-    help2man
-    makeWrapper
-    ninja
-    (python3.withPackages (p: [ p.jinja2 ]))
-    pkg-config
-  ];
-  buildInputs = [ fuse3 ];
-
-  preConfigure = ''
-    patchShebangs tools/
-  '';
-
-  postInstall = ''
-    # `mount` hook requires access to the `mount` command from `util-linux`:
-    wrapProgram "$out/share/lxcfs/lxc.mount.hook" --prefix PATH : "${util-linux}/bin"
-  '';
-
-  postFixup = ''
-    # liblxcfs.so is reloaded with dlopen()
-    patchelf --set-rpath "$(patchelf --print-rpath "$out/bin/lxcfs"):$out/lib" "$out/bin/lxcfs"
-  '';
-
-  passthru.tests = {
-    incus-container-old-init = nixosTests.incus.container-old-init;
-    incus-container-new-init = nixosTests.incus.container-new-init;
-  };
-
-  meta = {
-    description = "FUSE filesystem for LXC";
-    mainProgram = "lxcfs";
-    homepage = "https://linuxcontainers.org/lxcfs";
-    changelog = "https://linuxcontainers.org/lxcfs/news/";
-    license = lib.licenses.asl20;
-    platforms = lib.platforms.linux;
-    maintainers = lib.teams.lxc.members;
-  };
-}
diff --git a/pkgs/os-specific/linux/lxcfs/no-spec.patch b/pkgs/os-specific/linux/lxcfs/no-spec.patch
deleted file mode 100644
index ead4bfcf80f75..0000000000000
--- a/pkgs/os-specific/linux/lxcfs/no-spec.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-diff --git a/meson.build b/meson.build
-index a0289ad..93fc61a 100644
---- a/meson.build
-+++ b/meson.build
-@@ -253,19 +253,6 @@ if want_tests == true
-         c_args: '-DRELOADTEST -DDEBUG')
- endif
- 
--# RPM spec.
--lxcfs_spec = custom_target(
--    'lxcfs.spec',
--    build_by_default: true,
--    input: 'lxcfs.spec.in',
--    output: 'lxcfs.spec',
--    command: [
--        meson_render_jinja2,
--        config_h,
--        '@INPUT@',
--        '@OUTPUT@',
--    ])
--
- # Man pages
- if want_docs == true
-     help2man = find_program('help2man')
diff --git a/pkgs/os-specific/linux/lxcfs/pidfd.patch b/pkgs/os-specific/linux/lxcfs/pidfd.patch
deleted file mode 100644
index 3d9b6faa57f9e..0000000000000
--- a/pkgs/os-specific/linux/lxcfs/pidfd.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-diff --git a/meson.build b/meson.build
-index a0289ad..211b01b 100644
---- a/meson.build
-+++ b/meson.build
-@@ -134,11 +134,13 @@ foreach ident: [
-      '''#include <stdlib.h>
-         #include <unistd.h>
-         #include <signal.h>
-+        #include <sys/pidfd.h>
-         #include <sys/wait.h>'''],
-     ['pidfd_open',
-      '''#include <stdlib.h>
-         #include <unistd.h>
-         #include <signal.h>
-+        #include <sys/pidfd.h>
-         #include <sys/wait.h>'''],
- ]
-     have = cc.has_function(ident[0], prefix: ident[1], args: '-D_GNU_SOURCE')
-diff --git a/src/bindings.c b/src/bindings.c
-index 13259c1..e760330 100644
---- a/src/bindings.c
-+++ b/src/bindings.c
-@@ -1,5 +1,6 @@
- /* SPDX-License-Identifier: LGPL-2.1+ */
- 
-+#include <sys/pidfd.h>
- #include "config.h"
- 
- #include <dirent.h>
diff --git a/pkgs/os-specific/linux/lxcfs/skip-init.patch b/pkgs/os-specific/linux/lxcfs/skip-init.patch
deleted file mode 100644
index 6e7cdc90d706f..0000000000000
--- a/pkgs/os-specific/linux/lxcfs/skip-init.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff --git a/meson.build b/meson.build
-index a0289ad..10c0a28 100644
---- a/meson.build
-+++ b/meson.build
-@@ -285,7 +285,6 @@ endif
- 
- 
- # Include sub-directories.
--subdir('config/init')
- subdir('share')
- subdir('tests')
- 
diff --git a/pkgs/os-specific/linux/mdadm/default.nix b/pkgs/os-specific/linux/mdadm/default.nix
index e7aa16d3dd39a..7150930cb5619 100644
--- a/pkgs/os-specific/linux/mdadm/default.nix
+++ b/pkgs/os-specific/linux/mdadm/default.nix
@@ -2,14 +2,31 @@
 
 stdenv.mkDerivation rec {
   pname = "mdadm";
-  version = "4.2";
+  version = "4.3";
 
   src = fetchurl {
     url = "mirror://kernel/linux/utils/raid/mdadm/mdadm-${version}.tar.xz";
-    sha256 = "sha256-RhwhVnCGS7dKTRo2IGhKorL4KW3/oGdD8m3aVVes8B0=";
+    sha256 = "sha256-QWcnrh8QgOpuMJDOo23QdoJvw2kVHjarc2VXupIZb58=";
   };
 
-  patches = [ ./no-self-references.patch ];
+  patches = [
+    ./no-self-references.patch
+    ./fix-hardcoded-mapdir.patch
+    # Fixes build on musl
+    (fetchurl {
+      url = "https://raw.githubusercontent.com/void-linux/void-packages/e58d2b17d3c40faffc0d426aab00184f28d9dafa/srcpkgs/mdadm/patches/musl.patch";
+      hash = "sha256-TIcQs+8RM5Q6Z8MHkI50kaJd7f9WdS/EVI16F7b2+SA=";
+    })
+    # Fixes build on musl 1.2.5+
+    (fetchurl {
+      url = "https://lore.kernel.org/linux-raid/20240220165158.3521874-1-raj.khem@gmail.com/raw";
+      hash = "sha256-JOZ8n7zi+nq236NPpB4e2gUy8I3l3DbcoLhpeL73f98=";
+    })
+    (fetchurl {
+      url = "https://github.com/md-raid-utilities/mdadm/commit/9dbd11e091f84eb0bf9d717283774816c4c4453d.patch";
+      hash = "sha256-8GdjP1ceVwejTOFXcHXG8wkIF9/D6hOUGD6btvuqs24=";
+    })
+  ];
 
   makeFlags = [
     "NIXOS=1" "INSTALL=install" "BINDIR=$(out)/sbin"
@@ -46,7 +63,7 @@ stdenv.mkDerivation rec {
 
   meta = with lib; {
     description = "Programs for managing RAID arrays under Linux";
-    homepage = "http://neil.brown.name/blog/mdadm";
+    homepage = "https://git.kernel.org/pub/scm/utils/mdadm/mdadm.git";
     license = licenses.gpl2;
     mainProgram = "mdadm";
     maintainers = with maintainers; [ ekleog ];
diff --git a/pkgs/os-specific/linux/mdadm/fix-hardcoded-mapdir.patch b/pkgs/os-specific/linux/mdadm/fix-hardcoded-mapdir.patch
new file mode 100644
index 0000000000000..cf50d6012487c
--- /dev/null
+++ b/pkgs/os-specific/linux/mdadm/fix-hardcoded-mapdir.patch
@@ -0,0 +1,13 @@
+diff --git a/udev.c b/udev.c
+index bc4722b0..aa2a1a24 100644
+--- a/udev.c
++++ b/udev.c
+@@ -167,7 +167,7 @@ enum udev_status udev_block(char *devnm)
+ 	int fd;
+ 	char *path = xcalloc(1, BUFSIZ);
+ 
+-	snprintf(path, BUFSIZ, "/run/mdadm/creating-%s", devnm);
++	snprintf(path, BUFSIZ, "%s/creating-%s", MAP_DIR, devnm);
+ 
+ 	fd = open(path, O_CREAT | O_RDWR, 0600);
+ 	if (!is_fd_valid(fd)) {
diff --git a/pkgs/os-specific/linux/microcode/intel.nix b/pkgs/os-specific/linux/microcode/intel.nix
index 6953bbca8963e..f099cea8ed7b4 100644
--- a/pkgs/os-specific/linux/microcode/intel.nix
+++ b/pkgs/os-specific/linux/microcode/intel.nix
@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   pname = "microcode-intel";
-  version = "20240312";
+  version = "20240514";
 
   src = fetchFromGitHub {
     owner = "intel";
     repo = "Intel-Linux-Processor-Microcode-Data-Files";
     rev = "microcode-${version}";
-    hash = "sha256-4ZSA+LVczfjZINXhImmFOCc/6kKNrrUQvrXPdOvMM8g=";
+    hash = "sha256-6XHlAtQzHtlRs3Zy4+CC/XGJS/PkDPtTg/Y2bX7PJek=";
   };
 
   nativeBuildInputs = [ iucode-tool libarchive ];
diff --git a/pkgs/os-specific/linux/miraclecast/default.nix b/pkgs/os-specific/linux/miraclecast/default.nix
index 7b502fa4adee7..0b03aeb3c2d07 100644
--- a/pkgs/os-specific/linux/miraclecast/default.nix
+++ b/pkgs/os-specific/linux/miraclecast/default.nix
@@ -1,24 +1,25 @@
 { lib, stdenv, fetchFromGitHub, meson, ninja, pkg-config
-, glib, readline, pcre, systemd, udev }:
+, glib, readline, pcre, systemd, udev, iproute2 }:
 
 stdenv.mkDerivation {
   pname = "miraclecast";
-  version = "1.0-20190403";
+  version = "1.0-20231112";
 
   src = fetchFromGitHub {
     owner  = "albfan";
     repo   = "miraclecast";
-    rev    = "960a785e10523cc525885380dd03aa2c5ba11bc7";
-    sha256 = "05afqi33rv7k6pbkkw4mynj6p97vkzhhh13y5nh0yxkyhcgf45pm";
+    rev    = "af6ab257eae83bb0270a776a8fe00c0148bc53c4";
+    hash   = "sha256-3ZIAvA3w/ZhoJtVmUD444nch0PGD58PdBRke7zd9IuQ=";
   };
 
   nativeBuildInputs = [ meson ninja pkg-config ];
 
-  buildInputs = [ glib pcre readline systemd udev ];
+  buildInputs = [ glib pcre readline systemd udev iproute2 ];
 
   mesonFlags = [
     "-Drely-udev=true"
     "-Dbuild-tests=true"
+    "-Dip-binary=${iproute2}/bin/ip"
   ];
 
   meta = with lib; {
diff --git a/pkgs/os-specific/linux/vm-tools/default.nix b/pkgs/os-specific/linux/mm-tools/default.nix
index c5981bfc27136..38f16ca4e7d27 100644
--- a/pkgs/os-specific/linux/vm-tools/default.nix
+++ b/pkgs/os-specific/linux/mm-tools/default.nix
@@ -1,12 +1,12 @@
 { lib, stdenv, linux }:
 
 stdenv.mkDerivation {
-  pname = "vm-tools";
+  pname = "mm-tools";
   inherit (linux) version src;
 
   makeFlags = [ "sbindir=${placeholder "out"}/bin" ];
 
-  preConfigure = "cd tools/vm";
+  preConfigure = "cd tools/mm";
 
   meta = with lib; {
     inherit (linux.meta) license platforms;
diff --git a/pkgs/os-specific/linux/mstflint_access/default.nix b/pkgs/os-specific/linux/mstflint_access/default.nix
index 6e29e27ccbf20..95168249122f0 100644
--- a/pkgs/os-specific/linux/mstflint_access/default.nix
+++ b/pkgs/os-specific/linux/mstflint_access/default.nix
@@ -6,7 +6,7 @@ stdenv.mkDerivation rec {
 
   src = fetchurl {
     url = "https://github.com/Mellanox/mstflint/releases/download/v${version}/kernel-mstflint-${version}.tar.gz";
-    hash = "sha256-rfZts0m8x6clVazpbAa2xK+dYgRU9Us5rbcWa0uHJ1M=";
+    hash = "sha256-bWYglHJUNCPT13N7aBdjbLPMZIk7vjvF+o9W3abDNr0=";
   };
 
   nativeBuildInputs = [ kmod ] ++ kernel.moduleBuildDependencies;
@@ -18,10 +18,6 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
-  preConfigure = lib.optionals (lib.versionAtLeast kernel.version "6.4") ''
-    sed -i "s/class_create(THIS_MODULE, dev->name)/class_create(dev->name)/g" mst_main.c
-  '';
-
   installPhase = ''
     runHook preInstall
 
diff --git a/pkgs/os-specific/linux/multipath-tools/default.nix b/pkgs/os-specific/linux/multipath-tools/default.nix
index 5ec8197451cfb..ebb8cc03d37c0 100644
--- a/pkgs/os-specific/linux/multipath-tools/default.nix
+++ b/pkgs/os-specific/linux/multipath-tools/default.nix
@@ -1,6 +1,7 @@
 { lib
 , stdenv
 , fetchFromGitHub
+, fetchpatch
 , coreutils
 
 , perl
@@ -21,21 +22,30 @@
 
 stdenv.mkDerivation rec {
   pname = "multipath-tools";
-  version = "0.9.6";
+  version = "0.9.8";
 
   src = fetchFromGitHub {
     owner = "opensvc";
     repo = "multipath-tools";
     rev = "refs/tags/${version}";
-    sha256 = "sha256-X4sAMGn4oBMY3cQkVj1dMcrDF7FgMl8SbZeUnCCOY6Q=";
+    sha256 = "sha256-4cby19BjgnmWf7klK1sBgtZnyvo7q3L1uyVPlVoS+uk=";
   };
 
+  patches = [
+    # Backport build fix for musl libc 1.2.5
+    (fetchpatch {
+      url = "https://github.com/openSUSE/multipath-tools/commit/e5004de8296cd596aeeac0a61b901e98cf7a69d2.patch";
+      hash = "sha256-ZvNFVphB9f+S/XMxktR6P/YYSTLeJXEsj4XrAnw6GUI=";
+      excludes = ["tests/util.c"];
+    })
+  ];
+
   postPatch = ''
     substituteInPlace create-config.mk \
-      --replace /bin/echo ${coreutils}/bin/echo
+      --replace-fail /bin/echo ${coreutils}/bin/echo
 
-    substituteInPlace multipathd/multipathd.service \
-      --replace /sbin/multipathd "$out/bin/multipathd"
+    substituteInPlace multipathd/multipathd.service.in \
+      --replace-fail /sbin/multipathd "$out/bin/multipathd"
 
     sed -i -re '
       s,^( *#define +DEFAULT_MULTIPATHDIR\>).*,\1 "'"$out/lib/multipath"'",
@@ -76,7 +86,7 @@ stdenv.mkDerivation rec {
   doCheck = true;
   preCheck = ''
     # skip test attempting to access /sys/dev/block
-    substituteInPlace tests/Makefile --replace ' devt ' ' '
+    substituteInPlace tests/Makefile --replace-fail ' devt ' ' '
   '';
   nativeCheckInputs = [ cmocka ];
 
diff --git a/pkgs/os-specific/linux/mwprocapture/default.nix b/pkgs/os-specific/linux/mwprocapture/default.nix
index 9185f50674ff9..711a14845df76 100644
--- a/pkgs/os-specific/linux/mwprocapture/default.nix
+++ b/pkgs/os-specific/linux/mwprocapture/default.nix
@@ -12,12 +12,12 @@ let
 in
 stdenv.mkDerivation rec {
   pname = "mwprocapture";
-  subVersion = "4373";
+  subVersion = "4390";
   version = "1.3.0.${subVersion}-${kernel.version}";
 
   src = fetchurl {
     url = "https://www.magewell.com/files/drivers/ProCaptureForLinux_${subVersion}.tar.gz";
-    sha256 = "sha256-/6q+6CTlgkHOgq1PF8dSPfl/xm/UFczr/AGkac2mXZ8=";
+    sha256 = "sha256-a2cU7PYQh1KR5eeMhMNx2Sc3HHd7QvCG9+BoJyVPp1Y=";
   };
 
   nativeBuildInputs = kernel.moduleBuildDependencies;
@@ -60,7 +60,7 @@ stdenv.mkDerivation rec {
     homepage = "https://www.magewell.com/";
     description = "Linux driver for the Magewell Pro Capture family";
     license = licenses.unfreeRedistributable;
-    maintainers = with maintainers; [ flexiondotorg MP2E ];
+    maintainers = with maintainers; [ flexiondotorg ];
     platforms = platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/nct6687d/default.nix b/pkgs/os-specific/linux/nct6687d/default.nix
index 493d0e6af101d..35e77c7922dfd 100644
--- a/pkgs/os-specific/linux/nct6687d/default.nix
+++ b/pkgs/os-specific/linux/nct6687d/default.nix
@@ -2,17 +2,18 @@
 , stdenv
 , fetchFromGitHub
 , kernel
+, nix-update-script
 }:
 
 stdenv.mkDerivation rec {
   pname = "nct6687d";
-  version = "unstable-2023-09-22";
+  version = "0-unstable-2024-02-23";
 
   src = fetchFromGitHub {
     owner = "Fred78290";
     repo = "nct6687d";
-    rev = "cdfe855342a9383a9c4c918d51576c36d989070d";
-    hash = "sha256-iOLWxj4I6oYkNXFSkmw7meTQEnrIfb4Mw+/LkzgzDxM=";
+    rev = "0ee35ed9541bde22fe219305d1647b51ed010c5e";
+    hash = "sha256-g81U+ngnsOslBDCQP51uDDyHPpCv9T/j+KmFUAQfz/M=";
   };
 
   setSourceRoot = ''
@@ -30,6 +31,10 @@ stdenv.mkDerivation rec {
   installFlags = [ "INSTALL_MOD_PATH=${placeholder "out"}" ];
   installTargets = [ "modules_install" ];
 
+  passthru.updateScript = nix-update-script {
+    extraArgs = [ "--version=branch=main" ];
+  };
+
   meta = with lib; {
     description = "Kernel module for the Nuvoton NCT6687-R chipset found on many B550/B650 motherboards from ASUS and MSI";
     license = with licenses; [ gpl2Only ];
diff --git a/pkgs/os-specific/linux/ndiswrapper/default.nix b/pkgs/os-specific/linux/ndiswrapper/default.nix
index 2db046e6392f6..39a8d919d8be6 100644
--- a/pkgs/os-specific/linux/ndiswrapper/default.nix
+++ b/pkgs/os-specific/linux/ndiswrapper/default.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchurl, kernel, perl, kmod, libelf }:
+{ lib, stdenv, fetchurl, kernel, perl, kmod, elfutils }:
 let
   version = "1.63";
 in
@@ -34,7 +34,7 @@ stdenv.mkDerivation {
     sha256 = "1v6b66jhisl110jfl00hm43lmnrav32vs39d85gcbxrjqnmcx08g";
   };
 
