Merge staging-next into staging

84 files changed, 874 insertions, 253 deletions

diff --git a/nixos/modules/services/networking/jicofo.nix b/nixos/modules/services/networking/jicofo.nix
index 5e978896073..0886bbe004c 100644
--- a/nixos/modules/services/networking/jicofo.nix
+++ b/nixos/modules/services/networking/jicofo.nix
@@ -4,6 +4,15 @@ with lib;
 
 let
   cfg = config.services.jicofo;
+
+  # HOCON is a JSON superset that some jitsi-meet components use for configuration
+  toHOCON = x: if isAttrs x && x ? __hocon_envvar then ("\${" + x.__hocon_envvar + "}")
+    else if isAttrs x && x ? __hocon_unquoted_string then x.__hocon_unquoted_string
+    else if isAttrs x then "{${ concatStringsSep "," (mapAttrsToList (k: v: ''"${k}":${toHOCON v}'') x) }}"
+    else if isList x then "[${ concatMapStringsSep "," toHOCON x }]"
+    else builtins.toJSON x;
+
+  configFile = pkgs.writeText "jicofo.conf" (toHOCON cfg.config);
 in
 {
   options.services.jicofo = with types; {
@@ -68,22 +77,34 @@ in
     };
 
     config = mkOption {
-      type = attrsOf str;
+      type = (pkgs.formats.json {}).type;
       default = { };
       example = literalExpression ''
         {
-          "org.jitsi.jicofo.auth.URL" = "XMPP:jitsi-meet.example.com";
+          jicofo.bridge.max-bridge-participants = 42;
         }
       '';
       description = lib.mdDoc ''
-        Contents of the {file}`sip-communicator.properties` configuration file for jicofo.
+        Contents of the {file}`jicofo.conf` configuration file.
       '';
     };
   };
 
   config = mkIf cfg.enable {
-    services.jicofo.config = mapAttrs (_: v: mkDefault v) {
-      "org.jitsi.jicofo.BRIDGE_MUC" = cfg.bridgeMuc;
+    services.jicofo.config = {
+      jicofo = {
+        bridge.brewery-jid = cfg.bridgeMuc;
+        xmpp = rec {
+          client = {
+            hostname = cfg.xmppHost;
+            username = cfg.userName;
+            domain = cfg.userDomain;
+            password = { __hocon_envvar = "JICOFO_AUTH_PASS"; };
+            xmpp-domain = if cfg.xmppDomain == null then cfg.xmppHost else cfg.xmppDomain;
+          };
+          service = client;
+        };
+      };
     };
 
     users.groups.jitsi-meet = {};
@@ -93,6 +114,7 @@ in
         "-Dnet.java.sip.communicator.SC_HOME_DIR_LOCATION" = "/etc/jitsi";
         "-Dnet.java.sip.communicator.SC_HOME_DIR_NAME" = "jicofo";
         "-Djava.util.logging.config.file" = "/etc/jitsi/jicofo/logging.properties";
+        "-Dconfig.file" = configFile;
       };
     in
     {
@@ -101,18 +123,13 @@ in
       after = [ "network.target" ];
 
       restartTriggers = [
-        config.environment.etc."jitsi/jicofo/sip-communicator.properties".source
+        configFile
       ];
       environment.JAVA_SYS_PROPS = concatStringsSep " " (mapAttrsToList (k: v: "${k}=${toString v}") jicofoProps);
 
       script = ''
-        ${pkgs.jicofo}/bin/jicofo \
-          --host=${cfg.xmppHost} \
-          --domain=${if cfg.xmppDomain == null then cfg.xmppHost else cfg.xmppDomain} \
-          --secret=$(cat ${cfg.componentPasswordFile}) \
-          --user_name=${cfg.userName} \
-          --user_domain=${cfg.userDomain} \
-          --user_password=$(cat ${cfg.userPasswordFile})
+        export JICOFO_AUTH_PASS="$(<${cfg.userPasswordFile})"
+        exec "${pkgs.jicofo}/bin/jicofo"
       '';
 
       serviceConfig = {
@@ -140,10 +157,7 @@ in
       };
     };
 
-    environment.etc."jitsi/jicofo/sip-communicator.properties".source =
-      pkgs.writeText "sip-communicator.properties" (
-        generators.toKeyValue {} cfg.config
-      );
+    environment.etc."jitsi/jicofo/sip-communicator.properties".text = "";
     environment.etc."jitsi/jicofo/logging.properties".source =
       mkDefault "${pkgs.jicofo}/etc/jitsi/jicofo/logging.properties-journal";
   };
diff --git a/nixos/modules/services/web-apps/jitsi-meet.nix b/nixos/modules/services/web-apps/jitsi-meet.nix
index 28be3a3702e..3825b03c244 100644
--- a/nixos/modules/services/web-apps/jitsi-meet.nix
+++ b/nixos/modules/services/web-apps/jitsi-meet.nix
@@ -411,11 +411,14 @@ in
       componentPasswordFile = "/var/lib/jitsi-meet/jicofo-component-secret";
       bridgeMuc = "jvbbrewery@internal.${cfg.hostName}";
       config = mkMerge [{
-        "org.jitsi.jicofo.ALWAYS_TRUST_MODE_ENABLED" = "true";
+        jicofo.xmpp.service.disable-certificate-verification = true;
+        jicofo.xmpp.client.disable-certificate-verification = true;
       #} (lib.mkIf cfg.jibri.enable {
        } (lib.mkIf (config.services.jibri.enable || cfg.jibri.enable) {
-        "org.jitsi.jicofo.jibri.BREWERY" = "JibriBrewery@internal.${cfg.hostName}";
-        "org.jitsi.jicofo.jibri.PENDING_TIMEOUT" = "90";
+         jicofo.jibri = {
+           brewery-jid = "JibriBrewery@internal.${cfg.hostName}";
+           pending-timeout = "90";
+         };
       })];
     };
 
diff --git a/pkgs/applications/editors/tiled/default.nix b/pkgs/applications/editors/tiled/default.nix
index 03c6d19b80c..47270dcce65 100644
--- a/pkgs/applications/editors/tiled/default.nix
+++ b/pkgs/applications/editors/tiled/default.nix
@@ -19,13 +19,13 @@ in
 
 stdenv.mkDerivation rec {
   pname = "tiled";
-  version = "1.9.2";
+  version = "1.10.0";
 
   src = fetchFromGitHub {
-    owner = "bjorn";
+    owner = "mapeditor";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-026OO7r8n1BUapUtKRHvqKdSZiClTQIiYfajiC2TAcQ=";
+    sha256 = "sha256-y79trmkRrkOOP6p9VMjo/11IE22J3YJtnerBsVP9134=";
   };
 
   nativeBuildInputs = [ pkg-config qbs wrapQtAppsHook ];
diff --git a/pkgs/applications/graphics/hydrus/default.nix b/pkgs/applications/graphics/hydrus/default.nix
index 611033c5906..ed8f2bef9e3 100644
--- a/pkgs/applications/graphics/hydrus/default.nix
+++ b/pkgs/applications/graphics/hydrus/default.nix
@@ -12,14 +12,14 @@
 
 python3Packages.buildPythonPackage rec {
   pname = "hydrus";
-  version = "519";
+  version = "520";
   format = "other";
 
   src = fetchFromGitHub {
     owner = "hydrusnetwork";
     repo = "hydrus";
     rev = "refs/tags/v${version}";
-    hash = "sha256-q5pPRMBuB6hqDGuOl0kMyXjMKze5dw+3kdmA2FPJTPU=";
+    hash = "sha256-y8KfPe3cBBq/iPCG7hNXrZDkOSNi+qSir6rO/65SHkI=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/applications/misc/cubocore-packages/coreaction/default.nix b/pkgs/applications/misc/cubocore-packages/coreaction/default.nix
index a3a8c1dcf6c..258c8b4ce7d 100644
--- a/pkgs/applications/misc/cubocore-packages/coreaction/default.nix
+++ b/pkgs/applications/misc/cubocore-packages/coreaction/default.nix
@@ -2,13 +2,13 @@
 
 mkDerivation rec {
   pname = "coreaction";
-  version = "4.3.0";
+  version = "4.4.0";
 
   src = fetchFromGitLab {
     owner = "cubocore/coreapps";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-XQ/GcSjGSe+3d0dJxjmmcBFoDzrmM6zsHMfbDdzmpPs=";
+    sha256 = "sha256-rJ4EFKk/zlvQqptbL81WdqqZQUR9hYADFkXuw11SzRc=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/applications/misc/cubocore-packages/corearchiver/default.nix b/pkgs/applications/misc/cubocore-packages/corearchiver/default.nix
index 7549ef20b11..4403a2c08d1 100644
--- a/pkgs/applications/misc/cubocore-packages/corearchiver/default.nix
+++ b/pkgs/applications/misc/cubocore-packages/corearchiver/default.nix
@@ -2,13 +2,13 @@
 
 mkDerivation rec {
   pname = "corearchiver";
-  version = "4.3.0";
+  version = "4.4.0";
 
   src = fetchFromGitLab {
     owner = "cubocore/coreapps";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-EUcUivUuuUApIC9daS6BFA1YoE4yO3Kc8jG0VIks/Y0=";
+    sha256 = "sha256-rn0rasFWSjgBIOpKIb35xsEewOfAQOr4kEiA1GhShg0=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/applications/misc/cubocore-packages/corefm/default.nix b/pkgs/applications/misc/cubocore-packages/corefm/default.nix
index a3314dface4..3d3edae1b17 100644
--- a/pkgs/applications/misc/cubocore-packages/corefm/default.nix
+++ b/pkgs/applications/misc/cubocore-packages/corefm/default.nix
@@ -2,13 +2,13 @@
 
 mkDerivation rec {
   pname = "corefm";
-  version = "4.3.0";
+  version = "4.4.0";
 
   src = fetchFromGitLab {
     owner = "cubocore/coreapps";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-uScM6cVRwYopZ6NY3PSAAyxNNyX3hVnFs6hkAyF29PA=";
+    sha256 = "sha256-ue0OOBf0PAxYHTfo37RvxnsKxzAEGIiGltXBVZpI6lk=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/applications/misc/cubocore-packages/coregarage/default.nix b/pkgs/applications/misc/cubocore-packages/coregarage/default.nix
index f416f21c419..15cd71ec9e2 100644
--- a/pkgs/applications/misc/cubocore-packages/coregarage/default.nix
+++ b/pkgs/applications/misc/cubocore-packages/coregarage/default.nix
@@ -2,13 +2,13 @@
 
 mkDerivation rec {
   pname = "coregarage";
-  version = "4.3.0";
+  version = "4.4.0";
 
   src = fetchFromGitLab {
     owner = "cubocore/coreapps";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-Jq0lIXfw/1Ixd+QIY7D1ErBCOSKmwkWBupcDxUUEliM=";
+    sha256 = "sha256-NsCJS+FyHWj2aLXlbzxcHEcdZ2cViZmJlh501/48xdI=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/applications/misc/cubocore-packages/corehunt/default.nix b/pkgs/applications/misc/cubocore-packages/corehunt/default.nix
index 7da5ebe081f..060a5bc4eb9 100644
--- a/pkgs/applications/misc/cubocore-packages/corehunt/default.nix
+++ b/pkgs/applications/misc/cubocore-packages/corehunt/default.nix
@@ -2,13 +2,13 @@
 
 mkDerivation rec {
   pname = "corehunt";
-  version = "4.3.0";
+  version = "4.4.0";
 
   src = fetchFromGitLab {
     owner = "cubocore/coreapps";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-zhJadrdOXpl0bXxEPWjQ59Pzjg4MfIZXtYzCnJbh+pI=";
+    sha256 = "sha256-txQ/uoSwseo0i4/CqdQm3wN9/3p3gioRG9IuJTsgSF4=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/applications/misc/cubocore-packages/coreimage/default.nix b/pkgs/applications/misc/cubocore-packages/coreimage/default.nix
index 6078d04be7a..07035867271 100644
--- a/pkgs/applications/misc/cubocore-packages/coreimage/default.nix
+++ b/pkgs/applications/misc/cubocore-packages/coreimage/default.nix
@@ -2,13 +2,13 @@
 
 mkDerivation rec {
   pname = "coreimage";
-  version = "4.3.0";
+  version = "4.4.0";
 
   src = fetchFromGitLab {
     owner = "cubocore/coreapps";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-uG9/8sQK0G3f7O59OHEHqNHP8cUC73hmjsfpOnj0kFM=";
+    sha256 = "sha256-8ILnZQIErLakiNfGZ91/vY+9XS/eOHcAnIFIuT1x9Mg=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/applications/misc/cubocore-packages/coreinfo/default.nix b/pkgs/applications/misc/cubocore-packages/coreinfo/default.nix
index c5f7e49d452..bb9e603f06c 100644
--- a/pkgs/applications/misc/cubocore-packages/coreinfo/default.nix
+++ b/pkgs/applications/misc/cubocore-packages/coreinfo/default.nix
@@ -2,13 +2,13 @@
 
 mkDerivation rec {
   pname = "coreinfo";
-  version = "4.3.0";
+  version = "4.4.0";
 
   src = fetchFromGitLab {
     owner = "cubocore/coreapps";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-KoX2U07giVF2xZR1diM6teiNfKYRiqjowTJgnsMlaN0=";
+    sha256 = "sha256-EWz2FQQzWVeP2qw1pz2Lg3COUo2y7/9a105R1Bj0Aqw=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/applications/misc/cubocore-packages/corekeyboard/0001-fix-installPhase.patch b/pkgs/applications/misc/cubocore-packages/corekeyboard/0001-fix-installPhase.patch
deleted file mode 100644
index 084a650c610..00000000000
--- a/pkgs/applications/misc/cubocore-packages/corekeyboard/0001-fix-installPhase.patch
+++ /dev/null
@@ -1,8 +0,0 @@
---- a/corekeyboard/CMakeLists.txt	2022-01-29 14:03:28.149607341 +0700
-+++ b/CMakeLists.txt	2022-01-29 14:04:00.178733700 +0700
-@@ -55,5 +55,4 @@
- 
- install( TARGETS corekeyboard DESTINATION bin )
- install( FILES org.cubocore.CoreKeyboard.desktop DESTINATION share/applications )
--install( FILES org.cubocore.CoreKeyboard-Tray.desktop DESTINATION /etc/xdg/autostart )
- install( FILES org.cubocore.CoreKeyboard.svg DESTINATION share/icons/hicolor/scalable/apps/ )
diff --git a/pkgs/applications/misc/cubocore-packages/corekeyboard/default.nix b/pkgs/applications/misc/cubocore-packages/corekeyboard/default.nix
index 5116f80f4cb..bf065bc2a5c 100644
--- a/pkgs/applications/misc/cubocore-packages/corekeyboard/default.nix
+++ b/pkgs/applications/misc/cubocore-packages/corekeyboard/default.nix
@@ -2,20 +2,15 @@
 
 mkDerivation rec {
   pname = "corekeyboard";
-  version = "4.3.0";
+  version = "4.4.0";
 
   src = fetchFromGitLab {
     owner = "cubocore/coreapps";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-yJOcuE6HknDhXCr1qW/NJkerjvBABYntXos0owDDwcw=";
+    sha256 = "sha256-zOH/w4QroMaVjWnFuWAJQ11RYlpXwIXRG9QYGDkfLVY=";
   };
 
