diff --git a/doc/builders/packages/index.xml b/doc/builders/packages/index.xml
index 3a7ca59505c..ba59ceb016b 100644
--- a/doc/builders/packages/index.xml
+++ b/doc/builders/packages/index.xml
@@ -15,11 +15,11 @@
  <xi:include href="linux.xml" />
  <xi:include href="locales.xml" />
  <xi:include href="nginx.xml" />
- <xi:include href="opengl.xml" />
+ <xi:include href="opengl.section.xml" />
  <xi:include href="shell-helpers.xml" />
  <xi:include href="steam.xml" />
  <xi:include href="cataclysm-dda.section.xml" />
  <xi:include href="urxvt.xml" />
- <xi:include href="weechat.xml" />
- <xi:include href="xorg.xml" />
+ <xi:include href="weechat.section.xml" />
+ <xi:include href="xorg.section.xml" />
 </chapter>
diff --git a/doc/builders/packages/opengl.section.md b/doc/builders/packages/opengl.section.md
new file mode 100644
index 00000000000..6866bf89221
--- /dev/null
+++ b/doc/builders/packages/opengl.section.md
@@ -0,0 +1,15 @@
+# OpenGL {#sec-opengl}
+
+OpenGL support varies depending on which hardware is used and which drivers are available and loaded.
+
+Broadly, we support both GL vendors: Mesa and NVIDIA.
+
+## NixOS Desktop
+
+The NixOS desktop or other non-headless configurations are the primary target for OpenGL libraries and applications. The current solution for discovering which drivers are available is based on [libglvnd](https://gitlab.freedesktop.org/glvnd/libglvnd). `libglvnd` performs "vendor-neutral dispatch", trying a variety of techniques to find the system's GL implementation. In practice, this will be either via standard GLX for X11 users or EGL for Wayland users, and supporting either NVIDIA or Mesa extensions.
+
+## Nix on GNU/Linux
+
+If you are using a non-NixOS GNU/Linux/X11 desktop with free software video drivers, consider launching OpenGL-dependent programs from Nixpkgs with Nixpkgs versions of `libglvnd` and `mesa.drivers` in `LD_LIBRARY_PATH`. For Mesa drivers, the Linux kernel version doesn't have to match nixpkgs.
+
+For proprietary video drivers you might have luck with also adding the corresponding video driver package.
diff --git a/doc/builders/packages/opengl.xml b/doc/builders/packages/opengl.xml
deleted file mode 100644
index dfd64b18858..00000000000
--- a/doc/builders/packages/opengl.xml
+++ /dev/null
@@ -1,9 +0,0 @@
-<section xmlns="http://docbook.org/ns/docbook"
-         xmlns:xlink="http://www.w3.org/1999/xlink"
-         xml:id="sec-opengl">
- <title>OpenGL</title>
-
- <para>
-  Packages that use OpenGL have NixOS desktop as their primary target. The current solution for loading the GPU-specific drivers is based on <literal>libglvnd</literal> and looks for the driver implementation in <literal>LD_LIBRARY_PATH</literal>. If you are using a non-NixOS GNU/Linux/X11 desktop with free software video drivers, consider launching OpenGL-dependent programs from Nixpkgs with Nixpkgs versions of <literal>libglvnd</literal> and <literal>mesa.drivers</literal> in <literal>LD_LIBRARY_PATH</literal>. For proprietary video drivers you might have luck with also adding the corresponding video driver package.
- </para>
-</section>
diff --git a/doc/builders/packages/weechat.section.md b/doc/builders/packages/weechat.section.md
new file mode 100644
index 00000000000..1d99b00e632
--- /dev/null
+++ b/doc/builders/packages/weechat.section.md
@@ -0,0 +1,85 @@
+# Weechat {#sec-weechat}
+
+Weechat can be configured to include your choice of plugins, reducing its closure size from the default configuration which includes all available plugins. To make use of this functionality, install an expression that overrides its configuration such as
+
+```nix
+weechat.override {configure = {availablePlugins, ...}: {
+    plugins = with availablePlugins; [ python perl ];
+  }
+}
+```
+
+If the `configure` function returns an attrset without the `plugins` attribute, `availablePlugins` will be used automatically.
+
+The plugins currently available are `python`, `perl`, `ruby`, `guile`, `tcl` and `lua`.
+
+The python and perl plugins allows the addition of extra libraries. For instance, the `inotify.py` script in `weechat-scripts` requires D-Bus or libnotify, and the `fish.py` script requires `pycrypto`. To use these scripts, use the plugin's `withPackages` attribute:
+
+```nix
+weechat.override { configure = {availablePlugins, ...}: {
+    plugins = with availablePlugins; [
+            (python.withPackages (ps: with ps; [ pycrypto python-dbus ]))
+        ];
+    };
+}
+```
+
+In order to also keep all default plugins installed, it is possible to use the following method:
+
+```nix
+weechat.override { configure = { availablePlugins, ... }: {
+  plugins = builtins.attrValues (availablePlugins // {
+    python = availablePlugins.python.withPackages (ps: with ps; [ pycrypto python-dbus ]);
+  });
+}; }
+```
+
+WeeChat allows to set defaults on startup using the `--run-command`. The `configure` method can be used to pass commands to the program:
+
+```nix
+weechat.override {
+  configure = { availablePlugins, ... }: {
+    init = ''
+      /set foo bar
+      /server add freenode chat.freenode.org
+    '';
+  };
+}
+```
+
+Further values can be added to the list of commands when running `weechat --run-command "your-commands"`.
+
+Additionally it's possible to specify scripts to be loaded when starting `weechat`. These will be loaded before the commands from `init`:
+
+```nix
+weechat.override {
+  configure = { availablePlugins, ... }: {
+    scripts = with pkgs.weechatScripts; [
+      weechat-xmpp weechat-matrix-bridge wee-slack
+    ];
+    init = ''
+      /set plugins.var.python.jabber.key "val"
+    '':
+  };
+}
+```
+
+In `nixpkgs` there's a subpackage which contains derivations for WeeChat scripts. Such derivations expect a `passthru.scripts` attribute which contains a list of all scripts inside the store path. Furthermore all scripts have to live in `$out/share`. An exemplary derivation looks like this:
+
+```nix
+{ stdenv, fetchurl }:
+
+stdenv.mkDerivation {
+  name = "exemplary-weechat-script";
+  src = fetchurl {
+    url = "https://scripts.tld/your-scripts.tar.gz";
+    sha256 = "...";
+  };
+  passthru.scripts = [ "foo.py" "bar.lua" ];
+  installPhase = ''
+    mkdir $out/share
+    cp foo.py $out/share
+    cp bar.lua $out/share
+  '';
+}
+```
diff --git a/doc/builders/packages/weechat.xml b/doc/builders/packages/weechat.xml
deleted file mode 100644
index a110d3f491c..00000000000
--- a/doc/builders/packages/weechat.xml
+++ /dev/null
@@ -1,85 +0,0 @@
-<section xmlns="http://docbook.org/ns/docbook"
-         xmlns:xlink="http://www.w3.org/1999/xlink"
-         xml:id="sec-weechat">
- <title>Weechat</title>
-
- <para>
-  Weechat can be configured to include your choice of plugins, reducing its closure size from the default configuration which includes all available plugins. To make use of this functionality, install an expression that overrides its configuration such as
-<programlisting>weechat.override {configure = {availablePlugins, ...}: {
-    plugins = with availablePlugins; [ python perl ];
-  }
-}</programlisting>
-  If the <literal>configure</literal> function returns an attrset without the <literal>plugins</literal> attribute, <literal>availablePlugins</literal> will be used automatically.
- </para>
-
- <para>
-  The plugins currently available are <literal>python</literal>, <literal>perl</literal>, <literal>ruby</literal>, <literal>guile</literal>, <literal>tcl</literal> and <literal>lua</literal>.
- </para>
-
- <para>
-  The python and perl plugins allows the addition of extra libraries. For instance, the <literal>inotify.py</literal> script in weechat-scripts requires D-Bus or libnotify, and the <literal>fish.py</literal> script requires pycrypto. To use these scripts, use the plugin's <literal>withPackages</literal> attribute:
-<programlisting>weechat.override { configure = {availablePlugins, ...}: {
-    plugins = with availablePlugins; [
-            (python.withPackages (ps: with ps; [ pycrypto python-dbus ]))
-        ];
-    };
-}
-</programlisting>
- </para>
-
- <para>
-  In order to also keep all default plugins installed, it is possible to use the following method:
-<programlisting>weechat.override { configure = { availablePlugins, ... }: {
-  plugins = builtins.attrValues (availablePlugins // {
-    python = availablePlugins.python.withPackages (ps: with ps; [ pycrypto python-dbus ]);
-  });
-}; }
-</programlisting>
- </para>
-
- <para>
-  WeeChat allows to set defaults on startup using the <literal>--run-command</literal>. The <literal>configure</literal> method can be used to pass commands to the program:
-<programlisting>weechat.override {
-  configure = { availablePlugins, ... }: {
-    init = ''
-      /set foo bar
-      /server add freenode chat.freenode.org
-    '';
-  };
-}</programlisting>
-  Further values can be added to the list of commands when running <literal>weechat --run-command "your-commands"</literal>.
- </para>
-
- <para>
-  Additionally it's possible to specify scripts to be loaded when starting <literal>weechat</literal>. These will be loaded before the commands from <literal>init</literal>:
-<programlisting>weechat.override {
-  configure = { availablePlugins, ... }: {
-    scripts = with pkgs.weechatScripts; [
-      weechat-xmpp weechat-matrix-bridge wee-slack
-    ];
-    init = ''
-      /set plugins.var.python.jabber.key "val"
-    '':
-  };
-}</programlisting>
- </para>
-
- <para>
-  In <literal>nixpkgs</literal> there's a subpackage which contains derivations for WeeChat scripts. Such derivations expect a <literal>passthru.scripts</literal> attribute which contains a list of all scripts inside the store path. Furthermore all scripts have to live in <literal>$out/share</literal>. An exemplary derivation looks like this:
-<programlisting>{ stdenv, fetchurl }:
-
-stdenv.mkDerivation {
-  name = "exemplary-weechat-script";
-  src = fetchurl {
-    url = "https://scripts.tld/your-scripts.tar.gz";
-    sha256 = "...";
-  };
-  passthru.scripts = [ "foo.py" "bar.lua" ];
-  installPhase = ''
-    mkdir $out/share
-    cp foo.py $out/share
-    cp bar.lua $out/share
-  '';
-}</programlisting>
- </para>
-</section>
diff --git a/doc/builders/packages/xorg.section.md b/doc/builders/packages/xorg.section.md
new file mode 100644
index 00000000000..be220a25404
--- /dev/null
+++ b/doc/builders/packages/xorg.section.md
@@ -0,0 +1,34 @@
+# X.org {#sec-xorg}
+
+The Nix expressions for the X.org packages reside in `pkgs/servers/x11/xorg/default.nix`. This file is automatically generated from lists of tarballs in an X.org release. As such it should not be modified directly; rather, you should modify the lists, the generator script or the file `pkgs/servers/x11/xorg/overrides.nix`, in which you can override or add to the derivations produced by the generator.
+
+## Katamari Tarballs
+
+X.org upstream releases used to include [katamari](https://en.wiktionary.org/wiki/%E3%81%8B%E3%81%9F%E3%81%BE%E3%82%8A) releases, which included a holistic recommended version for each tarball, up until 7.7. To create a list of tarballs in a katamari release:
+
+```ShellSession
+export release="X11R7.7"
+export url="mirror://xorg/$release/src/everything/"
+cat $(PRINT_PATH=1 nix-prefetch-url $url | tail -n 1) \
+  | perl -e 'while (<>) { if (/(href|HREF)="([^"]*.bz2)"/) { print "$ENV{'url'}$2\n"; }; }' \
+  | sort > "tarballs-$release.list"
+```
+
+## Individual Tarballs
+
+The upstream release process for [X11R7.8](https://x.org/wiki/Releases/7.8/) does not include a planned katamari. Instead, each component of X.org is released as its own tarball. We maintain `pkgs/servers/x11/xorg/tarballs.list` as a list of tarballs for each individual package. This list includes X.org core libraries and protocol descriptions, extra newer X11 interface libraries, like `xorg.libxcb`, and classic utilities which are largely unused but still available if needed, like `xorg.imake`.
+
+## Generating Nix Expressions
+
+The generator is invoked as follows:
+
+```ShellSession
+cd pkgs/servers/x11/xorg
+<tarballs.list perl ./generate-expr-from-tarballs.pl
+```
+
+For each of the tarballs in the `.list` files, the script downloads it, unpacks it, and searches its `configure.ac` and `*.pc.in` files for dependencies. This information is used to generate `default.nix`. The generator caches downloaded tarballs between runs. Pay close attention to the `NOT FOUND: $NAME` messages at the end of the run, since they may indicate missing dependencies. (Some might be optional dependencies, however.)
+
+## Overriding the Generator
+
+If the expression for a package requires derivation attributes that the generator cannot figure out automatically (say, `patches` or a `postInstall` hook), you should modify `pkgs/servers/x11/xorg/overrides.nix`.
diff --git a/doc/builders/packages/xorg.xml b/doc/builders/packages/xorg.xml
deleted file mode 100644
index ebf4930cc09..00000000000
--- a/doc/builders/packages/xorg.xml
+++ /dev/null
@@ -1,34 +0,0 @@
-<section xmlns="http://docbook.org/ns/docbook"
-         xmlns:xlink="http://www.w3.org/1999/xlink"
-         xml:id="sec-xorg">
- <title>X.org</title>
-
- <para>
-  The Nix expressions for the X.org packages reside in <filename>pkgs/servers/x11/xorg/default.nix</filename>. This file is automatically generated from lists of tarballs in an X.org release. As such it should not be modified directly; rather, you should modify the lists, the generator script or the file <filename>pkgs/servers/x11/xorg/overrides.nix</filename>, in which you can override or add to the derivations produced by the generator.
- </para>
-
- <para>
-  The generator is invoked as follows:
-<screen>
-<prompt>$ </prompt>cd pkgs/servers/x11/xorg
-<prompt>$ </prompt>cat tarballs-7.5.list extra.list old.list \
-  | perl ./generate-expr-from-tarballs.pl
-</screen>
-  For each of the tarballs in the <filename>.list</filename> files, the script downloads it, unpacks it, and searches its <filename>configure.ac</filename> and <filename>*.pc.in</filename> files for dependencies. This information is used to generate <filename>default.nix</filename>. The generator caches downloaded tarballs between runs. Pay close attention to the <literal>NOT FOUND: <replaceable>name</replaceable></literal> messages at the end of the run, since they may indicate missing dependencies. (Some might be optional dependencies, however.)