-  buildInputs = [ perl libelf ];
+  buildInputs = [ perl elfutils ];
 
   meta = {
     description = "Ndis driver wrapper for the Linux kernel";
diff --git a/pkgs/os-specific/linux/nftables/default.nix b/pkgs/os-specific/linux/nftables/default.nix
index 3680cd43efb77..95e4183a2fb6b 100644
--- a/pkgs/os-specific/linux/nftables/default.nix
+++ b/pkgs/os-specific/linux/nftables/default.nix
@@ -5,7 +5,6 @@
 , autoreconfHook
 , withDebugSymbols ? false
 , withCli ? true, libedit
-, withPython ? false, python3
 , withXtables ? true, iptables
 , nixosTests
 }:
@@ -29,25 +28,12 @@ stdenv.mkDerivation rec {
     libmnl libnftnl libpcap
     gmp jansson
   ] ++ lib.optional withCli libedit
-    ++ lib.optional withXtables iptables
-    ++ lib.optionals withPython [
-      python3
-      python3.pkgs.setuptools
-    ];
-
-  patches = [ ./fix-py-libnftables.patch ];
-
-  postPatch = ''
-    substituteInPlace "py/src/nftables.py" \
-      --subst-var-by "out" "$out"
-  '';
+    ++ lib.optional withXtables iptables;
 
   configureFlags = [
     "--with-json"
     (lib.withFeatureAs withCli "cli" "editline")
   ] ++ lib.optional (!withDebugSymbols) "--disable-debug"
-    ++ lib.optional (!withPython) "--disable-python"
-    ++ lib.optional withPython "--enable-python"
     ++ lib.optional withXtables "--with-xtables";
 
   passthru.tests = {
diff --git a/pkgs/os-specific/linux/nftables/fix-py-libnftables.patch b/pkgs/os-specific/linux/nftables/fix-py-libnftables.patch
deleted file mode 100644
index 3ab1e5363019a..0000000000000
--- a/pkgs/os-specific/linux/nftables/fix-py-libnftables.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/py/src/nftables.py b/py/src/nftables.py
-index f1e43ade..9adcd1be 100644
---- a/py/src/nftables.py
-+++ b/py/src/nftables.py
-@@ -69,7 +69,7 @@ class Nftables:
- 
-     validator = None
- 
--    def __init__(self, sofile="libnftables.so.1"):
-+    def __init__(self, sofile="@out@/lib/libnftables.so.1"):
-         """Instantiate a new Nftables class object.
- 
-         Accepts a shared object file to open, by default standard search path
diff --git a/pkgs/os-specific/linux/nftables/python.nix b/pkgs/os-specific/linux/nftables/python.nix
new file mode 100644
index 0000000000000..7980b8ff6de68
--- /dev/null
+++ b/pkgs/os-specific/linux/nftables/python.nix
@@ -0,0 +1,26 @@
+{ lib
+, buildPythonPackage
+, setuptools
+, nftables
+}:
+
+buildPythonPackage {
+  pname = "nftables";
+  inherit (nftables) version src;
+  pyproject = true;
+
+  postPatch = ''
+    substituteInPlace "src/nftables.py" \
+      --replace-fail "libnftables.so.1" "${nftables}/lib/libnftables.so.1"
+  '';
+
+  setSourceRoot = "sourceRoot=$(echo */py)";
+
+  build-system = [ setuptools ];
+
+  pythonImportsCheck = [ "nftables" ];
+
+  meta = {
+    inherit (nftables.meta) description homepage license platforms maintainers;
+  };
+}
diff --git a/pkgs/os-specific/linux/nixos-rebuild/default.nix b/pkgs/os-specific/linux/nixos-rebuild/default.nix
index 4849ff75c54ab..17a9bc51732ca 100644
--- a/pkgs/os-specific/linux/nixos-rebuild/default.nix
+++ b/pkgs/os-specific/linux/nixos-rebuild/default.nix
@@ -1,5 +1,5 @@
 { callPackage
-, substituteAll
+, substitute
 , runtimeShell
 , coreutils
 , gnused
@@ -14,19 +14,25 @@
 let
   fallback = import ./../../../../nixos/modules/installer/tools/nix-fallback-paths.nix;
 in
-substituteAll {
+substitute {
   name = "nixos-rebuild";
   src = ./nixos-rebuild.sh;
   dir = "bin";
   isExecutable = true;
-  inherit runtimeShell nix;
-  nix_x86_64_linux = fallback.x86_64-linux;
-  nix_i686_linux = fallback.i686-linux;
-  nix_aarch64_linux = fallback.aarch64-linux;
-  path = lib.makeBinPath [ coreutils gnused gnugrep jq util-linux ];
+
+  substitutions = [
+    "--subst-var-by" "runtimeShell" runtimeShell
+    "--subst-var-by" "nix" nix
+    "--subst-var-by" "nix_x86_64_linux" fallback.x86_64-linux
+    "--subst-var-by" "nix_i686_linux" fallback.i686-linux
+    "--subst-var-by" "nix_aarch64_linux" fallback.aarch64-linux
+    "--subst-var-by" "path" (lib.makeBinPath [ coreutils gnused gnugrep jq util-linux ])
+  ];
+
   nativeBuildInputs = [
     installShellFiles
   ];
+
   postInstall = ''
     installManPage ${./nixos-rebuild.8}
 
diff --git a/pkgs/os-specific/linux/nixos-rebuild/nixos-rebuild.sh b/pkgs/os-specific/linux/nixos-rebuild/nixos-rebuild.sh
index 248dc72138883..fb7c8b2322a7a 100755
--- a/pkgs/os-specific/linux/nixos-rebuild/nixos-rebuild.sh
+++ b/pkgs/os-specific/linux/nixos-rebuild/nixos-rebuild.sh
@@ -50,6 +50,10 @@ while [ "$#" -gt 0 ]; do
         ;;
       switch|boot|test|build|edit|repl|dry-build|dry-run|dry-activate|build-vm|build-vm-with-bootloader|list-generations)
         if [ "$i" = dry-run ]; then i=dry-build; fi
+        if [ "$i" = list-generations ]; then
+            buildNix=
+            fast=1
+        fi
         # exactly one action mandatory, bail out if multiple are given
         if [ -n "$action" ]; then showSyntax; fi
         action="$i"
@@ -387,7 +391,7 @@ if [[ -n $flake ]]; then
        flakeAttr="${BASH_REMATCH[2]}"
     fi
     if [[ -z $flakeAttr ]]; then
-        read -r hostname < /proc/sys/kernel/hostname
+        hostname="$(targetHostCmd cat /proc/sys/kernel/hostname)"
         if [[ -z $hostname ]]; then
             hostname=default
         fi
@@ -559,11 +563,16 @@ if [ "$action" = repl ]; then
         blue="$(echo -e '\033[34;1m')"
         attention="$(echo -e '\033[35;1m')"
         reset="$(echo -e '\033[0m')"
+        if [[ -e $flake ]]; then
+            flakePath=$(realpath "$flake")
+        else
+            flakePath=$flake
+        fi
         # This nix repl invocation is impure, because usually the flakeref is.
         # For a solution that preserves the motd and custom scope, we need
         # something like https://github.com/NixOS/nix/issues/8679.
         exec nix repl --impure --expr "
-          let flake = builtins.getFlake ''$flake'';
+          let flake = builtins.getFlake ''$flakePath'';
               configuration = flake.$flakeAttr;
               motd = ''
                 $d{$q\n$q}
@@ -788,7 +797,13 @@ if [[ "$action" = switch || "$action" = boot || "$action" = test || "$action" =
     else
         cmd+=("$pathToConfig/specialisation/$specialisation/bin/switch-to-configuration")
 
-        if [[ ! -f "${cmd[-1]}" ]]; then
+        if [ -z "$targetHost" ]; then
+            specialisationExists=$(test -f "${cmd[-1]}")
+        else
+            specialisationExists=$(targetHostCmd test -f "${cmd[-1]}")
+        fi
+
+        if ! $specialisationExists; then
             log "error: specialisation not found: $specialisation"
             exit 1
         fi
diff --git a/pkgs/os-specific/linux/nixos-rebuild/test/repl.nix b/pkgs/os-specific/linux/nixos-rebuild/test/repl.nix
index 1161ff84664d3..c17546851cbf5 100644
--- a/pkgs/os-specific/linux/nixos-rebuild/test/repl.nix
+++ b/pkgs/os-specific/linux/nixos-rebuild/test/repl.nix
@@ -113,7 +113,7 @@ runCommand "test-nixos-rebuild-repl" {
 
   # cat -n ~/flake.nix
 
-  expect ${writeText "test-nixos-rebuild-repl-expect" ''
+  expect ${writeText "test-nixos-rebuild-repl-absolute-path-expect" ''
     ${expectSetup}
     spawn sh -c "nixos-rebuild repl --fast --flake path:\$HOME#testconf"
 
@@ -138,6 +138,19 @@ runCommand "test-nixos-rebuild-repl" {
     send "lib?nixos\n"
     expect_simple "true"
   ''}
+
+  pushd "$HOME"
+  expect ${writeText "test-nixos-rebuild-repl-relative-path-expect" ''
+    ${expectSetup}
+    spawn sh -c "nixos-rebuild repl --fast --flake .#testconf"
+
+    expect_simple "nix-repl>"
+
+    send "config.networking.hostName\n"
+    expect_simple "itsme"
+  ''}
+  popd
+
   echo
 
   #########
diff --git a/pkgs/os-specific/linux/nmon/default.nix b/pkgs/os-specific/linux/nmon/default.nix
index 9e3a6667d7054..3de22bfae6d76 100644
--- a/pkgs/os-specific/linux/nmon/default.nix
+++ b/pkgs/os-specific/linux/nmon/default.nix
@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   pname = "nmon";
-  version = "16p";
+  version = "16q";
 
   src = fetchurl {
     url = "mirror://sourceforge/nmon/lmon${version}.c";
-    sha256 = "sha256-XcYEX2cl4ySalpkY+uaWY6HWaRYgh3ILq825D86eayo=";
+    sha256 = "sha256-G3ioFnLBkpGz0RpuMZ3ZsjoCKiYtuh786gCNbfUaylE=";
   };
 
   buildInputs = [ ncurses ];
diff --git a/pkgs/os-specific/linux/numworks-udev-rules/default.nix b/pkgs/os-specific/linux/numworks-udev-rules/default.nix
index aae7507f50cdd..dbea6e4df79d9 100644
--- a/pkgs/os-specific/linux/numworks-udev-rules/default.nix
+++ b/pkgs/os-specific/linux/numworks-udev-rules/default.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchurl }:
+{ lib, stdenv }:
 
 stdenv.mkDerivation rec {
   pname = "numworks-udev-rules";
diff --git a/pkgs/os-specific/linux/nvidia-x11/default.nix b/pkgs/os-specific/linux/nvidia-x11/default.nix
index 9bfbe18f16abb..fcf45f40531da 100644
--- a/pkgs/os-specific/linux/nvidia-x11/default.nix
+++ b/pkgs/os-specific/linux/nvidia-x11/default.nix
@@ -33,12 +33,12 @@ rec {
   stable = if stdenv.hostPlatform.system == "i686-linux" then legacy_390 else latest;
 
   production = generic {
-    version = "550.67";
-    sha256_64bit = "sha256-mSAaCccc/w/QJh6w8Mva0oLrqB+cOSO1YMz1Se/32uI=";
-    sha256_aarch64 = "sha256-+UuK0UniAsndN15VDb/xopjkdlc6ZGk5LIm/GNs5ivA=";
-    openSha256 = "sha256-M/1qAQxTm61bznAtCoNQXICfThh3hLqfd0s1n1BFj2A=";
-    settingsSha256 = "sha256-FUEwXpeUMH1DYH77/t76wF1UslkcW721x9BHasaRUaM=";
-    persistencedSha256 = "sha256-ojHbmSAOYl3lOi2X6HOBlokTXhTCK6VNsH6+xfGQsyo=";
+    version = "550.78";
+    sha256_64bit = "sha256-NAcENFJ+ydV1SD5/EcoHjkZ+c/be/FQ2bs+9z+Sjv3M=";
+    sha256_aarch64 = "sha256-2POG5RWT2H7Rhs0YNfTGHO64Q8u5lJD9l/sQCGVb+AA=";
+    openSha256 = "sha256-cF9omNvfHx6gHUj2u99k6OXrHGJRpDQDcBG3jryf41Y=";
+    settingsSha256 = "sha256-lZiNZw4dJw4DI/6CI0h0AHbreLm825jlufuK9EB08iw=";
+    persistencedSha256 = "sha256-qDGBAcZEN/ueHqWO2Y6UhhXJiW5625Kzo1m/oJhvbj4=";
   };
 
   latest = selectHighestVersion production (generic {
@@ -51,24 +51,22 @@ rec {
   });
 
   beta = selectHighestVersion latest (generic {
-    version = "550.40.07";
-    sha256_64bit = "sha256-KYk2xye37v7ZW7h+uNJM/u8fNf7KyGTZjiaU03dJpK0=";
-    sha256_aarch64 = "sha256-AV7KgRXYaQGBFl7zuRcfnTGr8rS5n13nGUIe3mJTXb4=";
-    openSha256 = "sha256-mRUTEWVsbjq+psVe+kAT6MjyZuLkG2yRDxCMvDJRL1I=";
-    settingsSha256 = "sha256-c30AQa4g4a1EHmaEu1yc05oqY01y+IusbBuq+P6rMCs=";
-    persistencedSha256 = "sha256-11tLSY8uUIl4X/roNnxf5yS2PQvHvoNjnd2CB67e870=";
-
-    patches = [ rcu_patch ];
+    version = "555.42.02";
+    sha256_64bit = "sha256-k7cI3ZDlKp4mT46jMkLaIrc2YUx1lh1wj/J4SVSHWyk=";
+    sha256_aarch64 = "sha256-ekx0s0LRxxTBoqOzpcBhEKIj/JnuRCSSHjtwng9qAc0=";
+    openSha256 = "sha256-3/eI1VsBzuZ3Y6RZmt3Q5HrzI2saPTqUNs6zPh5zy6w=";
+    settingsSha256 = "sha256-rtDxQjClJ+gyrCLvdZlT56YyHQ4sbaL+d5tL4L4VfkA=";
+    persistencedSha256 = "sha256-3ae31/egyMKpqtGEqgtikWcwMwfcqMv2K4MVFa70Bqs=";
   });
 
   # Vulkan developer beta driver
   # See here for more information: https://developer.nvidia.com/vulkan-driver
   vulkan_beta = generic rec {
-    version = "550.40.55";
+    version = "550.40.61";
     persistencedVersion = "550.54.14";
     settingsVersion = "550.54.14";
-    sha256_64bit = "sha256-i9FYgSZW0vLMEORg16+LxFBOacXXrAfWKbtCFuD8+IQ=";
-    openSha256 = "sha256-slb058rNKk/TEltGkdw6Shn/3SF3kjgsXQc8IyFMUB8=";
+    sha256_64bit = "sha256-JNVeA5/u5/ictU3QpPnbXIHDKOtwou8wGmMt3We4FJY=";
+    openSha256 = "sha256-kWGTj3eAvwLTJ7zgzRFvyhXmfpxQbUMmyxWxER9i9m0=";
     settingsSha256 = "sha256-m2rNASJp0i0Ez2OuqL+JpgEF0Yd8sYVCyrOoo/ln2a4=";
     persistencedSha256 = "sha256-XaPN8jVTjdag9frLPgBtqvO/goB5zxeGzaTU0CdL6C4=";
     url = "https://developer.nvidia.com/downloads/vulkan-beta-${lib.concatStrings (lib.splitVersion version)}-linux";
@@ -107,6 +105,19 @@ rec {
   # If you add a legacy driver here, also update `top-level/linux-kernels.nix`,
   # adding to the `nvidia_x11_legacy*` entries.
 
+  # Last one without the bug reported here:
+  # https://bbs.archlinux.org/viewtopic.php?pid=2155426#p2155426
+  legacy_535 = generic {
+    version = "535.154.05";
+    sha256_64bit = "sha256-fpUGXKprgt6SYRDxSCemGXLrEsIA6GOinp+0eGbqqJg=";
+    sha256_aarch64 = "sha256-G0/GiObf/BZMkzzET8HQjdIcvCSqB1uhsinro2HLK9k=";
+    openSha256 = "sha256-wvRdHguGLxS0mR06P5Qi++pDJBCF8pJ8hr4T8O6TJIo=";
+    settingsSha256 = "sha256-9wqoDEWY4I7weWW05F4igj1Gj9wjHsREFMztfEmqm10=";
+    persistencedSha256 = "sha256-d0Q3Lk80JqkS1B54Mahu2yY/WocOqFFbZVBh+ToGhaE=";
+
+    patches = [ rcu_patch ];
+  };
+
   # Last one supporting Kepler architecture
   legacy_470 = generic {
     version = "470.239.06";
diff --git a/pkgs/os-specific/linux/nvidia-x11/libxnvctrl-build-shared-3xx.patch b/pkgs/os-specific/linux/nvidia-x11/libxnvctrl-build-shared-3xx.patch
new file mode 100644
index 0000000000000..d2e074add7549
--- /dev/null
+++ b/pkgs/os-specific/linux/nvidia-x11/libxnvctrl-build-shared-3xx.patch
@@ -0,0 +1,24 @@
+--- a/src/libXNVCtrl/Makefile
++++ b/src/libXNVCtrl/Makefile
+@@ -33,6 +33,8 @@
+ 
+ LIBXNVCTRL = libXNVCtrl.a
+ 
++LIBXNVCTRL_SHARED = $(OUTPUTDIR)/libXNVCtrl.so
++
+ LIBXNVCTRL_PROGRAM_NAME = "libXNVCtrl"
+ 
+ LIBXNVCTRL_VERSION := $(NVIDIA_VERSION)
+@@ -62,6 +64,12 @@
+ $(LIBXNVCTRL) : $(OBJS)
+ 	$(AR) ru $@ $(OBJS)
+ 
++$(LIBXNVCTRL_SHARED): $(LIBXNVCTRL_OBJ)
++	$(RM) $@ $@.*
++	$(CC) -shared -Wl,-soname=$(@F).0 -o $@.0.0.0 $(LDFLAGS) $^ -lXext -lX11
++	ln -s $(@F).0.0.0 $@.0
++	ln -s $(@F).0 $@
++
+ # define the rule to build each object file
+ $(foreach src,$(SRC),$(eval $(call DEFINE_OBJECT_RULE,TARGET,$(src))))
+ 
diff --git a/pkgs/os-specific/linux/nvidia-x11/libxnvctrl-build-shared.patch b/pkgs/os-specific/linux/nvidia-x11/libxnvctrl-build-shared.patch
new file mode 100644
index 0000000000000..ad1dc1eae4002
--- /dev/null
+++ b/pkgs/os-specific/linux/nvidia-x11/libxnvctrl-build-shared.patch
@@ -0,0 +1,21 @@
+--- a/src/libXNVCtrl/xnvctrl.mk
++++ b/src/libXNVCtrl/xnvctrl.mk
+@@ -39,6 +39,8 @@
+ 
+ LIBXNVCTRL = $(OUTPUTDIR)/libXNVCtrl.a
+ 
++LIBXNVCTRL_SHARED = $(OUTPUTDIR)/libXNVCtrl.so
++
+ LIBXNVCTRL_SRC = $(XNVCTRL_DIR)/NVCtrl.c
+ 
+ LIBXNVCTRL_OBJ = $(call BUILD_OBJECT_LIST,$(LIBXNVCTRL_SRC))
+@@ -47,3 +49,9 @@
+ 
+ $(LIBXNVCTRL) : $(LIBXNVCTRL_OBJ)
+ 	$(call quiet_cmd,AR) ru $@ $(LIBXNVCTRL_OBJ)
++
++$(LIBXNVCTRL_SHARED): $(LIBXNVCTRL_OBJ)
++	$(RM) $@ $@.*
++	$(CC) -shared -Wl,-soname=$(@F).0 -o $@.0.0.0 $(LDFLAGS) $^ -lXext -lX11
++	ln -s $(@F).0.0.0 $@.0
++	ln -s $(@F).0 $@
diff --git a/pkgs/os-specific/linux/nvidia-x11/settings.nix b/pkgs/os-specific/linux/nvidia-x11/settings.nix
index b11dc06c85ebf..e13f3a157b641 100644
--- a/pkgs/os-specific/linux/nvidia-x11/settings.nix
+++ b/pkgs/os-specific/linux/nvidia-x11/settings.nix
@@ -16,7 +16,7 @@ nvidia_x11: sha256:
 , libXxf86vm
 , libvdpau
 , librsvg
-, wrapGAppsHook
+, wrapGAppsHook3
 , addOpenGLRunpath
 , withGtk2 ? false
 , withGtk3 ? true
@@ -43,6 +43,14 @@ let
 
     makeFlags = [
       "OUTPUTDIR=." # src/libXNVCtrl
+      "libXNVCtrl.a"
+      "libXNVCtrl.so"
+    ];
+
+    patches = [
+      # Patch the Makefile to also produce a shared library.
+      (if lib.versionOlder nvidia_x11.settingsVersion "400" then ./libxnvctrl-build-shared-3xx.patch
+      else ./libxnvctrl-build-shared.patch)
     ];
 
     installPhase = ''
@@ -52,6 +60,7 @@ let
       cp libXNVCtrl.a $out/lib
       cp NVCtrl.h     $out/include/NVCtrl
       cp NVCtrlLib.h  $out/include/NVCtrl
+      cp -P libXNVCtrl.so* $out/lib
     '';
   };
 