-  patches = [
-    # Remove autostart
-    ./0001-fix-installPhase.patch
-  ];
-
   nativeBuildInputs = [
     cmake
     ninja
diff --git a/pkgs/applications/misc/cubocore-packages/corepad/default.nix b/pkgs/applications/misc/cubocore-packages/corepad/default.nix
index bdded6e8f1f..d1856445ab3 100644
--- a/pkgs/applications/misc/cubocore-packages/corepad/default.nix
+++ b/pkgs/applications/misc/cubocore-packages/corepad/default.nix
@@ -2,13 +2,13 @@
 
 mkDerivation rec {
   pname = "corepad";
-  version = "4.3.0";
+  version = "4.4.0";
 
   src = fetchFromGitLab {
     owner = "cubocore/coreapps";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-19qR08QhWeeXnJAQHe1SJjT0xnQLlbkXlzmd9uiMp14=";
+    sha256 = "sha256-MZdEdGfCaQp5DuDDYRNXi37O+O/aRS8XgAN0Jma/J3k=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/applications/misc/cubocore-packages/corepaint/default.nix b/pkgs/applications/misc/cubocore-packages/corepaint/default.nix
index 228b0175a7d..745a9637643 100644
--- a/pkgs/applications/misc/cubocore-packages/corepaint/default.nix
+++ b/pkgs/applications/misc/cubocore-packages/corepaint/default.nix
@@ -2,13 +2,13 @@
 
 mkDerivation rec {
   pname = "corepaint";
-  version = "4.3.0";
+  version = "4.4.0";
 
   src = fetchFromGitLab {
     owner = "cubocore/coreapps";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-uAFV3NKtgNri8GQLD+MRacl9WYMfkMVZcoVML+oSX78=";
+    sha256 = "sha256-wRF2Z2n9rEixmKYDRqKxQad2JDSxsgfGIWQWpjz/+yU=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/applications/misc/cubocore-packages/corepdf/default.nix b/pkgs/applications/misc/cubocore-packages/corepdf/default.nix
index 42f8fd0dd0f..8bf3a6f8cbb 100644
--- a/pkgs/applications/misc/cubocore-packages/corepdf/default.nix
+++ b/pkgs/applications/misc/cubocore-packages/corepdf/default.nix
@@ -2,13 +2,13 @@
 
 mkDerivation rec {
   pname = "corepdf";
-  version = "4.3.0";
+  version = "4.4.0";
 
   src = fetchFromGitLab {
     owner = "cubocore/coreapps";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-VwJ3H/jNP3u5C+LATPUSftiWm89upx77fN3NqzTnU7Y=";
+    sha256 = "sha256-Dm3RDVHw1JXSC3HdS0k/IVTO/o5vaWiCr5vPDjr2uFk=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/applications/misc/cubocore-packages/corepins/default.nix b/pkgs/applications/misc/cubocore-packages/corepins/default.nix
index 7b5ba0ad7a6..c71e64f1623 100644
--- a/pkgs/applications/misc/cubocore-packages/corepins/default.nix
+++ b/pkgs/applications/misc/cubocore-packages/corepins/default.nix
@@ -2,13 +2,13 @@
 
 mkDerivation rec {
   pname = "corepins";
-  version = "4.3.0";
+  version = "4.4.0";
 
   src = fetchFromGitLab {
     owner = "cubocore/coreapps";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-CVToPF8/Tw+n31/A0bzyBbwF7xPBVirsqVOUsM8QtH0=";
+    sha256 = "sha256-wrP9Jm3T9gzEwEjNH2SXSqwP/+YRxVIyQRSPxdYgPCs=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/applications/misc/cubocore-packages/corerenamer/default.nix b/pkgs/applications/misc/cubocore-packages/corerenamer/default.nix
index e13485619d9..cdec45c745f 100644
--- a/pkgs/applications/misc/cubocore-packages/corerenamer/default.nix
+++ b/pkgs/applications/misc/cubocore-packages/corerenamer/default.nix
@@ -2,13 +2,13 @@
 
 mkDerivation rec {
   pname = "corerenamer";
-  version = "4.3.0";
+  version = "4.4.0";
 
   src = fetchFromGitLab {
     owner = "cubocore/coreapps";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-WrMyz8Noq0EeBIxL4mSl6e+8wrivmwfoa1yKBrSgrRI=";
+    sha256 = "sha256-hjI7KK+/u7OcqyjrZkRtBTfo8obDNqdudlFYcJR0dl8=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/applications/misc/cubocore-packages/coreshot/default.nix b/pkgs/applications/misc/cubocore-packages/coreshot/default.nix
index 18d773e904b..808adcc3d3f 100644
--- a/pkgs/applications/misc/cubocore-packages/coreshot/default.nix
+++ b/pkgs/applications/misc/cubocore-packages/coreshot/default.nix
@@ -2,13 +2,13 @@
 
 mkDerivation rec {
   pname = "coreshot";
-  version = "4.3.0";
+  version = "4.4.0";
 
   src = fetchFromGitLab {
     owner = "cubocore/coreapps";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-wEpo/YINtKAYHqlGYytUPh9ndkvQBw3tRIlyjnKJaf8=";
+    sha256 = "sha256-K/K6630ctWG856igXF1fAukwu6FbsBzF8JxG8K3gICc=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/applications/misc/cubocore-packages/corestats/default.nix b/pkgs/applications/misc/cubocore-packages/corestats/default.nix
index ac3f7280aa7..b08a7980fe6 100644
--- a/pkgs/applications/misc/cubocore-packages/corestats/default.nix
+++ b/pkgs/applications/misc/cubocore-packages/corestats/default.nix
@@ -2,13 +2,13 @@
 
 mkDerivation rec {
   pname = "corestats";
-  version = "4.3.0";
+  version = "4.4.0";
 
   src = fetchFromGitLab {
     owner = "cubocore/coreapps";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-154BZIKb6QDrTC4DXh4dbFtN/Lq0ok/qOrqTkXa+rAo=";
+    sha256 = "sha256-AhM7Rvxh8WZPrpDzhY6DYALVe4VlF9b77oX61AVntI0=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/applications/misc/cubocore-packages/corestuff/default.nix b/pkgs/applications/misc/cubocore-packages/corestuff/default.nix
index 04c6d82d4b2..e482ece3d15 100644
--- a/pkgs/applications/misc/cubocore-packages/corestuff/default.nix
+++ b/pkgs/applications/misc/cubocore-packages/corestuff/default.nix
@@ -2,13 +2,13 @@
 
 mkDerivation rec {
   pname = "corestuff";
-  version = "4.3.0";
+  version = "4.4.0";
 
   src = fetchFromGitLab {
     owner = "cubocore/coreapps";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-snzW6cqxIyiXJLOD5MoEqmzen1aZN4IALESaIWIOMro=";
+    sha256 = "sha256-F0kddb622W44MDkZOh4YTyFQ+J/UGGbkcrWXCSDYcek=";
   };
 
   patches = [
diff --git a/pkgs/applications/misc/cubocore-packages/coreterminal/default.nix b/pkgs/applications/misc/cubocore-packages/coreterminal/default.nix
index 1203706a62e..7710f2f753e 100644
--- a/pkgs/applications/misc/cubocore-packages/coreterminal/default.nix
+++ b/pkgs/applications/misc/cubocore-packages/coreterminal/default.nix
@@ -12,13 +12,13 @@
 
 mkDerivation rec {
   pname = "coreterminal";
-  version = "4.3.0";
+  version = "4.4.0";
 
   src = fetchFromGitLab {
     owner = "cubocore/coreapps";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-0gxcbfDD43BnkxYWSdViK3hjzfgPGFruwzF4hCxFZ7c=";
+    sha256 = "sha256-sFNKyqzNrPAGitmR8YEtIf6vtnvAP7+jXk4GFnDeGJs=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/applications/misc/cubocore-packages/coretime/default.nix b/pkgs/applications/misc/cubocore-packages/coretime/default.nix
index 41fe2698e4e..844e18b26b7 100644
--- a/pkgs/applications/misc/cubocore-packages/coretime/default.nix
+++ b/pkgs/applications/misc/cubocore-packages/coretime/default.nix
@@ -2,13 +2,13 @@
 
 mkDerivation rec {
   pname = "coretime";
-  version = "4.3.0";
+  version = "4.4.0";
 
   src = fetchFromGitLab {
     owner = "cubocore/coreapps";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-MIcmgBfgyjEyJxXCq6IbQ/i6IdtL5cWVGpV2YZbzK58=";
+    sha256 = "sha256-XTX4oeUFwfZE0ey1NjXpAzw0x+4d8IGwU/sEojRwBBY=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/applications/misc/cubocore-packages/coretoppings/default.nix b/pkgs/applications/misc/cubocore-packages/coretoppings/default.nix
index b72008cd43a..9da76dfa4c0 100644
--- a/pkgs/applications/misc/cubocore-packages/coretoppings/default.nix
+++ b/pkgs/applications/misc/cubocore-packages/coretoppings/default.nix
@@ -30,13 +30,13 @@
 
 mkDerivation rec {
   pname = "coretoppings";
-  version = "4.3.0";
+  version = "4.4.0";
 
   src = fetchFromGitLab {
     owner = "cubocore/coreapps";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-Yq57dY1zIuQN2Gj9haxJMomafL32B+/9v3lWlY9fvcc=";
+    sha256 = "sha256-3wLDTN3SrbQNs43nQmSBrSB0bD6YineBQ8eNPDws1G8=";
   };
 
   patches = [
diff --git a/pkgs/applications/misc/cubocore-packages/coreuniverse/default.nix b/pkgs/applications/misc/cubocore-packages/coreuniverse/default.nix
index 5e72458dad4..a29aa95fdce 100644
--- a/pkgs/applications/misc/cubocore-packages/coreuniverse/default.nix
+++ b/pkgs/applications/misc/cubocore-packages/coreuniverse/default.nix
@@ -2,13 +2,13 @@
 
 mkDerivation rec {
   pname = "coreuniverse";
-  version = "4.3.0";
+  version = "4.4.0";
 
   src = fetchFromGitLab {
     owner = "cubocore/coreapps";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-KNjXrsm4OfBxida8mcAlKgomcpg0xJg51ZxEdhaiL84=";
+    sha256 = "sha256-ThEzuwBrPUkXURcW9KiXJs8ExqYWZamlfeQ1IggMWdc=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/applications/misc/cubocore-packages/libcprime/0001-fix-application-dirs.patch b/pkgs/applications/misc/cubocore-packages/libcprime/0001-fix-application-dirs.patch
index b454abb188b..3d2238b5778 100644
--- a/pkgs/applications/misc/cubocore-packages/libcprime/0001-fix-application-dirs.patch
+++ b/pkgs/applications/misc/cubocore-packages/libcprime/0001-fix-application-dirs.patch
@@ -1,29 +1,31 @@
-From 8e6328e932ab2739f075e8e8d602c2370a2a8ce8 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Mustafa=20=C3=87al=C4=B1=C5=9Fkan?= <musfay@protonmail.com>
-Date: Wed, 28 Jul 2021 02:26:39 +0300
+From a63a4b6de9ba730e10b54f4b5ce454edb10c7c39 Mon Sep 17 00:00:00 2001
+From: dyrnade <gurescicem@gmail.com>
+Date: Wed, 1 Feb 2023 22:28:02 +0100
 Subject: [PATCH] fix application dirs
 
 ---
- cprime/systemxdg.cpp | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
+ cprime/systemxdg.cpp | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
 
 diff --git a/cprime/systemxdg.cpp b/cprime/systemxdg.cpp
-index f9eee66..ea0553d 100644
+index 4c40d4c..5dbb6ff 100644
 --- a/cprime/systemxdg.cpp
 +++ b/cprime/systemxdg.cpp
-@@ -233,8 +233,10 @@ void SystemXdgMime::setApplicationAsDefault( QString appFileName, QString mimety
- SystemXdgMime::SystemXdgMime() {
+@@ -372,9 +372,10 @@ void SystemXdgMime::setApplicationAsDefault(QString appFileName, QString mimetyp
  