- </para>
-
- <para>
-  A file like <filename>tarballs-7.5.list</filename> contains all tarballs in a X.org release. It can be generated like this:
-<screen>
-<prompt>$ </prompt>export i="mirror://xorg/X11R7.4/src/everything/"
-<prompt>$ </prompt>cat $(PRINT_PATH=1 nix-prefetch-url $i | tail -n 1) \
-  | perl -e 'while (&lt;>) { if (/(href|HREF)="([^"]*.bz2)"/) { print "$ENV{'i'}$2\n"; }; }' \
-  | sort > tarballs-7.4.list
-</screen>
-  <filename>extra.list</filename> contains libraries that aren’t part of X.org proper, but are closely related to it, such as <literal>libxcb</literal>. <filename>old.list</filename> contains some packages that were removed from X.org, but are still needed by some people or by other packages (such as <varname>imake</varname>).
- </para>
-
- <para>
-  If the expression for a package requires derivation attributes that the generator cannot figure out automatically (say, <varname>patches</varname> or a <varname>postInstall</varname> hook), you should modify <filename>pkgs/servers/x11/xorg/overrides.nix</filename>.
- </para>
-</section>
diff --git a/doc/languages-frameworks/coq.section.md b/doc/languages-frameworks/coq.section.md
new file mode 100644
index 00000000000..714e84efc8d
--- /dev/null
+++ b/doc/languages-frameworks/coq.section.md
@@ -0,0 +1,40 @@
+# Coq {#sec-language-coq}
+
+Coq libraries should be installed in `$(out)/lib/coq/${coq.coq-version}/user-contrib/`. Such directories are automatically added to the `$COQPATH` environment variable by the hook defined in the Coq derivation.
+
+Some extensions (plugins) might require OCaml and sometimes other OCaml packages. The `coq.ocamlPackages` attribute can be used to depend on the same package set Coq was built against.
+
+Coq libraries may be compatible with some specific versions of Coq only. The `compatibleCoqVersions` attribute is used to precisely select those versions of Coq that are compatible with this derivation.
+
+Here is a simple package example. It is a pure Coq library, thus it depends on Coq. It builds on the Mathematical Components library, thus it also takes `mathcomp` as `buildInputs`. Its `Makefile` has been generated using `coq_makefile` so we only have to set the `$COQLIB` variable at install time.
+
+```nix
+{ stdenv, fetchFromGitHub, coq, mathcomp }:
+
+stdenv.mkDerivation rec {
+  name = "coq${coq.coq-version}-multinomials-${version}";
+  version = "1.0";
+  src = fetchFromGitHub {
+    owner = "math-comp";
+    repo = "multinomials";
+    rev = version;
+    sha256 = "1qmbxp1h81cy3imh627pznmng0kvv37k4hrwi2faa101s6bcx55m";
+  };
+
+  buildInputs = [ coq ];
+  propagatedBuildInputs = [ mathcomp ];
+
+  installFlags = "COQLIB=$(out)/lib/coq/${coq.coq-version}/";
+
+  meta = {
+    description = "A Coq/SSReflect Library for Monoidal Rings and Multinomials";
+    inherit (src.meta) homepage;
+    license = stdenv.lib.licenses.cecill-b;
+    inherit (coq.meta) platforms;
+  };
+
+  passthru = {
+    compatibleCoqVersions = v: builtins.elem v [ "8.5" "8.6" "8.7" ];
+  };
+}
+```
diff --git a/doc/languages-frameworks/coq.xml b/doc/languages-frameworks/coq.xml
deleted file mode 100644
index 86d9226166f..00000000000
--- a/doc/languages-frameworks/coq.xml
+++ /dev/null
@@ -1,52 +0,0 @@
-<section xmlns="http://docbook.org/ns/docbook"
-         xmlns:xlink="http://www.w3.org/1999/xlink"
-         xml:id="sec-language-coq">
- <title>Coq</title>
-
- <para>
-  Coq libraries should be installed in <literal>$(out)/lib/coq/${coq.coq-version}/user-contrib/</literal>. Such directories are automatically added to the <literal>$COQPATH</literal> environment variable by the hook defined in the Coq derivation.
- </para>
-
- <para>
-  Some extensions (plugins) might require OCaml and sometimes other OCaml packages. The <literal>coq.ocamlPackages</literal> attribute can be used to depend on the same package set Coq was built against.
- </para>
-
- <para>
-  Coq libraries may be compatible with some specific versions of Coq only. The <literal>compatibleCoqVersions</literal> attribute is used to precisely select those versions of Coq that are compatible with this derivation.
- </para>
-
- <para>
-  Here is a simple package example. It is a pure Coq library, thus it depends on Coq. It builds on the Mathematical Components library, thus it also takes <literal>mathcomp</literal> as <literal>buildInputs</literal>. Its <literal>Makefile</literal> has been generated using <literal>coq_makefile</literal> so we only have to set the <literal>$COQLIB</literal> variable at install time.
- </para>
-
-<programlisting>
-{ stdenv, fetchFromGitHub, coq, mathcomp }:
-
-stdenv.mkDerivation rec {
-  name = "coq${coq.coq-version}-multinomials-${version}";
-  version = "1.0";
-  src = fetchFromGitHub {
-    owner = "math-comp";
-    repo = "multinomials";
-    rev = version;
-    sha256 = "1qmbxp1h81cy3imh627pznmng0kvv37k4hrwi2faa101s6bcx55m";
-  };
-
-  buildInputs = [ coq ];
-  propagatedBuildInputs = [ mathcomp ];
-
-  installFlags = "COQLIB=$(out)/lib/coq/${coq.coq-version}/";
-
-  meta = {
-    description = "A Coq/SSReflect Library for Monoidal Rings and Multinomials";
-    inherit (src.meta) homepage;
-    license = stdenv.lib.licenses.cecill-b;
-    inherit (coq.meta) platforms;
-  };
-
-  passthru = {
-    compatibleCoqVersions = v: builtins.elem v [ "8.5" "8.6" "8.7" ];
-  };
-}
-</programlisting>
-</section>
diff --git a/doc/languages-frameworks/index.xml b/doc/languages-frameworks/index.xml
index 22bc6e1baaa..c302b67cfd5 100644
--- a/doc/languages-frameworks/index.xml
+++ b/doc/languages-frameworks/index.xml
@@ -9,7 +9,7 @@
  <xi:include href="android.section.xml" />
  <xi:include href="beam.section.xml" />
  <xi:include href="bower.xml" />
- <xi:include href="coq.xml" />
+ <xi:include href="coq.section.xml" />
  <xi:include href="crystal.section.xml" />
  <xi:include href="emscripten.section.xml" />
  <xi:include href="gnome.xml" />
@@ -17,7 +17,7 @@
  <xi:include href="haskell.section.xml" />
  <xi:include href="idris.section.xml" />
  <xi:include href="ios.section.xml" />
- <xi:include href="java.xml" />
+ <xi:include href="java.section.xml" />
  <xi:include href="lua.section.xml" />
  <xi:include href="maven.section.xml" />
  <xi:include href="node.section.xml" />
diff --git a/doc/languages-frameworks/java.section.md b/doc/languages-frameworks/java.section.md
new file mode 100644
index 00000000000..77919d43f74
--- /dev/null
+++ b/doc/languages-frameworks/java.section.md
@@ -0,0 +1,91 @@
+# Java {#sec-language-java}
+
+Ant-based Java packages are typically built from source as follows:
+
+```nix
+stdenv.mkDerivation {
+  name = "...";
+  src = fetchurl { ... };
+
+  nativeBuildInputs = [ jdk ant ];
+
+  buildPhase = "ant";
+}
+```
+
+Note that `jdk` is an alias for the OpenJDK (self-built where available,
+or pre-built via Zulu). Platforms with OpenJDK not (yet) in Nixpkgs
+(`Aarch32`, `Aarch64`) point to the (unfree) `oraclejdk`.
+
+JAR files that are intended to be used by other packages should be
+installed in `$out/share/java`. JDKs have a stdenv setup hook that add
+any JARs in the `share/java` directories of the build inputs to the
+`CLASSPATH` environment variable. For instance, if the package `libfoo`
+installs a JAR named `foo.jar` in its `share/java` directory, and
+another package declares the attribute
+
+```nix
+buildInputs = [ libfoo ];
+nativeBuildInputs = [ jdk ];
+```
+
+then `CLASSPATH` will be set to
+`/nix/store/...-libfoo/share/java/foo.jar`.
+
+Private JARs should be installed in a location like
+`$out/share/package-name`.
+
+If your Java package provides a program, you need to generate a wrapper
+script to run it using a JRE. You can use `makeWrapper` for this:
+
+```nix
+nativeBuildInputs = [ makeWrapper ];
+
+installPhase = ''
+  mkdir -p $out/bin
+  makeWrapper ${jre}/bin/java $out/bin/foo \
+    --add-flags "-cp $out/share/java/foo.jar org.foo.Main"
+'';
+```
+
+Since the introduction of the Java Platform Module System in Java 9,
+Java distributions typically no longer ship with a general-purpose JRE:
+instead, they allow generating a JRE with only the modules required for
+your application(s). Because we can't predict what modules will be
+needed on a general-purpose system, the default jre package is the full
+JDK. When building a minimal system/image, you can override the
+`modules` parameter on `jre_minimal` to build a JRE with only the
+modules relevant for you:
+
+```nix
+let
+  my_jre = pkgs.jre_minimal.override {
+    modules = [
+      # The modules used by 'something' and 'other' combined:
+      "java.base"
+      "java.logging"
+    ];
+  };
+  something = (pkgs.something.override { jre = my_jre; });
+  other = (pkgs.other.override { jre = my_jre; });
+in
+  ...
+```
+
+Note all JDKs passthru `home`, so if your application requires
+environment variables like `JAVA_HOME` being set, that can be done in a
+generic fashion with the `--set` argument of `makeWrapper`:
+
+```bash
+--set JAVA_HOME ${jdk.home}
+```
+
+It is possible to use a different Java compiler than `javac` from the
+OpenJDK. For instance, to use the GNU Java Compiler:
+
+```nix
+nativeBuildInputs = [ gcj ant ];
+```
+
+Here, Ant will automatically use `gij` (the GNU Java Runtime) instead of
+the OpenJRE.
diff --git a/doc/languages-frameworks/java.xml b/doc/languages-frameworks/java.xml
deleted file mode 100644
index 881d492b5bf..00000000000
--- a/doc/languages-frameworks/java.xml
+++ /dev/null
@@ -1,77 +0,0 @@
-<section xmlns="http://docbook.org/ns/docbook"
-         xmlns:xlink="http://www.w3.org/1999/xlink"
-         xml:id="sec-language-java">
- <title>Java</title>
-
- <para>
-  Ant-based Java packages are typically built from source as follows:
-<programlisting>
-stdenv.mkDerivation {
-  name = "...";
-  src = fetchurl { ... };
-
-  nativeBuildInputs = [ jdk ant ];
-
-  buildPhase = "ant";
-}
-</programlisting>
-  Note that <varname>jdk</varname> is an alias for the OpenJDK (self-built where available, or pre-built via Zulu). Platforms with OpenJDK not (yet) in Nixpkgs (<literal>Aarch32</literal>, <literal>Aarch64</literal>) point to the (unfree) <literal>oraclejdk</literal>.
- </para>
-
- <para>
-  JAR files that are intended to be used by other packages should be installed in <filename>$out/share/java</filename>. JDKs have a stdenv setup hook that add any JARs in the <filename>share/java</filename> directories of the build inputs to the <envar>CLASSPATH</envar> environment variable. For instance, if the package <literal>libfoo</literal> installs a JAR named <filename>foo.jar</filename> in its <filename>share/java</filename> directory, and another package declares the attribute
-<programlisting>
-buildInputs = [ libfoo ];
-nativeBuildInputs = [ jdk ];
-</programlisting>
-  then <envar>CLASSPATH</envar> will be set to <filename>/nix/store/...-libfoo/share/java/foo.jar</filename>.
- </para>
-
- <para>
-  Private JARs should be installed in a location like <filename>$out/share/<replaceable>package-name</replaceable></filename>.
- </para>
-
- <para>
-  If your Java package provides a program, you need to generate a wrapper script to run it using a JRE. You can use <literal>makeWrapper</literal> for this:
-<programlisting>
-nativeBuildInputs = [ makeWrapper ];
-
-installPhase =
-  ''
-    mkdir -p $out/bin
-    makeWrapper ${jre}/bin/java $out/bin/foo \
-      --add-flags "-cp $out/share/java/foo.jar org.foo.Main"
-  '';
-</programlisting>
-Since the introduction of the Java Platform Module System in Java 9, Java distributions typically no longer ship with a general-purpose JRE: instead, they allow generating a JRE with only the modules required for your application(s). Because we can't predict what modules will be needed on a general-purpose system, the default <package>jre</package> package is the full JDK. When building a minimal system/image, you can override the <literal>modules</literal> parameter on <literal>jre_minimal</literal> to build a JRE with only the modules relevant for you:
-<programlisting>
-let
-  my_jre = pkgs.jre_minimal.override {
-    modules = [
-      # The modules used by 'something' and 'other' combined:
-      "java.base"
-      "java.logging"
-    ];
-  };
-  something = (pkgs.something.override { jre = my_jre; });
-  other = (pkgs.other.override { jre = my_jre; });
-in
-  ...
-</programlisting>
- </para>
-
- <para>
-  Note all JDKs passthru <literal>home</literal>, so if your application requires environment variables like <envar>JAVA_HOME</envar> being set, that can be done in a generic fashion with the <literal>--set</literal> argument of <literal>makeWrapper</literal>:
-<programlisting>
---set JAVA_HOME ${jdk.home}
-</programlisting>
- </para>
-
- <para>
-  It is possible to use a different Java compiler than <command>javac</command> from the OpenJDK. For instance, to use the GNU Java Compiler:
-<programlisting>
-nativeBuildInputs = [ gcj ant ];
-</programlisting>
-  Here, Ant will automatically use <command>gij</command> (the GNU Java Runtime) instead of the OpenJRE.
- </para>
-</section>
diff --git a/nixos/doc/manual/installation/installing.xml b/nixos/doc/manual/installation/installing.xml
index 6df1d830348..bedeb7ccfa8 100644
--- a/nixos/doc/manual/installation/installing.xml
+++ b/nixos/doc/manual/installation/installing.xml
@@ -480,13 +480,8 @@ Retype new UNIX password: ***</screen>
 <prompt>$ </prompt>passwd eelco</screen>
     </para>
     <para>
-     You may also want to install some software. For instance,
-<screen>
-<prompt>$ </prompt>nix-env -qaP \*</screen>
-     shows what packages are available, and
-<screen>
-<prompt>$ </prompt>nix-env -f '&lt;nixpkgs&gt;' -iA w3m</screen>
-     installs the <literal>w3m</literal> browser.
+     You may also want to install some software. This will be covered
+     in <xref linkend="sec-package-management" />.
     </para>
    </listitem>
   </orderedlist>
diff --git a/nixos/modules/services/mail/rspamd.nix b/nixos/modules/services/mail/rspamd.nix
index a6c19a2af73..2f9d28195bd 100644
--- a/nixos/modules/services/mail/rspamd.nix
+++ b/nixos/modules/services/mail/rspamd.nix
@@ -371,6 +371,9 @@ in
     };
     services.postfix.config = mkIf cfg.postfix.enable cfg.postfix.config;
 