@@ -96,7 +105,7 @@ stdenv.mkDerivation {
   nativeBuildInputs = [ pkg-config m4 addOpenGLRunpath ];
 
   buildInputs = [ jansson libXv libXrandr libXext libXxf86vm libvdpau nvidia_x11 gtk2 dbus ]
-    ++ lib.optionals withGtk3 [ gtk3 librsvg wrapGAppsHook ];
+    ++ lib.optionals withGtk3 [ gtk3 librsvg wrapGAppsHook3 ];
 
   installFlags = [ "PREFIX=$(out)" ];
 
@@ -138,6 +147,6 @@ stdenv.mkDerivation {
     license = licenses.unfreeRedistributable;
     platforms = nvidia_x11.meta.platforms;
     mainProgram = "nvidia-settings";
-    maintainers = with maintainers; [ abbradar ];
+    maintainers = with maintainers; [ abbradar aidalgol ];
   };
 }
diff --git a/pkgs/os-specific/linux/nvme-cli/default.nix b/pkgs/os-specific/linux/nvme-cli/default.nix
index b7e94d3938aa0..d909e331871be 100644
--- a/pkgs/os-specific/linux/nvme-cli/default.nix
+++ b/pkgs/os-specific/linux/nvme-cli/default.nix
@@ -4,7 +4,6 @@
 , libnvme
 , json_c
 , zlib
-, libhugetlbfs
 , python3Packages
 }:
 
diff --git a/pkgs/os-specific/linux/oddjob/default.nix b/pkgs/os-specific/linux/oddjob/default.nix
index bcbea9086488d..1ade48c896972 100644
--- a/pkgs/os-specific/linux/oddjob/default.nix
+++ b/pkgs/os-specific/linux/oddjob/default.nix
@@ -1,12 +1,15 @@
-{ lib
-, fetchurl
-, stdenv
-, autoreconfHook
-, dbus
-, libxml2
-, pam
-, pkg-config
-, systemd
+{
+  autoreconfHook,
+  dbus,
+  fetchpatch,
+  fetchurl,
+  lib,
+  libxml2,
+  nixosTests,
+  pam,
+  pkg-config,
+  stdenv,
+  systemd,
 }:
 
 stdenv.mkDerivation rec {
@@ -14,34 +17,36 @@ stdenv.mkDerivation rec {
   version = "0.34.7";
 
   src = fetchurl {
-     url = "https://pagure.io/oddjob/archive/${pname}-${version}/oddjob-${pname}-${version}.tar.gz";
-     hash = "sha256-SUOsMH55HtEsk5rX0CXK0apDObTj738FGOaL5xZRnIM=";
+    url = "https://pagure.io/oddjob/archive/${pname}-${version}/oddjob-${pname}-${version}.tar.gz";
+    hash = "sha256-SUOsMH55HtEsk5rX0CXK0apDObTj738FGOaL5xZRnIM=";
   };
 
+  patches = [
+    # Define SystemD service location using `with-systemdsystemunitdir` configure flag
+    (fetchpatch {
+      url = "https://pagure.io/oddjob/c/f63287a35107385dcb6e04a4c742077c9d1eab86.patch";
+      hash = "sha256-2mmw4pJhrIk4/47FM8zKH0dTQJWnntHPNmq8VAUWqJI=";
+    })
+  ];
+
   nativeBuildInputs = [
     autoreconfHook
     pkg-config
   ];
 
-  buildInputs =[
-    libxml2
+  buildInputs = [
     dbus
+    libxml2
     pam
     systemd
   ];
 
-  postPatch = ''
-    substituteInPlace configure.ac \
-      --replace 'SYSTEMDSYSTEMUNITDIR=`pkg-config --variable=systemdsystemunitdir systemd 2> /dev/null`' "SYSTEMDSYSTEMUNITDIR=${placeholder "out"}" \
-      --replace 'SYSTEMDSYSTEMUNITDIR=`pkg-config --variable=systemdsystemunitdir systemd`' "SYSTEMDSYSTEMUNITDIR=${placeholder "out"}"
-  '';
-
   configureFlags = [
     "--prefix=${placeholder "out"}"
     "--sysconfdir=${placeholder "out"}/etc"
     "--with-selinux-acls=no"
     "--with-selinux-labels=no"
-    "--disable-systemd"
+    "--with-systemdsystemunitdir=${placeholder "out"}/lib/systemd/system"
   ];
 
   postConfigure = ''
@@ -49,12 +54,19 @@ stdenv.mkDerivation rec {
       --replace "globals.selinux_enabled" "FALSE"
   '';
 
-  meta = with lib; {
+  # Requires a dbus-daemon environment
+  doCheck = false;
+
+  passthru.tests = {
+    inherit (nixosTests) oddjobd;
+  };
+
+  meta = {
+    changelog = "https://pagure.io/oddjob/blob/oddjob-${version}/f/ChangeLog";
     description = "Odd Job Daemon";
     homepage = "https://pagure.io/oddjob";
-    changelog = "https://pagure.io/oddjob/blob/oddjob-${version}/f/ChangeLog";
-    license = licenses.bsd0;
-    platforms = platforms.linux;
-    maintainers = with maintainers; [ SohamG ];
+    license = lib.licenses.bsd3;
+    maintainers = with lib.maintainers; [ SohamG ];
+    platforms = lib.platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/openvswitch/default.nix b/pkgs/os-specific/linux/openvswitch/default.nix
deleted file mode 100644
index 0ea5b6391605a..0000000000000
--- a/pkgs/os-specific/linux/openvswitch/default.nix
+++ /dev/null
@@ -1,4 +0,0 @@
-import ./generic.nix {
-  version = "3.3.0";
-  hash = "sha256-Gvy4H7lHwL6IWGaZXWwIjmHfQ1YRFXiSBqKzP3vBsF8=";
-}
diff --git a/pkgs/os-specific/linux/openvswitch/generic.nix b/pkgs/os-specific/linux/openvswitch/generic.nix
deleted file mode 100644
index ce800a7ba9923..0000000000000
--- a/pkgs/os-specific/linux/openvswitch/generic.nix
+++ /dev/null
@@ -1,135 +0,0 @@
-{ version
-, hash
-, updateScriptArgs ? ""
-}:
-
-{ lib
-, stdenv
-, fetchurl
-, autoconf
-, automake
-, installShellFiles
-, iproute2
-, kernel ? null
-, libcap_ng
-, libtool
-, openssl
-, perl
-, pkg-config
-, procps
-, python3
-, sphinxHook
-, util-linux
-, which
-, writeScript
-}:
-
-let
-  _kernel = kernel;
-in stdenv.mkDerivation rec {
-  pname = "openvswitch";
-  inherit version;
-
-  kernel = lib.optional (_kernel != null) _kernel.dev;
-
-  src = fetchurl {
-    url = "https://www.openvswitch.org/releases/${pname}-${version}.tar.gz";
-    inherit hash;
-  };
-
-  outputs = [
-    "out"
-    "man"
-  ];
-
-  patches = [
-    # 8: vsctl-bashcomp - argument completion FAILED (completion.at:664)
-    ./patches/disable-bash-arg-completion-test.patch
-  ];
-
-  nativeBuildInputs = [
-    autoconf
-    automake
-    installShellFiles
-    libtool
-    pkg-config
-    sphinxHook
-  ];
-
-  sphinxBuilders = [
-    "man"
-  ];
-
-  sphinxRoot = "./Documentation";
-
-  buildInputs = [
-    libcap_ng
-    openssl
-    perl
-    procps
-    python3
-    util-linux
-    which
-  ];
-
-  preConfigure = "./boot.sh";
-
-  configureFlags = [
-    "--localstatedir=/var"
-    "--sharedstatedir=/var"
-    "--sbindir=$(out)/bin"
-  ] ++ (lib.optionals (_kernel != null) ["--with-linux"]);
-
-  # Leave /var out of this!
-  installFlags = [
-    "LOGDIR=$(TMPDIR)/dummy"
-    "RUNDIR=$(TMPDIR)/dummy"
-    "PKIDIR=$(TMPDIR)/dummy"
-  ];
-
-  enableParallelBuilding = true;
-
-  postInstall = ''
-    installShellCompletion --bash utilities/ovs-appctl-bashcomp.bash
-    installShellCompletion --bash utilities/ovs-vsctl-bashcomp.bash
-  '';
-
-  doCheck = true;
-  preCheck = ''
-    export TESTSUITEFLAGS="-j$NIX_BUILD_CORES"
-    export RECHECK=yes
-
-    patchShebangs tests/
-  '';
-
-  nativeCheckInputs = [
-    iproute2
-  ] ++ (with python3.pkgs; [
-    netaddr
-    pyparsing
-    pytest
-  ]);
-
-  passthru.updateScript = writeScript "ovs-update.nu" ''
-    ${./update.nu} ${updateScriptArgs}
-  '';
-
-  meta = with lib; {
-    changelog = "https://www.openvswitch.org/releases/NEWS-${version}.txt";
-    description = "A multilayer virtual switch";
-    longDescription = ''
-      Open vSwitch is a production quality, multilayer virtual switch
-      licensed under the open source Apache 2.0 license. It is
-      designed to enable massive network automation through
-      programmatic extension, while still supporting standard
-      management interfaces and protocols (e.g. NetFlow, sFlow, SPAN,
-      RSPAN, CLI, LACP, 802.1ag). In addition, it is designed to
-      support distribution across multiple physical servers similar
-      to VMware's vNetwork distributed vswitch or Cisco's Nexus 1000V.
-    '';
-    homepage = "https://www.openvswitch.org/";
-    license = licenses.asl20;
-    maintainers = with maintainers; [ netixx kmcopper ];
-    platforms = platforms.linux;
-  };
-}
diff --git a/pkgs/os-specific/linux/openvswitch/lts.nix b/pkgs/os-specific/linux/openvswitch/lts.nix
deleted file mode 100644
index 93ccbfcee95d6..0000000000000
--- a/pkgs/os-specific/linux/openvswitch/lts.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-import ./generic.nix {
-  version = "2.17.9";
-  hash = "sha256-4bP6RyZ2YmhT8i1j+VnlrQYeG/V+G71ETQ7Yj5R++LE=";
-  updateScriptArgs = "--lts=true --regex '2\.17.*'";
-}
diff --git a/pkgs/os-specific/linux/openvswitch/patches/disable-bash-arg-completion-test.patch b/pkgs/os-specific/linux/openvswitch/patches/disable-bash-arg-completion-test.patch
deleted file mode 100644
index 2b45427417632..0000000000000
--- a/pkgs/os-specific/linux/openvswitch/patches/disable-bash-arg-completion-test.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff --git a/tests/completion.at b/tests/completion.at
-index b6155af25..6367cb545 100644
---- a/tests/completion.at
-+++ b/tests/completion.at
-@@ -425,6 +425,7 @@ AT_CLEANUP
- 
- 
- AT_SETUP([vsctl-bashcomp - argument completion])
-+AT_SKIP_IF([true])
- AT_SKIP_IF([test -z ${BASH_VERSION+x}])
- AT_SKIP_IF([eval 'test ${BASH_VERSINFO[[0]]} -lt 4'])
- OVS_VSWITCHD_START(
diff --git a/pkgs/os-specific/linux/openvswitch/update.nu b/pkgs/os-specific/linux/openvswitch/update.nu
deleted file mode 100755
index 5d457dda5f3e9..0000000000000
--- a/pkgs/os-specific/linux/openvswitch/update.nu
+++ /dev/null
@@ -1,19 +0,0 @@
-#!/usr/bin/env nix-shell
-#!nix-shell -i nu -p nushell common-updater-scripts
-
-def main [--lts: bool = false, --regex: string] {
-  let tags = list-git-tags --url=https://github.com/openvswitch/ovs | lines | sort --natural | str replace v ''
-
-  let latest_tag = if $regex == null { $tags } else { $tags | find --regex $regex } | last
-  let current_version = nix eval --raw -f default.nix $"openvswitch(if $lts {"-lts"}).version" | str trim
-
-  if $latest_tag != $current_version {
-    if $lts {
-      update-source-version openvswitch-lts $latest_tag $"--file=(pwd)/pkgs/os-specific/linux/openvswitch/lts.nix"
-    } else {
-      update-source-version openvswitch $latest_tag $"--file=(pwd)/pkgs/os-specific/linux/openvswitch/default.nix"
-    }
-  }
-
-  {"lts?": $lts, before: $current_version, after: $latest_tag}
-}
diff --git a/pkgs/os-specific/linux/pam/default.nix b/pkgs/os-specific/linux/pam/default.nix
index c956dfad4c64f..e5f8fec5acb14 100644
--- a/pkgs/os-specific/linux/pam/default.nix
+++ b/pkgs/os-specific/linux/pam/default.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv, buildPackages, fetchurl, fetchpatch
+{ lib, stdenv, buildPackages, fetchurl
 , flex, cracklib, db4, gettext, audit, libxcrypt
 , nixosTests
 , autoreconfHook269, pkg-config-unwrapped
@@ -6,22 +6,15 @@
 
 stdenv.mkDerivation rec {
   pname = "linux-pam";
-  version = "1.6.0";
+  version = "1.6.1";
 
   src = fetchurl {
     url = "https://github.com/linux-pam/linux-pam/releases/download/v${version}/Linux-PAM-${version}.tar.xz";
-    hash = "sha256-//SjTlu+534ujxmS8nYx4jKby/igVj3etcM4m04xaa0=";
+    hash = "sha256-+JI8dAFZBS1xnb/CovgZQtaN00/K9hxwagLJuA/u744=";
   };
 
   patches = [
     ./suid-wrapper-path.patch
-
-    # Backport fix for missing include breaking musl builds.
-    (fetchpatch {
-      name = "pam_namespace-stdint.h.patch";
-      url = "https://github.com/linux-pam/linux-pam/commit/cc9d40b7cdbd3e15ccaa324a0dda1680ef9dea13.patch";
-      hash = "sha256-tCnH2yPO4dBbJOZA0fP2gm1EavHRMEJyfzB5Vy7YjAA=";
-    })
   ];
 
   # Case-insensitivity workaround for https://github.com/linux-pam/linux-pam/issues/569
diff --git a/pkgs/os-specific/linux/pam_rssh/default.nix b/pkgs/os-specific/linux/pam_rssh/default.nix
index 2da53d4627909..8b4224d6f4dfe 100644
--- a/pkgs/os-specific/linux/pam_rssh/default.nix
+++ b/pkgs/os-specific/linux/pam_rssh/default.nix
@@ -1,11 +1,12 @@
-{ lib
-, rustPlatform
-, fetchFromGitHub
-, coreutils
-, pkg-config
-, openssl
-, pam
-, openssh
+{
+  lib,
+  rustPlatform,
+  fetchFromGitHub,
+  coreutils,
+  pkg-config,
+  openssl,
+  pam,
+  openssh,
 }:
 
 rustPlatform.buildRustPackage rec {
@@ -28,9 +29,7 @@ rustPlatform.buildRustPackage rec {
       --replace '/bin/false' '${coreutils}/bin/false'
   '';
 
-  nativeBuildInputs = [
-    pkg-config
-  ];
+  nativeBuildInputs = [ pkg-config ];
 
   buildInputs = [
     openssl
@@ -42,9 +41,7 @@ rustPlatform.buildRustPackage rec {
     "--skip=tests::parse_user_authorized_keys"
   ];
 
-  nativeCheckInputs = [
-    openssh
-  ];
+  nativeCheckInputs = [ (openssh.override { dsaKeysSupport = true; }) ];
 
   env.USER = "nixbld";
 
diff --git a/pkgs/os-specific/linux/pcm/default.nix b/pkgs/os-specific/linux/pcm/default.nix
index e464d113e2f73..5c111952727de 100644
--- a/pkgs/os-specific/linux/pcm/default.nix
+++ b/pkgs/os-specific/linux/pcm/default.nix
@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   pname = "pcm";
-  version = "202403";
+  version = "202405";
 
   src = fetchFromGitHub {
     owner = "opcm";
     repo = "pcm";
     rev = version;
-    hash = "sha256-qefqtuxRaQEsWpXNAuGxuIT3LiH2b8xQb54B0RkzKGA=";
+    hash = "sha256-yEe1lWbvafc3N3+K9WMMlIXVVX+fVO8QsuKdyIqiKAg=";
   };
 
   nativeBuildInputs = [ cmake ];
diff --git a/pkgs/os-specific/linux/piper/default.nix b/pkgs/os-specific/linux/piper/default.nix
index b1508dcb6a3ed..dcdc7a363e30e 100644
--- a/pkgs/os-specific/linux/piper/default.nix
+++ b/pkgs/os-specific/linux/piper/default.nix
@@ -1,5 +1,5 @@
 { lib, meson, ninja, pkg-config, gettext, fetchFromGitHub, python3
-, wrapGAppsHook, gtk3, glib, desktop-file-utils, appstream-glib, gnome
+, wrapGAppsHook3, gtk3, glib, desktop-file-utils, appstream-glib, gnome
 , gobject-introspection, librsvg }:
 
 python3.pkgs.buildPythonApplication rec {
@@ -15,7 +15,7 @@ python3.pkgs.buildPythonApplication rec {
     sha256 = "0jsvfy0ihdcgnqljfgs41lys1nlz18qvsa0a8ndx3pyr41f8w8wf";
   };
 
-  nativeBuildInputs = [ meson ninja gettext pkg-config wrapGAppsHook desktop-file-utils appstream-glib gobject-introspection ];
+  nativeBuildInputs = [ meson ninja gettext pkg-config wrapGAppsHook3 desktop-file-utils appstream-glib gobject-introspection ];
   buildInputs = [
     gtk3 glib gnome.adwaita-icon-theme python3 librsvg
   ];
diff --git a/pkgs/os-specific/linux/power-profiles-daemon/default.nix b/pkgs/os-specific/linux/power-profiles-daemon/default.nix
index 2ea7a06b46e1d..f7145bc02ebe7 100644
--- a/pkgs/os-specific/linux/power-profiles-daemon/default.nix
+++ b/pkgs/os-specific/linux/power-profiles-daemon/default.nix
@@ -1,5 +1,6 @@
 { stdenv
 , lib
+, bash-completion
 , pkg-config
 , meson
 , mesonEmulatorHook
@@ -10,6 +11,7 @@
 , polkit
 , dbus
 , gobject-introspection
+, wrapGAppsNoGuiHook
 , gettext
 , gtk-doc
 , docbook-xsl-nons
@@ -25,7 +27,7 @@
 
 stdenv.mkDerivation rec {
   pname = "power-profiles-daemon";
-  version = "0.20";
+  version = "0.21";
 
   outputs = [ "out" "devdoc" ];
 