- 	appsDirs << QDir::home().filePath( ".local/share/applications/" );
+ SystemXdgMime::SystemXdgMime()
+ {
+-	appsDirs << QDir::home().filePath(".local/share/applications/");
 -	appsDirs << "/usr/local/share/applications/" << "/usr/share/applications/";
 -	appsDirs << "/usr/share/applications/kde4/" << "/usr/share/gnome/applications/";
-+	appsDirs << QDir::home().filePath( ".nix-profile/share/applications/" );
++	appsDirs << QDir::home().filePath(".nix-profile/share/applications/");
 +	appsDirs << "/run/current-system/sw/share/applications/";
 +	appsDirs << "/run/current-system/sw/share/applications/kde4/";
 +	appsDirs << "/run/current-system/sw/share/gnome/applications/";
- };
+ }
+ 
  
- DesktopFile SystemXdgMime::xdgDefaultApp( QMimeType mimeType ) {
 -- 
-2.32.0
+2.39.0
+
 
diff --git a/pkgs/applications/misc/cubocore-packages/libcprime/default.nix b/pkgs/applications/misc/cubocore-packages/libcprime/default.nix
index f100a3a1040..37f95c4ad17 100644
--- a/pkgs/applications/misc/cubocore-packages/libcprime/default.nix
+++ b/pkgs/applications/misc/cubocore-packages/libcprime/default.nix
@@ -10,13 +10,13 @@
 
 mkDerivation rec {
   pname = "libcprime";
-  version = "4.3.0";
+  version = "4.4.1";
 
   src = fetchFromGitLab {
     owner = "cubocore";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-+z5dXKaV2anN6OLMycEz87kDqQScgHHEKwGhDAdHSd4=";
+    sha256 = "sha256-6kkKmF9mARhSm93ZrWJiwRNmpkiCxyhSD3W7X3gYuu4=";
   };
 
   patches = [
diff --git a/pkgs/applications/misc/cubocore-packages/libcsys/default.nix b/pkgs/applications/misc/cubocore-packages/libcsys/default.nix
index 395a40ddfc6..adba59b9da1 100644
--- a/pkgs/applications/misc/cubocore-packages/libcsys/default.nix
+++ b/pkgs/applications/misc/cubocore-packages/libcsys/default.nix
@@ -2,13 +2,13 @@
 
 mkDerivation rec {
   pname = "libcsys";
-  version = "4.3.0";
+  version = "4.4.1";
 
   src = fetchFromGitLab {
     owner = "cubocore";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-/iRFppe08+rMQNFjWSyxo3Noy0iNaelg0JAczg/BYBs=";
+    sha256 = "sha256-IWzgRwouI/0bQBuEd9CV0Ue6cF2HwRw3jMdLyGA1+TY=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/applications/misc/nut/default.nix b/pkgs/applications/misc/nut/default.nix
index 31adb54ac71..45db4d47977 100644
--- a/pkgs/applications/misc/nut/default.nix
+++ b/pkgs/applications/misc/nut/default.nix
@@ -4,10 +4,10 @@
 
 stdenv.mkDerivation rec {
   pname = "nut";
-  version = "2.7.4";
+  version = "2.8.0";
 
   src = fetchurl {
-    url = "https://networkupstools.org/source/2.7/${pname}-${version}.tar.gz";
+    url = "https://networkupstools.org/source/${lib.versions.majorMinor version}/${pname}-${version}.tar.gz";
     sha256 = "19r5dm07sfz495ckcgbfy0pasx0zy3faa0q7bih69lsjij8q43lq";
   };
 
diff --git a/pkgs/applications/misc/watchmate/default.nix b/pkgs/applications/misc/watchmate/default.nix
index d7d49717434..8053d8bd2a7 100644
--- a/pkgs/applications/misc/watchmate/default.nix
+++ b/pkgs/applications/misc/watchmate/default.nix
@@ -13,16 +13,16 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "watchmate";
-  version = "0.4.2";
+  version = "0.4.3";
 
   src = fetchFromGitHub {
     owner = "azymohliad";
     repo = "watchmate";
     rev = "v${version}";
-    hash = "sha256-UHlHfDFTQapQcETCvtch72DqelfBYMymMD/zODFtr1c=";
+    hash = "sha256-LwtlI6WCOO24w8seUzyhCp51pfEiCM+iL6lu/J6v4PQ=";
   };
 
-  cargoHash = "sha256-QYw/am5cMVbRdx/XQ+lZv2Jo9Aiwd2ypUlo854sm7i4=";
+  cargoHash = "sha256-MD0eWZDpCevBY1Y3Gzgk13qCFtL7QOPDATv8MA+Q5go=";
 
   nativeBuildInputs = [
     pkg-config
diff --git a/pkgs/applications/networking/cluster/kubelogin/default.nix b/pkgs/applications/networking/cluster/kubelogin/default.nix
index 474a27238f2..ec177fe8556 100644
--- a/pkgs/applications/networking/cluster/kubelogin/default.nix
+++ b/pkgs/applications/networking/cluster/kubelogin/default.nix
@@ -2,16 +2,16 @@
 
 buildGoModule rec {
   pname = "kubelogin";
-  version = "0.0.27";
+  version = "0.0.28";
 
   src = fetchFromGitHub {
     owner = "Azure";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-yC0J6uXL0W00o0BGIrrZ9WjThSgIu5fEgQdyH2vZESs=";
+    sha256 = "sha256-uIWlOVZIqwOSvFWRIWKTFEp0aToIBo1htUXb3F+njyI=";
   };
 
-  vendorHash = "sha256-QGzaKtku7fm14ijmE68nqgqoX86IgmEsemlQltZECI0=";
+  vendorHash = "sha256-CVBpBb8yYkc6/yLPsCPbVhBHecqZ03WE0NcKiH8SGYs=";
 
   ldflags = [
     "-X main.version=${version}"
diff --git a/pkgs/applications/networking/flexget/default.nix b/pkgs/applications/networking/flexget/default.nix
index 4edf146b333..2612aef79d1 100644
--- a/pkgs/applications/networking/flexget/default.nix
+++ b/pkgs/applications/networking/flexget/default.nix
@@ -34,6 +34,7 @@ python3Packages.buildPythonApplication rec {
     beautifulsoup4
     click
     colorama
+    commonmark
     feedparser
     guessit
     html5lib
diff --git a/pkgs/applications/science/networking/sumo/default.nix b/pkgs/applications/science/networking/sumo/default.nix
index 7ed79f478cf..3caf1601084 100644
--- a/pkgs/applications/science/networking/sumo/default.nix
+++ b/pkgs/applications/science/networking/sumo/default.nix
@@ -5,13 +5,13 @@
 
 stdenv.mkDerivation rec {
   pname = "sumo";
-  version = "1.9.2";
+  version = "1.15.0";
 
   src = fetchFromGitHub {
     owner = "eclipse";
     repo = "sumo";
     rev = "v${lib.replaceStrings ["."] ["_"] version}";
-    sha256 = "0zpd331vy1kfi4hfiszv3m8wl4m0wdfr3zzza200kkaakw5hjxhs";
+    sha256 = "sha256-Mm8Kqb5W9h2jYvRGypI6v5IHDm4CnAeT+NcJybdU5K0=";
     fetchSubmodules = true;
   };
 
diff --git a/pkgs/applications/video/mpv/default.nix b/pkgs/applications/video/mpv/default.nix
index 0fa8486e15b..a24d2eb2394 100644
--- a/pkgs/applications/video/mpv/default.nix
+++ b/pkgs/applications/video/mpv/default.nix
@@ -2,6 +2,7 @@
 , lib
 , stdenv
 , fetchFromGitHub
+, fetchpatch
 , addOpenGLRunpath
 , docutils
 , meson
@@ -93,6 +94,15 @@ in stdenv.mkDerivation (self: {
     sha256 = "sha256-CoYTX9hgxLo72YdMoa0sEywg4kybHbFsypHk1rCM6tM=";
   };
 
+  patches = [
+    (fetchpatch {
+      # fixes EDL error on youtube DASH streams https://github.com/mpv-player/mpv/issues/11392
+      # to be removed on next release
+      url = "https://github.com/mpv-player/mpv/commit/94c189dae76ba280d9883b16346c3dfb9720687e.patch";
+      sha256 = "sha256-MGXU1L5OSxY5bdEpu9vHngnRXMr7WHeHWuamhjcUD4A=";
+    })
+  ];
+
   postPatch = ''
     patchShebangs version.* ./TOOLS/
   '';
diff --git a/pkgs/applications/video/plex-mpv-shim/default.nix b/pkgs/applications/video/plex-mpv-shim/default.nix
index b7a5f2ce38c..8a2094bbb55 100644
--- a/pkgs/applications/video/plex-mpv-shim/default.nix
+++ b/pkgs/applications/video/plex-mpv-shim/default.nix
@@ -3,13 +3,13 @@
 
 buildPythonApplication rec {
   pname = "plex-mpv-shim";
-  version = "1.10.3";
+  version = "1.11.0";
 
   src = fetchFromGitHub {
     owner = "iwalton3";
     repo = pname;
-    rev = "v${version}";
-    sha256 = "0hgv9g17dkrh3zbsx27n80yvkgix9j2x0rgg6d3qsf7hp5j3xw4r";
+    rev = "refs/tags/v${version}";
+    sha256 = "sha256-hUGKOJEDZMK5uhHoevFt1ay6QQEcoN4F8cPxln5uMRo=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/development/guile-modules/guile-ssh/default.nix b/pkgs/development/guile-modules/guile-ssh/default.nix
index be082c373a2..a704ff74d03 100644
--- a/pkgs/development/guile-modules/guile-ssh/default.nix
+++ b/pkgs/development/guile-modules/guile-ssh/default.nix
@@ -11,13 +11,13 @@
 
 stdenv.mkDerivation rec {
   pname = "guile-ssh";
-  version = "0.16.2";
+  version = "0.16.3";
 
   src = fetchFromGitHub {
     owner = "artyom-poptsov";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-BDnLm5Q+69v8JbrfAn0+XMuWzRvCeUB/prfrKnvw5eY=";
+    sha256 = "sha256-P29U88QrCjoyl/wdTPZbiMoykd/v6ul6CW/IJn9UAyw=";
   };
 
   configureFlags = [ "--with-guilesitedir=\${out}/share/guile/site" ];
diff --git a/pkgs/development/interpreters/clojure/default.nix b/pkgs/development/interpreters/clojure/default.nix
index 6632592a51b..7376655d126 100644
--- a/pkgs/development/interpreters/clojure/default.nix
+++ b/pkgs/development/interpreters/clojure/default.nix
@@ -2,12 +2,12 @@
 
 stdenv.mkDerivation rec {
   pname = "clojure";
-  version = "1.11.1.1252";
+  version = "1.11.1.1257";
 
   src = fetchurl {
     # https://clojure.org/releases/tools
     url = "https://download.clojure.org/install/clojure-tools-${version}.tar.gz";
-    sha256 = "sha256-ZQFhN/vO1L1kKmEC6wKT74qimR6ctkdoXrCFujobX6A=";
+    sha256 = "sha256-bZcJFtDOo8S2LQebsdTkgzlBVuZaKJUlUQX4F/qSq9A=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/development/libraries/bobcat/default.nix b/pkgs/development/libraries/bobcat/default.nix
index 3047cf539ce..4e328fe2b2a 100644
--- a/pkgs/development/libraries/bobcat/default.nix
+++ b/pkgs/development/libraries/bobcat/default.nix
@@ -4,10 +4,10 @@
 
 stdenv.mkDerivation rec {
   pname = "bobcat";
-  version = "5.10.01";
+  version = "5.11.01";
 
   src = fetchFromGitLab {
-    sha256 = "sha256-QhjUIaPSDAvOt0ZCzQWASpG+GJaTviosGDrzrckhuhs=";
+    sha256 = "sha256-JLJKaJmztputIon9JkKzpm3Ch60iwm4Imh9p42crYzA=";
     domain = "gitlab.com";
     rev = version;
     repo = "bobcat";
diff --git a/pkgs/development/libraries/drumstick/default.nix b/pkgs/development/libraries/drumstick/default.nix
index 36a4c56bbaf..6d7352e8774 100644
--- a/pkgs/development/libraries/drumstick/default.nix
+++ b/pkgs/development/libraries/drumstick/default.nix
@@ -5,11 +5,11 @@
 
 stdenv.mkDerivation rec {
   pname = "drumstick";
-  version = "2.6.1";
+  version = "2.7.0";
 
   src = fetchurl {
     url = "mirror://sourceforge/drumstick/${version}/${pname}-${version}.tar.bz2";
-    hash = "sha256-5O9yD3MexorJUm5tv6oghDb4J/b3SO10mDQR9dT2jlA=";
+    hash = "sha256-Yb5SrXJ5ZK0IJ8XbnxAGLlfqKGOrfv2VET9Ba8dKItU=";
   };
 
   patches = [
diff --git a/pkgs/development/libraries/freetds/default.nix b/pkgs/development/libraries/freetds/default.nix
index a473b708a27..29d7d178db2 100644
--- a/pkgs/development/libraries/freetds/default.nix
+++ b/pkgs/development/libraries/freetds/default.nix
@@ -8,11 +8,11 @@ assert odbcSupport -> unixODBC != null;
 
 stdenv.mkDerivation rec {
   pname = "freetds";
-  version = "1.3.13";
+  version = "1.3.17";
 
   src = fetchurl {
     url    = "https://www.freetds.org/files/stable/${pname}-${version}.tar.bz2";
-    sha256 = "sha256-1M+QCUFR/c3aEo7RjLCmv2WzCL41K1NEmUO1JJxbSPI=";
+    sha256 = "sha256-+AzAGg71u+M+fLs3Au2SSqteJaxuzNk8lJ6H3+98WYQ=";
   };
 