+    systemd.services.postfix.serviceConfig.SupplementaryGroups =
+      mkIf cfg.postfix.enable [ postfixCfg.group ];
+
     # Allow users to run 'rspamc' and 'rspamadm'.
     environment.systemPackages = [ pkgs.rspamd ];
 
@@ -394,16 +397,45 @@ in
       restartTriggers = [ rspamdDir ];
 
       serviceConfig = {
-        ExecStart = "${pkgs.rspamd}/bin/rspamd ${optionalString cfg.debug "-d"} --user=${cfg.user} --group=${cfg.group} --pid=/run/rspamd.pid -c /etc/rspamd/rspamd.conf -f";
+        ExecStart = "${pkgs.rspamd}/bin/rspamd ${optionalString cfg.debug "-d"} -c /etc/rspamd/rspamd.conf -f";
         Restart = "always";
-        RuntimeDirectory = "rspamd";
-        PrivateTmp = true;
-      };
 
-      preStart = ''
-        ${pkgs.coreutils}/bin/mkdir -p /var/lib/rspamd
-        ${pkgs.coreutils}/bin/chown ${cfg.user}:${cfg.group} /var/lib/rspamd
-      '';
+        User = "${cfg.user}";
+        Group = "${cfg.group}";
+        SupplementaryGroups = mkIf cfg.postfix.enable [ postfixCfg.group ];
+
+        RuntimeDirectory = "rspamd";
+        RuntimeDirectoryMode = "0755";
+        StateDirectory = "rspamd";
+        StateDirectoryMode = "0700";
+
+        AmbientCapabilities = [];
+        CapabilityBoundingSet = [];
+        DevicePolicy = "closed";
+        LockPersonality = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        PrivateMounts = true;
+        PrivateTmp = true;
+        # we need to chown socket to rspamd-milter
+        PrivateUsers = !cfg.postfix.enable;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectSystem = "strict";
+        RemoveIPC = true;
+        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = "@system-service";
+        UMask = "0077";
+      };
     };
   };
   imports = [
diff --git a/nixos/modules/services/networking/nat.nix b/nixos/modules/services/networking/nat.nix
index 21ae9eb8b6d..45eb500fe8c 100644
--- a/nixos/modules/services/networking/nat.nix
+++ b/nixos/modules/services/networking/nat.nix
@@ -9,7 +9,14 @@ with lib;
 let
   cfg = config.networking.nat;
 
-  dest = if cfg.externalIP == null then "-j MASQUERADE" else "-j SNAT --to-source ${cfg.externalIP}";
+  mkDest = externalIP: if externalIP == null
+                       then "-j MASQUERADE"
+                       else "-j SNAT --to-source ${externalIP}";
+  dest = mkDest cfg.externalIP;
+  destIPv6 = mkDest cfg.externalIPv6;
+
+  # Whether given IP (plus optional port) is an IPv6.
+  isIPv6 = ip: builtins.length (lib.splitString ":" ip) > 2;
 
   helpers = import ./helpers.nix { inherit config lib; };
 
@@ -28,63 +35,80 @@ let
     ${cfg.extraStopCommands}
   '';
 
-  setupNat = ''
-    ${helpers}
-    # Create subchain where we store rules
-    ip46tables -w -t nat -N nixos-nat-pre
-    ip46tables -w -t nat -N nixos-nat-post
-    ip46tables -w -t nat -N nixos-nat-out
-
+  mkSetupNat = { iptables, dest, internalIPs, forwardPorts }: ''
     # We can't match on incoming interface in POSTROUTING, so
     # mark packets coming from the internal interfaces.
     ${concatMapStrings (iface: ''
-      iptables -w -t nat -A nixos-nat-pre \
+      ${iptables} -w -t nat -A nixos-nat-pre \
         -i '${iface}' -j MARK --set-mark 1
     '') cfg.internalInterfaces}
 
     # NAT the marked packets.
     ${optionalString (cfg.internalInterfaces != []) ''
-      iptables -w -t nat -A nixos-nat-post -m mark --mark 1 \
+      ${iptables} -w -t nat -A nixos-nat-post -m mark --mark 1 \
         ${optionalString (cfg.externalInterface != null) "-o ${cfg.externalInterface}"} ${dest}
     ''}
 
     # NAT packets coming from the internal IPs.
     ${concatMapStrings (range: ''
-      iptables -w -t nat -A nixos-nat-post \
+      ${iptables} -w -t nat -A nixos-nat-post \
         -s '${range}' ${optionalString (cfg.externalInterface != null) "-o ${cfg.externalInterface}"} ${dest}
-    '') cfg.internalIPs}
+    '') internalIPs}
 
     # NAT from external ports to internal ports.
     ${concatMapStrings (fwd: ''
-      iptables -w -t nat -A nixos-nat-pre \
+      ${iptables} -w -t nat -A nixos-nat-pre \
         -i ${toString cfg.externalInterface} -p ${fwd.proto} \
         --dport ${builtins.toString fwd.sourcePort} \
         -j DNAT --to-destination ${fwd.destination}
 
       ${concatMapStrings (loopbackip:
         let
-          m                = builtins.match "([0-9.]+):([0-9-]+)" fwd.destination;
-          destinationIP    = if (m == null) then throw "bad ip:ports `${fwd.destination}'" else elemAt m 0;
-          destinationPorts = if (m == null) then throw "bad ip:ports `${fwd.destination}'" else builtins.replaceStrings ["-"] [":"] (elemAt m 1);
+          matchIP          = if isIPv6 fwd.destination then "[[]([0-9a-fA-F:]+)[]]" else "([0-9.]+)";
+          m                = builtins.match "${matchIP}:([0-9-]+)" fwd.destination;
+          destinationIP    = if m == null then throw "bad ip:ports `${fwd.destination}'" else elemAt m 0;
+          destinationPorts = if m == null then throw "bad ip:ports `${fwd.destination}'" else builtins.replaceStrings ["-"] [":"] (elemAt m 1);
         in ''
           # Allow connections to ${loopbackip}:${toString fwd.sourcePort} from the host itself
-          iptables -w -t nat -A nixos-nat-out \
+          ${iptables} -w -t nat -A nixos-nat-out \
             -d ${loopbackip} -p ${fwd.proto} \
             --dport ${builtins.toString fwd.sourcePort} \
             -j DNAT --to-destination ${fwd.destination}
 
           # Allow connections to ${loopbackip}:${toString fwd.sourcePort} from other hosts behind NAT
-          iptables -w -t nat -A nixos-nat-pre \
+          ${iptables} -w -t nat -A nixos-nat-pre \
             -d ${loopbackip} -p ${fwd.proto} \
             --dport ${builtins.toString fwd.sourcePort} \
             -j DNAT --to-destination ${fwd.destination}
 
-          iptables -w -t nat -A nixos-nat-post \
+          ${iptables} -w -t nat -A nixos-nat-post \
             -d ${destinationIP} -p ${fwd.proto} \
             --dport ${destinationPorts} \
             -j SNAT --to-source ${loopbackip}
         '') fwd.loopbackIPs}
-    '') cfg.forwardPorts}
+    '') forwardPorts}
+  '';
+
+  setupNat = ''
+    ${helpers}
+    # Create subchains where we store rules
+    ip46tables -w -t nat -N nixos-nat-pre
+    ip46tables -w -t nat -N nixos-nat-post
+    ip46tables -w -t nat -N nixos-nat-out
+
+    ${mkSetupNat {
+      iptables = "iptables";
+      inherit dest;
+      inherit (cfg) internalIPs;
+      forwardPorts = filter (x: !(isIPv6 x.destination)) cfg.forwardPorts;
+    }}
+
+    ${optionalString cfg.enableIPv6 (mkSetupNat {
+      iptables = "ip6tables";
+      dest = destIPv6;
+      internalIPs = cfg.internalIPv6s;
+      forwardPorts = filter (x: isIPv6 x.destination) cfg.forwardPorts;
+    })}
 
     ${optionalString (cfg.dmzHost != null) ''
       iptables -w -t nat -A nixos-nat-pre \
@@ -117,6 +141,15 @@ in
         '';
     };
 
+    networking.nat.enableIPv6 = mkOption {
+      type = types.bool;
+      default = false;
+      description =
+        ''
+          Whether to enable IPv6 NAT.
+        '';
+    };
+
     networking.nat.internalInterfaces = mkOption {
       type = types.listOf types.str;
       default = [];
@@ -141,6 +174,18 @@ in
         '';
     };
 
+    networking.nat.internalIPv6s = mkOption {
+      type = types.listOf types.str;
+      default = [];
+      example = [ "fc00::/64" ];
+      description =
+        ''
+          The IPv6 address ranges for which to perform NAT.  Packets
+          coming from these addresses (on any interface) and destined
+          for the external interface will be rewritten.
+        '';
+    };
+
     networking.nat.externalInterface = mkOption {
       type = types.nullOr types.str;
       default = null;
@@ -164,6 +209,19 @@ in
         '';
     };
 
+    networking.nat.externalIPv6 = mkOption {
+      type = types.nullOr types.str;
+      default = null;
+      example = "2001:dc0:2001:11::175";
+      description =
+        ''
+          The public IPv6 address to which packets from the local
+          network are to be rewritten.  If this is left empty, the
+          IP address associated with the external interface will be
+          used.
+        '';
+    };
+
     networking.nat.forwardPorts = mkOption {
       type = with types; listOf (submodule {
         options = {
@@ -176,7 +234,7 @@ in
           destination = mkOption {
             type = types.str;
             example = "10.0.0.1:80";
-            description = "Forward connection to destination ip:port; to specify a port range, use ip:start-end";
+            description = "Forward connection to destination ip:port (or [ipv6]:port); to specify a port range, use ip:start-end";
           };
 
           proto = mkOption {
@@ -195,11 +253,15 @@ in
         };
       });
       default = [];
-      example = [ { sourcePort = 8080; destination = "10.0.0.1:80"; proto = "tcp"; } ];
+      example = [
+        { sourcePort = 8080; destination = "10.0.0.1:80"; proto = "tcp"; }
+        { sourcePort = 8080; destination = "[fc00::2]:80"; proto = "tcp"; }
+      ];
       description =
         ''
           List of forwarded ports from the external interface to
-          internal destinations by using DNAT.
+          internal destinations by using DNAT. Destination can be
+          IPv6 if IPv6 NAT is enabled.
         '';
     };
 