@@ -34,7 +36,7 @@ stdenv.mkDerivation rec {
     owner = "upower";
     repo = "power-profiles-daemon";
     rev = version;
-    sha256 = "sha256-8wSRPR/1ELcsZ9K3LvSNlPcJvxRhb/LRjTIxKtdQlCA=";
+    sha256 = "sha256-5JbMbz38SeNEkVKFjJLxeUHiOrx+QCaK/vXgRPbzwzY=";
   };
 
   nativeBuildInputs = [
@@ -48,17 +50,21 @@ stdenv.mkDerivation rec {
     libxml2 # for xmllint for stripping GResources
     libxslt # for xsltproc for building docs
     gobject-introspection
+    wrapGAppsNoGuiHook
     # checkInput but cheked for during the configuring
     (python3.pythonOnBuildForHost.withPackages (ps: with ps; [
       pygobject3
       dbus-python
       python-dbusmock
+      argparse-manpage
+      shtab
     ]))
   ] ++ lib.optionals (!stdenv.buildPlatform.canExecute stdenv.hostPlatform) [
     mesonEmulatorHook
   ];
 
   buildInputs = [
+    bash-completion
     libgudev
     systemd
     upower
@@ -84,11 +90,16 @@ stdenv.mkDerivation rec {
   mesonFlags = [
     "-Dsystemdsystemunitdir=${placeholder "out"}/lib/systemd/system"
     "-Dgtk_doc=true"
+    "-Dpylint=disabled"
+    "-Dzshcomp=${placeholder "out"}/share/zsh/site-functions"
     "-Dtests=${lib.boolToString (stdenv.buildPlatform.canExecute stdenv.hostPlatform)}"
   ];
 
   doCheck = true;
 
+  # Only need to wrap the Python tool (powerprofilectl)
+  dontWrapGApps = true;
+
   PKG_CONFIG_POLKIT_GOBJECT_1_POLICYDIR = "${placeholder "out"}/share/polkit-1/actions";
 
   postPatch = ''
@@ -100,6 +111,10 @@ stdenv.mkDerivation rec {
       src/powerprofilesctl
   '';
 
+  postFixup = ''
+    wrapGApp "$out/bin/powerprofilesctl"
+  '';
+
   passthru = {
     tests = {
       nixos = nixosTests.power-profiles-daemon;
@@ -112,6 +127,6 @@ stdenv.mkDerivation rec {
     mainProgram = "powerprofilesctl";
     platforms = platforms.linux;
     license = licenses.gpl3Plus;
-    maintainers = with maintainers; [ mvnetbiz ];
+    maintainers = with maintainers; [ mvnetbiz picnoir ];
   };
 }
diff --git a/pkgs/os-specific/linux/prl-tools/default.nix b/pkgs/os-specific/linux/prl-tools/default.nix
index 6acb8eba38633..1eff2088a6c75 100644
--- a/pkgs/os-specific/linux/prl-tools/default.nix
+++ b/pkgs/os-specific/linux/prl-tools/default.nix
@@ -36,13 +36,13 @@ let
 in
 stdenv.mkDerivation (finalAttrs: {
   pname = "prl-tools";
-  version = "19.3.0-54924";
+  version = "19.3.1-54941";
 
   # We download the full distribution to extract prl-tools-lin.iso from
   # => ${dmg}/Parallels\ Desktop.app/Contents/Resources/Tools/prl-tools-lin.iso
   src = fetchurl {
     url = "https://download.parallels.com/desktop/v${lib.versions.major finalAttrs.version}/${finalAttrs.version}/ParallelsDesktop-${finalAttrs.version}.dmg";
-    hash = "sha256-Hj1manQSZHiht6mmWes44RVk2Bdqp6QdNCdK322bzWc=";
+    hash = "sha256-2M87+dbQaDerajzc6bCXmrpIyUNXfMxFiX1SbLJ0fss=";
   };
 
   hardeningDisable = [ "pic" "format" ];
diff --git a/pkgs/os-specific/linux/r8125/default.nix b/pkgs/os-specific/linux/r8125/default.nix
index 1c261355954ad..9b5210350bdd2 100644
--- a/pkgs/os-specific/linux/r8125/default.nix
+++ b/pkgs/os-specific/linux/r8125/default.nix
@@ -4,7 +4,7 @@ stdenv.mkDerivation rec {
   pname = "r8125";
   # On update please verify (using `diff -r`) that the source matches the
   # realtek version.
-  version = "9.012.03";
+  version = "9.013.02";
 
   # This is a mirror. The original website[1] doesn't allow non-interactive
   # downloads, instead emailing you a download link.
@@ -13,7 +13,7 @@ stdenv.mkDerivation rec {
     owner = "louistakepillz";
     repo = "r8125";
     rev = version;
-    sha256 = "sha256-+CrxvKB96QOcOo87McZOt/XUhriTtTV8jTQgpBG3ejs=";
+    sha256 = "sha256-i45xKF5WVN+nNhpD6HWZHvGgxuaD/YhMHERqW8/bC5Y=";
   };
 
   hardeningDisable = [ "pic" ];
diff --git a/pkgs/os-specific/linux/radeontop/default.nix b/pkgs/os-specific/linux/radeontop/default.nix
index 49e2fdfd90b52..221a26f623406 100644
--- a/pkgs/os-specific/linux/radeontop/default.nix
+++ b/pkgs/os-specific/linux/radeontop/default.nix
@@ -37,7 +37,7 @@ stdenv.mkDerivation rec {
       blocks. Supports R600 and later cards: even Southern Islands should work.
       Works with both the open drivers and AMD Catalyst. Total GPU utilization
       is also valid for OpenCL loads; the other blocks are only useful for GL
-      loads. Requires root rights or other permissions to read /dev/mem.
+      loads.
     '';
     homepage = "https://github.com/clbr/radeontop";
     platforms = platforms.linux;
diff --git a/pkgs/os-specific/linux/rdma-core/default.nix b/pkgs/os-specific/linux/rdma-core/default.nix
index 7014e3b095f49..9ddb211ba0d57 100644
--- a/pkgs/os-specific/linux/rdma-core/default.nix
+++ b/pkgs/os-specific/linux/rdma-core/default.nix
@@ -15,13 +15,13 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "rdma-core";
-  version = "50.0";
+  version = "51.0";
 
   src = fetchFromGitHub {
     owner = "linux-rdma";
     repo = "rdma-core";
     rev = "v${finalAttrs.version}";
-    hash = "sha256-PJlbY7QR9b2eVaALpuq/67kRTc91HEhs9Wl7WXtSLmA=";
+    hash = "sha256-G5Z2BbmF5fzOg/32BBgGpC6yroDFOnZWtA/+5QatQ1M=";
   };
 
   strictDeps = true;
diff --git a/pkgs/os-specific/linux/restool/default.nix b/pkgs/os-specific/linux/restool/default.nix
index 853d9eeb7f3d6..7f7c094007e47 100644
--- a/pkgs/os-specific/linux/restool/default.nix
+++ b/pkgs/os-specific/linux/restool/default.nix
@@ -47,6 +47,6 @@ stdenv.mkDerivation rec {
     homepage = "https://github.com/nxp-qoriq/restool";
     license = licenses.bsd3;
     platforms = platforms.linux;
-    maintainers = with maintainers; [ delroth ];
+    maintainers = with maintainers; [ ];
   };
 }
diff --git a/pkgs/os-specific/linux/rt-tests/default.nix b/pkgs/os-specific/linux/rt-tests/default.nix
index 8e3a9b0ceb02a..a9e3e57d48752 100644
--- a/pkgs/os-specific/linux/rt-tests/default.nix
+++ b/pkgs/os-specific/linux/rt-tests/default.nix
@@ -8,11 +8,11 @@
 
 stdenv.mkDerivation rec {
   pname = "rt-tests";
-  version = "2.6";
+  version = "2.7";
 
   src = fetchurl {
     url = "https://git.kernel.org/pub/scm/utils/rt-tests/rt-tests.git/snapshot/${pname}-${version}.tar.gz";
-    sha256 = "sha256-apRJwRqcyzfmyGCCv5BDN92pKP3Nafa9SkxlZ+Bxrm0=";
+    sha256 = "sha256-1kfLmB1RPO8Hd7o8tROSyVBWchchc+AGPuOUlM2hR8g=";
   };
 
   nativeBuildInputs = [ makeWrapper ];
diff --git a/pkgs/os-specific/linux/rtl8189es/default.nix b/pkgs/os-specific/linux/rtl8189es/default.nix
index e31a54f56c31a..553c6a309682e 100644
--- a/pkgs/os-specific/linux/rtl8189es/default.nix
+++ b/pkgs/os-specific/linux/rtl8189es/default.nix
@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   name = "rtl8189es-${kernel.version}-${version}";
-  version = "2023-03-14";
+  version = "2024-01-21";
 
   src = fetchFromGitHub {
     owner = "jwrdegoede";
     repo = "rtl8189ES_linux";
-    rev = "ae7b31e55526ca0e01d2a3310118530bff4f1055";
-    sha256 = "sha256-l/xUxs63Y5LVT6ZafuRc+iaCXCSt2HwysYJLJ5hg3RM=";
+    rev = "eb51e021b0e1b6f94a4b49da3f4ee5c5fb20b715";
+    sha256 = "sha256-n7Bsstr1H1RvguAyJnVqk/JgEx8WEZWaVg7ZfEYykR0=";
   };
 
   nativeBuildInputs = [ bc nukeReferences ] ++ kernel.moduleBuildDependencies;
diff --git a/pkgs/os-specific/linux/rtl8189fs/default.nix b/pkgs/os-specific/linux/rtl8189fs/default.nix
index 67642f11d3222..0405fc8561a9b 100644
--- a/pkgs/os-specific/linux/rtl8189fs/default.nix
+++ b/pkgs/os-specific/linux/rtl8189fs/default.nix
@@ -3,13 +3,13 @@
 # rtl8189fs is a branch of the rtl8189es driver
 rtl8189es.overrideAttrs (drv: rec {
   name = "rtl8189fs-${kernel.version}-${version}";
-  version = "2023-03-27";
+  version = "2024-01-22";
 
   src = fetchFromGitHub {
     owner = "jwrdegoede";
     repo = "rtl8189ES_linux";
-    rev = "c223a25b1000d64432eca4201a8f012414dfc7ce";
-    sha256 = "sha256-5b5IshLbWxvmzcKy/xLsqKa3kZpwDQXTQtjqZLHyOCo=";
+    rev = "5d523593f41c0b8d723c6aa86b217ee1d0965786";
+    sha256 = "sha256-pziaUM6XfF4Tt9yfWUnLUiTw+sw6uZrr1HcaXdRQ31E=";
   };
 
   meta = with lib; {
diff --git a/pkgs/os-specific/linux/rtl8192eu/default.nix b/pkgs/os-specific/linux/rtl8192eu/default.nix
index 32b97b59c52ea..529f16fc1db4f 100644
--- a/pkgs/os-specific/linux/rtl8192eu/default.nix
+++ b/pkgs/os-specific/linux/rtl8192eu/default.nix
@@ -4,15 +4,15 @@ with lib;
 
 let modDestDir = "$out/lib/modules/${kernel.modDirVersion}/kernel/drivers/net/wireless/realtek/rtl8192eu";
 
-in stdenv.mkDerivation rec {
+in stdenv.mkDerivation {
   pname = "rtl8192eu";
-  version = "${kernel.version}-4.4.1.20230613";
+  version = "${kernel.version}-4.4.1.20240507";
 
   src = fetchFromGitHub {
     owner = "Mange";
     repo = "rtl8192eu-linux-driver";
-    rev = "f2fc8af7ab58d2123eed1aa4428e713cdfc27976";
-    sha256 = "sha256-OgsxBcXoIP8h9Z0bLsG91/s/+r89Tdn2dPOt4p3sx8k=";
+    rev = "27410641da6926eb1ac565068ff89d35f7496328";
+    sha256 = "sha256-/BztTE3yKw35Oo7KkzHMtD+8qpJNXWiSwR3YjrotR0I=";
   };
 
   hardeningDisable = [ "pic" ];
diff --git a/pkgs/os-specific/linux/rtl8723ds/default.nix b/pkgs/os-specific/linux/rtl8723ds/default.nix
index be4b954c1b618..a9c1f18de0c2a 100644
--- a/pkgs/os-specific/linux/rtl8723ds/default.nix
+++ b/pkgs/os-specific/linux/rtl8723ds/default.nix
@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation {
   pname = "rtl8723ds";
-  version = "${kernel.version}-unstable-2022-12-01";
+  version = "${kernel.version}-unstable-2023-11-14";
 
   src = fetchFromGitHub {
     owner = "lwfinger";
     repo = "rtl8723ds";
-    rev = "a638cc8639015b8b9390af3350fab0366b6c87e7";
-    sha256 = "sha256-qfVE7k71NPzw3FwoOaUxH66PnDjbpMAF6CyOyUVdSMA=";
+    rev = "52e593e8c889b68ba58bd51cbdbcad7fe71362e4";
+    sha256 = "sha256-SszvDuWN9opkXyVQAOLjnNtPp93qrKgnGvzK0y7Y9b0=";
   };
 
   hardeningDisable = [ "pic" ];
diff --git a/pkgs/os-specific/linux/rtl8812au/default.nix b/pkgs/os-specific/linux/rtl8812au/default.nix
index ed330fc246375..d9fd92c4a9f09 100644
--- a/pkgs/os-specific/linux/rtl8812au/default.nix
+++ b/pkgs/os-specific/linux/rtl8812au/default.nix
@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation {
   pname = "rtl8812au";
-  version = "${kernel.version}-unstable-2024-01-19";
+  version = "${kernel.version}-unstable-2024-03-20";
 
   src = fetchFromGitHub {
     owner = "morrownr";
     repo = "8812au-20210629";
-    rev = "3b921c0beda8583c1d2d1b0b7e4692d11e7ea772";
-    hash = "sha256-Ji61Y23uGSTyj3Z5ia9iev5rVzSOv7XY/IfAClhz7Q8=";
+    rev = "8be3a1d7acf60f77c5d9c33b690b8d7301bdf127";
+    hash = "sha256-HchnRezJNzimOB72Sv5BwL4oXuxPxloAHVuaL+warj8=";
   };
 
   nativeBuildInputs = [ bc nukeReferences ] ++ kernel.moduleBuildDependencies;
diff --git a/pkgs/os-specific/linux/rtl8821au/default.nix b/pkgs/os-specific/linux/rtl8821au/default.nix
index b89cddbfc73b6..e8be48cc403c8 100644
--- a/pkgs/os-specific/linux/rtl8821au/default.nix
+++ b/pkgs/os-specific/linux/rtl8821au/default.nix
@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation {
   pname = "rtl8821au";
-  version = "${kernel.version}-unstable-2023-07-23";
+  version = "${kernel.version}-unstable-2024-03-16";
 
   src = fetchFromGitHub {
     owner = "morrownr";
     repo = "8821au-20210708";
-    rev = "0dc022287b0ab534efa885881eaa65c5503291be";
-    hash = "sha256-pLRBWdqlv9A39VbCS8dymTCJHcwJooqD8v6mTbOsBz0=";
+    rev = "168ac48174067e17ffb9f8b15ab802f37447dacc";
+    hash = "sha256-eB9RCoU5jg5fgZkfcef9fsQ6tyD8gTPD+wYcR6PbWNw=";
   };
 
   nativeBuildInputs = [ bc nukeReferences ] ++ kernel.moduleBuildDependencies;
diff --git a/pkgs/os-specific/linux/rtl8821cu/default.nix b/pkgs/os-specific/linux/rtl8821cu/default.nix
index 806df9f6dd4d8..9d83d4b4c28a1 100644
--- a/pkgs/os-specific/linux/rtl8821cu/default.nix
+++ b/pkgs/os-specific/linux/rtl8821cu/default.nix
@@ -1,14 +1,14 @@
 { lib, stdenv, fetchFromGitHub, kernel, bc }:
 
-stdenv.mkDerivation rec {
+stdenv.mkDerivation {
   pname = "rtl8821cu";
-  version = "${kernel.version}-unstable-2023-09-10";
+  version = "${kernel.version}-unstable-2024-05-03";
 
   src = fetchFromGitHub {
     owner = "morrownr";
     repo = "8821cu-20210916";
-    rev = "f6d4598290c5e9c8e545130e8a31d130f6d135f4";
-    hash = "sha256-jpMf8K9diJ3mbEkP9Cp+VwairK+pwiEGU/AtUIouCqM=";
+    rev = "3eacc28b721950b51b0249508cc31e6e54988a0c";
+    hash = "sha256-JP7mvwhnKqmkb/B0l4vhc11TBjjUA1Ubzbj/IVEXvBM=";
   };
 
   hardeningDisable = [ "pic" ];
diff --git a/pkgs/os-specific/linux/rtl8852au/default.nix b/pkgs/os-specific/linux/rtl8852au/default.nix
new file mode 100644
index 0000000000000..e7b682893f855
--- /dev/null
+++ b/pkgs/os-specific/linux/rtl8852au/default.nix
@@ -0,0 +1,52 @@
+{ lib, stdenv, fetchFromGitHub, kernel, bc, nukeReferences }:
+
+stdenv.mkDerivation {
+  pname = "rtl8852au";
+  version = "${kernel.version}-unstable-2024-04-16";
+
+  src = fetchFromGitHub {
+    owner = "lwfinger";
+    repo = "rtl8852au";
+    rev = "5894bc6fed2bcaa525d13fcee1edada8aba67f2b";
+    hash = "sha256-R4Yb/jbh3nMgM41ByFjtkCMbsh/mmMRJ7CcvCRUvKu8=";
+  };
+
+  nativeBuildInputs = [ bc nukeReferences ] ++ kernel.moduleBuildDependencies;
+  hardeningDisable = [ "pic" "format" ];
+
+  postPatch = ''
+    substituteInPlace ./Makefile \
+      --replace-fail /sbin/depmod \# \
+      --replace-fail '$(MODDESTDIR)' "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/" \
+      --replace-fail '/usr/lib/systemd/system-sleep' "$out/usr/lib/systemd/system-sleep"
+    substituteInPlace ./platform/i386_pc.mk \
+      --replace-fail /lib/modules "${kernel.dev}/lib/modules"
+  '';
+
+  makeFlags = [
+    "ARCH=${stdenv.hostPlatform.linuxArch}"
+    ("CONFIG_PLATFORM_I386_PC=" + (if stdenv.hostPlatform.isx86 then "y" else "n"))
+    ("CONFIG_PLATFORM_ARM_RPI=" + (if stdenv.hostPlatform.isAarch then "y" else "n"))
+  ] ++ lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [
+    "CROSS_COMPILE=${stdenv.cc.targetPrefix}"
+  ];
+
+  preInstall = ''
+    mkdir -p "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/"
+    mkdir -p "$out/usr/lib/systemd/system-sleep"
+  '';
+
+  postInstall = ''
+    nuke-refs $out/lib/modules/*/kernel/net/wireless/*.ko
+  '';
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    description = "Driver for Realtek 802.11ac, rtl8852au, provides the 8852au mod";
+    homepage = "https://github.com/lwfinger/rtl8852au";
+    license = licenses.gpl2Only;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ lonyelon ];
+  };
+}
diff --git a/pkgs/os-specific/linux/rtl8852bu/default.nix b/pkgs/os-specific/linux/rtl8852bu/default.nix
new file mode 100644
index 0000000000000..cc0f495b8122f
--- /dev/null
+++ b/pkgs/os-specific/linux/rtl8852bu/default.nix
@@ -0,0 +1,51 @@
+{ lib, stdenv, fetchFromGitHub, kernel, bc, nukeReferences }:
+
+stdenv.mkDerivation {
+  pname = "rtl8852bu";
+  version = "${kernel.version}-unstable-2024-03-28";
+
+  src = fetchFromGitHub {
+    owner = "morrownr";
+    repo = "rtl8852bu";
+    rev = "f6aaa3c0094c541d9b0347926c76c1e9cc4a49d1";
+    hash = "sha256-Jbd6nixo873LU74klhhQU1qD3ahxEnywdqcF89LTRxc=";
+  };
+
+  nativeBuildInputs = [ bc nukeReferences ] ++ kernel.moduleBuildDependencies;
+  hardeningDisable = [ "pic" "format" ];
+
+  postPatch = ''
+    substituteInPlace ./Makefile \
+      --replace-fail /sbin/depmod \# \
+      --replace-fail '$(MODDESTDIR)' "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/"
+    substituteInPlace ./platform/i386_pc.mk \
+      --replace-fail /lib/modules "${kernel.dev}/lib/modules"
+  '';
+
+  makeFlags = [
+    "ARCH=${stdenv.hostPlatform.linuxArch}"
+    ("CONFIG_PLATFORM_I386_PC=" + (if stdenv.hostPlatform.isx86 then "y" else "n"))
+    ("CONFIG_PLATFORM_ARM_RPI=" + (if stdenv.hostPlatform.isAarch then "y" else "n"))
+  ] ++ lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [
+    "CROSS_COMPILE=${stdenv.cc.targetPrefix}"
+  ];
+
+  preInstall = ''
+    mkdir -p "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/"
+    mkdir -p "$out/usr/lib/systemd/system-sleep"
+  '';
+
+  postInstall = ''
+    nuke-refs $out/lib/modules/*/kernel/net/wireless/*.ko
+  '';
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    description = "Driver for Realtek rtl8852au and rtl8832bu chipsets, provides the 8852au mod";
+    homepage = "https://github.com/morrownr/rtl8852bu";
+    license = licenses.gpl2Only;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ lonyelon ];
+  };
+}
diff --git a/pkgs/os-specific/linux/rtl88xxau-aircrack/default.nix b/pkgs/os-specific/linux/rtl88xxau-aircrack/default.nix
index 78409b7bd14a2..2f6ab211d32e2 100644
--- a/pkgs/os-specific/linux/rtl88xxau-aircrack/default.nix
+++ b/pkgs/os-specific/linux/rtl88xxau-aircrack/default.nix
@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   pname = "rtl88xxau-aircrack";
-  version = "${kernel.version}-unstable-02-05-2023";
+  version = "${kernel.version}-unstable-2024-04-09";
 