   buildInputs = [
diff --git a/pkgs/development/libraries/json-fortran/default.nix b/pkgs/development/libraries/json-fortran/default.nix
new file mode 100644
index 00000000000..422248520fc
--- /dev/null
+++ b/pkgs/development/libraries/json-fortran/default.nix
@@ -0,0 +1,37 @@
+{ stdenv, lib, fetchFromGitHub, gfortran, cmake }:
+
+stdenv.mkDerivation rec {
+  pname = "json-fortran";
+  version = "8.3.0";
+
+  src = fetchFromGitHub {
+    owner = "jacobwilliams";
+    repo = pname;
+    rev = version;
+    hash = "sha256-96W9bzWEZ3EN4wtnDT3G3pvLdcI4SIhGJWBVPU3rNZ4=";
+  };
+
+  nativeBuildInputs = [
+    cmake
+    gfortran
+  ];
+
+  cmakeFlags = [
+    "-DUSE_GNU_INSTALL_CONVENTION=ON"
+  ];
+
+  # Due to some misconfiguration in CMake the Fortran modules end up in $out/$out.
+  # Move them back to the desired location.
+  postInstall = ''
+    mv $out/$out/include $out/.
+    rm -r $out/nix
+  '';
+
+  meta = with lib; {
+    description = "Modern Fortran JSON API";
+    homepage = "https://github.com/jacobwilliams/json-fortran";
+    license = licenses.mit;
+    platforms = platforms.linux;
+    maintainers = [ maintainers.sheepforce ];
+  };
+}
diff --git a/pkgs/development/libraries/science/chemistry/dftd4/default.nix b/pkgs/development/libraries/science/chemistry/dftd4/default.nix
new file mode 100644
index 00000000000..a099a14a8e6
--- /dev/null
+++ b/pkgs/development/libraries/science/chemistry/dftd4/default.nix
@@ -0,0 +1,47 @@
+{ stdenv
+, lib
+, fetchFromGitHub
+, cmake
+, gfortran
+, blas
+, lapack
+, mctc-lib
+, mstore
+, multicharge
+}:
+
+assert !blas.isILP64 && !lapack.isILP64;
+
+stdenv.mkDerivation rec {
+  pname = "dftd4";
+  version = "3.5.0";
+
+  src = fetchFromGitHub {
+    owner = "dftd4";
+    repo = pname;
+    rev = "v${version}";
+    hash = "sha256-ZCoFbjTNQD7slq5sKwPRPkrHSHofsxU9C9h/bF5jmZI=";
+  };
+
+  nativeBuildInputs = [ cmake gfortran ];
+
+  buildInputs = [ blas lapack mctc-lib mstore multicharge ];
+
+  postInstall = ''
+    substituteInPlace $out/lib/pkgconfig/${pname}.pc \
+      --replace "''${prefix}" ""
+  '';
+
+  doCheck = true;
+  preCheck = ''
+    export OMP_NUM_THREADS=2
+  '';
+
+  meta = with lib; {
+    description = "Generally Applicable Atomic-Charge Dependent London Dispersion Correction";
+    license = with licenses; [ lgpl3Plus gpl3Plus ];
+    homepage = "https://github.com/grimme-lab/dftd4";
+    platforms = platforms.linux;
+    maintainers = [ maintainers.sheepforce ];
+  };
+}
diff --git a/pkgs/development/libraries/science/chemistry/mctc-lib/default.nix b/pkgs/development/libraries/science/chemistry/mctc-lib/default.nix
new file mode 100644
index 00000000000..e9be83970fb
--- /dev/null
+++ b/pkgs/development/libraries/science/chemistry/mctc-lib/default.nix
@@ -0,0 +1,39 @@
+{ stdenv
+, lib
+, fetchFromGitHub
+, gfortran
+, pkg-config
+, json-fortran
+, cmake
+}:
+
+stdenv.mkDerivation rec {
+  pname = "mctc-lib";
+  version = "0.3.1";
+
+  src = fetchFromGitHub {
+    owner = "grimme-lab";
+    repo = pname;
+    rev = "v${version}";
+    hash = "sha256-AXjg/ZsitdDf9fNoGVmVal1iZ4/sxjJb7A9W4yye/rg=";
+  };
+
+  nativeBuildInputs = [ gfortran pkg-config cmake ];
+
+  buildInputs = [ json-fortran ];
+
+  postInstall = ''
+    substituteInPlace $out/lib/pkgconfig/${pname}.pc \
+      --replace "''${prefix}" ""
+  '';
+
+  doCheck = true;
+
+  meta = with lib; {
+    description = "Modular computation tool chain library";
+    homepage = "https://github.com/grimme-lab/mctc-lib";
+    license = licenses.asl20;
+    platforms = platforms.linux;
+    maintainers = [ maintainers.sheepforce ];
+  };
+}
diff --git a/pkgs/development/libraries/science/chemistry/mstore/default.nix b/pkgs/development/libraries/science/chemistry/mstore/default.nix
new file mode 100644
index 00000000000..7fcdfbdf549
--- /dev/null
+++ b/pkgs/development/libraries/science/chemistry/mstore/default.nix
@@ -0,0 +1,36 @@
+{ stdenv
+, lib
+, fetchFromGitHub
+, cmake
+, gfortran
+, mctc-lib
+}:
+
+stdenv.mkDerivation rec {
+  pname = "mstore";
+  version = "0.2.0";
+
+  src = fetchFromGitHub {
+    owner = "grimme-lab";
+    repo = pname;
+    rev = "v${version}";
+    hash = "sha256-dN2BulLS/ENRFVdJIrZRxgBV8S4d5+7BjTCGnhBbf4I=";
+  };
+
+  nativeBuildInputs = [ cmake gfortran ];
+
+  buildInputs = [ mctc-lib ];
+
+  postInstall = ''
+    substituteInPlace $out/lib/pkgconfig/${pname}.pc \
+      --replace "''${prefix}" ""
+  '';
+
+  meta = with lib; {
+    description = "Molecular structure store for testing";
+    license = licenses.asl20;
+    homepage = "https://github.com/grimme-lab/mstore";
+    platforms = platforms.linux;
+    maintainers = [ maintainers.sheepforce ];
+  };
+}
diff --git a/pkgs/development/libraries/science/chemistry/multicharge/default.nix b/pkgs/development/libraries/science/chemistry/multicharge/default.nix
new file mode 100644
index 00000000000..5a5046cd2a5
--- /dev/null
+++ b/pkgs/development/libraries/science/chemistry/multicharge/default.nix
@@ -0,0 +1,46 @@
+{ stdenv
+, lib
+, fetchFromGitHub
+, cmake
+, gfortran
+, blas
+, lapack
+, mctc-lib
+, mstore
+}:
+
+assert !blas.isILP64 && !lapack.isILP64;
+
+stdenv.mkDerivation rec {
+  pname = "multicharge";
+  version = "0.2.0";
+
+  src = fetchFromGitHub {
+    owner = "grimme-lab";
+    repo = pname;
+    rev = "v${version}";
+    hash = "sha256-oUI5x5/Gd0EZBb1w+0jlJUF9X51FnkHFu8H7KctqXl0=";
+  };
+
+  nativeBuildInputs = [ cmake gfortran ];
+
+  buildInputs = [ blas lapack mctc-lib mstore ];
+
+  postInstall = ''
+    substituteInPlace $out/lib/pkgconfig/${pname}.pc \
+      --replace "''${prefix}" ""
+  '';
+
+  doCheck = true;
+  preCheck = ''
+    export OMP_NUM_THREADS=2
+  '';
+
+  meta = with lib; {
+    description = "Electronegativity equilibration model for atomic partial charges";
+    license = licenses.asl20;
+    homepage = "https://github.com/grimme-lab/multicharge";
+    platforms = platforms.linux;
+    maintainers = [ maintainers.sheepforce ];
+  };
+}
diff --git a/pkgs/development/libraries/science/chemistry/simple-dftd3/default.nix b/pkgs/development/libraries/science/chemistry/simple-dftd3/default.nix
new file mode 100644
index 00000000000..a9bd2c8faa7
--- /dev/null
+++ b/pkgs/development/libraries/science/chemistry/simple-dftd3/default.nix
@@ -0,0 +1,46 @@
+{ stdenv
+, lib
+, fetchFromGitHub
+, gfortran
+, cmake
+, mctc-lib
+, mstore
+, toml-f
+, blas
+}:
+
+assert !blas.isILP64;
+
+stdenv.mkDerivation rec {
+  pname = "simple-dftd3";
+  version = "0.7.0";
+
+  src = fetchFromGitHub {
+    owner = "dftd3";
+    repo = pname;
+    rev = "v${version}";
+    hash = "sha256-5OvmMgjD8ujjKHkuw4NT8hEXKh5YPxuBl/Mu6g2/KIA=";
+  };
+
+  nativeBuildInputs = [ cmake gfortran ];
+
+  buildInputs = [ mctc-lib mstore toml-f blas ];
+
+  postInstall = ''
+    substituteInPlace $out/lib/pkgconfig/s-dftd3.pc \
+      --replace "''${prefix}" ""
+  '';
+
+  doCheck = true;
+  preCheck = ''
+    export OMP_NUM_THREADS=2
+  '';
+
+  meta = with lib; {
+    description = "Reimplementation of the DFT-D3 program";
+    license = with licenses; [lgpl3Only gpl3Only];
+    homepage = "https://github.com/dftd3/simple-dftd3";
+    platforms = [ "x86_64-linux" ];
+    maintainers = [ maintainers.sheepforce ];
+  };
+}
diff --git a/pkgs/development/libraries/science/chemistry/tblite/default.nix b/pkgs/development/libraries/science/chemistry/tblite/default.nix
new file mode 100644
index 00000000000..0f05315b9d8
--- /dev/null
+++ b/pkgs/development/libraries/science/chemistry/tblite/default.nix
@@ -0,0 +1,59 @@
+{ stdenv
+, lib
+, fetchFromGitHub
+, cmake
+, gfortran
+, blas
+, lapack
+, mctc-lib
+, mstore
+, toml-f
+, multicharge
+, dftd4
+, simple-dftd3
+}:
+
+assert !blas.isILP64 && !lapack.isILP64;
+
+stdenv.mkDerivation rec {
+  pname = "tblite";
+  version = "0.3.0";
+
+  src = fetchFromGitHub {
+    owner = "tblite";
+    repo = pname;
+    rev = "v${version}";
+    hash = "sha256-R7CAFG/x55k5Ieslxeq+DWq1wPip4cI+Yvn1cBbeVNs=";
+  };
+
+  nativeBuildInputs = [ cmake gfortran ];
+
+  buildInputs = [
+    blas
+    lapack
+    mctc-lib
+    mstore
+    toml-f
+    multicharge
+    dftd4
+    simple-dftd3
+  ];
+
+  doCheck = true;
+  preCheck = ''
+    export OMP_NUM_THREADS=2
+  '';
+
+  postInstall = ''
+    substituteInPlace $out/lib/pkgconfig/${pname}.pc \
+      --replace "''${prefix}" ""
+  '';
+
+  meta = with lib; {
+    description = "Light-weight tight-binding framework";
+    license = with licenses; [ gpl3Plus lgpl3Plus ];
+    homepage = "https://github.com/tblite/tblite";
+    platforms = platforms.linux;
+    maintainers = [ maintainers.sheepforce ];
+  };
+}
diff --git a/pkgs/development/libraries/science/chemistry/tblite/python.nix b/pkgs/development/libraries/science/chemistry/tblite/python.nix
new file mode 100644
index 00000000000..00301d95766
--- /dev/null
+++ b/pkgs/development/libraries/science/chemistry/tblite/python.nix
@@ -0,0 +1,28 @@
+{ buildPythonPackage
+, meson
+, ninja
+, pkg-config
+, tblite
+, cffi
+}:
+
+buildPythonPackage rec {
+  inherit (tblite) pname version src meta;
+
+  nativeBuildInputs = [ meson ninja pkg-config ];
+
+  buildInputs = [ tblite ];
+
+  propagatedBuildInputs = [ cffi ];
+
+  format = "other";
+
+  configurePhase = ''
+    runHook preConfigure
+
+    meson setup build python --prefix=$out
+    cd build
+
+    runHook postConfigure
+  '';
+}
diff --git a/pkgs/development/libraries/science/math/suitesparse-graphblas/default.nix b/pkgs/development/libraries/science/math/suitesparse-graphblas/default.nix
index 0d5409c6817..f6baae932ba 100644
--- a/pkgs/development/libraries/science/math/suitesparse-graphblas/default.nix
+++ b/pkgs/development/libraries/science/math/suitesparse-graphblas/default.nix
@@ -6,7 +6,7 @@
 
 stdenv.mkDerivation rec {
   pname = "suitesparse-graphblas";
-  version = "7.2.0";
+  version = "7.4.3";
 
   outputs = [ "out" "dev" ];
 