@@ -246,6 +308,9 @@ in
     (mkIf config.networking.nat.enable {
 
       assertions = [
+        { assertion = cfg.enableIPv6           -> config.networking.enableIPv6;
+          message = "networking.nat.enableIPv6 requires networking.enableIPv6";
+        }
         { assertion = (cfg.dmzHost != null)    -> (cfg.externalInterface != null);
           message = "networking.nat.dmzHost requires networking.nat.externalInterface";
         }
@@ -261,6 +326,15 @@ in
         kernel.sysctl = {
           "net.ipv4.conf.all.forwarding" = mkOverride 99 true;
           "net.ipv4.conf.default.forwarding" = mkOverride 99 true;
+        } // optionalAttrs cfg.enableIPv6 {
+          # Do not prevent IPv6 autoconfiguration.
+          # See <http://strugglers.net/~andy/blog/2011/09/04/linux-ipv6-router-advertisements-and-forwarding/>.
+          "net.ipv6.conf.all.accept_ra" = mkOverride 99 2;
+          "net.ipv6.conf.default.accept_ra" = mkOverride 99 2;
+
+          # Forward IPv6 packets.
+          "net.ipv6.conf.all.forwarding" = mkOverride 99 true;
+          "net.ipv6.conf.default.forwarding" = mkOverride 99 true;
         };
       };
 
diff --git a/nixos/modules/services/networking/tailscale.nix b/nixos/modules/services/networking/tailscale.nix
index d6684d69e61..1a1474595be 100644
--- a/nixos/modules/services/networking/tailscale.nix
+++ b/nixos/modules/services/networking/tailscale.nix
@@ -14,11 +14,18 @@ in {
       default = 41641;
       description = "The port to listen on for tunnel traffic (0=autoselect).";
     };
+
+    package = mkOption {
+      type = types.package;
+      default = pkgs.tailscale;
+      defaultText = "pkgs.tailscale";
+      description = "The package to use for tailscale";
+    };
   };
 
   config = mkIf cfg.enable {
-    environment.systemPackages = [ pkgs.tailscale ]; # for the CLI
-    systemd.packages = [ pkgs.tailscale ];
+    environment.systemPackages = [ cfg.package ]; # for the CLI
+    systemd.packages = [ cfg.package ];
     systemd.services.tailscaled = {
       wantedBy = [ "multi-user.target" ];
       serviceConfig.Environment = "PORT=${toString cfg.port}";
diff --git a/nixos/tests/podman.nix b/nixos/tests/podman.nix
index bccd2de7c9b..dd28563dc4c 100644
--- a/nixos/tests/podman.nix
+++ b/nixos/tests/podman.nix
@@ -61,6 +61,12 @@ import ./make-test-python.nix (
           podman.succeed("podman stop sleeping")
           podman.succeed("podman rm sleeping")
 
+
+      podman.succeed(
+          "mkdir -p /tmp/podman-run-1000/libpod && chown alice -R /tmp/podman-run-1000"
+      )
+
+
       with subtest("Run container rootless with crun"):
           podman.succeed(su_cmd("tar cv --files-from /dev/null | podman import - scratchimg"))
           podman.succeed(
diff --git a/nixos/tests/rspamd.nix b/nixos/tests/rspamd.nix
index 6eaa02ef429..7f41e1a7956 100644
--- a/nixos/tests/rspamd.nix
+++ b/nixos/tests/rspamd.nix
@@ -13,10 +13,12 @@ let
     machine.succeed("id rspamd >/dev/null")
   '';
   checkSocket = socket: user: group: mode: ''
-    machine.succeed("ls ${socket} >/dev/null")
-    machine.succeed('[[ "$(stat -c %U ${socket})" == "${user}" ]]')
-    machine.succeed('[[ "$(stat -c %G ${socket})" == "${group}" ]]')
-    machine.succeed('[[ "$(stat -c %a ${socket})" == "${mode}" ]]')
+    machine.succeed(
+        "ls ${socket} >/dev/null",
+        '[[ "$(stat -c %U ${socket})" == "${user}" ]]',
+        '[[ "$(stat -c %G ${socket})" == "${group}" ]]',
+        '[[ "$(stat -c %a ${socket})" == "${mode}" ]]',
+    )
   '';
   simple = name: enableIPv6: makeTest {
     name = "rspamd-${name}";
@@ -54,33 +56,35 @@ in
       services.rspamd = {
         enable = true;
         workers.normal.bindSockets = [{
-          socket = "/run/rspamd.sock";
+          socket = "/run/rspamd/rspamd.sock";
           mode = "0600";
-          owner = "root";
-          group = "root";
+          owner = "rspamd";
+          group = "rspamd";
         }];
         workers.controller.bindSockets = [{
-          socket = "/run/rspamd-worker.sock";
+          socket = "/run/rspamd/rspamd-worker.sock";
           mode = "0666";
-          owner = "root";
-          group = "root";
+          owner = "rspamd";
+          group = "rspamd";
         }];
       };
     };
 
     testScript = ''
       ${initMachine}
-      machine.wait_for_file("/run/rspamd.sock")
-      ${checkSocket "/run/rspamd.sock" "root" "root" "600" }
-      ${checkSocket "/run/rspamd-worker.sock" "root" "root" "666" }
+      machine.wait_for_file("/run/rspamd/rspamd.sock")
+      ${checkSocket "/run/rspamd/rspamd.sock" "rspamd" "rspamd" "600" }
+      ${checkSocket "/run/rspamd/rspamd-worker.sock" "rspamd" "rspamd" "666" }
       machine.log(machine.succeed("cat /etc/rspamd/rspamd.conf"))
       machine.log(
           machine.succeed("grep 'CONFDIR/worker-controller.inc' /etc/rspamd/rspamd.conf")
       )
       machine.log(machine.succeed("grep 'CONFDIR/worker-normal.inc' /etc/rspamd/rspamd.conf"))
-      machine.log(machine.succeed("rspamc -h /run/rspamd-worker.sock stat"))
+      machine.log(machine.succeed("rspamc -h /run/rspamd/rspamd-worker.sock stat"))
       machine.log(
-          machine.succeed("curl --unix-socket /run/rspamd-worker.sock http://localhost/ping")
+          machine.succeed(
+              "curl --unix-socket /run/rspamd/rspamd-worker.sock http://localhost/ping"
+          )
       )
     '';
   };
@@ -91,16 +95,16 @@ in
       services.rspamd = {
         enable = true;
         workers.normal.bindSockets = [{
-          socket = "/run/rspamd.sock";
+          socket = "/run/rspamd/rspamd.sock";
           mode = "0600";
-          owner = "root";
-          group = "root";
+          owner = "rspamd";
+          group = "rspamd";
         }];
         workers.controller.bindSockets = [{
-          socket = "/run/rspamd-worker.sock";
+          socket = "/run/rspamd/rspamd-worker.sock";
           mode = "0666";
-          owner = "root";
-          group = "root";
+          owner = "rspamd";
+          group = "rspamd";
         }];
         workers.controller2 = {
           type = "controller";
@@ -116,9 +120,9 @@ in
 
     testScript = ''
       ${initMachine}
-      machine.wait_for_file("/run/rspamd.sock")
-      ${checkSocket "/run/rspamd.sock" "root" "root" "600" }
-      ${checkSocket "/run/rspamd-worker.sock" "root" "root" "666" }
+      machine.wait_for_file("/run/rspamd/rspamd.sock")
+      ${checkSocket "/run/rspamd/rspamd.sock" "rspamd" "rspamd" "600" }
+      ${checkSocket "/run/rspamd/rspamd-worker.sock" "rspamd" "rspamd" "666" }
       machine.log(machine.succeed("cat /etc/rspamd/rspamd.conf"))
       machine.log(
           machine.succeed("grep 'CONFDIR/worker-controller.inc' /etc/rspamd/rspamd.conf")
@@ -137,9 +141,11 @@ in
       machine.wait_until_succeeds(
           "journalctl -u rspamd | grep -i 'starting controller process' >&2"
       )
-      machine.log(machine.succeed("rspamc -h /run/rspamd-worker.sock stat"))
+      machine.log(machine.succeed("rspamc -h /run/rspamd/rspamd-worker.sock stat"))
       machine.log(
-          machine.succeed("curl --unix-socket /run/rspamd-worker.sock http://localhost/ping")
+          machine.succeed(
+              "curl --unix-socket /run/rspamd/rspamd-worker.sock http://localhost/ping"
+          )
       )
       machine.log(machine.succeed("curl http://localhost:11335/ping"))
     '';
diff --git a/pkgs/applications/graphics/pqiv/default.nix b/pkgs/applications/graphics/pqiv/default.nix
index bb29101b4c7..96efc091ef2 100644
--- a/pkgs/applications/graphics/pqiv/default.nix
+++ b/pkgs/applications/graphics/pqiv/default.nix
@@ -4,13 +4,13 @@
 
 stdenv.mkDerivation (rec {
   pname = "pqiv";
-  version = "2.11";
+  version = "2.12";
 
   src = fetchFromGitHub {
     owner = "phillipberndt";
     repo = "pqiv";
     rev = version;
-    sha256 = "06cwm28b7j1skwp21s5snmj1pqh3xh6y2i5v4w3pz0b8k3053h9i";
+    sha256 = "18nvrqmlifh4m8nfs0d19sb9d1l3a95xc89qxqdr881jcxdsgflw";
   };
 
   nativeBuildInputs = [ pkgconfig ];
diff --git a/pkgs/applications/misc/dbeaver/default.nix b/pkgs/applications/misc/dbeaver/default.nix
index 4f1d4391181..4e928ff34f0 100644
--- a/pkgs/applications/misc/dbeaver/default.nix
+++ b/pkgs/applications/misc/dbeaver/default.nix
@@ -7,7 +7,7 @@
 
 stdenv.mkDerivation rec {
   pname = "dbeaver-ce";
-  version = "7.2.5";
+  version = "7.3.0";
 
   desktopItem = makeDesktopItem {
     name = "dbeaver";
@@ -30,7 +30,7 @@ stdenv.mkDerivation rec {
 
   src = fetchurl {
     url = "https://dbeaver.io/files/${version}/dbeaver-ce-${version}-linux.gtk.x86_64.tar.gz";
-    sha256 = "sha256-CRyAeizhaSDmVFGRhrYIW0Ofli9HnkgItiAGRJAETQM=";
+    sha256 = "sha256-JhEF2/97vo2FgzpCFkuc31aLl9qjKHV8RYXO5oBU1no=";
   };
 
   installPhase = ''
diff --git a/pkgs/applications/misc/navi/default.nix b/pkgs/applications/misc/navi/default.nix
index 7553b078ef6..46d463645e5 100644
--- a/pkgs/applications/misc/navi/default.nix
+++ b/pkgs/applications/misc/navi/default.nix
@@ -2,16 +2,16 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "navi";
-  version = "2.12.1";
+  version = "2.13.0";
 
   src = fetchFromGitHub {
     owner = "denisidoro";
     repo = "navi";
     rev = "v${version}";
-    sha256 = "1vrj8ad004h6jgmcb56f3f19s4xk6gvcpwysj78bxzgpa1998r3r";
+    sha256 = "04ks38s6d3nkdj0arhxw8f3sfw796l97fbqxsm7b9g5d2953a6cs";
   };
 
-  cargoSha256 = "0yifgcf2pfszzny523ax7pb9a5r3012nynbnhdqg0j1ia1pdymf3";
+  cargoSha256 = "1zwar1l793809bsgqnwrgi50y76bd78qd4s8lw6d64f4z72dh80g";
 
   nativeBuildInputs = [ makeWrapper ];
 
diff --git a/pkgs/applications/misc/obsidian/default.nix b/pkgs/applications/misc/obsidian/default.nix
index ac28694c45e..5618a8df910 100644
--- a/pkgs/applications/misc/obsidian/default.nix
+++ b/pkgs/applications/misc/obsidian/default.nix
@@ -30,12 +30,12 @@ let
 
 in stdenv.mkDerivation rec {
   pname = "obsidian";
-  version = "0.9.15";
+  version = "0.9.17";
 
   src = fetchurl {
     url =
       "https://github.com/obsidianmd/obsidian-releases/releases/download/v${version}/obsidian-${version}.asar.gz";
-    sha256 = "0cfzci2l1bbjc5mqs3hjyy3grz5jk3qbna57vfcvxz36kcd5djv5";
+    sha256 = "0spa5zsipd456dcsp7ww24ab5vk4vmwyvrdmraw3hcsbnj9vcnwa";
   };
 
   nativeBuildInputs = [ makeWrapper graphicsmagick ];
diff --git a/pkgs/applications/misc/pueue/default.nix b/pkgs/applications/misc/pueue/default.nix
index 3cd9d5db006..d0459cb426c 100644
--- a/pkgs/applications/misc/pueue/default.nix
+++ b/pkgs/applications/misc/pueue/default.nix
@@ -2,16 +2,16 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "pueue";
-  version = "0.8.1";
+  version = "0.8.2";
 
   src = fetchFromGitHub {
     owner = "Nukesor";
     repo = pname;
     rev = "v${version}";
-    sha256 = "0rqnbils0r98qglhm2jafw5d119fqdzszmk825yc0bma4icm7xzp";
+    sha256 = "1vdlsfnqnyri0ny2g695lhivs9m25v9lsqf1valwbjv9l9vjxfqa";
   };
 
-  cargoSha256 = "1f3g5i0yh82qll1hyihrvv08pbd4h9vzs6jy6bf94bzabyjsgnzv";
+  cargoSha256 = "0qziwb69qpbziz772np8dcb1dvxg6m506k5kl63m75z4zicgykcv";
 
   nativeBuildInputs = [ installShellFiles ];
 
diff --git a/pkgs/applications/networking/cluster/terraform-providers/update-provider b/pkgs/applications/networking/cluster/terraform-providers/update-provider
index c7094e1c77e..e1f1a0ef38a 100755
--- a/pkgs/applications/networking/cluster/terraform-providers/update-provider
+++ b/pkgs/applications/networking/cluster/terraform-providers/update-provider
@@ -1,42 +1,94 @@
 #!/usr/bin/env nix-shell
-#! nix-shell -i bash -p coreutils curl jq
+#! nix-shell -i bash -p coreutils curl jq moreutils
 # shellcheck shell=bash
+# vim: ft=sh
+#
+# Update a terraform provider to the latest version advertised at the
+# provider source address.
 #
-# Update a terraform provider to the latest version advertised at
-# the provider source address.
 set -euo pipefail
 
-USAGE=$(cat<<DOC
-Specify the terraform provider name to update.
+show_usage() {
+  cat <<DOC
+Usage: ./update-provider [--force] [--vendor] [<owner>/]<provider>
 
-Example:
-To update nixpkgs.terraform-providers.aws run:
-./update-provider aws
+Update a single provider in the providers.json inventory file.
+
+For example to update 'terraform-providers.aws' run:
+
+    ./update-provider aws
+
+If the provider is not in the list already, use the form '<owner>/<provider>'
+to add the provider to the list:
+
+    ./update-provider hetznercloud/hcloud
+
+Options:
+
+  * --force: Force the update even if the version matches.
+  * --vendor: Switch from go package to go modules with vendor.
+  * --vendor-sha256 <sha256>: Override the SHA256 or "null".
 DOC
-)
+}
 