   src = fetchFromGitHub {
     owner = "aircrack-ng";
     repo = "rtl8812au";
-    rev = "35308f4dd73e77fa572c48867cce737449dd8548";
-    hash = "sha256-0kHrNsTKRl/xTQpDkIOYqTtcHlytXhXX8h+6guvLmLI=";
+    rev = "63cf0b4584aa8878b0fe8ab38017f31c319bde3d";
+    hash = "sha256-tDsI/ZzsQm9999EpCpDFArfEIg/ueUJEbSYESbGxd4A=";
   };
 
   nativeBuildInputs = kernel.moduleBuildDependencies;
@@ -29,10 +29,12 @@ stdenv.mkDerivation rec {
   enableParallelBuilding = true;
 
   meta = with lib; {
-    description = "Aircrack-ng kernel module for Realtek 88XXau network cards\n(8811au, 8812au, 8814au and 8821au chipsets) with monitor mode and injection support.";
+    description = ''
+      Aircrack-ng kernel module for Realtek 88XXau network cards
+      (8811au, 8812au, 8814au and 8821au chipsets) with monitor mode and injection support.'';
     homepage = "https://github.com/aircrack-ng/rtl8812au";
     license = licenses.gpl2Only;
-    maintainers = [ maintainers.jethro ];
+    maintainers = [ maintainers.ja1den maintainers.jethro ];
     platforms = [ "x86_64-linux" "i686-linux" "aarch64-linux" ];
   };
 }
diff --git a/pkgs/os-specific/linux/rust-out-of-tree-module/default.nix b/pkgs/os-specific/linux/rust-out-of-tree-module/default.nix
index fd6b85a4dbd69..5ef6f7c4edbb7 100644
--- a/pkgs/os-specific/linux/rust-out-of-tree-module/default.nix
+++ b/pkgs/os-specific/linux/rust-out-of-tree-module/default.nix
@@ -22,7 +22,8 @@ kernel.stdenv.mkDerivation {
     homepage = "https://github.com/Rust-for-Linux/rust-out-of-tree-module";
     license = lib.licenses.gpl2Only;
     maintainers = [ lib.maintainers.blitz ];
-    platforms = lib.platforms.linux;
+    platforms = [ "x86_64-linux" ]
+      ++ lib.optional (kernel.kernelAtLeast "6.9") "aarch64-linux";
   };
 
 }
diff --git a/pkgs/os-specific/linux/ryzen-smu/default.nix b/pkgs/os-specific/linux/ryzen-smu/default.nix
new file mode 100644
index 0000000000000..7f899f2c2c90c
--- /dev/null
+++ b/pkgs/os-specific/linux/ryzen-smu/default.nix
@@ -0,0 +1,69 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, kernel
+}:
+
+let
+  version = "0.1.5-unstable-2024-01-03";
+
+  ## Upstream has not been merging PRs.
+  ## Nixpkgs maintainers are providing a
+  ## repo with PRs merged until upstream is
+  ## updated.
+  src = fetchFromGitHub {
+    owner = "Cryolitia";
+    repo = "ryzen_smu";
+    rev = "ce1aa918efa33ca79998f0f7d467c04d4b07016c";
+    hash = "sha256-s9SSmbL6ixWqZUKEhrZdxN4xoWgk+8ClZPoKq2FDAAE=";
+  };
+
+  monitor-cpu = stdenv.mkDerivation {
+    pname = "monitor-cpu";
+    inherit version src;
+
+    makeFlags = [
+      "-C userspace"
+    ];
+
+    installPhase = ''
+    runHook preInstall
+
+    install userspace/monitor_cpu -Dm755 -t $out/bin
+
+    runHook postInstall
+  '';
+  };
+
+in
+stdenv.mkDerivation {
+  pname = "ryzen-smu-${kernel.version}";
+  inherit version src;
+
+  hardeningDisable = [ "pic" ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  makeFlags = [
+    "TARGET=${kernel.modDirVersion}"
+    "KERNEL_BUILD=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  installPhase = ''
+    runHook preInstall
+
+    install ryzen_smu.ko -Dm444 -t $out/lib/modules/${kernel.modDirVersion}/kernel/drivers/ryzen_smu
+    install ${monitor-cpu}/bin/monitor_cpu -Dm755 -t $out/bin
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "A Linux kernel driver that exposes access to the SMU (System Management Unit) for certain AMD Ryzen Processors";
+    homepage = "https://gitlab.com/leogx9r/ryzen_smu";
+    license = licenses.gpl2Plus;
+    maintainers = with maintainers; [ Cryolitia phdyellow ];
+    platforms = [ "x86_64-linux" ];
+    mainProgram = "monitor_cpu";
+  };
+}
diff --git a/pkgs/os-specific/linux/sd-switch/default.nix b/pkgs/os-specific/linux/sd-switch/default.nix
index 7750862c34c2c..4f80ce5d6b2b8 100644
--- a/pkgs/os-specific/linux/sd-switch/default.nix
+++ b/pkgs/os-specific/linux/sd-switch/default.nix
@@ -1,6 +1,6 @@
-{ lib, fetchFromSourcehut, rustPlatform, pkg-config, dbus }:
+{ lib, fetchFromSourcehut, rustPlatform, nix-update-script }:
 
-let version = "0.3.0";
+let version = "0.4.0";
 in rustPlatform.buildRustPackage {
   pname = "sd-switch";
   inherit version;
@@ -9,18 +9,20 @@ in rustPlatform.buildRustPackage {
     owner = "~rycee";
     repo = "sd-switch";
     rev = version;
-    hash = "sha256-mWrLbCUnoJ3hVtpSU/7dw91U5TLyw5kNchX5nmP9asA=";
+    hash = "sha256-PPFYH34HAD/vC+9jpA1iPQRVNR6MX8ncSPC+7bl2oHY=";
   };
 
-  cargoHash = "sha256-VK+kPX1pGhowbWKkUs1PL0DXIhDXJOFVoIHTtWQcWEs=";
+  cargoHash = "sha256-zUoa7nPNFvnYekbEZwtnJKZ6qd47Sb4LZGEkaKVQ9ZQ=";
 
-  nativeBuildInputs = [ pkg-config ];
-  buildInputs = [ dbus ];
+  passthru = {
+    updateScript = nix-update-script { };
+  };
 
   meta = with lib; {
     description = "A systemd unit switcher for Home Manager";
     mainProgram = "sd-switch";
-    homepage = "https://gitlab.com/rycee/sd-switch";
+    homepage = "https://git.sr.ht/~rycee/sd-switch";
+    changelog = "https://git.sr.ht/~rycee/sd-switch/refs/${version}";
     license = licenses.gpl3Plus;
     maintainers = with maintainers; [ rycee ];
     platforms = platforms.linux;
diff --git a/pkgs/os-specific/linux/semodule-utils/default.nix b/pkgs/os-specific/linux/semodule-utils/default.nix
index 70de3cc6b60c0..013a9ecb90342 100644
--- a/pkgs/os-specific/linux/semodule-utils/default.nix
+++ b/pkgs/os-specific/linux/semodule-utils/default.nix
@@ -22,6 +22,6 @@ stdenv.mkDerivation rec {
     description = "SELinux policy core utilities (packaging additions)";
     license = licenses.gpl2;
     inherit (libsepol.meta) homepage platforms;
-    maintainers = [ ];
+    maintainers = with maintainers; [ RossComputerGuy ];
   };
 }
diff --git a/pkgs/os-specific/linux/setools/default.nix b/pkgs/os-specific/linux/setools/default.nix
index 0819ae91fc87a..8e3b0e627d374 100644
--- a/pkgs/os-specific/linux/setools/default.nix
+++ b/pkgs/os-specific/linux/setools/default.nix
@@ -8,13 +8,13 @@ with python3.pkgs;
 
 buildPythonApplication rec {
   pname = "setools";
-  version = "4.4.4";
+  version = "4.5.0";
 
   src = fetchFromGitHub {
     owner = "SELinuxProject";
     repo = pname;
     rev = "refs/tags/${version}";
-    hash = "sha256-QCJfFdY4THBurx7G8q/WAzb7b9CwtNNGi5fn9D++BMU=";
+    hash = "sha256-4y4Uhh3O84UbK39j8ACu06/6n7lyHsd8MzODR0FOp3I=";
   };
 
   nativeBuildInputs = [ cython ];
diff --git a/pkgs/os-specific/linux/sgx/azure-dcap-client/default.nix b/pkgs/os-specific/linux/sgx/azure-dcap-client/default.nix
index 0ee191e868957..99e5c4b1a09c1 100644
--- a/pkgs/os-specific/linux/sgx/azure-dcap-client/default.nix
+++ b/pkgs/os-specific/linux/sgx/azure-dcap-client/default.nix
@@ -16,7 +16,7 @@ let
     find "$out" -mindepth 1 -delete
     cp ${lib.concatStringsSep " " list} "$out/"
   '';
-  headers = linkFarmFromDrvs "azure-dcpa-client-intel-headers" [
+  headers = linkFarmFromDrvs "azure-dcap-client-intel-headers" [
     (fetchFromGitHub rec {
       name = "${repo}-headers";
       owner = "intel";
@@ -35,13 +35,13 @@ let
 in
 stdenv.mkDerivation rec {
   pname = "azure-dcap-client";
-  version = "1.12.1";
+  version = "1.12.3";
 
   src = fetchFromGitHub {
     owner = "microsoft";
     repo = pname;
     rev = version;
-    hash = "sha256-q0dI4WdA1ue4sw+QfSherh31Ldf9gnhoft66o3E9gnU=";
+    hash = "sha256-zTDaICsSPXctgFRCZBiZwXV9dLk2pFL9kp5a8FkiTZA=";
   };
 
   patches = [
@@ -69,8 +69,8 @@ stdenv.mkDerivation rec {
     find -L '${headers}' -type f -exec ln -s {} src/Linux/ext/intel \;
 
     substitute src/Linux/Makefile{.in,} \
-      --replace '##CURLINC##' '${curl.dev}/include/curl/' \
-      --replace '$(TEST_SUITE): $(PROVIDER_LIB) $(TEST_SUITE_OBJ)' '$(TEST_SUITE): $(TEST_SUITE_OBJ)'
+      --replace-fail '##CURLINC##' '${curl.dev}/include/curl/' \
+      --replace-fail '$(TEST_SUITE): $(PROVIDER_LIB) $(TEST_SUITE_OBJ)' '$(TEST_SUITE): $(TEST_SUITE_OBJ)'
   '';
 
   env.NIX_CFLAGS_COMPILE = "-Wno-deprecated-declarations";
@@ -84,11 +84,11 @@ stdenv.mkDerivation rec {
   # $(nix-build -A sgx-azure-dcap-client.tests.suite)/bin/tests
   passthru.tests.suite = callPackage ./test-suite.nix { };
 
-  meta = with lib; {
+  meta = {
     description = "Interfaces between SGX SDKs and the Azure Attestation SGX Certification Cache";
     homepage = "https://github.com/microsoft/azure-dcap-client";
-    maintainers = with maintainers; [ trundle veehaitch ];
+    maintainers = with lib.maintainers; [ phlip9 trundle veehaitch ];
     platforms = [ "x86_64-linux" ];
-    license = [ licenses.mit ];
+    license = [ lib.licenses.mit ];
   };
 }
diff --git a/pkgs/os-specific/linux/sgx/psw/default.nix b/pkgs/os-specific/linux/sgx/psw/default.nix
index 22e52b6ec9fdb..829b0c6525ecc 100644
--- a/pkgs/os-specific/linux/sgx/psw/default.nix
+++ b/pkgs/os-specific/linux/sgx/psw/default.nix
@@ -14,7 +14,7 @@
 , debug ? false
 }:
 stdenv.mkDerivation rec {
-  inherit (sgx-sdk) version versionTag src;
+  inherit (sgx-sdk) patches src version versionTag;
   pname = "sgx-psw";
 
   postUnpack =
@@ -24,16 +24,16 @@ stdenv.mkDerivation rec {
       # attestation quotes, and do platform certification.
       ae.prebuilt = fetchurl {
         url = "https://download.01.org/intel-sgx/sgx-linux/${versionTag}/prebuilt_ae_${versionTag}.tar.gz";
-        hash = "sha256-IckW4p1XWkWCDCErXyTtnKYKeAUaCrp5iAMsRBMjLX0=";
+        hash = "sha256-IGV9VEwY/cQBV4Vz2sps4JgRweWRl/l08ocb9P4SH8Q=";
       };
       # Also include the Data Center Attestation Primitives (DCAP) platform
       # enclaves.
       dcap = rec {
-        version = "1.18";
+        version = "1.21";
         filename = "prebuilt_dcap_${version}.tar.gz";
         prebuilt = fetchurl {
           url = "https://download.01.org/intel-sgx/sgx-dcap/${version}/linux/${filename}";
-          hash = "sha256-9ceys7ozOEienug+9MTZ6dw3nx7VBfxLNiwhZYv4SzY=";
+          hash = "sha256-/PPD2MyNxoCwzNljIFcpkFvItXbyvymsJ7+Uf4IyZuk=";
         };
       };
     in
@@ -158,31 +158,31 @@ stdenv.mkDerivation rec {
     # is helpful to have properly patched versions for non-NixOS distributions.
     echo "Fixing aesmd.service"
     substituteInPlace $out/lib/systemd/system/aesmd.service \
-      --replace '@aesm_folder@' \
-                "$out/aesm" \
-      --replace 'Type=forking' \
-                'Type=simple' \
-      --replace "ExecStart=$out/aesm/aesm_service" \
-                "ExecStart=$out/bin/aesm_service --no-daemon"\
-      --replace "/bin/mkdir" \
-                "${coreutils}/bin/mkdir" \
-      --replace "/bin/chown" \
-                "${coreutils}/bin/chown" \
-      --replace "/bin/chmod" \
-                "${coreutils}/bin/chmod" \
-      --replace "/bin/kill" \
-                "${coreutils}/bin/kill"
+      --replace-fail '@aesm_folder@' \
+                     "$out/aesm" \
+      --replace-fail 'Type=forking' \
+                     'Type=simple' \
+      --replace-fail "ExecStart=$out/aesm/aesm_service" \
+                     "ExecStart=$out/bin/aesm_service --no-daemon"\
+      --replace-fail "/bin/mkdir" \
+                     "${coreutils}/bin/mkdir" \
+      --replace-fail "/bin/chown" \
+                     "${coreutils}/bin/chown" \
+      --replace-fail "/bin/chmod" \
+                     "${coreutils}/bin/chmod" \
+      --replace-fail "/bin/kill" \
+                     "${coreutils}/bin/kill"
   '';
 
   passthru.tests = {
     service = nixosTests.aesmd;
   };
 
-  meta = with lib; {
+  meta = {
     description = "Intel SGX Architectural Enclave Service Manager";
     homepage = "https://github.com/intel/linux-sgx";
-    maintainers = with maintainers; [ veehaitch citadelcore ];
+    maintainers = with lib.maintainers; [ phlip9 veehaitch citadelcore ];
     platforms = [ "x86_64-linux" ];
-    license = with licenses; [ bsd3 ];
+    license = [ lib.licenses.bsd3 ];
   };
 }
diff --git a/pkgs/os-specific/linux/sgx/sdk/cppmicroservices-no-mtime.patch b/pkgs/os-specific/linux/sgx/sdk/cppmicroservices-no-mtime.patch
new file mode 100644
index 0000000000000..019f58927152a
--- /dev/null
+++ b/pkgs/os-specific/linux/sgx/sdk/cppmicroservices-no-mtime.patch
@@ -0,0 +1,26 @@
+diff --git a/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp b/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp
+index aee499e9..13fa89d4 100644
+--- a/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp
++++ b/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp
+@@ -105,7 +105,7 @@ bool BundleResourceContainer::GetStat(int index,
+                    const_cast<mz_zip_archive*>(&m_ZipArchive), index)
+                    ? true
+                    : false;
+-    stat.modifiedTime = zipStat.m_time;
++    stat.modifiedTime = 0;
+     stat.crc32 = zipStat.m_crc32;
+     // This will limit the size info from uint64 to uint32 on 32-bit
+     // architectures. We don't care because we assume resources > 2GB
+diff --git a/external/CppMicroServices/third_party/miniz.c b/external/CppMicroServices/third_party/miniz.c
+index 6b0ebd7a..fa2aebca 100644
+--- a/external/CppMicroServices/third_party/miniz.c
++++ b/external/CppMicroServices/third_party/miniz.c
+@@ -170,7 +170,7 @@
+ // If MINIZ_NO_TIME is specified then the ZIP archive functions will not be able to get the current time, or
+ // get/set file times, and the C run-time funcs that get/set times won't be called.
+ // The current downside is the times written to your archives will be from 1979.
+-//#define MINIZ_NO_TIME
++#define MINIZ_NO_TIME
+
+ // Define MINIZ_NO_ARCHIVE_APIS to disable all ZIP archive API's.
+ //#define MINIZ_NO_ARCHIVE_APIS
diff --git a/pkgs/os-specific/linux/sgx/sdk/default.nix b/pkgs/os-specific/linux/sgx/sdk/default.nix
index 2570406a7112e..4f7374d634f36 100644
--- a/pkgs/os-specific/linux/sgx/sdk/default.nix
+++ b/pkgs/os-specific/linux/sgx/sdk/default.nix
@@ -1,7 +1,6 @@
 { lib
 , stdenv
 , fetchFromGitHub
-, fetchpatch
 , autoconf
 , automake
 , binutils
@@ -27,15 +26,15 @@
 stdenv.mkDerivation rec {
   pname = "sgx-sdk";
   # Version as given in se_version.h
-  version = "2.21.100.1";
+  version = "2.24.100.3";
   # Version as used in the Git tag
-  versionTag = "2.21";
+  versionTag = "2.24";
 
   src = fetchFromGitHub {
     owner = "intel";
     repo = "linux-sgx";
     rev = "sgx_${versionTag}";
-    hash = "sha256-Yo2G0H0XUI2p9W7lDRLkFHw2t8X1220brGohQJ0r2WY=";
+    hash = "sha256-1urEdfMKNUqqyJ3wQ10+tvtlRuAKELpaCWIOzjCbYKw=";
     fetchSubmodules = true;
   };
 