@@ -14,7 +14,7 @@ stdenv.mkDerivation rec {
     owner = "DrTimothyAldenDavis";
     repo = "GraphBLAS";
     rev = "v${version}";
-    sha256 = "sha256-N3TBuKWQRisXE5DQ0c+N2cv0darQ8mz4g2oe7pKst9E=";
+    sha256 = "sha256-myUaSzBlt34L3UJDKB9VXetaPCc3SZCzpbsSn1j+MPw=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/development/libraries/test-drive/default.nix b/pkgs/development/libraries/test-drive/default.nix
new file mode 100644
index 00000000000..b858f39498c
--- /dev/null
+++ b/pkgs/development/libraries/test-drive/default.nix
@@ -0,0 +1,32 @@
+{ stdenv, lib, fetchFromGitHub, gfortran, cmake }:
+
+stdenv.mkDerivation rec {
+  pname = "test-drive";
+  version = "0.4.0";
+
+  src = fetchFromGitHub {
+    owner = "fortran-lang";
+    repo = pname;
+    rev = "v${version}";
+    hash = "sha256-ObAnHFP1Hp0knf/jtGHynVF0CCqK47eqetePx4NLmlM=";
+  };
+
+  postPatch = ''
+    substituteInPlace config/template.pc \
+      --replace 'libdir=''${prefix}/@CMAKE_INSTALL_LIBDIR@' "libdir=@CMAKE_INSTALL_LIBDIR@" \
+      --replace 'includedir=''${prefix}/@CMAKE_INSTALL_INCLUDEDIR@' "includedir=@CMAKE_INSTALL_INCLUDEDIR@"
+  '';
+
+  nativeBuildInputs = [
+    gfortran
+    cmake
+  ];
+
+  meta = with lib; {
+    description = "Procedural Fortran testing framework";
+    homepage = "https://github.com/fortran-lang/test-drive";
+    license = with licenses; [ asl20 mit ] ;
+    platforms = platforms.linux;
+    maintainers = [ maintainers.sheepforce ];
+  };
+}
diff --git a/pkgs/development/libraries/toml-f/default.nix b/pkgs/development/libraries/toml-f/default.nix
new file mode 100644
index 00000000000..d28447c4004
--- /dev/null
+++ b/pkgs/development/libraries/toml-f/default.nix
@@ -0,0 +1,38 @@
+{ stdenv
+, lib
+, fetchFromGitHub
+, gfortran
+, cmake
+, test-drive
+}:
+
+stdenv.mkDerivation rec {
+  pname = "toml-f";
+  version = "0.3.1";
+
+  src = fetchFromGitHub {
+    owner = pname;
+    repo = pname;
+    rev = "v${version}";
+    hash = "sha256-8FbnUkeJUP4fiuJCroAVDo6U2M7ZkFLpG2OYrapMYtU=";
+  };
+
+  nativeBuildInputs = [ gfortran cmake ];
+
+  buildInputs = [ test-drive ];
+
+  postInstall = ''
+    substituteInPlace $out/lib/pkgconfig/${pname}.pc \
+      --replace "''${prefix}/" ""
+  '';
+
+  doCheck = true;
+
+  meta = with lib; {
+    description = "TOML parser implementation for data serialization and deserialization in Fortran";
+    license = with licenses; [ asl20 mit ];
+    homepage = "https://github.com/toml-f/toml-f";
+    platforms = [ "x86_64-linux" ];
+    maintainers = [ maintainers.sheepforce ];
+  };
+}
diff --git a/pkgs/development/libraries/xsimd/default.nix b/pkgs/development/libraries/xsimd/default.nix
index db8cc787dee..ec2d166ef58 100644
--- a/pkgs/development/libraries/xsimd/default.nix
+++ b/pkgs/development/libraries/xsimd/default.nix
@@ -1,12 +1,12 @@
 { lib, stdenv, fetchFromGitHub, cmake, gtest }:
 stdenv.mkDerivation rec {
   pname = "xsimd";
-  version = "8.1.0";
+  version = "9.0.1";
   src = fetchFromGitHub {
     owner = "xtensor-stack";
     repo = "xsimd";
     rev = version;
-    sha256 = "sha256-Aqs6XJkGjAjGAp0PprabSM4m+32M/UXpSHppCHdzaZk=";
+    sha256 = "sha256-onALN6agtrHWigtFlCeefD9CiRZI4Y690XTzy2UDnrk=";
   };
 
   nativeBuildInputs = [ cmake ];
diff --git a/pkgs/development/python-modules/glfw/default.nix b/pkgs/development/python-modules/glfw/default.nix
index c695169deb4..cc97f2f49fa 100644
--- a/pkgs/development/python-modules/glfw/default.nix
+++ b/pkgs/development/python-modules/glfw/default.nix
@@ -1,30 +1,46 @@
-{ lib, buildPythonPackage, fetchFromGitHub, glfw3 }:
+{ lib
+, buildPythonPackage
+, fetchFromGitHub
+, glfw3
+, pythonOlder
+}:
 
 buildPythonPackage rec {
   pname = "glfw";
-  version = "2.5.6";
+  version = "2.5.7";
+  format = "setuptools";
+
+  disabled = pythonOlder "3.7";
 
   src = fetchFromGitHub {
     owner = "FlorianRhiem";
     repo = "pyGLFW";
     rev = "refs/tags/v${version}";
-    hash = "sha256-zusVOhZfJyUpftvrUSLZJl7mG5AEGMLGXMOojFnEsH0=";
+    hash = "sha256-tB9qoGIUb0KgD7SQIV7nP5/fWKY/LrP/lQbljfVqiXw=";
   };
 
   # Patch path to GLFW shared object
   patches = [ ./search-path.patch ];
+
   postPatch = ''
     substituteInPlace glfw/library.py --replace "@GLFW@" '${glfw3}/lib'
   '';
-  propagatedBuildInputs = [ glfw3 ];
+
+  propagatedBuildInputs = [
+    glfw3
+  ];
 
   # Project has no tests
   doCheck = false;
-  pythonImportsCheck = [ "glfw" ];
+
+  pythonImportsCheck = [
+    "glfw"
+  ];
 
   meta = with lib; {
     description = "Python bindings for GLFW";
     homepage = "https://github.com/FlorianRhiem/pyGLFW";
+    changelog = "https://github.com/FlorianRhiem/pyGLFW/blob/v${version}/CHANGELOG.md";
     license = licenses.mit;
     maintainers = [ maintainers.McSinyx ];
   };
diff --git a/pkgs/development/python-modules/google-cloud-bigquery/default.nix b/pkgs/development/python-modules/google-cloud-bigquery/default.nix
index cd574b5323f..078af6d9510 100644
--- a/pkgs/development/python-modules/google-cloud-bigquery/default.nix
+++ b/pkgs/development/python-modules/google-cloud-bigquery/default.nix
@@ -28,14 +28,14 @@
 
 buildPythonPackage rec {
   pname = "google-cloud-bigquery";
-  version = "3.6.0";
+  version = "3.7.0";
   format = "setuptools";
 
   disabled = pythonOlder "3.7";
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-WIbBTykJcVjVmvp0pnMtvdWD5u8w3Jk0pWrVMpBt41Y=";
+    hash = "sha256-z59UP606r0hxxT9Wtxjh75Spp3ixfxaJABX2/CXDKOw=";
   };
 
   propagatedBuildInputs = [
diff --git a/pkgs/development/python-modules/moderngl/default.nix b/pkgs/development/python-modules/moderngl/default.nix
index 3f2185fac87..8937c967912 100644
--- a/pkgs/development/python-modules/moderngl/default.nix
+++ b/pkgs/development/python-modules/moderngl/default.nix
@@ -9,14 +9,14 @@
 
 buildPythonPackage rec {
   pname = "moderngl";
-  version = "5.8.0";
+  version = "5.8.1";
   format = "setuptools";
 
   disabled = pythonOlder "3.7";
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-eudtjF6NanAFFDHqHOVLfcBBX02mpIIPW3gqvZV7Dds=";
+    hash = "sha256-li7QA9jXZL0z4C508bOxwMdaG5L1HwONKhMJwG9OXLg=";
   };
 
   buildInputs = [
diff --git a/pkgs/development/python-modules/tlv8/default.nix b/pkgs/development/python-modules/tlv8/default.nix
new file mode 100644
index 00000000000..05ece63e42e
--- /dev/null
+++ b/pkgs/development/python-modules/tlv8/default.nix
@@ -0,0 +1,39 @@
+{ lib
+, buildPythonPackage
+, fetchFromGitHub
+, pytestCheckHook
+}:
+
+buildPythonPackage rec {
+  pname = "tlv8";
+  version = "0.10.0";
+  format = "setuptools";
+
+  # pypi does not contain test files
+  src = fetchFromGitHub {
+    owner = "jlusiardi";
+    repo = "tlv8_python";
+    rev = "v${version}";
+    sha256 = "sha256-G35xMFYasKD3LnGi9q8wBmmFvqgtg0HPdC+y82nxRWA=";
+  };
+
+  checkInputs = [
+    pytestCheckHook
+  ];
+
+  pythonImportsCheck = [
+    "tlv8"
+  ];
+
+  meta = with lib; {
+    description = "Type-Length-Value8 (TLV8) for Python";
+    longDescription = ''
+      Python module to handle type-length-value (TLV) encoded data 8-bit type, 8-bit length, and N-byte
+      value as described within the Apple HomeKit Accessory Protocol Specification Non-Commercial Version
+      Release R2.
+    '';
+    homepage = "https://github.com/jlusiardi/tlv8_python";
+    license = licenses.asl20;
+    maintainers = with maintainers; [ jojosch ];
+  };
+}
diff --git a/pkgs/development/python-modules/transmission-rpc/default.nix b/pkgs/development/python-modules/transmission-rpc/default.nix
index 05d5c28dbf0..20fc4c3b31c 100644
--- a/pkgs/development/python-modules/transmission-rpc/default.nix
+++ b/pkgs/development/python-modules/transmission-rpc/default.nix
@@ -13,7 +13,7 @@
 
 buildPythonPackage rec {
   pname = "transmission-rpc";
-  version = "4.1.0";
+  version = "4.1.3";
   format = "pyproject";
 
   disabled = pythonOlder "3.8";
@@ -22,7 +22,7 @@ buildPythonPackage rec {
     owner = "Trim21";
     repo = "transmission-rpc";
     rev = "refs/tags/v${version}";
-    hash = "sha256-LHxB3VkpUlDupqOybvnhW8ER1gvu4vex6dT3m9y0r4o=";
+    hash = "sha256-GF2dXvtYgXTjdcellyCPFFTjp4Y6PKb2ihQETfomgU4=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/development/python-modules/trimesh/default.nix b/pkgs/development/python-modules/trimesh/default.nix
index 1f2c0fc3986..a8614aa5bba 100644
--- a/pkgs/development/python-modules/trimesh/default.nix
+++ b/pkgs/development/python-modules/trimesh/default.nix
@@ -6,11 +6,11 @@
 
 buildPythonPackage rec {
   pname = "trimesh";
-  version = "3.20.1";
+  version = "3.20.2";
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-UUkzHQoRCC7SmQgA4uz09J/KRxizr5LhwCYobINY1gc=";
+    hash = "sha256-6tSrWovgVTEccDelUFrw8E1ghyiPmUsEASW8kGPUBhM=";
   };
 
   propagatedBuildInputs = [ numpy ];
diff --git a/pkgs/development/tools/analysis/checkov/default.nix b/pkgs/development/tools/analysis/checkov/default.nix
index 278098453f1..1602fcea018 100644
--- a/pkgs/development/tools/analysis/checkov/default.nix
+++ b/pkgs/development/tools/analysis/checkov/default.nix
@@ -23,14 +23,14 @@ with py.pkgs;
 
 buildPythonApplication rec {
   pname = "checkov";
-  version = "2.3.95";
+  version = "2.3.96";
   format = "setuptools";
 
   src = fetchFromGitHub {
     owner = "bridgecrewio";
     repo = pname;
     rev = "refs/tags/${version}";
-    hash = "sha256-M7Qy7+yh1LZlMq3cN5HJ2IHea4qBlLr7ckT0v/PuunI=";
+    hash = "sha256-jQ5VaOvJkxhZ0fHrNmkuFK+qmRUNdzR5XCWqWv1iBs4=";
   };
 
   patches = [
@@ -114,7 +114,7 @@ buildPythonApplication rec {
     # Tests are comparing console output
     "cli"
     "console"
-    # Starting to fail after 2.3.95
+    # Starting to fail after 2.3.96
     "test_runner_verify_secrets_skip"
   ];
 
diff --git a/pkgs/development/tools/build-managers/scala-cli/sources.json b/pkgs/development/tools/build-managers/scala-cli/sources.json
index f49972839a0..ffbf1a33130 100644
--- a/pkgs/development/tools/build-managers/scala-cli/sources.json
+++ b/pkgs/development/tools/build-managers/scala-cli/sources.json
@@ -1,21 +1,21 @@
 {
-  "version": "0.2.0",
+  "version": "0.2.1",
   "assets": {
     "aarch64-darwin": {
       "asset": "scala-cli-aarch64-apple-darwin.gz",
-      "sha256": "0fv4ph1pf924wf3vmzri68s79i4kxgmp2fl9qy9v14ff71bbnyv5"
+      "sha256": "184ywxdqn729pjnhmy3y02j9zwvy89a4g95wng35j0wdlyrv7j1f"
     },
     "aarch64-linux": {
       "asset": "scala-cli-aarch64-pc-linux.gz",
-      "sha256": "1h5kvd1wf6x3xis15bdrsvrivs8zmbvggcaspr9brsjw38q13c7q"
+      "sha256": "0g55svbzy7nlrs7hn6lfn428zndahcln34p2szf6yx180h56irns"
     },
     "x86_64-darwin": {
       "asset": "scala-cli-x86_64-apple-darwin.gz",
-      "sha256": "1p4gkghbfs5cac4k7760nnsdf7m5i5d4f568m8xsyfx8nkhpyw1w"
+      "sha256": "1hm0gf4bq4hhnd54rlzpv6sbl1vyp6gzsswc8kyk7f31mzazqg14"
     },
     "x86_64-linux": {
       "asset": "scala-cli-x86_64-pc-linux.gz",
-      "sha256": "0xk4n71lgg91kkjk0633sz04s2ypyjkig9vsxg60b16gzm7z4j22"
+      "sha256": "1v7hbr1wk89wzvdja2pdzridrdvw6vsb7qfsqx8fl6xi613wn66p"
     }
   }
 }
diff --git a/pkgs/development/tools/misc/nrfutil/default.nix b/pkgs/development/tools/misc/nrfutil/default.nix
index 37197727974..e0b65b4ccc7 100644
--- a/pkgs/development/tools/misc/nrfutil/default.nix
+++ b/pkgs/development/tools/misc/nrfutil/default.nix
@@ -8,13 +8,13 @@ with python3.pkgs;
 
 buildPythonApplication rec {
   pname = "nrfutil";
-  version = "6.1.6";
+  version = "6.1.7";
 
   src = fetchFromGitHub {
     owner = "NordicSemiconductor";
     repo = "pc-nrfutil";
-    rev = "v${version}";
-    sha256 = "sha256-UiGNNJxNSpIzpeYMlzocLG2kuetl8xti5A3n6zz0lcY=";
+    rev = "refs/tags/v${version}";
+    sha256 = "sha256-WiXqeQObhXszDcLxJN8ABd2ZkxsOUvtZQSVP8cYlT2M=";
   };
 
   propagatedBuildInputs = [
diff --git a/pkgs/development/tools/rain/default.nix b/pkgs/development/tools/rain/default.nix
index 07db283bff7..7980f2783f2 100644
--- a/pkgs/development/tools/rain/default.nix
+++ b/pkgs/development/tools/rain/default.nix
@@ -7,16 +7,16 @@
 
 buildGoModule rec {
   pname = "rain";
-  version = "1.2.0";
+  version = "1.3.3";
 
   src = fetchFromGitHub {
     owner = "aws-cloudformation";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-6YKZy6sdy1Yi2cDaLMA54GBTZ9uPhYi5Cq5QqCGbD5k=";
+    sha256 = "sha256-34BHWvXwwdiFotVlV8U6HSkRy9TvJ6DLIC0Mpz//C3w=";
   };
 