-provider_name="${1:-}"
-if [ -z "$provider_name" ]; then
-  echo "No providers specified!"
+force=
+provider=
+vendor=
+vendorSha256=
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+  -h | --help)
+    show_usage
+    exit
+    ;;
+  --force)
+    force=1
+    shift
+    ;;
+  --vendor)
+    force=1
+    vendor=1
+    shift
+    ;;
+  --vendor-sha256)
+    force=1
+    vendorSha256=$2
+    shift 2
+    ;;
+  *)
+    if [[ -n "$provider" ]]; then
+      echo "ERROR: provider name was passed two times: '$provider' and '$1'"
+      echo "Use --help for more info"
+      exit 1
+    fi
+    provider=$1
+    shift
+  esac
+done
+
+if [[ -z "$provider" ]]; then
+  echo "ERROR: No providers specified!"
   echo
-  echo "$USAGE"
+  show_usage
   exit 1
 fi
 
-provider_source_address="$(jq -r ".$provider_name.\"provider-source-address\"" providers.json)"
+provider_name=$(basename "$provider")
 
-if [ "$provider_source_address" == "null" ]; then
-  echo "No provider source address specified with provider: $provider_name"
-  exit 1
-fi
+# Usage: read_attr <key>
+read_attr() {
+  jq -r ".\"$provider_name\".\"$1\"" providers.json
+}
 
-# The provider source address (used inside Terraform `required_providers` block) is
-# used to compute the registry API endpoint
-#
-# registry.terraform.io/hashicorp/aws (provider source address)
-# registry.terraform.io/providers/hashicorp/aws (provider URL for the website)
-# registry.terraform.io/v1/providers/hashicorp/aws (provider URL for the JSON API)
-registry_response=$(curl -s https://"${provider_source_address/\///v1/providers/}")
+# Usage: update_attr <key> <value>
+update_attr() {
+  if [[ "$2" == "null" ]]; then
+    jq -S ".\"$provider_name\".\"$1\" = null" providers.json | sponge providers.json
+  else
+    jq -S ".\"$provider_name\".\"$1\" = \"$2\"" providers.json | sponge providers.json
+  fi
+}
 
 prefetch_github() {
   # of a given owner, repo and rev, fetch the tarball and return the output of
@@ -47,31 +99,80 @@ prefetch_github() {
   nix-prefetch-url --unpack "https://github.com/$owner/$repo/archive/$rev.tar.gz"
 }
 
+old_source_address="$(read_attr provider-source-address)"
+old_vendor_sha256=$(read_attr vendorSha256)
+old_version=$(read_attr version)
+
+if [[ $provider =~ ^[^/]+/[^/]+$ ]]; then
+  source_address=registry.terraform.io/$provider
+else
+  source_address=$old_source_address
+fi
+if [[ "$source_address" == "null" ]]; then
+  echo "Could not find the source address for provider: $provider"
+  exit 1
+fi
+update_attr "provider-source-address" "$source_address"
+
+# The provider source address (used inside Terraform `required_providers` block) is
+# used to compute the registry API endpoint
+#
+# registry.terraform.io/hashicorp/aws (provider source address)
+# registry.terraform.io/providers/hashicorp/aws (provider URL for the website)
+# registry.terraform.io/v1/providers/hashicorp/aws (provider URL for the JSON API)
+registry_response=$(curl -s https://"${source_address/\///v1/providers/}")
+
+version="$(jq -r '.version' <<< "$registry_response")"
+if [[ "$old_version" = "$version" && "$force" != 1 && -z "$vendorSha256" && "$old_vendor_sha256" != "$vendorSha256" ]]; then
+  echo "$provider_name is already at version $version"
+  exit
+fi
+update_attr version "$version"
+
 provider_source_url="$(jq -r '.source' <<< "$registry_response")"
 
 org="$(echo "$provider_source_url" | cut -d '/' -f 4)"
+update_attr owner "$org"
 repo="$(echo "$provider_source_url" | cut -d '/' -f 5)"
+update_attr repo "$repo"
 rev="$(jq -r '.tag' <<< "$registry_response")"
-
+update_attr rev "$rev"
 sha256=$(prefetch_github "$org" "$repo" "$rev")
+update_attr sha256 "$sha256"
 
-version="$(jq -r '.version' <<< "$registry_response")"
+repo_root=$(git rev-parse --show-toplevel)
 
-updated_provider="$(mktemp)"
-cat <<EOF >> "$updated_provider"
-{
-  "$provider_name": {
-    "owner": "$org",
-    "repo": "$repo",
-    "rev": "$rev",
-    "sha256": "$sha256",
-    "version": "$version",
-    "provider-source-address": "$provider_source_address"
-  }
-}
-EOF
+if [[ -z "$vendorSha256" ]]; then
+  if [[ "$old_vendor_sha256" == null ]]; then
+    vendorSha256=null
+  elif [[ -n "$old_vendor_sha256" || "$vendor" = 1 ]]; then
+    echo "=== Calculating vendorSha256 ==="
+    update_attr vendorSha256 "0000000000000000000000000000000000000000000000000000000000000000"
+    # Hackish way to find out the desired sha256. First build, then extract the
+    # error message from the logs.
+    set +e
+    nix-build --no-out-link "$repo_root" -A "terraform-providers.$provider_name.go-modules" 2>vendor_log.txt
+    set -e
+    logs=$(< vendor_log.txt)
+    if ! [[ $logs =~ got:\ +([^\ ]+) ]]; then
+      echo "ERROR: could not find new hash in output:"
+      cat vendor_log.txt
+      rm -f vendor_log.txt
+      exit 1
+    fi
+    rm -f vendor_log.txt
+    vendorSha256=${BASH_REMATCH[1]}
+    # Deal with nix unstable
+    if [[ $vendorSha256 = sha256-* ]]; then
+      vendorSha256=$(nix to-base32 "$vendorSha256")
+    fi
+  fi
+fi
 
-original_provider_list="$(mktemp)"
-cat providers.json > "$original_provider_list"
+if [[ -n "$vendorSha256" ]]; then
+  update_attr vendorSha256 "$vendorSha256"
+fi
 
-jq --sort-keys --slurp '.[0] * .[1]' "$original_provider_list" "$updated_provider" > providers.json
+# Check that the provider builds
+echo "=== Building terraform-providers.$provider_name ==="
+nix-build "$repo_root" -A "terraform-providers.$provider_name"
diff --git a/pkgs/applications/networking/feedreaders/rssguard/default.nix b/pkgs/applications/networking/feedreaders/rssguard/default.nix
index f9abd3fef3c..13dc38aaba9 100644
--- a/pkgs/applications/networking/feedreaders/rssguard/default.nix
+++ b/pkgs/applications/networking/feedreaders/rssguard/default.nix
@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   pname = "rssguard";
-  version = "3.8.2";
+  version = "3.8.3";
 
   src = fetchFromGitHub {
     owner = "martinrotter";
     repo = pname;
     rev = version;
-    sha256 = "0vy89ih586s89s29dzzggk7bkaz70mzrc9islirk01s1jal1jn0v";
+    sha256 = "1704nj77h6s88l4by3wxl5l770gaig90mv3ix80r00nh8mhzq44q";
   };
 
   buildInputs =  [ qtwebengine qttools ];
diff --git a/pkgs/applications/networking/instant-messengers/toxic/default.nix b/pkgs/applications/networking/instant-messengers/toxic/default.nix
index c9dd22f1831..6b511d1a1a9 100644
--- a/pkgs/applications/networking/instant-messengers/toxic/default.nix
+++ b/pkgs/applications/networking/instant-messengers/toxic/default.nix
@@ -4,13 +4,13 @@
 
 stdenv.mkDerivation rec {
   pname = "toxic";
-  version = "0.9.0";
+  version = "0.9.1";
 
   src = fetchFromGitHub {
     owner  = "Tox";
     repo   = "toxic";
     rev    = "v${version}";
-    sha256 = "1y0k9vfb4818b3s313jlxbpjwdxd62cc4kc1vpxdjvs8mx543vrv";
+    sha256 = "1j0yd33sm824dy4mhwfxqkywa46yhqy5hd5wq4lp7lgl6m6mypar";
   };
 
   makeFlags = [ "PREFIX=$(out)"];
diff --git a/pkgs/applications/networking/seaweedfs/default.nix b/pkgs/applications/networking/seaweedfs/default.nix
index 3fe3b665075..d0a396d6a90 100644
--- a/pkgs/applications/networking/seaweedfs/default.nix
+++ b/pkgs/applications/networking/seaweedfs/default.nix
@@ -2,13 +2,13 @@
 
 buildGoModule rec {
   pname = "seaweedfs";
-  version = "2.12";
+  version = "2.13";
 
   src = fetchFromGitHub {
     owner = "chrislusf";
     repo = "seaweedfs";
     rev = version;
-    sha256 = "08jv8dbvdygcm6wzvncx89p8cn9mbjn4lj8rf5svq8lr7zk1rvpw";
+    sha256 = "0w41p2fm26ml5dvdg2cnxcw0xzsbjq26chpa3bkn1adpazlpivp4";
   };
 
   vendorSha256 = "0g344dj325d35i0myrzhg5chspqnly40qp910ml6zrmp7iszc1mw";
diff --git a/pkgs/applications/version-management/pijul/default.nix b/pkgs/applications/version-management/pijul/default.nix
index e90f47e51f3..bb720df3f27 100644
--- a/pkgs/applications/version-management/pijul/default.nix
+++ b/pkgs/applications/version-management/pijul/default.nix
@@ -15,14 +15,14 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "pijul";
-  version = "1.0.0-alpha.8";
+  version = "1.0.0-alpha.11";
 
   src = fetchCrate {
     inherit version pname;
-    sha256 = "01wag3ckqsa7r6zc7cla428w8hr49n2ybp31s42dqmsbak3xbc14";
+    sha256 = "1y2xgbzclmk0i98iydmqgvf6acx0v326dmj9j2hiwrld193fc4dx";
   };
 
-  cargoSha256 = "1hh4xmkhbbbkag3v25vh6zpn0r4fmipxmkcr8ahgrxf71dvyxj8x";
+  cargoSha256 = "0i1rr8jg34g4b8i2lvh9gy2rpfa01ma9jpcpyp5zklrzk5f1ksvf";
 
   cargoBuildFlags = stdenv.lib.optional gitImportSupport "--features=git";
   LIBCLANG_PATH = "${libclang}/lib";
diff --git a/pkgs/applications/version-management/sparkleshare/default.nix b/pkgs/applications/version-management/sparkleshare/default.nix
index 8f77fdbe54c..6f639ecd77f 100644
--- a/pkgs/applications/version-management/sparkleshare/default.nix
+++ b/pkgs/applications/version-management/sparkleshare/default.nix
@@ -23,13 +23,13 @@
 
 stdenv.mkDerivation rec {
   pname = "sparkleshare";
-  version = "3.28";
+  version = "3.38";
 
   src = fetchFromGitHub {
     owner = "hbons";
     repo = "SparkleShare";
     rev = version;
-    sha256 = "sha256:1x5nv2f3mrsr4a336bz5kc2lzkzilfh43bxy2yqhhjp2dgb20497";
+    sha256 = "1a9csflmj96iyr1l0mdm3ziv1bljfcjnzm9xb2y4qqk7ha2p6fbq";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/applications/video/shotcut/default.nix b/pkgs/applications/video/shotcut/default.nix
index b1db8cc57d2..1b3ca285048 100644
--- a/pkgs/applications/video/shotcut/default.nix
+++ b/pkgs/applications/video/shotcut/default.nix
@@ -25,13 +25,13 @@ assert stdenv.lib.versionAtLeast mlt.version "6.22.1";
 
 mkDerivation rec {
   pname = "shotcut";
-  version = "20.11.25";
+  version = "20.11.28";
 
   src = fetchFromGitHub {
     owner = "mltframework";
     repo = "shotcut";
     rev = "v${version}";
-    sha256 = "1nm71gnjd082m7bxlmrkngn079m3fdrb059f7wy23qj7khgpi3iz";
+    sha256 = "1yr71ihml9wnm7y5pv0gz41l1k6ybd16dk78zxf96kn9b838mzhq";
   };
 
   enableParallelBuilding = true;
diff --git a/pkgs/applications/virtualization/podman/default.nix b/pkgs/applications/virtualization/podman/default.nix
index b05149fd150..dd56efe60f8 100644
--- a/pkgs/applications/virtualization/podman/default.nix
+++ b/pkgs/applications/virtualization/podman/default.nix
@@ -16,13 +16,13 @@
 
 buildGoModule rec {
   pname = "podman";
-  version = "2.1.1";
+  version = "2.2.0";
 
   src = fetchFromGitHub {
     owner = "containers";
     repo = "podman";
     rev = "v${version}";
-    sha256 = "0cy842wlyasxlxnwxkwhwgj148s30kfxnhgxa6ar26fly432aa68";
+    sha256 = "13na6ms0dapcmfb4pg8z3sds9nprr1lyyjs0v2izqifcyb1r1c00";
   };
 
   vendorSha256 = null;
diff --git a/pkgs/data/misc/spdx-license-list-data/default.nix b/pkgs/data/misc/spdx-license-list-data/default.nix
index 6d2c58afdb2..19f02a16f47 100644
--- a/pkgs/data/misc/spdx-license-list-data/default.nix
+++ b/pkgs/data/misc/spdx-license-list-data/default.nix
@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   pname = "spdx-license-list-data";
-  version = "3.10";
+  version = "3.11";
 
   src = fetchFromGitHub {
     owner = "spdx";
     repo = "license-list-data";
     rev = "v${version}";
-    sha256 = "1zza0jrs82112dcjqgkyck2b7hv4kg9s10pmlripi6c1rs37av14";
+    sha256 = "1iwyqhh6lh51a47mhfy98zvjan8yjsvlym8qz0isx2i1zzxlj47a";
   };
 