@@ -46,39 +45,28 @@ stdenv.mkDerivation rec {
   '';
 
   patches = [
-    # Fix missing pthread_compat.h, see https://github.com/intel/linux-sgx/pull/784
-    (fetchpatch {
-      url = "https://github.com/intel/linux-sgx/commit/254b58f922a6bd49c308a4f47f05f525305bd760.patch";
-      sha256 = "sha256-sHU++K7NJ+PdITx3y0PwstA9MVh10rj2vrLn01N9F4w=";
-    })
+    # There's a `make preparation` step that downloads some prebuilt binaries
+    # and applies some patches to the in-repo git submodules. This patch removes
+    # the parts that download things, since we can't do that inside the sandbox.
+    ./disable-downloads.patch
+
+    # This patch disable mtime in bundled zip file for reproducible builds.
+    #
+    # Context: The `aesm_service` binary depends on a vendored library called
+    # `CppMicroServices`. At build time, this lib creates and then bundles
+    # service resources into a zip file and then embeds this zip into the
+    # binary. Without changes, the `aesm_service` will be different after every
+    # build because the embedded zip file contents have different modified times.
+    ./cppmicroservices-no-mtime.patch
   ];
 
-  # There's a `make preparation` step that downloads some prebuilt binaries and
-  # applies some patches to the in-repo git submodules. We can't just run it,
-  # since it downloads things, so this step just extracts the patching steps.
   postPatch = ''
     patchShebangs linux/installer/bin/build-installpkg.sh \
       linux/installer/common/sdk/createTarball.sh \
       linux/installer/common/sdk/install.sh \
       external/sgx-emm/create_symlink.sh
 
-    echo "Running 'make preparation' but without download steps"
-
-    # Seems to download something. Build currently uses ipp-crypto and not
-    # sgxssl so probably not an issue.
-    # $ ./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild
-
-    pushd external/openmp/openmp_code
-      git apply ../0001-Enable-OpenMP-in-SGX.patch >/dev/null 2>&1 \
-        || git apply ../0001-Enable-OpenMP-in-SGX.patch --check -R
-    popd
-
-    pushd external/protobuf/protobuf_code
-      git apply ../sgx_protobuf.patch >/dev/null 2>&1 \
-        || git apply ../sgx_protobuf.patch --check -R
-    popd
-
-    ./external/sgx-emm/create_symlink.sh
+    make preparation
   '';
 
   # We need `cmake` as a build input but don't use it to kick off the build phase
@@ -133,8 +121,6 @@ stdenv.mkDerivation rec {
 
       pushd 'external/ippcp_internal'
 
-      cp -r ${ipp-crypto-no_mitigation}/include/. inc/
-
       install -D -m a+rw ${ipp-crypto-no_mitigation}/lib/intel64/libippcp.a \
         lib/linux/intel64/no_mitigation/libippcp.a
       install -D -m a+rw ${ipp-crypto-cve_2020_0551_load}/lib/intel64/libippcp.a \
@@ -142,8 +128,13 @@ stdenv.mkDerivation rec {
       install -D -m a+rw ${ipp-crypto-cve_2020_0551_cf}/lib/intel64/libippcp.a \
         lib/linux/intel64/cve_2020_0551_cf/libippcp.a
 
+      cp -r ${ipp-crypto-no_mitigation}/include/* inc/
+
+      mkdir inc/ippcp
+      cp ${ipp-crypto-no_mitigation}/include/fips_cert.h inc/ippcp/
+
       rm inc/ippcp.h
-      patch ${ipp-crypto-no_mitigation}/include/ippcp.h -i inc/ippcp21u7.patch -o inc/ippcp.h
+      patch ${ipp-crypto-no_mitigation}/include/ippcp.h -i ./inc/ippcp21u11.patch -o ./inc/ippcp.h
 
       install -D ${ipp-crypto-no_mitigation.src}/LICENSE license/LICENSE
 
@@ -297,11 +288,11 @@ stdenv.mkDerivation rec {
       '';
     };
 
-  meta = with lib; {
+  meta = {
     description = "Intel SGX SDK for Linux built with IPP Crypto Library";
     homepage = "https://github.com/intel/linux-sgx";
-    maintainers = with maintainers; [ sbellem arturcygan veehaitch ];
+    maintainers = with lib.maintainers; [ phlip9 sbellem arturcygan veehaitch ];
     platforms = [ "x86_64-linux" ];
-    license = with licenses; [ bsd3 ];
+    license = [ lib.licenses.bsd3 ];
   };
 }
diff --git a/pkgs/os-specific/linux/sgx/sdk/disable-downloads.patch b/pkgs/os-specific/linux/sgx/sdk/disable-downloads.patch
new file mode 100644
index 0000000000000..c045606df144c
--- /dev/null
+++ b/pkgs/os-specific/linux/sgx/sdk/disable-downloads.patch
@@ -0,0 +1,28 @@
+diff --git a/Makefile b/Makefile
+index 73502a7..f24bd11 100644
+--- a/Makefile
++++ b/Makefile
+@@ -50,18 +50,18 @@ tips:
+ preparation:
+ # As SDK build needs to clone and patch openmp, we cannot support the mode that download the source from github as zip.
+ # Only enable the download from git
+-	git submodule update --init --recursive
+-	./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild
++	# git submodule update --init --recursive
++	# ./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild
+ 	cd external/openmp/openmp_code && git apply ../0001-Enable-OpenMP-in-SGX.patch >/dev/null 2>&1 ||  git apply ../0001-Enable-OpenMP-in-SGX.patch --check -R
+ 	cd external/protobuf/protobuf_code && git apply ../sgx_protobuf.patch >/dev/null 2>&1 ||  git apply ../sgx_protobuf.patch --check -R
+-	cd external/protobuf/protobuf_code && git submodule update --init --recursive && cd third_party/abseil-cpp && git apply ../../../sgx_abseil.patch>/dev/null 2>&1 || git apply ../../../sgx_abseil.patch --check -R
++	cd external/protobuf/protobuf_code && cd third_party/abseil-cpp && git apply ../../../sgx_abseil.patch>/dev/null 2>&1 || git apply ../../../sgx_abseil.patch --check -R
+ 	./external/sgx-emm/create_symlink.sh
+ 	cd external/mbedtls/mbedtls_code && git apply ../sgx_mbedtls.patch >/dev/null 2>&1 || git apply ../sgx_mbedtls.patch --check -R
+ 	cd external/cbor && cp -r libcbor sgx_libcbor
+ 	cd external/cbor/libcbor && git apply ../raw_cbor.patch >/dev/null 2>&1 || git apply ../raw_cbor.patch --check -R
+ 	cd external/cbor/sgx_libcbor && git apply ../sgx_cbor.patch >/dev/null 2>&1 || git apply ../sgx_cbor.patch --check -R
+-	./download_prebuilt.sh
+-	./external/dcap_source/QuoteGeneration/download_prebuilt.sh
++	# ./download_prebuilt.sh
++	# ./external/dcap_source/QuoteGeneration/download_prebuilt.sh
+ 
+ psw:
+ 	$(MAKE) -C psw/ USE_OPT_LIBS=$(USE_OPT_LIBS)
diff --git a/pkgs/os-specific/linux/sgx/sdk/ipp-crypto.nix b/pkgs/os-specific/linux/sgx/sdk/ipp-crypto.nix
index 5a4c941a22b99..eba9e7f6a0e5c 100644
--- a/pkgs/os-specific/linux/sgx/sdk/ipp-crypto.nix
+++ b/pkgs/os-specific/linux/sgx/sdk/ipp-crypto.nix
@@ -8,16 +8,20 @@
 }:
 gcc11Stdenv.mkDerivation rec {
   pname = "ipp-crypto";
-  version = "2021.9.0";
+  version = "2021.11.1";
 
   src = fetchFromGitHub {
     owner = "intel";
     repo = "ipp-crypto";
     rev = "ippcp_${version}";
-    hash = "sha256-+ITnxyrkDQp4xRa+PVzXdYsSkI5sMNwQGfGU+lFJ6co=";
+    hash = "sha256-OgNrrPE8jFVD/hcv7A43Bno96r4Z/lb7/SE6TEL7RDI=";
   };
 
-  cmakeFlags = [ "-DARCH=intel64" ] ++ extraCmakeFlags;
+  cmakeFlags = [
+    "-DARCH=intel64"
+    # sgx-sdk now requires FIPS-compliance mode turned on
+    "-DIPPCP_FIPS_MODE=on"
+  ] ++ extraCmakeFlags;
 
   nativeBuildInputs = [
     cmake
diff --git a/pkgs/os-specific/linux/sgx/ssl/default.nix b/pkgs/os-specific/linux/sgx/ssl/default.nix
index 9d1905e09d1f7..73cde2e030af4 100644
--- a/pkgs/os-specific/linux/sgx/ssl/default.nix
+++ b/pkgs/os-specific/linux/sgx/ssl/default.nix
@@ -1,8 +1,8 @@
 { stdenv
+, callPackage
 , fetchFromGitHub
 , fetchurl
 , lib
-, openssl
 , perl
 , sgx-sdk
 , which
@@ -10,7 +10,7 @@
 }:
 let
   sgxVersion = sgx-sdk.versionTag;
-  opensslVersion = "1.1.1u";
+  opensslVersion = "3.0.13";
 in
 stdenv.mkDerivation {
   pname = "sgx-ssl" + lib.optionalString debug "-debug";
@@ -19,15 +19,15 @@ stdenv.mkDerivation {
   src = fetchFromGitHub {
     owner = "intel";
     repo = "intel-sgx-ssl";
-    rev = "lin_${sgxVersion}_${opensslVersion}";
-    hash = "sha256-zbXEQz72VUPqnGrboX6oXliaLpbcos7tV6K9lX+zleg=";
+    rev = "3.0_Rev2";
+    hash = "sha256-dmLyaG6v+skjSa0KxLAfIfSBOxp9grrI7ds6WdGPe0I=";
   };
 
   postUnpack =
     let
       opensslSourceArchive = fetchurl {
         url = "https://www.openssl.org/source/openssl-${opensslVersion}.tar.gz";
-        hash = "sha256-4vjYS1I+7NBse+diaDA3AwD7zBU4a/UULXJ1j2lj68Y=";
+        hash = "sha256-iFJXU/edO+wn0vp8ZqoLkrOqlJja/ZPXz6SzeAza4xM=";
       };
     in
     ''
@@ -37,16 +37,15 @@ stdenv.mkDerivation {
   postPatch = ''
     patchShebangs Linux/build_openssl.sh
 
-    # Run the test in the `installCheckPhase`, not the `buildPhase`
+    # Skip the tests. Build and run separately (see below).
     substituteInPlace Linux/sgx/Makefile \
-      --replace '$(MAKE) -C $(TEST_DIR) all' \
-                'bash -c "true"'
+      --replace-fail '$(MAKE) -C $(TEST_DIR) all' \
+                     'bash -c "true"'
   '';
 
   nativeBuildInputs = [
     perl
     sgx-sdk
-    stdenv.cc.libc
     which
   ];
 
@@ -60,22 +59,23 @@ stdenv.mkDerivation {
     "DESTDIR=$(out)"
   ];
 
-  # Build the test app
-  doInstallCheck = true;
-  installCheckTarget = "test";
-  installCheckFlags = [
-    "SGX_MODE=SIM"
-    "-j 1" # Makefile doesn't support multiple jobs
-  ];
-  nativeInstallCheckInputs = [
-    openssl
-  ];
+  # These tests build on any x86_64-linux but BOTH SIM and HW will only _run_ on
+  # real Intel hardware. Split these out so OfBorg doesn't choke on this pkg.
+  #
+  # ```
+  # nix run .#sgx-ssl.tests.HW
+  # nix run .#sgx-ssl.tests.SIM
+  # ```
+  passthru.tests = {
+    HW = callPackage ./tests.nix { sgxMode = "HW"; inherit opensslVersion; };
+    SIM = callPackage ./tests.nix { sgxMode = "SIM"; inherit opensslVersion; };
+  };
 
-  meta = with lib; {
+  meta = {
     description = "Cryptographic library for Intel SGX enclave applications based on OpenSSL";
     homepage = "https://github.com/intel/intel-sgx-ssl";
-    maintainers = with maintainers; [ trundle veehaitch ];
+    maintainers = with lib.maintainers; [ phlip9 trundle veehaitch ];
     platforms = [ "x86_64-linux" ];
-    license = [ licenses.bsd3 licenses.openssl ];
+    license = with lib.licenses; [ bsd3 openssl ];
   };
 }
diff --git a/pkgs/os-specific/linux/sgx/ssl/tests.nix b/pkgs/os-specific/linux/sgx/ssl/tests.nix
new file mode 100644
index 0000000000000..d9357ba043102
--- /dev/null
+++ b/pkgs/os-specific/linux/sgx/ssl/tests.nix
@@ -0,0 +1,95 @@
+# This package _builds_ (but doesn't run!) the sgx-ssl test enclave + harness.
+# The whole package effectively does:
+#
+# ```
+# SGX_MODE=${sgxMode} make -C Linux/sgx/test_app
+# cp Linux/sgx/{TestApp,TestEnclave.signed.so} $out/bin
+# ```
+#
+# OfBorg fails to run these tests since they require real Intel HW. That
+# includes the simulation mode! The tests appears to do something fancy with
+# cpuid and exception trap handlers that make them very non-portable.
+#
+# These tests are split out from the parent pkg since recompiling the parent
+# takes like 30 min : )
+
+{ lib
+, openssl
+, sgx-psw
+, sgx-sdk
+, sgx-ssl
+, stdenv
+, which
+, opensslVersion ? throw "required parameter"
+, sgxMode ? throw "required parameter" # "SIM" or "HW"
+}:
+stdenv.mkDerivation {
+  inherit (sgx-ssl) postPatch src version;
+  pname = sgx-ssl.pname + "-tests-${sgxMode}";
+
+  postUnpack = sgx-ssl.postUnpack + ''
+    sourceRootAbs=$(readlink -e $sourceRoot)
+    packageDir=$sourceRootAbs/Linux/package
+
+    # Do the inverse of 'make install' and symlink built artifacts back into
+    # '$src/Linux/package/' to avoid work.
+    mkdir $packageDir/lib $packageDir/lib64
+    ln -s ${lib.getLib sgx-ssl}/lib/* $packageDir/lib/
+    ln -s ${lib.getLib sgx-ssl}/lib64/* $packageDir/lib64/
+    ln -sf ${lib.getDev sgx-ssl}/include/* $packageDir/include/
+
+    # test_app needs some internal openssl headers.
+    # See: tail end of 'Linux/build_openssl.sh'
+    tar -C $sourceRootAbs/openssl_source -xf $sourceRootAbs/openssl_source/openssl-${opensslVersion}.tar.gz
+    echo '#define OPENSSL_VERSION_STR "${opensslVersion}"' > $sourceRootAbs/Linux/sgx/osslverstr.h
+    ln -s $sourceRootAbs/openssl_source/openssl-${opensslVersion}/include/crypto $sourceRootAbs/Linux/sgx/test_app/enclave/
+    ln -s $sourceRootAbs/openssl_source/openssl-${opensslVersion}/include/internal $sourceRootAbs/Linux/sgx/test_app/enclave/
+  '';
+
+  nativeBuildInputs = [
+    openssl.bin
+    sgx-sdk
+    which
+  ];
+
+  preBuild = ''
+    # Need to regerate the edl header
+    make -C Linux/sgx/libsgx_tsgxssl sgx_tsgxssl_t.c
+  '';
+
+  makeFlags = [
+    "-C Linux/sgx/test_app"
+    "SGX_MODE=${sgxMode}"
+  ];
+
+  installPhase = ''
+    runHook preInstall
+
+    # Enclaves can't be stripped after signing.
+    install -Dm 755 Linux/sgx/test_app/TestEnclave.signed.so -t $TMPDIR/enclaves
+
+    install -Dm 755 Linux/sgx/test_app/TestApp -t $out/bin
+
+    runHook postInstall
+  '';
+
+  postFixup = ''
+    # Move the enclaves where they actually belong.
+    mv $TMPDIR/enclaves/*.signed.so* $out/bin/
+
+    # HW SGX must runs against sgx-psw, not sgx-sdk.
+    if [[ "${sgxMode}" == "HW" ]]; then
+      patchelf \
+        --set-rpath "$( \
+          patchelf --print-rpath $out/bin/TestApp \
+            | sed 's|${lib.getLib sgx-sdk}|${lib.getLib sgx-psw}|' \
+        )" \
+        $out/bin/TestApp
+    fi
+  '';
+
+  meta = {
+    platforms = [ "x86_64-linux" ];
+    mainProgram = "TestApp";
+  };
+}
diff --git a/pkgs/os-specific/linux/sssd/default.nix b/pkgs/os-specific/linux/sssd/default.nix
index a4a0d1dd49ffb..4f27c7e83fb5d 100644
--- a/pkgs/os-specific/linux/sssd/default.nix
+++ b/pkgs/os-specific/linux/sssd/default.nix
@@ -5,7 +5,7 @@
   libuuid, systemd, nspr, check, cmocka, uid_wrapper, p11-kit,
   nss_wrapper, ncurses, Po4a, http-parser, jansson, jose,
   docbook_xsl, docbook_xml_dtd_44,
-  testers, nix-update-script, nixosTests,
+  testers, nix-update-script, nixosTests, fetchpatch,
   withSudo ? false }:
 
 let
@@ -22,6 +22,14 @@ stdenv.mkDerivation (finalAttrs: {
     hash = "sha256-VJXZndbmC6mAVxzvv5Wjb4adrQkP16Rt4cgjl4qGDIc=";
   };
 
+  patches = [
+    # Fix the build with Samba 4.20
+    (fetchpatch {
+      url = "https://github.com/SSSD/sssd/commit/1bf51929a48b84d62ac54f2a42f17e7fbffe1612.patch";
+      hash = "sha256-VLx04APEipp860iOJNIwTGywxZ7rIDdyh3te6m7Ymlo=";
+    })
+  ];
+
   postPatch = ''
     patchShebangs ./sbus_generate.sh.in
   '';
@@ -102,6 +110,7 @@ stdenv.mkDerivation (finalAttrs: {
   passthru = {
     tests = {
       inherit (nixosTests) sssd sssd-ldap;
+      pkg-config = testers.testMetaPkgConfig finalAttrs.finalPackage;
       version = testers.testVersion {
         package = finalAttrs.finalPackage;
         command = "sssd --version";
@@ -117,5 +126,11 @@ stdenv.mkDerivation (finalAttrs: {
     license = licenses.gpl3Plus;
     platforms = platforms.linux;
     maintainers = with maintainers; [ illustris ];
+    pkgConfigModules = [
+      "ipa_hbac"
+      "sss_certmap"
+      "sss_idmap"
+      "sss_nss_idmap"
+    ];
   };
 })
diff --git a/pkgs/os-specific/linux/sysdig/default.nix b/pkgs/os-specific/linux/sysdig/default.nix
index 302404b38e126..59b48eeb7f715 100644
--- a/pkgs/os-specific/linux/sysdig/default.nix
+++ b/pkgs/os-specific/linux/sysdig/default.nix
@@ -1,38 +1,38 @@
 { lib, stdenv, fetchFromGitHub, cmake, kernel, installShellFiles, pkg-config
-, luajit, ncurses, perl, jsoncpp, openssl, curl, jq, gcc, elfutils, tbb, protobuf, grpc
-, yaml-cpp, nlohmann_json, re2, zstd, uthash
-}:
+, luajit, ncurses, perl, jsoncpp, openssl, curl, jq, gcc, elfutils, tbb
+, protobuf, grpc, yaml-cpp, nlohmann_json, re2, zstd, uthash }:
 
 let
-  # Compare with https://github.com/draios/sysdig/blob/0.35.1/cmake/modules/falcosecurity-libs.cmake
-  libsRev = "0.14.2";
-  libsHash = "sha256-sWrniRB/vQd1BZnsiz+wLHugrF3LhuAr9e9gDMavLoo=";
+  # Compare with https://github.com/draios/sysdig/blob/0.37.1/cmake/modules/falcosecurity-libs.cmake
+  libsRev = "0.16.0";
+  libsHash = "sha256-aduO2pLj91tRdZ1dW1F1JFEg//SopialXWPd6Oav/u8=";
 