-  vendorSha256 = "sha256-e3R8+xarofbx3Ky6JIfDbysTQETCUaQj/QmzAiU7fZk=";
+  vendorHash = "sha256-h/9a+o/jiNH2b1XIkbnKXSpCsBtyIhdOGyTNHU+Q/bA=";
 
   subPackages = [ "cmd/rain" ];
 
diff --git a/pkgs/misc/jitsi-meet-prosody/default.nix b/pkgs/misc/jitsi-meet-prosody/default.nix
index f8e57cf12a3..7d00c7586e0 100644
--- a/pkgs/misc/jitsi-meet-prosody/default.nix
+++ b/pkgs/misc/jitsi-meet-prosody/default.nix
@@ -2,10 +2,10 @@
 
 stdenv.mkDerivation rec {
   pname = "jitsi-meet-prosody";
-  version = "1.0.6644";
+  version = "1.0.6943";
   src = fetchurl {
     url = "https://download.jitsi.org/stable/${pname}_${version}-1_all.deb";
-    sha256 = "41jlcsJpcFlNdBIOAdzTUF3wOUAOS9upF/uxFQaGULc=";
+    sha256 = "MrLRA0XdaDWD7frh4XDXLTcjsAYWal5qwT5C6cq4MKc=";
   };
 
   dontBuild = true;
diff --git a/pkgs/servers/computing/slurm/default.nix b/pkgs/servers/computing/slurm/default.nix
index 2281031a644..0c891364630 100644
--- a/pkgs/servers/computing/slurm/default.nix
+++ b/pkgs/servers/computing/slurm/default.nix
@@ -14,7 +14,7 @@
 
 stdenv.mkDerivation rec {
   pname = "slurm";
-  version = "22.05.8.1";
+  version = "23.02.0.1";
 
   # N.B. We use github release tags instead of https://www.schedmd.com/downloads.php
   # because the latter does not keep older releases.
@@ -23,7 +23,7 @@ stdenv.mkDerivation rec {
     repo = "slurm";
     # The release tags use - instead of .
     rev = "${pname}-${builtins.replaceStrings ["."] ["-"] version}";
-    sha256 = "sha256-hL/FnHl+Fj62xGH1FVkB9jVtvrVxbPU73DlMWC6CyJ0=";
+    sha256 = "sha256-MxlrDLdPKtYF2xpX2q0i0DHinEL6BIzIGAxqTwWX/k0=";
   };
 
   outputs = [ "out" "dev" ];
diff --git a/pkgs/servers/jibri/default.nix b/pkgs/servers/jibri/default.nix
index be312614af9..5bf50d01752 100644
--- a/pkgs/servers/jibri/default.nix
+++ b/pkgs/servers/jibri/default.nix
@@ -13,10 +13,10 @@ let
 in
 stdenv.mkDerivation rec {
   pname = "jibri";
-  version = "8.0-139-g7ab9aa2";
+  version = "8.0-140-gccc7278";
   src = fetchurl {
     url = "https://download.jitsi.org/stable/${pname}_${version}-1_all.deb";
-    sha256 = "14V5khp6S9T3SWiNfKyxn2WCzwhcXDCRDtATa15p01M=";
+    sha256 = "TiKCK41ar3X1aOrGitnNBr/iWru1HOjjGkwLBB76M1M=";
   };
 
   dontBuild = true;
diff --git a/pkgs/servers/jicofo/default.nix b/pkgs/servers/jicofo/default.nix
index 315d95e1f15..b8bcda29de0 100644
--- a/pkgs/servers/jicofo/default.nix
+++ b/pkgs/servers/jicofo/default.nix
@@ -2,10 +2,10 @@
 
 let
   pname = "jicofo";
-  version = "1.0-940";
+  version = "1.0-987";
   src = fetchurl {
     url = "https://download.jitsi.org/stable/${pname}_${version}-1_all.deb";
-    sha256 = "vx7aUHfKxG+tZ0sM8eWr1tTKf//bMxdKVhE5I4P4mLo=";
+    sha256 = "VK4Ck+OU6xv/Lma4YpXduPThej2wopbs+OkBC2SOkJU=";
   };
 in
 stdenv.mkDerivation {
diff --git a/pkgs/servers/jitsi-videobridge/default.nix b/pkgs/servers/jitsi-videobridge/default.nix
index d7a0ef8dd84..0a4cbb840b5 100644
--- a/pkgs/servers/jitsi-videobridge/default.nix
+++ b/pkgs/servers/jitsi-videobridge/default.nix
@@ -2,10 +2,10 @@
 
 let
   pname = "jitsi-videobridge2";
-  version = "2.2-45-ge8b20f06";
+  version = "2.2-69-gad606ca2";
   src = fetchurl {
     url = "https://download.jitsi.org/stable/${pname}_${version}-1_all.deb";
-    sha256 = "fbSpjLdx9xbLdp7vzHTW9B/cDf3DahpwuI4IcqEqpas=";
+    sha256 = "+5fcxUiCMy45CdDuORU5Xo//f4iAAJEzt1gO+fKU43c=";
   };
 in
 stdenv.mkDerivation {
diff --git a/pkgs/servers/klipper/default.nix b/pkgs/servers/klipper/default.nix
index b1d38c4adc3..3be8eb51a7e 100644
--- a/pkgs/servers/klipper/default.nix
+++ b/pkgs/servers/klipper/default.nix
@@ -7,13 +7,13 @@
 
 stdenv.mkDerivation rec {
   pname = "klipper";
-  version = "unstable-2023-02-03";
+  version = "unstable-2023-02-20";
 
   src = fetchFromGitHub {
     owner = "KevinOConnor";
     repo = "klipper";
-    rev = "5644481590a16ac5b3d8c20874f0477d5d51a963";
-    sha256 = "sha256-OGFVcUPw0sqTbJyrMvCxp8nER9/42ZRN4zIrpm/qh4E=";
+    rev = "848a78d1a548cfe28af20d5d0ab021558368cfae";
+    sha256 = "sha256-pSuGNBvLBJ64pm4hECign2FhtAPx6xnXlhCa2eFzrwE=";
   };
 
   sourceRoot = "source/klippy";
diff --git a/pkgs/servers/web-apps/jitsi-meet/default.nix b/pkgs/servers/web-apps/jitsi-meet/default.nix
index 6ea75ee7a9c..c67a639b9d8 100644
--- a/pkgs/servers/web-apps/jitsi-meet/default.nix
+++ b/pkgs/servers/web-apps/jitsi-meet/default.nix
@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   pname = "jitsi-meet";
-  version = "1.0.6644";
+  version = "1.0.6943";
 
   src = fetchurl {
     url = "https://download.jitsi.org/jitsi-meet/src/jitsi-meet-${version}.tar.bz2";
-    sha256 = "y1oI3nxIu7breYNPhdX7PU5GfnCyxdEbAYlyZmif2Uo=";
+    sha256 = "4swWsCo6PmMzvSVY6vS5n2HH8o6pU+Ak37ng18BLqIk=";
   };
 
   dontBuild = true;
diff --git a/pkgs/shells/zsh/grml-zsh-config/default.nix b/pkgs/shells/zsh/grml-zsh-config/default.nix
index 18c4eef4800..47dc4748c1f 100644
--- a/pkgs/shells/zsh/grml-zsh-config/default.nix
+++ b/pkgs/shells/zsh/grml-zsh-config/default.nix
@@ -5,13 +5,13 @@ with lib;
 
 stdenv.mkDerivation rec {
   pname = "grml-zsh-config";
-  version = "0.19.4";
+  version = "0.19.5";
 
   src = fetchFromGitHub {
     owner = "grml";
     repo = "grml-etc-core";
     rev = "v${version}";
-    sha256 = "sha256-2TAhs2/yAVAU35IeVfT/68xLt9QZ4fLxMQjxnbCfBKs=";
+    sha256 = "sha256-/phoIi8amqdO+OK26+CE2OXwHTE71PaV9NIXEnGl6Co=";
   };
 
   strictDeps = true;
diff --git a/pkgs/test/texlive/default.nix b/pkgs/test/texlive/default.nix
index db83bd5149f..cbfa0c45e8f 100644
--- a/pkgs/test/texlive/default.nix
+++ b/pkgs/test/texlive/default.nix
@@ -174,10 +174,10 @@
 
     for fname in language.{dat,def,dat.lua} ; do
       diff --ignore-matching-lines='^\(%\|--\) Generated by ' -u \
-        {"$hyphenBase","$schemeFull"/share/texmf}/tex/generic/config/"$fname" \
+        {"$hyphenBase","$schemeFull"/share/texmf-var}/tex/generic/config/"$fname" \
         | tee "$out/scheme-full/$fname.patch"
       diff --ignore-matching-lines='^\(%\|--\) Generated by ' -u \
-        {,"$schemeInfraOnly"/share/texmf/tex/generic/config/}"$fname" \
+        {,"$schemeInfraOnly"/share/texmf-var/tex/generic/config/}"$fname" \
         | tee "$out/scheme-infraonly/$fname.patch"
     done
   '';
@@ -190,7 +190,7 @@
     mkdir -p "$out"
 
     diff --ignore-matching-lines='^# Generated by ' -u \
-      {"$kpathsea","$schemeFull"/share/texmf}/web2c/fmtutil.cnf \
+      {"$kpathsea","$schemeFull"/share/texmf-var}/web2c/fmtutil.cnf \
       | tee "$out/fmtutil.cnf.patch"
   '';
 }
diff --git a/pkgs/tools/X11/xmousepasteblock/default.nix b/pkgs/tools/X11/xmousepasteblock/default.nix
index 984f6ac70a6..ec6a5b0b8e1 100644
--- a/pkgs/tools/X11/xmousepasteblock/default.nix
+++ b/pkgs/tools/X11/xmousepasteblock/default.nix
@@ -2,14 +2,14 @@
 
 stdenv.mkDerivation rec {
   pname = "xmousepasteblock";
-  version = "1.0";
+  version = "1.3";
   src = fetchFromGitHub {
     owner = "milaq";
     repo = "XMousePasteBlock";
-    sha256 = "0vidckfp277cg2gsww8a8q5b18m10iy4ppyp2qipr89771nrcmns";
+    hash = "sha256-0rpAbYUU0SoeQaVNStmIEuYyiWbRAdTN7Mvm0ySDnhU=";
     rev = version;
   };
-  makeFlags = [ "PREFIX=$(out)" ];
+  makeFlags = [ "PREFIX=$(out)" "CC=${stdenv.cc.targetPrefix}cc" ];
   buildInputs = with xorg; [ libX11 libXext libXi libev ];
   nativeBuildInputs = [ pkg-config ];
   meta = with lib; {
diff --git a/pkgs/tools/X11/xpra/default.nix b/pkgs/tools/X11/xpra/default.nix
index e51d5f386b1..e182fe5e8c1 100644
--- a/pkgs/tools/X11/xpra/default.nix
+++ b/pkgs/tools/X11/xpra/default.nix
@@ -69,11 +69,11 @@ let
   '';
 in buildPythonApplication rec {
   pname = "xpra";
-  version = "4.4.3";
+  version = "4.4.4";
 
   src = fetchurl {
     url = "https://xpra.org/src/${pname}-${version}.tar.xz";
-    hash = "sha256-j7tHT486ylyWAmR34BBWw9+HbDPnYMvHU88HV+Cs1w8=";
+    hash = "sha256-oPa9ECqCE9+PrcZufsHWYR6EHxTZVFJOMUlK2b0mwLE=";
   };
 
   patches = [
diff --git a/pkgs/tools/graphics/vulkan-caps-viewer/default.nix b/pkgs/tools/graphics/vulkan-caps-viewer/default.nix
index 39492eefb83..96d48040e1d 100644
--- a/pkgs/tools/graphics/vulkan-caps-viewer/default.nix
+++ b/pkgs/tools/graphics/vulkan-caps-viewer/default.nix
@@ -3,6 +3,7 @@
 , fetchFromGitHub
 , qmake
 , vulkan-loader
+, wayland
 , wrapQtAppsHook
 , withX11 ? true
 , qtx11extras
@@ -10,13 +11,13 @@
 