   phases = [ "unpackPhase" "installPhase" ];
diff --git a/pkgs/data/themes/vimix/default.nix b/pkgs/data/themes/vimix/default.nix
index 1b3d2005f08..43636b584d3 100644
--- a/pkgs/data/themes/vimix/default.nix
+++ b/pkgs/data/themes/vimix/default.nix
@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   pname = "vimix-gtk-themes";
-  version = "2020-02-24";
+  version = "2020-11-28";
 
   src = fetchFromGitHub {
     owner = "vinceliuice";
     repo = pname;
     rev = version;
-    sha256 = "18v7yhwzachjgy276rdhj5cg353f0qysa2kxk9gyc6s71q2gjzcv";
+    sha256 = "1m84p4cs9dfwc27zfjnwgkfdnfmlzbimq3g5z4mhz23cijm178rf";
   };
 
   buildInputs = [ gtk_engines ];
diff --git a/pkgs/desktops/gnome-3/apps/gnome-boxes/default.nix b/pkgs/desktops/gnome-3/apps/gnome-boxes/default.nix
index 014ad123b41..7f0c7c4f621 100644
--- a/pkgs/desktops/gnome-3/apps/gnome-boxes/default.nix
+++ b/pkgs/desktops/gnome-3/apps/gnome-boxes/default.nix
@@ -54,11 +54,11 @@
 
 stdenv.mkDerivation rec {
   pname = "gnome-boxes";
-  version = "3.38.1";
+  version = "3.38.2";
 
   src = fetchurl {
     url = "mirror://gnome/sources/${pname}/${stdenv.lib.versions.majorMinor version}/${pname}-${version}.tar.xz";
-    sha256 = "0zrm4mihkx5i42h3pvk9lmsqf983dqz4rnfcbccwhx4ml2s4w3qv";
+    sha256 = "1zjvng0izbws3506998l3dwsxjbm7wnhqipb8nmqzvi096czvajl";
   };
 
   doCheck = true;
diff --git a/pkgs/desktops/gnome-3/misc/gnome-tweaks/default.nix b/pkgs/desktops/gnome-3/misc/gnome-tweaks/default.nix
index a51eb854e73..a042ce134a9 100644
--- a/pkgs/desktops/gnome-3/misc/gnome-tweaks/default.nix
+++ b/pkgs/desktops/gnome-3/misc/gnome-tweaks/default.nix
@@ -1,42 +1,69 @@
-{ stdenv, meson, ninja, gettext, fetchurl
-, pkgconfig, gtk3, glib, libsoup, gsettings-desktop-schemas
-, itstool, libxml2, python3Packages, libhandy_0
-, gnome3, gdk-pixbuf, libnotify, gobject-introspection, wrapGAppsHook }:
+{ lib
+, meson
+, ninja
+, fetchurl
+, gdk-pixbuf
+, gettext
+, glib
+, gnome3
+, gobject-introspection
+, gsettings-desktop-schemas
+, gtk3
+, itstool
+, libhandy_0
+, libnotify
+, libsoup
+, libxml2
+, pkg-config
+, python3Packages
+, wrapGAppsHook }:
 
-let
+python3Packages.buildPythonApplication rec {
   pname = "gnome-tweaks";
   version = "3.34.0";
-in stdenv.mkDerivation rec {
-  name = "${pname}-${version}";
+  format = "other";
+  strictDeps = false; # https://github.com/NixOS/nixpkgs/issues/56943
 
   src = fetchurl {
-    url = "mirror://gnome/sources/${pname}/${stdenv.lib.versions.majorMinor version}/${name}.tar.xz";
+    url = "mirror://gnome/sources/${pname}/${lib.versions.majorMinor version}/${pname}-${version}.tar.xz";
     sha256 = "0l2j42ba7v866iknygamnkiq7igh0fjvq92r93cslvvfnkx2ccq0";
   };
 
   nativeBuildInputs = [
-    meson ninja pkgconfig gettext itstool libxml2 wrapGAppsHook python3Packages.python
+    gettext
+    gobject-introspection
+    itstool
+    libxml2
+    meson
+    ninja
+    pkg-config
+    wrapGAppsHook
   ];
+
   buildInputs = [
-    gtk3 glib gsettings-desktop-schemas
-    gdk-pixbuf gnome3.adwaita-icon-theme
-    libnotify gnome3.gnome-shell python3Packages.pygobject3
-    libsoup gnome3.gnome-settings-daemon gnome3.nautilus
-    gnome3.mutter gnome3.gnome-desktop gobject-introspection
-    gnome3.nautilus libhandy_0
+    gdk-pixbuf
+    glib
+    gnome3.gnome-desktop
+    gnome3.gnome-settings-daemon
+    gnome3.gnome-shell
     # Makes it possible to select user themes through the `user-theme` extension
     gnome3.gnome-shell-extensions
+    gnome3.mutter
+    gsettings-desktop-schemas
+    gtk3
+    libhandy_0
+    libnotify
+    libsoup
+  ];
+
+  propagatedBuildInputs = with python3Packages; [
+    pygobject3
   ];
 
   postPatch = ''
     patchShebangs meson-postinstall.py
   '';
 
-  preFixup = ''
-    gappsWrapperArgs+=(
-      --prefix PYTHONPATH : "$out/${python3Packages.python.sitePackages}:$PYTHONPATH")
-  '';
-
   passthru = {
     updateScript = gnome3.updateScript {
       packageName = pname;
@@ -44,7 +71,7 @@ in stdenv.mkDerivation rec {
     };
   };
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://wiki.gnome.org/action/show/Apps/GnomeTweakTool";
     description = "A tool to customize advanced GNOME 3 options";
     maintainers = teams.gnome.members;
diff --git a/pkgs/development/interpreters/php/8.0.nix b/pkgs/development/interpreters/php/8.0.nix
new file mode 100644
index 00000000000..ded661e5585
--- /dev/null
+++ b/pkgs/development/interpreters/php/8.0.nix
@@ -0,0 +1,17 @@
+{ callPackage, lib, stdenv, nixosTests, ... }@_args:
+
+let
+  generic = (import ./generic.nix) _args;
+
+  base = callPackage generic (_args // {
+    version = "8.0.0";
+    sha256 = "02cx3gvxqvkllp54jfvs83kl8bmpcqyzp9jf1d0l9x5bgv1jv0sy";
+  });
+
+in base.withExtensions ({ all, ... }: with all; ([
+  bcmath calendar curl ctype dom exif fileinfo filter ftp gd
+  gettext gmp iconv intl ldap mbstring mysqli mysqlnd opcache
+  openssl pcntl pdo pdo_mysql pdo_odbc pdo_pgsql pdo_sqlite pgsql
+  posix readline session simplexml sockets soap sodium sqlite3
+  tokenizer xmlreader xmlwriter zip zlib
+] ++ lib.optionals (!stdenv.isDarwin) [ imap ]))
diff --git a/pkgs/development/interpreters/php/fix-opcache-configure.patch b/pkgs/development/interpreters/php/fix-opcache-configure.patch
new file mode 100644
index 00000000000..e67d2cc7bc7
--- /dev/null
+++ b/pkgs/development/interpreters/php/fix-opcache-configure.patch
@@ -0,0 +1,81 @@
+diff --git a/Zend/Zend.m4 b/Zend/Zend.m4
+index 726188597496..781e51d3e44c 100644
+--- a/Zend/Zend.m4
++++ b/Zend/Zend.m4
+@@ -190,12 +190,6 @@ dnl LIBZEND_OTHER_CHECKS
+ dnl
+ AC_DEFUN([LIBZEND_OTHER_CHECKS],[
+ 
+-AC_ARG_ENABLE([zts],
+-  [AS_HELP_STRING([--enable-zts],
+-    [Enable thread safety])],
+-  [ZEND_ZTS=$enableval],
+-  [ZEND_ZTS=no])
+-
+ AC_MSG_CHECKING(whether to enable thread-safety)
+ AC_MSG_RESULT($ZEND_ZTS)
+ 
+diff --git a/configure.ac b/configure.ac
+index 8d6e922fa9bf..e07a75d19ac7 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -797,6 +797,19 @@ if test "$PHP_DEBUG_ASSERTIONS" = "yes"; then
+   ZEND_DEBUG=yes
+ fi
+ 
++AC_ARG_ENABLE([zts],
++  [AS_HELP_STRING([--enable-zts],
++    [Enable thread safety])],
++  [ZEND_ZTS=$enableval],
++  [ZEND_ZTS=no])
++
++if test "$ZEND_ZTS" = "yes"; then
++  AC_DEFINE(ZTS, 1,[ ])
++  PHP_THREAD_SAFETY=yes
++else
++  PHP_THREAD_SAFETY=no
++fi
++
+ PHP_ARG_ENABLE([rtld-now],
+   [whether to dlopen extensions with RTLD_NOW instead of RTLD_LAZY],
+   [AS_HELP_STRING([--enable-rtld-now],
+@@ -1136,13 +1149,6 @@ LIBZEND_BASIC_CHECKS
+ LIBZEND_DLSYM_CHECK
+ LIBZEND_OTHER_CHECKS
+ 
+-if test "$ZEND_ZTS" = "yes"; then
+-  AC_DEFINE(ZTS,1,[ ])
+-  PHP_THREAD_SAFETY=yes
+-else
+-  PHP_THREAD_SAFETY=no
+-fi
+-
+ INCLUDES="$INCLUDES -I\$(top_builddir)/TSRM"
+ INCLUDES="$INCLUDES -I\$(top_builddir)/Zend"
+ 
+diff --git a/ext/opcache/config.m4 b/ext/opcache/config.m4
+index 054cd28c0247..93d72fb73d19 100644
+--- a/ext/opcache/config.m4
++++ b/ext/opcache/config.m4
+@@ -66,7 +66,7 @@ if test "$PHP_OPCACHE" != "no"; then
+       esac
+     fi
+ 
+-    if test "$enable_zts" = "yes"; then
++    if test "$PHP_THREAD_SAFETY" = "yes"; then
+       DASM_FLAGS="$DASM_FLAGS -D ZTS=1"
+     fi
+ 
+diff --git a/ext/session/config.m4 b/ext/session/config.m4
+index 7abc8813b72a..da31bbde86cc 100644
+--- a/ext/session/config.m4
++++ b/ext/session/config.m4
+@@ -31,7 +31,7 @@ if test "$PHP_MM" != "no"; then
+     AC_MSG_ERROR(cannot find mm library)
+   fi
+ 
+-  if test "$enable_zts" = "yes"; then
++  if test "$PHP_THREAD_SAFETY" = "yes"; then
+     dnl The mm library is not thread-safe, and mod_mm.c refuses to compile.
+     AC_MSG_ERROR(--with-mm cannot be combined with --enable-zts)
+   fi
\ No newline at end of file
diff --git a/pkgs/development/interpreters/php/generic.nix b/pkgs/development/interpreters/php/generic.nix
index 6f0f5c40120..4a96abcf9b6 100644
--- a/pkgs/development/interpreters/php/generic.nix
+++ b/pkgs/development/interpreters/php/generic.nix
@@ -198,7 +198,8 @@ let
             ++ lib.optional (!ipv6Support) "--disable-ipv6"
             ++ lib.optional systemdSupport "--with-fpm-systemd"
             ++ lib.optional valgrindSupport "--with-valgrind=${valgrind.dev}"
-            ++ lib.optional ztsSupport "--enable-maintainer-zts"
+            ++ lib.optional (ztsSupport && (lib.versionOlder version "8.0")) "--enable-maintainer-zts"
+            ++ lib.optional (ztsSupport && (lib.versionAtLeast version "8.0")) "--enable-zts"
 
 
             # Sendmail
diff --git a/pkgs/development/libraries/openxr-loader/default.nix b/pkgs/development/libraries/openxr-loader/default.nix
index 9e38f1e828d..f0c4c47db03 100644
--- a/pkgs/development/libraries/openxr-loader/default.nix
+++ b/pkgs/development/libraries/openxr-loader/default.nix
@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   pname = "openxr-loader";
-  version = "1.0.12";
+  version = "1.0.13";
 
   src = fetchFromGitHub {
     owner = "KhronosGroup";
     repo = "OpenXR-SDK-Source";
     rev = "release-${version}";
-    sha256 = "0xcra2hcsm88rfd7zf52hccx3nvg9j65a595z7c0lrzv6jz04676";
+    sha256 = "0znhv7x81bvqijk5xhc5w760d5yy6vr5c2y271wpk9lkmxbbcpl1";
   };
 
   nativeBuildInputs = [ cmake python3 ];
diff --git a/pkgs/development/ocaml-modules/functoria/default.nix b/pkgs/development/ocaml-modules/functoria/default.nix
index 330ab26e8e6..4f108320399 100644
--- a/pkgs/development/ocaml-modules/functoria/default.nix
+++ b/pkgs/development/ocaml-modules/functoria/default.nix
@@ -1,16 +1,18 @@
-{ stdenv, fetchurl, buildDunePackage, alcotest, cmdliner
+{ lib, fetchurl, buildDunePackage, alcotest, cmdliner
 , rresult, astring, fmt, ocamlgraph, logs, bos, fpath, ptime
 }:
 
 buildDunePackage rec {
   pname   = "functoria";
-  version = "3.1.0";
+  version = "3.1.1";
+
+  useDune2 = true;
 
   minimumOCamlVersion = "4.04";
 
   src = fetchurl {
     url = "https://github.com/mirage/${pname}/releases/download/v${version}/${pname}-v${version}.tbz";
-    sha256 = "15jdqdj1vfi0x9gjydrrnbwzwbzw34w1iir032jrji820xlblky2";
+    sha256 = "0bihxbq16zwsi7frk4b8wz8993mvy2ym3n6288jhv0n0gb7c2f7m";
   };
 
   propagatedBuildInputs = [ cmdliner rresult astring fmt ocamlgraph logs bos fpath ptime ];
@@ -18,7 +20,7 @@ buildDunePackage rec {
 
   doCheck = true;
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "A DSL to organize functor applications";
     homepage    = "https://github.com/mirage/functoria";
     license     = licenses.isc;
diff --git a/pkgs/development/ocaml-modules/functoria/runtime.nix b/pkgs/development/ocaml-modules/functoria/runtime.nix
index 806ae82b6ef..2ba13ce8738 100644
--- a/pkgs/development/ocaml-modules/functoria/runtime.nix
+++ b/pkgs/development/ocaml-modules/functoria/runtime.nix
@@ -3,7 +3,7 @@
 buildDunePackage {
   pname = "functoria-runtime";
 