-  # Compare with https://github.com/falcosecurity/libs/blob/0.14.2/cmake/modules/valijson.cmake
+  # Compare with https://github.com/falcosecurity/libs/blob/0.16.0/cmake/modules/valijson.cmake
   valijson = fetchFromGitHub {
     owner = "tristanpenman";
     repo = "valijson";
-    rev = "v0.6";
-    hash = "sha256-ZD19Q2MxMQd3yEKbY90GFCrerie5/jzgO8do4JQDoKM=";
+    rev = "v1.0.2";
+    hash = "sha256-wvFdjsDtKH7CpbEpQjzWtLC4RVOU9+D2rSK0Xo1cJqo=";
   };
 
-  # https://github.com/draios/sysdig/blob/0.35.1/cmake/modules/driver.cmake
+  # https://github.com/draios/sysdig/blob/0.37.1/cmake/modules/driver.cmake
   driver = fetchFromGitHub {
     owner = "falcosecurity";
     repo = "libs";
-    rev = "7.0.0+driver";
-    hash = "sha256-kXqvfM7HbGh2wEGaO4KBkFDW+m5gpOShJZKJLu9McKk=";
+    rev = "7.1.0+driver";
+    hash = "sha256-FIlnJsNgofGo4HETEEpW28wpC3U9z5AZprwFR5AgFfA=";
   };
-in
-stdenv.mkDerivation rec {
+
+  version = "0.37.1";
+in stdenv.mkDerivation {
   pname = "sysdig";
-  version = "0.35.3";
+  inherit version;
 
   src = fetchFromGitHub {
     owner = "draios";
     repo = "sysdig";
     rev = version;
-    hash = "sha256-wvCnWzQbkkM8qEG93li22P67WX1bGX9orTk+2vsBHZY=";
+    hash = "sha256-V1rvQ6ZznL9UiUFW2lyW6gvdoGttOd5kgT2KPQCjmvQ=";
   };
 
   nativeBuildInputs = [ cmake perl installShellFiles pkg-config ];
@@ -58,12 +58,14 @@ stdenv.mkDerivation rec {
   hardeningDisable = [ "pic" ];
 
   postUnpack = ''
-    cp -r ${fetchFromGitHub {
-      owner = "falcosecurity";
-      repo = "libs";
-      rev = libsRev;
-      hash = libsHash;
-    }} libs
+    cp -r ${
+      fetchFromGitHub {
+        owner = "falcosecurity";
+        repo = "libs";
+        rev = libsRev;
+        hash = libsHash;
+      }
+    } libs
     chmod -R +w libs
 
     substituteInPlace libs/userspace/libscap/libscap.pc.in libs/userspace/libsinsp/libsinsp.pc.in \
@@ -72,6 +74,7 @@ stdenv.mkDerivation rec {
 
     cp -r ${driver} driver-src
     chmod -R +w driver-src
+
     cmakeFlagsArray+=(
       "-DFALCOSECURITY_LIBS_SOURCE_DIR=$(pwd)/libs"
       "-DDRIVER_SOURCE_DIR=$(pwd)/driver-src/driver"
@@ -91,10 +94,8 @@ stdenv.mkDerivation rec {
   ] ++ lib.optional (kernel == null) "-DBUILD_DRIVER=OFF";
 
   env.NIX_CFLAGS_COMPILE =
-   # needed since luajit-2.1.0-beta3
-   "-DluaL_reg=luaL_Reg -DluaL_getn(L,i)=((int)lua_objlen(L,i)) " +
-   # fix compiler warnings been treated as errors
-   "-Wno-error";
+    # fix compiler warnings been treated as errors
+    "-Wno-error";
 
   preConfigure = ''
     if ! grep -q "${libsRev}" cmake/modules/falcosecurity-libs.cmake; then
@@ -107,39 +108,37 @@ stdenv.mkDerivation rec {
     export KERNELDIR="${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
   '';
 
-  postInstall =
-    ''
-      # Fix the bash completion location
-      installShellCompletion --bash $out/etc/bash_completion.d/sysdig
-      rm $out/etc/bash_completion.d/sysdig
-      rmdir $out/etc/bash_completion.d
-      rmdir $out/etc
-    ''
-    + lib.optionalString (kernel != null) ''
-      make install_driver
-      kernel_dev=${kernel.dev}
-      kernel_dev=''${kernel_dev#${builtins.storeDir}/}
-      kernel_dev=''${kernel_dev%%-linux*dev*}
-      if test -f "$out/lib/modules/${kernel.modDirVersion}/extra/scap.ko"; then
-          sed -i "s#$kernel_dev#................................#g" $out/lib/modules/${kernel.modDirVersion}/extra/scap.ko
-      else
-          for i in $out/lib/modules/${kernel.modDirVersion}/{extra,updates}/scap.ko.xz; do
-            if test -f "$i"; then
-              xz -d $i
-              sed -i "s#$kernel_dev#................................#g" ''${i%.xz}
-              xz -9 ''${i%.xz}
-            fi
-          done
-      fi
-    '';
-
-
-  meta = with lib; {
-    description = "A tracepoint-based system tracing tool for Linux (with clients for other OSes)";
-    license = with licenses; [ asl20 gpl2 mit ];
-    maintainers = [maintainers.raskin];
-    platforms = ["x86_64-linux"] ++ platforms.darwin;
-    broken = kernel != null && versionOlder kernel.version "4.14";
+  postInstall = ''
+    # Fix the bash completion location
+    installShellCompletion --bash $out/etc/bash_completion.d/sysdig
+    rm $out/etc/bash_completion.d/sysdig
+    rmdir $out/etc/bash_completion.d
+    rmdir $out/etc
+  '' + lib.optionalString (kernel != null) ''
+    make install_driver
+    kernel_dev=${kernel.dev}
+    kernel_dev=''${kernel_dev#${builtins.storeDir}/}
+    kernel_dev=''${kernel_dev%%-linux*dev*}
+    if test -f "$out/lib/modules/${kernel.modDirVersion}/extra/scap.ko"; then
+        sed -i "s#$kernel_dev#................................#g" $out/lib/modules/${kernel.modDirVersion}/extra/scap.ko
+    else
+        for i in $out/lib/modules/${kernel.modDirVersion}/{extra,updates}/scap.ko.xz; do
+          if test -f "$i"; then
+            xz -d $i
+            sed -i "s#$kernel_dev#................................#g" ''${i%.xz}
+            xz -9 ''${i%.xz}
+          fi
+        done
+    fi
+  '';
+
+  meta = {
+    description =
+      "A tracepoint-based system tracing tool for Linux (with clients for other OSes)";
+    license = with lib.licenses; [ asl20 gpl2 mit ];
+    maintainers = with lib.maintainers; [ raskin ];
+    platforms = [ "x86_64-linux" ] ++ lib.platforms.darwin;
+    broken = kernel != null && ((lib.versionOlder kernel.version "4.14") || kernel.isHardened || kernel.isZen);
     homepage = "https://sysdig.com/opensource/";
     downloadPage = "https://github.com/draios/sysdig/releases";
   };
diff --git a/pkgs/os-specific/linux/systemd/default.nix b/pkgs/os-specific/linux/systemd/default.nix
index 05e66dd704afd..a0f019c610dc9 100644
--- a/pkgs/os-specific/linux/systemd/default.nix
+++ b/pkgs/os-specific/linux/systemd/default.nix
@@ -5,7 +5,6 @@
 , nixosTests
 , pkgsCross
 , fetchFromGitHub
-, fetchpatch
 , fetchzip
 , buildPackages
 , makeBinaryWrapper
@@ -150,6 +149,10 @@
 , withUserDb ? true
 , withUtmp ? !stdenv.hostPlatform.isMusl
 , withVmspawn ? true
+  # kernel-install shouldn't usually be used on NixOS, but can be useful, e.g. for
+  # building disk images for non-NixOS systems. To save users from trying to use it
+  # on their live NixOS system, we disable it by default.
+, withKernelInstall ? false
   # tests assume too much system access for them to be feasible for us right now
 , withTests ? false
   # build only libudev and libsystemd
@@ -176,7 +179,7 @@ assert withBootloader -> withEfi;
 let
   wantCurl = withRemote || withImportd;
   wantGcrypt = withResolved || withImportd;
-  version = "255.2";
+  version = "255.6";
 
   # Use the command below to update `releaseTimestamp` on every (major) version
   # change. More details in the commentary at mesonFlags.
@@ -194,7 +197,7 @@ stdenv.mkDerivation (finalAttrs: {
     owner = "systemd";
     repo = "systemd-stable";
     rev = "v${version}";
-    hash = "sha256-8SfJY/pcH4yrDeJi0GfIUpetTbpMwyswvSu+RSfgqfY=";
+    hash = "sha256-ah0678iNfy0c5NhHhjn0roY6RoM8OE0hWyEt+qEGKRQ=";
   };
 
   # On major changes, or when otherwise required, you *must* :
@@ -225,15 +228,6 @@ stdenv.mkDerivation (finalAttrs: {
     ./0017-meson.build-do-not-create-systemdstatedir.patch
   ] ++ lib.optional (stdenv.hostPlatform.isLinux && stdenv.hostPlatform.isGnu) [
     ./0018-timesyncd-disable-NSCD-when-DNSSEC-validation-is-dis.patch
-  ] ++ lib.optional (stdenv.hostPlatform.isPower || stdenv.hostPlatform.isRiscV) [
-    # Fixed upstream and included in the main and stable branches. Can be dropped
-    # when bumping to >= v255.5.
-    # https://github.com/systemd/systemd/issues/30448
-    # https://github.com/NixOS/nixpkgs/pull/282607
-    (fetchpatch {
-      url = "https://github.com/systemd/systemd/commit/8040fa55a1cbc34dede3205a902095ecd26c21e3.patch";
-      sha256 = "0c6z7bsndbkb8m130jnjpsl138sfv3q171726n5vkyl2n9ihnavk";
-    })
   ] ++ lib.optional stdenv.hostPlatform.isMusl (
     let
       oe-core = fetchzip {
@@ -558,7 +552,7 @@ stdenv.mkDerivation (finalAttrs: {
     (lib.mesonEnable "zlib" withCompression)
 
     # NSS
-    (lib.mesonEnable "nss-mymachines" withNss)
+    (lib.mesonEnable "nss-mymachines" (withNss && withMachined))
     (lib.mesonEnable "nss-resolve" withNss)
     (lib.mesonBool "nss-myhostname" withNss)
     (lib.mesonBool "nss-systemd" withNss)
@@ -570,7 +564,7 @@ stdenv.mkDerivation (finalAttrs: {
 
     # FIDO2
     (lib.mesonEnable "libfido2" withFido2)
-    (lib.mesonEnable "openssl" withFido2)
+    (lib.mesonEnable "openssl" (withHomed || withFido2 || withSysupdate))
 
     # Password Quality
     (lib.mesonEnable "pwquality" withPasswordQuality)
@@ -595,6 +589,7 @@ stdenv.mkDerivation (finalAttrs: {
     (lib.mesonEnable "libiptc" withIptables)
     (lib.mesonEnable "repart" withRepart)
     (lib.mesonEnable "sysupdate" withSysupdate)
+    (lib.mesonEnable "seccomp" withLibseccomp)
     (lib.mesonEnable "selinux" withSelinux)
     (lib.mesonEnable "tpm2" withTpm2Tss)
     (lib.mesonEnable "pcre2" withPCRE2)
@@ -628,6 +623,7 @@ stdenv.mkDerivation (finalAttrs: {
     (lib.mesonBool "efi" withEfi)
     (lib.mesonBool "utmp" withUtmp)
     (lib.mesonBool "log-trace" withLogTrace)
+    (lib.mesonBool "kernel-install" withKernelInstall)
     (lib.mesonBool "quotacheck" false)
     (lib.mesonBool "ldconfig" false)
     (lib.mesonBool "install-sysconfdir" false)
@@ -819,7 +815,7 @@ stdenv.mkDerivation (finalAttrs: {
     done
 
     rm -rf $out/etc/rpm
-
+  '' + lib.optionalString (!withKernelInstall) ''
     # "kernel-install" shouldn't be used on NixOS.
     find $out -name "*kernel-install*" -exec rm {} \;
   '' + lib.optionalString (!withDocumentation) ''
@@ -920,8 +916,9 @@ stdenv.mkDerivation (finalAttrs: {
     maintainers = with lib.maintainers; [ flokli kloenk ];
     platforms = lib.platforms.linux;
     priority = 10;
-    badPlatforms = [ lib.systems.inspect.platformPatterns.isStatic ];
-    # https://github.com/systemd/systemd/issues/20600#issuecomment-912338965
-    broken = stdenv.hostPlatform.isStatic;
+    badPlatforms = [
+      # https://github.com/systemd/systemd/issues/20600#issuecomment-912338965
+      lib.systems.inspect.platformPatterns.isStatic
+    ];
   };
 })
diff --git a/pkgs/os-specific/linux/tailor-gui/default.nix b/pkgs/os-specific/linux/tailor-gui/default.nix
index 531b956f1128d..74bfbeafeac9b 100644
--- a/pkgs/os-specific/linux/tailor-gui/default.nix
+++ b/pkgs/os-specific/linux/tailor-gui/default.nix
@@ -26,7 +26,7 @@ stdenv.mkDerivation {
   cargoDeps = rustPlatform.fetchCargoTarball {
     inherit src sourceRoot;
     name = "${pname}-${version}";
-    hash = "sha256-mt4YQ0iB/Mlnm+o9sGgYVEdbxjF7qArxA5FIK4MAZ8M=";
+    hash = "sha256-jcjq0uls28V8Ka2CMM8oOQmZZRUr9eEQeVtW56AmU28=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/os-specific/linux/tbs/default.nix b/pkgs/os-specific/linux/tbs/default.nix
index 5805a400c1e25..4d4a1a96ce5fe 100644
--- a/pkgs/os-specific/linux/tbs/default.nix
+++ b/pkgs/os-specific/linux/tbs/default.nix
@@ -5,22 +5,22 @@ let
     name = repo;
     owner = "tbsdtv";
     repo = "linux_media";
-    rev = "d0a7e44358f28064697e0eed309db03166dcd83b";
-    hash = "sha256-BTHlnta5qv2bdPjD2bButwYGpwR/bq99/AUoZqTHHYw=";
+    rev = "d8d1ff33c0c47e34fe3e860b52b4d6c457520866";
+    hash = "sha256-1Z9itZ5GFpfUeRtp5xTnS+I91LUZLDhsEcF2v8ThaCs=";
   };
 
   build = fetchFromGitHub rec {
     name = repo;
     owner = "tbsdtv";
     repo = "media_build";
-    rev = "88764363a3e3d36b3c59a0a2bf2244e262035d47";
-    hash = "sha256-LFTxYVPudflxqYTSBIDNkTrGs09MOuYBXwpGYqWfEFQ=";
+    rev = "8cd12a6e90999f3a341018812a5d66d7e6b30913";
+    hash = "sha256-+I0NrML54ni37qgDHbRUQiLmmw/UZgXmoFoiDNDeH5A=";
   };
 
 in
 stdenv.mkDerivation {
   pname = "tbs";
-  version = "20231210-${kernel.version}";
+  version = "20240506-${kernel.version}";
 
   srcs = [ media build ];
   sourceRoot = build.name;
@@ -66,6 +66,6 @@ stdenv.mkDerivation {
     license = licenses.gpl2;
     maintainers = with maintainers; [ ck3d ];
     priority = -1;
-    broken = kernel.kernelOlder "4.14" || kernel.kernelAtLeast "6.6";
+    broken = kernel.kernelOlder "4.14" || kernel.kernelAtLeast "6.9";
   };
 }
diff --git a/pkgs/os-specific/linux/tiscamera/default.nix b/pkgs/os-specific/linux/tiscamera/default.nix
index 600655c447f7d..8847a83d53d77 100644
--- a/pkgs/os-specific/linux/tiscamera/default.nix
+++ b/pkgs/os-specific/linux/tiscamera/default.nix
@@ -18,7 +18,7 @@
 , glib
 , gobject-introspection
 , gst_all_1
-, wrapGAppsHook
+, wrapGAppsHook3
   # needs pkg_resources
 , withDoc ? false
 , sphinx
@@ -54,7 +54,7 @@ stdenv.mkDerivation rec {
   nativeBuildInputs = [
     cmake
     pkg-config
-    wrapGAppsHook
+    wrapGAppsHook3
     gobject-introspection
   ] ++ lib.optionals withDoc [
     sphinx
@@ -112,7 +112,7 @@ stdenv.mkDerivation rec {
   # gstreamer tests requires, besides gst-plugins-bad, plugins installed by this expression.
   checkPhase = "ctest --force-new-ctest-process -E gstreamer";
 
-  # wrapGAppsHook: make sure we add ourselves to the introspection
+  # wrapGAppsHook3: make sure we add ourselves to the introspection
   # and gstreamer paths.
   GI_TYPELIB_PATH = "${placeholder "out"}/lib/girepository-1.0";
   GST_PLUGIN_SYSTEM_PATH_1_0 = "${placeholder "out"}/lib/gstreamer-1.0";
diff --git a/pkgs/os-specific/linux/tomb/default.nix b/pkgs/os-specific/linux/tomb/default.nix
index 9c97377cfe04f..98dd9bc1dbca0 100644
--- a/pkgs/os-specific/linux/tomb/default.nix
+++ b/pkgs/os-specific/linux/tomb/default.nix
@@ -1,4 +1,4 @@
-{ stdenv
+{ stdenvNoCC
 , lib
 , fetchFromGitHub
 , substituteAll
@@ -20,7 +20,7 @@
 , nix-update-script
 }:
 
-stdenv.mkDerivation rec {
+stdenvNoCC.mkDerivation rec {
   pname = "tomb";
   version = "2.10";
 
@@ -38,7 +38,7 @@ stdenv.mkDerivation rec {
   postPatch = ''
     # if not, it shows .tomb-wrapped when running
     substituteInPlace tomb \
-      --replace 'TOMBEXEC=$0' 'TOMBEXEC=tomb'
+      --replace-fail 'TOMBEXEC=$0' 'TOMBEXEC=tomb'
   '';
 
   installPhase = ''
diff --git a/pkgs/os-specific/linux/tuna/default.nix b/pkgs/os-specific/linux/tuna/default.nix
index b57169369ca72..3b527c8b534fe 100644
--- a/pkgs/os-specific/linux/tuna/default.nix
+++ b/pkgs/os-specific/linux/tuna/default.nix
@@ -9,7 +9,7 @@
 , gtk3
 , python-linux-procfs
 , python-ethtool
-, wrapGAppsHook
+, wrapGAppsHook3
 }:
 
 buildPythonApplication rec {
@@ -37,7 +37,7 @@ buildPythonApplication rec {
     glib.dev
     gobject-introspection
     gtk3
-    wrapGAppsHook
+    wrapGAppsHook3
   ];
 
   propagatedBuildInputs = [ pygobject3 python-linux-procfs python-ethtool ];
diff --git a/pkgs/os-specific/linux/tuxedo-rs/default.nix b/pkgs/os-specific/linux/tuxedo-rs/default.nix
index ca48571b7933b..d6b09df678a8b 100644
--- a/pkgs/os-specific/linux/tuxedo-rs/default.nix
+++ b/pkgs/os-specific/linux/tuxedo-rs/default.nix
@@ -6,7 +6,7 @@
 }:
 rustPlatform.buildRustPackage rec {
   pname = "tuxedo-rs";
-  version = "0.3.0";
+  version = "0.3.1";
 