 stdenv.mkDerivation rec {
   pname = "vulkan-caps-viewer";
-  version = "3.28";
+  version = "3.29";
 
   src = fetchFromGitHub {
     owner = "SaschaWillems";
     repo = "VulkanCapsViewer";
     rev = version;
-    hash = "sha256-gy0gFbPZAwQJHqJvk7WrbZ5y2I+9BGv9VaCoOW1QPek=";
+    hash = "sha256-c7jvlwvz85cf8lUlBPyRYvDkSlvkzSW6Jc6wlyKnHBc=";
     # Note: this derivation strictly requires vulkan-header to be the same it was developed against.
     # To help us, they've put it in a git-submodule.
     # The result will work with any vulkan-loader version.
@@ -30,6 +31,7 @@ stdenv.mkDerivation rec {
 
   buildInputs = [
     vulkan-loader
+    wayland
   ] ++ lib.lists.optionals withX11 [ qtx11extras ];
 
   patchPhase = ''
@@ -38,9 +40,8 @@ stdenv.mkDerivation rec {
   '';
 
   qmakeFlags = [
-    "DEFINES+=wayland"
     "CONFIG+=release"
-  ] ++ lib.lists.optionals withX11 [ "DEFINES+=X11" ];
+  ];
 
   installFlags = [ "INSTALL_ROOT=$(out)" ];
 
diff --git a/pkgs/tools/misc/bandwidth/default.nix b/pkgs/tools/misc/bandwidth/default.nix
index ea96b79fa34..25a7e0647ef 100644
--- a/pkgs/tools/misc/bandwidth/default.nix
+++ b/pkgs/tools/misc/bandwidth/default.nix
@@ -6,11 +6,11 @@ let
 in
 stdenv.mkDerivation rec {
   pname = "bandwidth";
-  version = "1.11.2";
+  version = "1.11.2d";
 
   src = fetchurl {
     url = "https://zsmith.co/archives/${pname}-${version}.tar.gz";
-    sha256 = "sha256-mjtvQAOH9rv12XszGdD5hIX197er7Uc74WfVaP32TpM=";
+    hash = "sha256-7IrNiCXKf1vyRGl73Ccu3aYMqPVc4PpEr6lnSqIa4Q8=";
   };
 
   postPatch = ''
@@ -24,6 +24,10 @@ stdenv.mkDerivation rec {
     # Fix missing symbol exports for macOS clang
     echo global _VectorToVector128 >> routines-x86-64bit.asm
     echo global _VectorToVector256 >> routines-x86-64bit.asm
+    # Fix unexpected token on macOS
+    sed -i '/.section .note.GNU-stack/d' *-64bit.asm
+    sed -i '/.section code/d' *-arm-64bit.asm
+    sed -i 's#-Wl,-z,noexecstack##g' Makefile-arm64
   '';
 
   nativeBuildInputs = [ nasm ];
diff --git a/pkgs/tools/misc/remind/default.nix b/pkgs/tools/misc/remind/default.nix
index 77e13b0b154..9769402e8e9 100644
--- a/pkgs/tools/misc/remind/default.nix
+++ b/pkgs/tools/misc/remind/default.nix
@@ -16,11 +16,11 @@ let
 in
 tcl.mkTclDerivation rec {
   pname = "remind";
-  version = "04.02.01";
+  version = "04.02.03";
 
   src = fetchurl {
     url = "https://dianne.skoll.ca/projects/remind/download/remind-${version}.tar.gz";
-    sha256 = "sha256-RknG1SyKKYSMLWihR2GM8MVROJx0E0E1gD+vSLv6uk0=";
+    sha256 = "sha256-0hY/ee3+ErqPNucD1ZcisK7WbzT7dmV/9vQKus/sOgA=";
   };
 
   propagatedBuildInputs = tclLibraries;
diff --git a/pkgs/tools/misc/tkman/default.nix b/pkgs/tools/misc/tkman/default.nix
new file mode 100644
index 00000000000..e178e173108
--- /dev/null
+++ b/pkgs/tools/misc/tkman/default.nix
@@ -0,0 +1,87 @@
+{ lib
+, stdenv
+, fetchzip
+, fetchpatch
+, makeWrapper
+, makeDesktopItem
+, copyDesktopItems
+, tk
+, groff
+, rman
+}:
+
+stdenv.mkDerivation rec {
+  pname = "tkman";
+  version = "2.2";
+
+  src = fetchzip {
+    url = "mirror://sourceforge/tkman/tkman-${version}.tar.gz";
+    hash = "sha256-S4ffz+7zmVy9+isz/8q+FV4wF5Rw2iL1ftY8RsJjRLs=";
+  };
+
+  nativeBuildInputs = [
+    makeWrapper
+    copyDesktopItems
+  ];
+
+  patches = [(fetchpatch {
+    url = "https://gitweb.gentoo.org/repo/gentoo.git/plain/app-text/tkman/files/tkman-CVE-2008-5137.diff";
+    hash = "sha256-l97SY2/YnMgzHYKnVYCVJKV7oGLN1hXNpeHFlLVzTMA=";
+  })];
+
+  makeFlags = [
+    "BINDIR=$(out)/bin"
+    "WISH=${tk}/bin/wish"
+    "rman=${rman}/bin/rman"
+    # TODO package glimpse https://github.com/gvelez17/glimpse
+    "glimpse=\"\""
+  ];
+
+  preBuild = ''
+    makeFlagsArray+=(
+      'manformat="${groff}/bin/groff -te -Tlatin1 -mandoc $$manx(longtmp) -"'
+    )
+  '';
+
+  preInstall = ''
+    mkdir -p $out/bin
+  '';
+
+  postInstall = ''
+    wrapProgram $out/bin/tkman \
+      --run 'export MANPATH="$(manpath)"'
+    rm $out/bin/retkman # doesn't work
+    install -Dm644 contrib/TkMan.gif $out/share/icons/hicolor/64x64/apps/tkman.gif
+  '';
+
+  desktopItems = [(makeDesktopItem {
+    name = "tkman";
+    desktopName = "TkMan";
+    comment = "Graphical man page and info viewer";
+    exec = "tkman %f";
+    icon = "tkman";
+    terminal = false;
+    type = "Application";
+    categories = [ "Utility" ];
+  })];
+
+  meta = with lib; {
+    description = "Graphical, hypertext manual page and Texinfo browser for UNIX";
+    longDescription = ''
+      TkMan is a graphical, hypertext manual page and Texinfo browser for UNIX.
+      TkMan boasts hypertext links, unmatched online text formatting and display
+      quality, (optional) outline view of man pages, high quality display and
+      superior navigational interface to Texinfo documents, a novel information
+      visualization mechanism called Notemarks, full text search among man pages
+      and Texinfo, incremental and regular expression search within pages,
+      regular expression search within Texinfo that shows all matches (not just
+      the next), robustly attached yellow highlight annotations, a shortcut/hot
+      list, lists of all pages in user configurable volumes, a comprehensive
+      Preferences panel, and man page versioning support, among many other features.
+    '';
+    homepage = "https://tkman.sourceforge.net/index.html";
+    license = licenses.artistic1;
+    platforms = platforms.unix;
+    maintainers = with maintainers; [ fgaz ];
+  };
+}
diff --git a/pkgs/tools/misc/units/default.nix b/pkgs/tools/misc/units/default.nix
index 04e955a78b1..71fbccdf2d5 100644
--- a/pkgs/tools/misc/units/default.nix
+++ b/pkgs/tools/misc/units/default.nix
@@ -11,11 +11,11 @@ assert enableCurrenciesUpdater -> pythonPackages != null;
 
 stdenv.mkDerivation rec {
   pname = "units";
-  version = "2.21";
+  version = "2.22";
 
   src = fetchurl {
     url = "mirror://gnu/units/${pname}-${version}.tar.gz";
-    sha256 = "sha256-bD6AqfmAWJ/ZYqWFKiZ0ZCJX2xxf1bJ8TZ5mTzSGy68=";
+    sha256 = "sha256-XRPhIHch/ncm2Qa6HZLcDt2qn8JnWe0i47jRp5MSWEg=";
   };
 
   pythonEnv = pythonPackages.python.withPackages(ps: [
diff --git a/pkgs/tools/security/pynitrokey/default.nix b/pkgs/tools/security/pynitrokey/default.nix
index 1f36eda5ab3..e18b849c343 100644
--- a/pkgs/tools/security/pynitrokey/default.nix
+++ b/pkgs/tools/security/pynitrokey/default.nix
@@ -4,12 +4,12 @@ with python3Packages;
 
 buildPythonApplication rec {
   pname = "pynitrokey";
-  version = "0.4.27";
+  version = "0.4.31";
   format = "flit";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "sha256-aWQhMvATcDtyBtj38mGnypkKIqKQgneBzWDh5o/5Wkc=";
+    sha256 = "sha256-nqw5wUzQxKCBzYBRhqB6v7WWrF1Ojf8z6Kf1YUA9+wU=";
   };
 
   propagatedBuildInputs = [
@@ -29,13 +29,18 @@ buildPythonApplication rec {
     cffi
     cbor
     nkdfu
+    fido2
+    tlv8
+  ];
+
+  nativeBuildInputs = [
+    pythonRelaxDepsHook
   ];
 
-  # spsdk is patched to allow for newer cryptography
-  postPatch = ''
-    substituteInPlace pyproject.toml \
-        --replace "cryptography >=3.4.4,<37" "cryptography"
-  '';
+  pythonRelaxDeps = [
+    "cryptography"
+    "spsdk"
+  ];
 
   # no tests
   doCheck = false;
diff --git a/pkgs/tools/typesetting/tex/texlive/combine.nix b/pkgs/tools/typesetting/tex/texlive/combine.nix
index 5caebace7cb..5681d2cd454 100644
--- a/pkgs/tools/typesetting/tex/texlive/combine.nix
+++ b/pkgs/tools/typesetting/tex/texlive/combine.nix
@@ -38,16 +38,44 @@ let
   mkUniqueOutPaths = pkgs: lib.unique
     (map (p: p.outPath) (builtins.filter lib.isDerivation pkgs));
 
-in (buildEnv {
   name = "texlive-${extraName}-${bin.texliveYear}${extraVersion}";
 
-  extraPrefix = "/share/texmf";
+  texmf = (buildEnv {
+    name = "${name}-texmf";
+
+    paths = pkgList.nonbin;
+
+    nativeBuildInputs = [ perl bin.core.out ];
+
+    postBuild = # generate ls-R database
+    ''
+      perl -I "${bin.core.out}/share/texmf-dist/scripts/texlive" \
+        -- "$out/scripts/texlive/mktexlsr.pl" --sort "$out"
+    '';
+  }).overrideAttrs (_: { allowSubstitutes = true; });
+
+  # expose info and man pages in usual /share/{info,man} location
+  doc = buildEnv {
+    name = "${name}-doc";
+
+    paths = [ (texmf.outPath + "/doc") ];
+    extraPrefix = "/share";
+
+    pathsToLink = [
+      "/info"
+      "/man"
+    ];
+  };
+
+in (buildEnv {
+
+  inherit name;
 
   ignoreCollisions = false;
-  paths = pkgList.nonbin;
+  paths = pkgList.bin ++ [ doc ];
   pathsToLink = [
     "/"
-    "/tex/generic/config" # make it a real directory for scheme-infraonly
+    "/bin" # ensure these are writeable directories
   ];
 
   nativeBuildInputs = [ makeWrapper libfaketime perl bin.texlinks ];
@@ -57,54 +85,40 @@ in (buildEnv {
   passthru.packages = pkgList.all;
 
   postBuild = ''
-    mkdir -p "$out"/bin
-  '' +
-    lib.concatMapStrings
-      (path: ''
-        for f in '${path}'/bin/*; do
-          if [[ -L "$f" ]]; then
-            cp -d "$f" "$out"/bin/
-          else
-            ln -s "$f" "$out"/bin/
-          fi
-        done
-      '')
-      pkgList.bin
-    +
-  ''
-    export PATH="$out/bin:$out/share/texmf/scripts/texlive:$PATH"
-    export TEXMFCNF="$out/share/texmf/web2c"
+    TEXMFDIST="${texmf}"
+    export PATH="$out/bin:$PATH"
+    export PERL5LIB="$TEXMFDIST/scripts/texlive:${bin.core.out}/share/texmf-dist/scripts/texlive"
     TEXMFSYSCONFIG="$out/share/texmf-config"
     TEXMFSYSVAR="$out/share/texmf-var"
-    export PERL5LIB="$out/share/texmf/scripts/texlive:${bin.core.out}/share/texmf-dist/scripts/texlive"
+    export TEXMFCNF="$TEXMFSYSVAR/web2c"
   '' +
-    # patch texmf-dist  -> $out/share/texmf
+    # patch texmf-dist  -> $TEXMFDIST
     # patch texmf-local -> $out/share/texmf-local
+    # patch texmf.cnf   -> $TEXMFSYSVAR/web2c/texmf.cnf
     # TODO: perhaps do lua actions?
     # tried inspiration from install-tl, sub do_texmf_cnf
   ''
-    if [ -e "$TEXMFCNF/texmfcnf.lua" ]; then
+    mkdir -p "$TEXMFCNF"
+    if [ -e "$TEXMFDIST/web2c/texmfcnf.lua" ]; then
       sed \
-        -e 's,texmf-dist,texmf,g' \
+        -e "s,\(TEXMFDIST[ ]*=[ ]*\)[^\,]*,\1\"$TEXMFDIST\",g" \
         -e "s,\(TEXMFLOCAL[ ]*=[ ]*\)[^\,]*,\1\"$out/share/texmf-local\",g" \
         -e "s,\$SELFAUTOLOC,$out,g" \
         -e "s,selfautodir:/,$out/share/,g" \
         -e "s,selfautodir:,$out/share/,g" \
         -e "s,selfautoparent:/,$out/share/,g" \
         -e "s,selfautoparent:,$out/share/,g" \
-        -i "$TEXMFCNF/texmfcnf.lua"
+        "$TEXMFDIST/web2c/texmfcnf.lua" > "$TEXMFCNF/texmfcnf.lua"
     fi
 