-  inherit (functoria) version src;
+  inherit (functoria) version useDune2 src;
 
   propagatedBuildInputs = [ cmdliner fmt ];
   checkInputs = [ alcotest functoria];
diff --git a/pkgs/development/php-packages/couchbase/default.nix b/pkgs/development/php-packages/couchbase/default.nix
index abe4b7efdea..4ec71846919 100644
--- a/pkgs/development/php-packages/couchbase/default.nix
+++ b/pkgs/development/php-packages/couchbase/default.nix
@@ -14,9 +14,10 @@ buildPecl {
   };
 
   configureFlags = [ "--with-couchbase" ];
+  broken = lib.versionAtLeast php.version "8.0";
 
   buildInputs = with pkgs; [ libcouchbase zlib ];
-  internalDeps = [ php.extensions.json ];
+  internalDeps = [] ++ lib.optionals (lib.versionOlder php.version "8.0") [ php.extensions.json ];
   peclDeps = [ php.extensions.igbinary ];
 
   patches = [
diff --git a/pkgs/development/php-packages/imagick/default.nix b/pkgs/development/php-packages/imagick/default.nix
index 63524fb2d06..504e15ae16d 100644
--- a/pkgs/development/php-packages/imagick/default.nix
+++ b/pkgs/development/php-packages/imagick/default.nix
@@ -1,4 +1,4 @@
-{ buildPecl, lib, pkgs, pcre' }:
+{ buildPecl, fetchpatch, lib, pkgs, pcre' }:
 
 buildPecl {
   pname = "imagick";
@@ -6,6 +6,14 @@ buildPecl {
   version = "3.4.4";
   sha256 = "0xvhaqny1v796ywx83w7jyjyd0nrxkxf34w9zi8qc8aw8qbammcd";
 
+  patches = [
+    # Fix compatibility with PHP 8.
+    (fetchpatch {
+      url = "https://github.com/Imagick/imagick/pull/336.patch";
+      sha256 = "nuRdh02qaMx0s/5OzlfWjyYgZG1zgrYnAjsZ/UVIrUM=";
+    })
+  ];
+
   configureFlags = [ "--with-imagick=${pkgs.imagemagick.dev}" ];
   nativeBuildInputs = [ pkgs.pkgconfig ];
   buildInputs = [ pcre' ];
diff --git a/pkgs/development/php-packages/redis/default.nix b/pkgs/development/php-packages/redis/default.nix
index 41ff8f38689..a61ae1194ff 100644
--- a/pkgs/development/php-packages/redis/default.nix
+++ b/pkgs/development/php-packages/redis/default.nix
@@ -7,8 +7,9 @@ buildPecl {
   sha256 = "1cfsbxf3q3im0cmalgk76jpz581zr92z03c1viy93jxb53k2vsgl";
 
   internalDeps = with php.extensions; [
-    json
     session
+  ] ++ lib.optionals (lib.versionOlder php.version "8.0") [
+    json
   ] ++ lib.optionals (lib.versionOlder php.version "7.4") [
     hash
   ];
diff --git a/pkgs/development/python-modules/docplex/default.nix b/pkgs/development/python-modules/docplex/default.nix
index 74ac3bbfdf3..362f2b11b1c 100644
--- a/pkgs/development/python-modules/docplex/default.nix
+++ b/pkgs/development/python-modules/docplex/default.nix
@@ -9,12 +9,12 @@
 
 buildPythonPackage rec {
   pname = "docplex";
-  version = "2.15.194";
+  version = "2.16.196";
 
   # No source available from official repo
   src = fetchPypi {
     inherit pname version;
-    sha256 = "976e9b4e18bccbabae04149c33247a795edb1f00110f1b511c5517ac6ac353bb";
+    sha256 = "8fd96e3586444e577b356c0ac62511414e76027ff159ebe0d0b3e44b881406d1";
   };
 
   propagatedBuildInputs = [
diff --git a/pkgs/development/python-modules/fastjsonschema/default.nix b/pkgs/development/python-modules/fastjsonschema/default.nix
index b49f31e4022..34eb0a158d9 100644
--- a/pkgs/development/python-modules/fastjsonschema/default.nix
+++ b/pkgs/development/python-modules/fastjsonschema/default.nix
@@ -8,7 +8,7 @@
 
 buildPythonPackage rec {
   pname = "fastjsonschema";
-  version = "2.14.4";
+  version = "2.14.5";
 
   disabled = pythonOlder "3.3";
 
@@ -17,7 +17,7 @@ buildPythonPackage rec {
     repo = "python-fastjsonschema";
     rev = "v${version}";
     fetchSubmodules = true;
-    sha256 = "0c3q31lqzrc52gacnqc271k5952qbyl0z4kagsqvl7fiwk84hqlz";
+    sha256 = "1hgzafswdw5zqrd8qhdxa43crzfy7lrlifdn90133a0h3psr7qs1";
   };
 
   checkInputs = [ pytestCheckHook ];
diff --git a/pkgs/development/python-modules/google_cloud_secret_manager/default.nix b/pkgs/development/python-modules/google_cloud_secret_manager/default.nix
index 513b76bafa4..5bc568f879d 100644
--- a/pkgs/development/python-modules/google_cloud_secret_manager/default.nix
+++ b/pkgs/development/python-modules/google_cloud_secret_manager/default.nix
@@ -1,20 +1,22 @@
 { lib, buildPythonPackage, fetchPypi
-, grpc_google_iam_v1, google_api_core
+, grpc_google_iam_v1, google_api_core, libcst, proto-plus
 , pytest, mock
 }:
 
 buildPythonPackage rec {
   pname = "google-cloud-secret-manager";
-  version = "1.0.0";
+  version = "2.0.0";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "1cm3xqacxnbpv2706bd2jl86mvcsphpjlvhzngz2k2p48a0jjx8r";
+    sha256 = "1w2q602ww8s3n714l2gnaklqzbczshrspxvmvjr6wfwwalxwkc62";
   };
 
   propagatedBuildInputs = [
     google_api_core
     grpc_google_iam_v1
+    libcst
+    proto-plus
   ];
 
   checkInputs = [
diff --git a/pkgs/development/python-modules/pproxy/default.nix b/pkgs/development/python-modules/pproxy/default.nix
index 9f97d7df135..0673a3f8dba 100644
--- a/pkgs/development/python-modules/pproxy/default.nix
+++ b/pkgs/development/python-modules/pproxy/default.nix
@@ -8,7 +8,7 @@
 
 buildPythonPackage rec {
   pname = "pproxy";
-  version = "2.3.2";
+  version = "2.3.7";
 
   disabled = isPy27;
 
@@ -16,8 +16,8 @@ buildPythonPackage rec {
   src = fetchFromGitHub {
     owner = "qwj";
     repo = "python-proxy";
-    rev = "818ab9cc10565789fe429a7be50ddefb9c583781";
-    sha256 = "0g3cyi5lzakhs5p3fpwywbl8jpapnr8890zw9w45dqg8k0svc1fi";
+    rev = "7fccf8dd62204f34b0aa3a70fc568fd6ddff7728";
+    sha256 = "1sl2i0kymnbsk49ina81yjnkxjy09541f7pmic8r6rwsv1s87skc";
   };
 
   propagatedBuildInputs = [
diff --git a/pkgs/development/python-modules/pylatexenc/default.nix b/pkgs/development/python-modules/pylatexenc/default.nix
index 6b56a42246f..e53472c6ead 100644
--- a/pkgs/development/python-modules/pylatexenc/default.nix
+++ b/pkgs/development/python-modules/pylatexenc/default.nix
@@ -6,23 +6,23 @@
 
 buildPythonPackage rec {
   pname = "pylatexenc";
-  version = "2.7";
+  version = "2.8";
 
   src = fetchFromGitHub {
     owner = "phfaist";
     repo = "pylatexenc";
     rev = "v${version}";
-    sha256 = "1hpcwbknfah3mky2m4asw15b9qdvv4k5ni0js764n1jpi83m1zgk";
+    sha256 = "0m9vrbh1gmbgq6dqm7xzklar3accadw0pn896rqsdi5jbgd3w0mh";
   };
 
   pythonImportsCheck = [ "pylatexenc" ];
-  dontUseSetuptoolsCheck = true;
   checkInputs = [ pytestCheckHook ];
 
   meta = with lib; {
     description = "Simple LaTeX parser providing latex-to-unicode and unicode-to-latex conversion";
     homepage = "https://pylatexenc.readthedocs.io";
     downloadPage = "https://www.github.com/phfaist/pylatexenc/releases";
+    changelog = "https://pylatexenc.readthedocs.io/en/latest/changes/";
     license = licenses.mit;
     maintainers = with maintainers; [ drewrisinger ];
   };
diff --git a/pkgs/development/python-modules/pysbd/default.nix b/pkgs/development/python-modules/pysbd/default.nix
new file mode 100644
index 00000000000..e1e0578c83b
--- /dev/null
+++ b/pkgs/development/python-modules/pysbd/default.nix
@@ -0,0 +1,31 @@
+{ lib
+, buildPythonPackage
+, fetchPypi
+, pythonOlder
+, tqdm
+, spacy
+}:
+
+buildPythonPackage rec {
+  pname = "pysbd";
+  version = "0.3.3";
+  disabled = pythonOlder "3.5";
+
+  src = fetchPypi {
+    inherit pname version;
+    sha256 = "56ab48a28a8470f0042a4cb7c9da8a6dde8621ecf87a86d75f201cbf1837e77f";
+  };
+
+  checkInputs = [ tqdm spacy ];
+
+  doCheck = false; # requires pyconll and blingfire
+
+  pythonImportsCheck = [ "pysbd" ];
+
+  meta = with lib; {
+    description = "Pysbd (Python Sentence Boundary Disambiguation) is a rule-based sentence boundary detection that works out-of-the-box across many languages";
+    homepage = "https://github.com/nipunsadvilkar/pySBD";
+    license = licenses.mit;
+    maintainers = [ maintainers.mic92 ];
+  };
+}
diff --git a/pkgs/development/python-modules/qiskit-aer/default.nix b/pkgs/development/python-modules/qiskit-aer/default.nix
index 8e73e942be9..57d89b55711 100644
--- a/pkgs/development/python-modules/qiskit-aer/default.nix
+++ b/pkgs/development/python-modules/qiskit-aer/default.nix
@@ -3,34 +3,39 @@
 , buildPythonPackage
 , fetchFromGitHub
 , fetchpatch
+  # C Inputs
+, blas
+, catch2
 , cmake
-, cvxpy
 , cython
 , muparserx
 , ninja
 , nlohmann_json
+, spdlog
+  # Python Inputs
+, cvxpy
 , numpy
-, openblas
 , pybind11
 , scikit-build
-, spdlog
   # Check Inputs
-, qiskit-terra
 , pytestCheckHook
-, python
+, ddt
+, fixtures
+, pytest-timeout
+, qiskit-terra
 }:
 
 buildPythonPackage rec {
   pname = "qiskit-aer";
-  version = "0.6.1";
+  version = "0.7.1";
 
-  disabled = pythonOlder "3.5";
+  disabled = pythonOlder "3.6";
 
   src = fetchFromGitHub {
     owner = "Qiskit";
     repo = "qiskit-aer";
     rev = version;
-    sha256 = "1fnv11diis0as8zcc57mamz0gbjd6vj7nw3arxzvwa77ja803sr4";
+    sha256 = "07l0wavdknx0y4vy0hwgw24365sg4nb6ygl3lpa098np85qgyn4y";
   };
 
   nativeBuildInputs = [
@@ -40,10 +45,11 @@ buildPythonPackage rec {
   ];
 
   buildInputs = [
-    openblas
-    spdlog
-    nlohmann_json
+    blas
+    catch2
     muparserx
+    nlohmann_json
+    spdlog
   ];
 
   propagatedBuildInputs = [
@@ -60,11 +66,6 @@ buildPythonPackage rec {
 
   dontUseCmakeConfigure = true;
 
-  cmakeFlags = [
-    "-DBUILD_TESTS=True"
-    "-DAER_THRUST_BACKEND=OMP"
-  ];
-
   # *** Testing ***
 
   pythonImportsCheck = [
@@ -72,11 +73,22 @@ buildPythonPackage rec {
     "qiskit.providers.aer.backends.qasm_simulator"
     "qiskit.providers.aer.backends.controller_wrappers" # Checks C++ files built correctly. Only exists if built & moved to output
   ];
-  checkInputs = [
-    qiskit-terra
-    pytestCheckHook
+  # Slow tests
+  disabledTests = [
+    "test_paulis_1_and_2_qubits"
+    "test_3d_oscillator"
+  ];
+  checkInputs = [
+    pytestCheckHook
+    ddt
+    fixtures
+    pytest-timeout
+    qiskit-terra
+  ];
+  pytestFlagsArray = [
+    "--timeout=30"
+    "--durations=10"
   ];
-  dontUseSetuptoolsCheck = true;  # Otherwise runs tests twice
 
   preCheck = ''
     # Tests include a compiled "circuit" which is auto-built in $HOME
@@ -87,9 +99,7 @@ buildPythonPackage rec {
     # Add qiskit-aer compiled files to cython include search
     pushd $HOME
   '';
-  postCheck = ''
-    popd
-  '';
+  postCheck = "popd";
 
   meta = with lib; {
     description = "High performance simulators for Qiskit";
diff --git a/pkgs/development/python-modules/qiskit-aqua/default.nix b/pkgs/development/python-modules/qiskit-aqua/default.nix
index c90f9ddf2e2..11274c525f0 100644
--- a/pkgs/development/python-modules/qiskit-aqua/default.nix
+++ b/pkgs/development/python-modules/qiskit-aqua/default.nix
@@ -2,8 +2,6 @@
 , pythonOlder
 , buildPythonPackage
 , fetchFromGitHub
-, fetchpatch
-# , cplex
 , cvxpy
 , dlx
 , docplex
@@ -18,38 +16,38 @@
 , quandl
 , scikitlearn
 , yfinance
+  # Optional inputs
+, withTorch ? false
+, pytorch
+, withPyscf ? false
+, pyscf ? null
+, withScikitQuant ? false
+, scikit-quant ? null
+, withCplex ? false
+, cplex ? null
   # Check Inputs
 , ddt
 , pytestCheckHook
+, pytest-timeout
 , qiskit-aer
 }:
 
 buildPythonPackage rec {
   pname = "qiskit-aqua";
-  version = "0.7.5";
+  version = "0.8.1";
 