   # NOTE: This src is shared with tailor-gui.
   # When updating, the tailor-gui.cargoDeps hash needs to be updated.
@@ -14,14 +14,14 @@ rustPlatform.buildRustPackage rec {
     owner = "AaronErhardt";
     repo = "tuxedo-rs";
     rev = "tailor-v${version}";
-    hash = "sha256-5F9Xo+tnmYqmFiKrKMe+EEqypmG9iIvwai5yuKCm00Y=";
+    hash = "sha256-+NzwUs8TZsA0us9hI1UmEKdiOo9IqTRmTOHs4xmC7MY=";
   };
 
 
   # Some of the tests are impure and rely on files in /etc/tailord
   doCheck = false;
 
-  cargoHash = "sha256-EPbh1elLOJKOrYLeBSaZ27zWGYFajiD60eFGEGaCJKw=";
+  cargoHash = "sha256-HtyCKQ0xDIXevgr4FAnVJcDI8G6vR9fLHFghe9+ADiU=";
 
   passthru.tests.version = testers.testVersion {
     package = tuxedo-rs;
diff --git a/pkgs/os-specific/linux/uhk-agent/default.nix b/pkgs/os-specific/linux/uhk-agent/default.nix
index 0d6b3ccd515ca..553e471faaffa 100644
--- a/pkgs/os-specific/linux/uhk-agent/default.nix
+++ b/pkgs/os-specific/linux/uhk-agent/default.nix
@@ -12,12 +12,12 @@
 
 let
   pname = "uhk-agent";
-  version = "4.0.2";
+  version = "4.1.0";
 
   src = fetchurl {
     url = "https://github.com/UltimateHackingKeyboard/agent/releases/download/v${version}/UHK.Agent-${version}-linux-x86_64.AppImage";
     name = "${pname}-${version}.AppImage";
-    sha256 = "sha256-yx5hOmb1la+vNh8x0PM3edcMn4ojdwzNmGBUg/BH7wE=";
+    sha256 = "sha256-5VzUSuq+yc8HXSILMg24w/hbwasf4jq0H0wte9Mw+nY=";
   };
 
   appimageContents = appimageTools.extract {
diff --git a/pkgs/os-specific/linux/upower/default.nix b/pkgs/os-specific/linux/upower/default.nix
index 3b08318c965ea..8a1d79a9d7bdd 100644
--- a/pkgs/os-specific/linux/upower/default.nix
+++ b/pkgs/os-specific/linux/upower/default.nix
@@ -1,7 +1,6 @@
 { lib
 , stdenv
 , fetchFromGitLab
-, fetchpatch
 , makeWrapper
 , pkg-config
 , libxslt
@@ -33,7 +32,7 @@ assert withDocs -> withIntrospection;
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "upower";
-  version = "1.90.2";
+  version = "1.90.4";
 
   outputs = [ "out" "dev" "installedTests" ]
     ++ lib.optionals withDocs [ "devdoc" ];
@@ -43,7 +42,7 @@ stdenv.mkDerivation (finalAttrs: {
     owner = "upower";
     repo = "upower";
     rev = "v${finalAttrs.version}";
-    hash = "sha256-7WzMAJuf1czU8ZalsEU/NwCXYqTGvcqEqxFt5ocgt48=";
+    hash = "sha256-5twHuDLisVF07Y5KYwlqWMi12+p6UpARJvoBN/+tX2o=";
   };
 
   patches = lib.optionals (stdenv.hostPlatform.system == "i686-linux") [
@@ -52,10 +51,6 @@ stdenv.mkDerivation (finalAttrs: {
     ./i686-test-remove-battery-check.patch
   ] ++ [
     ./installed-tests-path.patch
-    (fetchpatch {
-      url = "https://gitlab.freedesktop.org/upower/upower/-/merge_requests/207.diff";
-      hash = "sha256-ldr1bKbSAdYpwbbe/Iq9i0Q9zQrHWvIvBGym/F3+vxs=";
-    })
   ];
 
   strictDeps = true;
diff --git a/pkgs/os-specific/linux/util-linux/default.nix b/pkgs/os-specific/linux/util-linux/default.nix
index ba989b41a6cac..ef3614bce02ef 100644
--- a/pkgs/os-specific/linux/util-linux/default.nix
+++ b/pkgs/os-specific/linux/util-linux/default.nix
@@ -1,7 +1,9 @@
-{ lib, stdenv, fetchurl, pkg-config, zlib, shadow
+{ lib, stdenv, fetchurl, fetchpatch, autoreconfHook, gtk-doc, pkg-config
+, zlib, shadow
 , capabilitiesSupport ? stdenv.isLinux
 , libcap_ng
 , libxcrypt
+, sqlite
 , ncursesSupport ? true
 , ncurses
 , pamSupport ? true
@@ -17,14 +19,20 @@
 , memstreamHook
 , gitUpdater
 }:
-
+let
+  # Temporarily avoid applying the patches on systems where already we have binaries
+  # (in particular x86_64-linux and aarch64-linux) as the package is a huge rebuild there.
+  avoidRebuild = with stdenv.hostPlatform; isLinux && is64bit && !isStatic;
+in
 stdenv.mkDerivation rec {
   pname = "util-linux" + lib.optionalString (!nlsSupport && !ncursesSupport && !systemdSupport) "-minimal";
-  version = "2.39.3";
+  version = if avoidRebuild then "2.40.1" else "2.39.4";
 
   src = fetchurl {
     url = "mirror://kernel/linux/utils/util-linux/v${lib.versions.majorMinor version}/util-linux-${version}.tar.xz";
-    hash = "sha256-e2YF5I0aSfQ8xLTPxZ8xPQ3VQC+kC5aBC9Vy4Wff7Q8=";
+    hash = if avoidRebuild
+      then "sha256-WeZ2qlPMtEtsOfD/4BqPonSJHJG+8UdHUvrZJGHe8k8="
+      else "sha256-bE+HI9r9QcOdk+y/FlCfyIwzzVvTJ3iArlodl6AU/Q4=";
   };
 
   patches = [
@@ -40,7 +48,7 @@ stdenv.mkDerivation rec {
   separateDebugInfo = true;
 
   postPatch = ''
-    patchShebangs tests/run.sh
+    patchShebangs tests/run.sh tools/all_syscalls
 
     substituteInPlace sys-utils/eject.c \
       --replace "/bin/umount" "$bin/bin/umount"
@@ -59,6 +67,7 @@ stdenv.mkDerivation rec {
     "--enable-fs-paths-default=/run/wrappers/bin:/run/current-system/sw/bin:/sbin"
     "--disable-makeinstall-setuid" "--disable-makeinstall-chown"
     "--disable-su" # provided by shadow
+    "--with-tmpfilesdir=${placeholder "out"}/lib/tmpfiles.d"
     (lib.enableFeature writeSupport "write")
     (lib.enableFeature nlsSupport "nls")
     (lib.withFeature ncursesSupport "ncursesw")
@@ -80,7 +89,7 @@ stdenv.mkDerivation rec {
   nativeBuildInputs = [ pkg-config installShellFiles ]
     ++ lib.optionals translateManpages [ po4a ];
 
-  buildInputs = [ zlib libxcrypt ]
+  buildInputs = [ zlib libxcrypt sqlite ]
     ++ lib.optionals pamSupport [ pam ]
     ++ lib.optionals capabilitiesSupport [ libcap_ng ]
     ++ lib.optionals ncursesSupport [ ncurses ]
diff --git a/pkgs/os-specific/linux/waydroid/default.nix b/pkgs/os-specific/linux/waydroid/default.nix
index ae42c206280da..5e29b911ca548 100644
--- a/pkgs/os-specific/linux/waydroid/default.nix
+++ b/pkgs/os-specific/linux/waydroid/default.nix
@@ -12,7 +12,7 @@
 , iproute2
 , iptables
 , util-linux
-, wrapGAppsHook
+, wrapGAppsHook3
 , wl-clipboard
 , runtimeShell
 }:
@@ -39,7 +39,7 @@ python3Packages.buildPythonApplication rec {
 
   nativeBuildInputs = [
     gobject-introspection
-    wrapGAppsHook
+    wrapGAppsHook3
   ];
 
   buildInputs = [
diff --git a/pkgs/os-specific/linux/xf86-input-wacom/default.nix b/pkgs/os-specific/linux/xf86-input-wacom/default.nix
index eb5a5eae8032e..1a872b758acac 100644
--- a/pkgs/os-specific/linux/xf86-input-wacom/default.nix
+++ b/pkgs/os-specific/linux/xf86-input-wacom/default.nix
@@ -19,13 +19,13 @@
 
 stdenv.mkDerivation rec {
   pname = "xf86-input-wacom";
-  version = "1.2.1";
+  version = "1.2.2";
 
   src = fetchFromGitHub {
     owner = "linuxwacom";
     repo = pname;
     rev = "${pname}-${version}";
-    sha256 = "sha256-ldPNGa1ACjLivs2CVtkvKLsBZSzRuOM8Q7bvMdx0EWA=";
+    sha256 = "sha256-3w12OjjMdu03BhUVEjkyj1ngDFnp0Cp66L0nn3LuU8Q=";
   };
 
   nativeBuildInputs = [ autoreconfHook pkg-config ];
diff --git a/pkgs/os-specific/linux/xone/default.nix b/pkgs/os-specific/linux/xone/default.nix
index b1e2ce570a2d2..92a10878a36ae 100644
--- a/pkgs/os-specific/linux/xone/default.nix
+++ b/pkgs/os-specific/linux/xone/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, lib, fetchFromGitHub, kernel, fetchurl, fetchpatch }:
+{ stdenv, lib, fetchFromGitHub, kernel, fetchpatch }:
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "xone";
diff --git a/pkgs/os-specific/linux/zenmonitor/default.nix b/pkgs/os-specific/linux/zenmonitor/default.nix
index e8fce959c8dc9..8101f47c6a241 100644
--- a/pkgs/os-specific/linux/zenmonitor/default.nix
+++ b/pkgs/os-specific/linux/zenmonitor/default.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchFromGitHub, pkg-config, gtk3, wrapGAppsHook }:
+{ lib, stdenv, fetchFromGitHub, pkg-config, gtk3, wrapGAppsHook3 }:
 
 stdenv.mkDerivation rec {
   pname = "zenmonitor";
@@ -12,7 +12,7 @@ stdenv.mkDerivation rec {
   };
 
   buildInputs = [ gtk3 ];
-  nativeBuildInputs = [ pkg-config wrapGAppsHook ];
+  nativeBuildInputs = [ pkg-config wrapGAppsHook3 ];
 
   makeFlags = [ "PREFIX=${placeholder "out"}" ];
 
diff --git a/pkgs/os-specific/linux/zfs/2_1.nix b/pkgs/os-specific/linux/zfs/2_1.nix
index 73cc0d9627030..97173a5154a59 100644
--- a/pkgs/os-specific/linux/zfs/2_1.nix
+++ b/pkgs/os-specific/linux/zfs/2_1.nix
@@ -17,7 +17,7 @@ callPackage ./generic.nix args {
   # check the release notes for compatible kernels
   kernelCompatible = kernel.kernelOlder "6.8";
 
-  latestCompatibleLinuxPackages = linuxKernel.packages.linux_6_7;
+  latestCompatibleLinuxPackages = linuxKernel.packages.linux_6_6;
 
   # This is a fixed version to the 2.1.x series, move only
   # if the 2.1.x series moves.
diff --git a/pkgs/os-specific/linux/zfs/2_2.nix b/pkgs/os-specific/linux/zfs/2_2.nix
index 3e5d262f73d06..14c88f195dbf3 100644
--- a/pkgs/os-specific/linux/zfs/2_2.nix
+++ b/pkgs/os-specific/linux/zfs/2_2.nix
@@ -14,17 +14,17 @@ callPackage ./generic.nix args {
   # this attribute is the correct one for this package.
   kernelModuleAttribute = "zfs_2_2";
   # check the release notes for compatible kernels
-  kernelCompatible = kernel.kernelOlder "6.8";
+  kernelCompatible = kernel.kernelOlder "6.9";
 
-  latestCompatibleLinuxPackages = linuxKernel.packages.linux_6_7;
+  latestCompatibleLinuxPackages = linuxKernel.packages.linux_6_8;
 
   # this package should point to the latest release.
-  version = "2.2.3";
+  version = "2.2.4";
 
   tests = [
     nixosTests.zfs.installer
     nixosTests.zfs.series_2_2
   ];
 
-  hash = "sha256-Bzkow15OitUUQ+mTYhCXgTrQl+ao/B4feleHY/rSSjg=";
+  hash = "sha256-SSp/1Tu1iGx5UDcG4j0k2fnYxK05cdE8gzfSn8DU5Z4=";
 }
diff --git a/pkgs/os-specific/linux/zfs/unstable.nix b/pkgs/os-specific/linux/zfs/unstable.nix
index b75de560b1d5d..1d8ced4dd5d74 100644
--- a/pkgs/os-specific/linux/zfs/unstable.nix
+++ b/pkgs/os-specific/linux/zfs/unstable.nix
@@ -16,19 +16,19 @@ callPackage ./generic.nix args {
   # check the release notes for compatible kernels
   kernelCompatible = kernel.kernelOlder "6.9";
 
-  latestCompatibleLinuxPackages = linuxKernel.packages.linux_6_7;
+  latestCompatibleLinuxPackages = linuxKernel.packages.linux_6_8;
 
   # this package should point to a version / git revision compatible with the latest kernel release
   # IMPORTANT: Always use a tagged release candidate or commits from the
   # zfs-<version>-staging branch, because this is tested by the OpenZFS
   # maintainers.
-  version = "2.2.3-unstable-2024-03-21";
-  rev = "58211157bf866bbcdd8720e92c27297db3ba75d6";
+  version = "2.2.4";
+  # rev = "";
 
   isUnstable = true;
   tests = [
     nixosTests.zfs.unstable
   ];
 
-  hash = "sha256-zTTzHo/UDsTGp/b7BmCmy/m115HVipSG8Id/pnkUrvQ=";
+  hash = "sha256-SSp/1Tu1iGx5UDcG4j0k2fnYxK05cdE8gzfSn8DU5Z4=";
 }
diff --git a/pkgs/os-specific/solo5/default.nix b/pkgs/os-specific/solo5/default.nix
deleted file mode 100644
index f235902a91cd6..0000000000000
--- a/pkgs/os-specific/solo5/default.nix
+++ /dev/null
@@ -1,78 +0,0 @@
-{ lib, stdenv, fetchurl, dosfstools, libseccomp, makeWrapper, mtools, parted
-, pkg-config, qemu, syslinux, util-linux }:
-
-let
-  version = "0.8.0";
-  # list of all theoretically available targets
-  targets = [
-    "genode"
-    "hvt"
-    "muen"
-    "spt"
-    "virtio"
-    "xen"
-  ];
-in stdenv.mkDerivation {
-  pname = "solo5";
-  inherit version;
-
-  nativeBuildInputs = [ makeWrapper pkg-config ];
-  buildInputs = lib.optional (stdenv.hostPlatform.isLinux) libseccomp;
-
-  src = fetchurl {
-    url = "https://github.com/Solo5/solo5/releases/download/v${version}/solo5-v${version}.tar.gz";
-    sha256 = "sha256-t80VOZ8Tr1Dq+mJfRPVLGqYprCaqegcQtDqdoHaSXW0=";
-  };
-
-  hardeningEnable = [ "pie" ];
-
-  configurePhase = ''
-    runHook preConfigure
-    sh configure.sh --prefix=/
-    runHook postConfigure
-  '';
-
-  enableParallelBuilding = true;
-
-  separateDebugInfo = true;
-    # debugging requires information for both the unikernel and the tender
-
-  installPhase = ''
-    runHook preInstall
-    export DESTDIR=$out
-    export PREFIX=$out
-    make install
-
-    substituteInPlace $out/bin/solo5-virtio-mkimage \
-      --replace "/usr/lib/syslinux" "${syslinux}/share/syslinux" \
-      --replace "/usr/share/syslinux" "${syslinux}/share/syslinux" \
-      --replace "cp " "cp --no-preserve=mode "
-
-    wrapProgram $out/bin/solo5-virtio-mkimage \
-      --prefix PATH : ${lib.makeBinPath [ dosfstools mtools parted syslinux ]}
-
-    runHook postInstall
-  '';
-
-  doCheck = stdenv.hostPlatform.isLinux;
-  nativeCheckInputs = [ util-linux qemu ];
-  checkPhase = ''
-    runHook preCheck
-    patchShebangs tests
-    ./tests/bats-core/bats ./tests/tests.bats
-    runHook postCheck
-  '';
-
-  meta = with lib; {
-    description = "Sandboxed execution environment";
-    homepage = "https://github.com/solo5/solo5";
-    license = licenses.isc;
-    maintainers = [ maintainers.ehmry ];
-    platforms = builtins.map ({arch, os}: "${arch}-${os}")
-      (cartesianProductOfSets {
-        arch = [ "aarch64" "x86_64" ];
-        os = [ "freebsd" "genode" "linux" "openbsd" ];
-      });
-  };
-
-}
diff --git a/pkgs/os-specific/windows/default.nix b/pkgs/os-specific/windows/default.nix
index 7d152a607b8e4..234abcde16117 100644
--- a/pkgs/os-specific/windows/default.nix
+++ b/pkgs/os-specific/windows/default.nix
@@ -34,10 +34,6 @@ lib.makeScope newScope (self: with self; {
     stdenv = crossThreadsStdenv;
   };
 
-  mcfgthreads_pre_gcc_13 = callPackage ./mcfgthreads/pre_gcc_13.nix {
-    stdenv = crossThreadsStdenv;
-  };
-
   mcfgthreads = callPackage ./mcfgthreads {
     stdenv = crossThreadsStdenv;
   };
diff --git a/pkgs/os-specific/windows/mcfgthreads/pre_gcc_13.nix b/pkgs/os-specific/windows/mcfgthreads/pre_gcc_13.nix
deleted file mode 100644
index 6be64814c93aa..0000000000000
--- a/pkgs/os-specific/windows/mcfgthreads/pre_gcc_13.nix
+++ /dev/null
@@ -1,24 +0,0 @@
-{ stdenv, fetchFromGitHub, autoreconfHook }:
-
-stdenv.mkDerivation {
-  pname = "mcfgthreads";
-  version = "git"; # unstable-2021-03-12, not in any branch
-
-  src = fetchFromGitHub {
-    owner = "lhmouse";
-    repo = "mcfgthread";
-    rev = "c446cf4fcdc262fc899a188a4bb7136284c34222";
-    sha256 = "1ib90lrd4dz8irq4yvzwhxqa86i5vxl2q2z3z04sf1i8hw427p2f";
-  };
-
-  outputs = [ "out" "dev" ];
-
-  # Don't want prebuilt binaries sneaking in.
-  postUnpack = ''
-    rm -r "$sourceRoot/debug" "$sourceRoot/release"
-  '';
-
-  nativeBuildInputs = [
-    autoreconfHook
-  ];
-}