     sed \
-      -e 's,texmf-dist,texmf,g' \
+      -e "s,\(TEXMFDIST[ ]*=[ ]*\)[^\,]*,\1$TEXMFDIST,g" \
       -e "s,\$SELFAUTOLOC,$out,g" \
       -e "s,\$SELFAUTODIR,$out/share,g" \
       -e "s,\$SELFAUTOPARENT,$out/share,g" \
       -e "s,\$SELFAUTOGRANDPARENT,$out/share,g" \
       -e "/^mpost,/d" `# CVE-2016-10243` \
-      -i "$TEXMFCNF/texmf.cnf"
-
-    mkdir "$out/share/texmf-local"
+      "$TEXMFDIST/web2c/texmf.cnf" > "$TEXMFCNF/texmf.cnf"
   '' +
     # now filter hyphenation patterns and formats
   (let
@@ -132,18 +146,31 @@ in (buildEnv {
         + lib.concatMapStrings (pname: section "^-- from ${pname}:$" "^}$|^-- from") hyphenPNames
         + "$p;\n"
       );
+    # formats not being installed must be disabled by prepending #! (see man fmtutil)
+    # sed expression that enables the formats in /start/,/end/
+    enableFormats = pname: "/^# from ${pname}:$/,/^# from/{ s/^#! //; };\n";
     fmtutilSed =
       writeText "fmtutil.sed" (
-        "1{ s/^(# Generated by .*)$/\\1, modified by texlive.combine/; p; }\n"
-        + "2,/^# from/{ /^# from/!p; };\n"
-        + lib.concatMapStrings (pname: section "^# from ${pname}:$" "^# from") formatPNames
+        # document how file was generated
+        "1{ s/^(# Generated by .*)$/\\1, modified by texlive.combine/; }\n"
+        # disable all formats, even those already disabled
+        + "s/^([^#]|#! )/#! \\1/;\n"
+        # enable the formats from the packages being installed
+        + lib.concatMapStrings enableFormats formatPNames
+        # clean up formats that have been disabled twice
+        + "s/^#! #! /#! /;\n"
       );
   in ''
-    for fname in "$out"/share/texmf/tex/generic/config/language.{dat,def}; do
-      [[ -e "$fname" ]] && sed -E -n -f '${script}' -i "$fname"
+    mkdir -p "$TEXMFSYSVAR/tex/generic/config"
+    for fname in tex/generic/config/language.{dat,def}; do
+      [[ -e "$TEXMFDIST/$fname" ]] && sed -E -n -f '${script}' "$TEXMFDIST/$fname" > "$TEXMFSYSVAR/$fname"
     done
-    [[ -e "$out"/share/texmf/tex/generic/config/language.dat.lua ]] && sed -E -n -f '${scriptLua}' -i "$out"/share/texmf/tex/generic/config/language.dat.lua
-    [[ -e "$TEXMFCNF"/fmtutil.cnf ]] && sed -E -n -f '${fmtutilSed}' -i "$TEXMFCNF"/fmtutil.cnf
+    [[ -e "$TEXMFDIST"/tex/generic/config/language.dat.lua ]] && sed -E -n -f '${scriptLua}' \
+      "$TEXMFDIST"/tex/generic/config/language.dat.lua > "$TEXMFSYSVAR"/tex/generic/config/language.dat.lua
+    [[ -e "$TEXMFDIST"/web2c/fmtutil.cnf ]] && sed -E -f '${fmtutilSed}' "$TEXMFDIST"/web2c/fmtutil.cnf > "$TEXMFCNF"/fmtutil.cnf
+
+    # make new files visible to kpathsea
+    perl "$TEXMFDIST"/scripts/texlive/mktexlsr.pl --sort "$TEXMFSYSVAR"
   '') +
 
   # function to wrap created executables with required env vars
@@ -191,16 +218,15 @@ in (buildEnv {
   '' +
   # texlive post-install actions
   ''
-    ln -sf "$out"/share/texmf/scripts/texlive/updmap.pl "$out"/bin/updmap
+    ln -sf "$TEXMFDIST"/scripts/texlive/updmap.pl "$out"/bin/updmap
   '' +
     # now hack to preserve "$0" for mktexfmt
   ''
-    cp "$out"/share/texmf/scripts/texlive/fmtutil.pl "$out/bin/fmtutil"
+    cp "$TEXMFDIST"/scripts/texlive/fmtutil.pl "$out/bin/fmtutil"
     patchShebangs "$out/bin/fmtutil"
-    sed "1s|$| -I $out/share/texmf/scripts/texlive|" -i "$out/bin/fmtutil"
+    sed "1s|$| -I $TEXMFDIST/scripts/texlive|" -i "$out/bin/fmtutil"
     ln -sf fmtutil "$out/bin/mktexfmt"
 
-    perl "$out"/share/texmf/scripts/texlive/mktexlsr.pl --sort "$out"/share/texmf
     texlinks "$out/bin" && wrapBin
     FORCE_SOURCE_DATE=1 fmtutil --sys --all | grep '^fmtutil' # too verbose
     #texlinks "$out/bin" && wrapBin # do we need to regenerate format links?
@@ -224,16 +250,16 @@ in (buildEnv {
     # sort entries to improve reproducibility
     [[ -f "$TEXMFSYSCONFIG"/web2c/updmap.cfg ]] && sort -o "$TEXMFSYSCONFIG"/web2c/updmap.cfg "$TEXMFSYSCONFIG"/web2c/updmap.cfg
 
-    perl "$out"/share/texmf/scripts/texlive/mktexlsr.pl --sort "$out"/share/texmf-* # to make sure
+    perl "$TEXMFDIST"/scripts/texlive/mktexlsr.pl --sort "$TEXMFSYSCONFIG" "$TEXMFSYSVAR" # to make sure
   '' +
     # install (wrappers for) scripts, based on a list from upstream texlive
   ''
     source '${bin.core.out}/share/texmf-dist/scripts/texlive/scripts.lst'
     for s in $texmf_scripts; do
-      [[ -x "$out/share/texmf/scripts/$s" ]] || continue
+      [[ -x "$TEXMFDIST/scripts/$s" ]] || continue
       tName="$(basename $s | sed 's/\.[a-z]\+$//')" # remove extension
       [[ ! -e "$out/bin/$tName" ]] || continue
-      ln -sv "$(realpath $out/share/texmf/scripts/$s)" "$out/bin/$tName" # wrapped below
+      ln -sv "$(realpath "$TEXMFDIST/scripts/$s")" "$out/bin/$tName" # wrapped below
     done
   '' +
     # A hacky way to provide repstopdf
@@ -241,8 +267,9 @@ in (buildEnv {
     #  * ./bin/repstopdf needs to be a symlink to be processed by wrapBin
   ''
     if [[ -e "$out"/bin/epstopdf ]]; then
-      cp "$out"/bin/epstopdf "$out"/share/texmf/scripts/repstopdf
-      ln -s "$out"/share/texmf/scripts/repstopdf "$out"/bin/repstopdf
+      mkdir -p "$TEXMFSYSVAR/scripts"
+      cp "$out"/bin/epstopdf "$TEXMFSYSVAR"/scripts/repstopdf
+      ln -s "$TEXMFSYSVAR"/scripts/repstopdf "$out"/bin/repstopdf
     fi
   '' +
     # finish up the wrappers
@@ -262,16 +289,6 @@ in (buildEnv {
   # TODO: a context trigger https://www.preining.info/blog/2015/06/debian-tex-live-2015-the-new-layout/
     # http://wiki.contextgarden.net/ConTeXt_Standalone#Unix-like_platforms_.28Linux.2FMacOS_X.2FFreeBSD.2FSolaris.29
 
-    # I would just create links from "$out"/share/{man,info},
-    #   but buildenv has problems with merging symlinks with directories;
-    #   note: it's possible we might need deepen the work-around to man/*.
-  ''
-    for d in {man,info}; do
-      [[ -e "$out/share/texmf/doc/$d" ]] || continue;
-      mkdir -p "$out/share/$d"
-      ln -s -t "$out/share/$d" "$out/share/texmf/doc/$d"/*
-    done
-  '' +
   # MkIV uses its own lookup mechanism and we need to initialize
   # caches for it.
   ''
@@ -283,7 +300,7 @@ in (buildEnv {
   # Get rid of all log files. They are not needed, but take up space
   # and render the build unreproducible by their embedded timestamps.
   ''
-    find $TEXMFSYSVAR/web2c -name '*.log' -delete
+    find "$TEXMFSYSVAR"/web2c -name '*.log' -delete
   ''
   ;
 }).overrideAttrs (_: { allowSubstitutes = true; })
diff --git a/pkgs/tools/wayland/swayrbar/default.nix b/pkgs/tools/wayland/swayrbar/default.nix
index 808d5c3c31d..76a49cad8a8 100644
--- a/pkgs/tools/wayland/swayrbar/default.nix
+++ b/pkgs/tools/wayland/swayrbar/default.nix
@@ -2,16 +2,16 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "swayrbar";
-  version = "0.3.4";
+  version = "0.3.5";
 
   src = fetchFromSourcehut {
     owner = "~tsdh";
     repo = "swayr";
     rev = "swayrbar-${version}";
-    sha256 = "sha256-OQhq5ZUe2OrfRFxoaAbbewoHgQVPv9cQy0VCpYe1SNo=";
+    sha256 = "sha256-uYQGwccSwqHJ1w8CyxXimmENnGx7e3EMA1MKZuZDTIk=";
   };
 
-  cargoHash = "sha256-vM4SoRbVylN90b378Qk18A8/2S2IB88lnGCM6sqrhs8=";
+  cargoHash = "sha256-PdPaUqJUycUhleaND6XwKkRvwO0MHbvw5lzz95bdfCQ=";
 
   # don't build swayr
   buildAndTestSubdir = pname;
diff --git a/pkgs/tools/wayland/wl-mirror/default.nix b/pkgs/tools/wayland/wl-mirror/default.nix
index 1ab7071a46c..8e19bdc1d9e 100644
--- a/pkgs/tools/wayland/wl-mirror/default.nix
+++ b/pkgs/tools/wayland/wl-mirror/default.nix
@@ -28,13 +28,13 @@ in
 
 stdenv.mkDerivation rec {
   pname = "wl-mirror";
-  version = "0.13.0";
+  version = "0.13.1";
 
   src = fetchFromGitHub {
     owner = "Ferdi265";
     repo = "wl-mirror";
     rev = "v${version}";
-    hash = "sha256-jjOcEr/E7l3ykdLAfiDlRSI0u76byDmBwfispTbopk8=";
+    hash = "sha256-qYJmcsID5qbUs27ZCU2HkWVVnBmxWmyzSgruLPB4jI8=";
   };
 
   strictDeps = true;
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 68f9c567620..ca5eb3f71b7 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -12774,6 +12774,8 @@ with pkgs;
 
   tiv = callPackage ../applications/misc/tiv { };
 
+  tkman = callPackage ../tools/misc/tkman { };
+
   tldr = callPackage ../tools/misc/tldr { };
 
   tldr-hs = haskellPackages.tldr;
@@ -20830,6 +20832,8 @@ with pkgs;
 
   jsoncpp = callPackage ../development/libraries/jsoncpp { };
 
+  json-fortran = callPackage ../development/libraries/json-fortran { };
+
   jsonnet = callPackage ../development/compilers/jsonnet { };
 
   jsonnet-bundler = callPackage ../development/tools/jsonnet-bundler { };
@@ -22420,6 +22424,22 @@ with pkgs;
 
   mergerfs-tools = callPackage ../tools/filesystems/mergerfs/tools.nix { };
 
+  mctc-lib = callPackage ../development/libraries/science/chemistry/mctc-lib { };
+
+  mstore = callPackage ../development/libraries/science/chemistry/mstore { };
+
+  multicharge = callPackage ../development/libraries/science/chemistry/multicharge { };
+
+  test-drive = callPackage ../development/libraries/test-drive { };
+
+  dftd4 = callPackage ../development/libraries/science/chemistry/dftd4 { };
+
+  simple-dftd3 = callPackage ../development/libraries/science/chemistry/simple-dftd3 { };
+
+  tblite = callPackage ../development/libraries/science/chemistry/tblite { };
+
+  toml-f = callPackage ../development/libraries/toml-f { };
+
   ## libGL/libGLU/Mesa stuff
 
   # Default libGL implementation, should provide headers and
diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix
index de3f2ba61f0..797d29ed14d 100644
--- a/pkgs/top-level/python-packages.nix
+++ b/pkgs/top-level/python-packages.nix
@@ -11443,6 +11443,11 @@ self: super: with self; {
 
   tblib = callPackage ../development/python-modules/tblib { };
 
+  tblite = callPackage ../development/libraries/science/chemistry/tblite/python.nix {
+    tblite = pkgs.tblite;
+    meson = pkgs.meson;
+  };
+
   tbm-utils = callPackage ../development/python-modules/tbm-utils { };
 
   tcolorpy = callPackage ../development/python-modules/tcolorpy { };
@@ -11716,6 +11721,8 @@ self: super: with self; {
 
   tls-parser = callPackage ../development/python-modules/tls-parser { };
 
+  tlv8 = callPackage ../development/python-modules/tlv8 { };
+
   tmb = callPackage ../development/python-modules/tmb { };
 
   todoist = callPackage ../development/python-modules/todoist { };