-  disabled = pythonOlder "3.5";
+  disabled = pythonOlder "3.6";
 
   # Pypi's tarball doesn't contain tests
   src = fetchFromGitHub {
     owner = "Qiskit";
     repo = "qiskit-aqua";
     rev = version;
-    sha256 = "19sdv7lnc4b1c86rd1dv7pjpi8cmrpzbv7nav0fb899ki8ldqdwq";
+    sha256 = "11qyya3vyq50wpzrzzl8v46yx5p72rhpqhybwn47qgazxgg82r1b";
   };
 
-  # TODO: remove in next release
-  patches = [
-    (fetchpatch {
-      name = "qiskit-aqua-fix-test-issue-1214.patch";
-      url = "https://github.com/Qiskit/qiskit-aqua/commit/284a4323192ac85787b22cbe5f344996fae16f7d.patch";
-      sha256 = "0zl8hqa2fq9ng793x4dhh0ny67nnbjcd8l1cdsaaab4ca1y0xcfr";
-    })
-  ];
-
   # Optional packages: pyscf (see below NOTE) & pytorch. Can install via pip/nix if needed.
   propagatedBuildInputs = [
-    # cplex
     cvxpy
     docplex
     dlx # Python Dancing Links package
@@ -63,7 +61,10 @@ buildPythonPackage rec {
     quandl
     scikitlearn
     yfinance
-  ];
+  ] ++ lib.optionals (withTorch) [ pytorch ]
+  ++ lib.optionals (withPyscf) [ pyscf ]
+  ++ lib.optionals (withScikitQuant) [ scikit-quant ]
+  ++ lib.optionals (withCplex) [ cplex ];
 
   # *** NOTE ***
   # We make pyscf optional in this package, due to difficulties packaging it in Nix (test failures, complicated flags, etc).
@@ -97,8 +98,12 @@ buildPythonPackage rec {
 
   postInstall = "rm -rf $out/${python.sitePackages}/docs";  # Remove docs dir b/c it can cause conflicts.
 
-  checkInputs = [ ddt qiskit-aer pytestCheckHook ];
-  dontUseSetuptoolsCheck = true;
+  checkInputs = [
+    pytestCheckHook
+    ddt
+    pytest-timeout
+    qiskit-aer
+  ];
   pythonImportsCheck = [
     "qiskit.aqua"
     "qiskit.aqua.algorithms"
@@ -108,10 +113,13 @@ buildPythonPackage rec {
     "qiskit.optimization"
   ];
   pytestFlagsArray = [
-    # Disabled b/c missing pyscf
+    "--timeout=30"
+    "--durations=10"
+  ] ++ lib.optionals (!withPyscf) [
     "--ignore=test/chemistry/test_qeom_ee.py"
     "--ignore=test/chemistry/test_qeom_vqe.py"
     "--ignore=test/chemistry/test_vqe_uccsd_adapt.py"
+    "--ignore=test/chemistry/test_bopes_sampler.py"
   ];
   disabledTests = [
     # Disabled due to missing pyscf
@@ -123,8 +131,10 @@ buildPythonPackage rec {
 
     # Disabling slow tests > 10 seconds
     "TestVQE"
+    "TestOOVQE"
     "TestVQC"
     "TestQSVM"
+    "TestOptimizerAQGD"
     "test_graph_partition_vqe"
     "TestLookupRotation"
     "_vqe"
@@ -151,6 +161,7 @@ buildPythonPackage rec {
     "test_confidence_intervals_00001"
     "test_eoh"
     "test_qasm_5"
+    "test_uccsd_hf"
   ];
 
   meta = with lib; {
diff --git a/pkgs/development/python-modules/qiskit-ibmq-provider/default.nix b/pkgs/development/python-modules/qiskit-ibmq-provider/default.nix
index eaf10fd6082..7374d7ce017 100644
--- a/pkgs/development/python-modules/qiskit-ibmq-provider/default.nix
+++ b/pkgs/development/python-modules/qiskit-ibmq-provider/default.nix
@@ -9,24 +9,36 @@
 , requests_ntlm
 , websockets
   # Visualization inputs
-, ipykernel
+, withVisualization ? false
+, ipython
 , ipyvuetify
 , ipywidgets
 , matplotlib
-, nbconvert
-, nbformat
 , plotly
 , pyperclip
 , seaborn
   # check inputs
 , pytestCheckHook
+, nbconvert
+, nbformat
 , pproxy
 , vcrpy
 }:
 
+let
+  visualizationPackages = [
+    ipython
+    ipyvuetify
+    ipywidgets
+    matplotlib
+    plotly
+    pyperclip
+    seaborn
+  ];
+in
 buildPythonPackage rec {
   pname = "qiskit-ibmq-provider";
-  version = "0.8.0";
+  version = "0.11.1";
 
   disabled = pythonOlder "3.6";
 
@@ -34,7 +46,7 @@ buildPythonPackage rec {
     owner = "Qiskit";
     repo = pname;
     rev = version;
-    sha256 = "0rrpwr4a82j69j5ibl2g0nw8wbpg201cfz6f234k2v6pj500x9nl";
+    sha256 = "0b5mnq8f5844idnsmp84lpkvlpszfwwi998yvggcgaayw1dbk53h";
   };
 
   propagatedBuildInputs = [
@@ -44,31 +56,16 @@ buildPythonPackage rec {
     requests
     requests_ntlm
     websockets
-    # Visualization/Jupyter inputs
-    ipykernel
-    ipyvuetify
-    ipywidgets
-    matplotlib
-    nbconvert
-    nbformat
-    plotly
-    pyperclip
-    seaborn
-  ];
-
-  # websockets seems to be pinned b/c in v8+ it drops py3.5 support. Not an issue here (usually py3.7+, and disabled for older py3.6)
-  postPatch = ''
-    substituteInPlace requirements.txt --replace "websockets>=7,<8" "websockets"
-    substituteInPlace setup.py --replace "websockets>=7,<8" "websockets"
-  '';
+  ] ++ lib.optionals withVisualization visualizationPackages;
 
   # Most tests require credentials to run on IBMQ
   checkInputs = [
     pytestCheckHook
+    nbconvert
+    nbformat
     pproxy
     vcrpy
-  ];
-  dontUseSetuptoolsCheck = true;
+  ] ++ lib.optionals (!withVisualization) visualizationPackages;
 
   pythonImportsCheck = [ "qiskit.providers.ibmq" ];
   # These disabled tests require internet connection, aren't skipped elsewhere
@@ -76,6 +73,10 @@ buildPythonPackage rec {
     "test_old_api_url"
     "test_non_auth_url"
     "test_non_auth_url_with_hub"
+
+    # slow tests
+    "test_websocket_retry_failure"
+    "test_invalid_url"
   ];
 
   # Skip tests that rely on internet access (mostly to IBM Quantum Experience cloud).
diff --git a/pkgs/development/python-modules/qiskit-ignis/default.nix b/pkgs/development/python-modules/qiskit-ignis/default.nix
index d40afe43f9e..b5295dbd041 100644
--- a/pkgs/development/python-modules/qiskit-ignis/default.nix
+++ b/pkgs/development/python-modules/qiskit-ignis/default.nix
@@ -8,6 +8,13 @@
 , qiskit-terra
 , scikitlearn
 , scipy
+  # Optional package inputs
+, withVisualization ? false
+, matplotlib
+, withCvx ? false
+, cvxpy
+, withJit ? false
+, numba
   # Check Inputs
 , pytestCheckHook
 , ddt
@@ -17,7 +24,7 @@
 
 buildPythonPackage rec {
   pname = "qiskit-ignis";
-  version = "0.4.0";
+  version = "0.5.1";
 
   disabled = pythonOlder "3.6";
 
@@ -26,16 +33,24 @@ buildPythonPackage rec {
     owner = "Qiskit";
     repo = "qiskit-ignis";
     rev = version;
-    sha256 = "07mxhaknkp121xm6mgrpcrbj9qw6j924ra3k0s6vr8qgvfcxvh0y";
+    sha256 = "17kplmi17axcbbgw35dzfr3d5bzfymxfni9sf6v14223c5674p4y";
   };
 
+  # hacky, fix https://github.com/Qiskit/qiskit-ignis/issues/532.
+  # TODO: remove on qiskit-ignis v0.5.1
+  postPatch = ''
+    substituteInPlace qiskit/ignis/mitigation/expval/base_meas_mitigator.py --replace "plt.axes" "'plt.axes'"
+  '';
+
   propagatedBuildInputs = [
     numpy
     qiskit-terra
     scikitlearn
     scipy
-  ];
-  postInstall = "rm -rf $out/${python.sitePackages}/docs";  # this dir can create conflicts
+  ] ++ lib.optionals (withCvx) [ cvxpy ]
+  ++ lib.optionals (withVisualization) [ matplotlib ]
+  ++ lib.optionals (withJit) [ numba ];
+  postInstall = "rm -rf $out/${python.sitePackages}/docs"; # this dir can create conflicts
 
   # Tests
   pythonImportsCheck = [ "qiskit.ignis" ];
@@ -49,7 +64,7 @@ buildPythonPackage rec {
   ];
   disabledTests = [
     "test_tensored_meas_cal_on_circuit" # Flaky test, occasionally returns result outside bounds
-    "test_qv_fitter"  # execution hangs, ran for several minutes
+    "test_qv_fitter" # execution hangs, ran for several minutes
   ];
 
   meta = with lib; {
diff --git a/pkgs/development/python-modules/qiskit-terra/default.nix b/pkgs/development/python-modules/qiskit-terra/default.nix
index aad0370c3d7..89d39b718cd 100644
--- a/pkgs/development/python-modules/qiskit-terra/default.nix
+++ b/pkgs/development/python-modules/qiskit-terra/default.nix
@@ -16,7 +16,8 @@
 , retworkx
 , scipy
 , sympy
-  # Python visualization requirements, semi-optional
+, withVisualization ? false
+  # Python visualization requirements, optional
 , ipywidgets
 , matplotlib
 , pillow
@@ -24,6 +25,12 @@
 , pygments
 , pylatexenc
 , seaborn
+  # Crosstalk-adaptive layout pass
+, withCrosstalkPass ? false
+, z3
+  # Classical function -> Quantum Circuit compiler
+, withClassicalFunctionCompiler ? false
+, tweedledum ? null
   # test requirements
 , ddt
 , hypothesis
@@ -33,17 +40,31 @@
 , python
 }:
 
+let
+  visualizationPackages = [
+    ipywidgets
+    matplotlib
+    pillow
+    pydot
+    pygments
+    pylatexenc
+    seaborn
+  ];
+  crosstalkPackages = [ z3 ];
+  classicalCompilerPackages = [ tweedledum ];
+in
+
 buildPythonPackage rec {
   pname = "qiskit-terra";
-  version = "0.15.1";
+  version = "0.16.1";
 
-  disabled = pythonOlder "3.5";
+  disabled = pythonOlder "3.6";
 
   src = fetchFromGitHub {
     owner = "Qiskit";
     repo = pname;
     rev = version;
-    sha256 = "1p7y36gj3675dmp05nwi0m9nc7h0bwyimir3ncf9wbkx3crrh99c";
+    sha256 = "0007glsbrvq9swamvz8r76z9nzh46b388y0ds1dypczxpwlp9xcq";
   };
 
   nativeBuildInputs = [ cython ];
@@ -53,7 +74,6 @@ buildPythonPackage rec {
     fastjsonschema
     jsonschema
     numpy
-    matplotlib
     networkx
     ply
     psutil
@@ -62,26 +82,18 @@ buildPythonPackage rec {
     retworkx
     scipy
     sympy
-    # Optional/visualization inputs
-    ipywidgets
-    matplotlib
-    pillow
-    pydot
-    pygments
-    pylatexenc
-    seaborn
-  ];
-
+  ] ++ lib.optionals withVisualization visualizationPackages
+  ++ lib.optionals withCrosstalkPass crosstalkPackages
+  ++ lib.optionals withClassicalFunctionCompiler classicalCompilerPackages;
 
   # *** Tests ***
   checkInputs = [
+    pytestCheckHook
     ddt
     hypothesis
     nbformat
     nbconvert
-    pytestCheckHook
-  ];
-  dontUseSetuptoolsCheck = true;  # can't find setup.py, so fails. tested by pytest
+  ] ++ lib.optionals (!withVisualization) visualizationPackages;
 
   pythonImportsCheck = [
     "qiskit"
@@ -90,6 +102,34 @@ buildPythonPackage rec {
 
   pytestFlagsArray = [
     "--ignore=test/randomized/test_transpiler_equivalence.py" # collection requires qiskit-aer, which would cause circular dependency
+  ] ++ lib.optionals (!withClassicalFunctionCompiler ) [
+    "--ignore=test/python/classical_function_compiler/"
+  ];
+  disabledTests = [
+    # Flaky tests
+    "test_cx_equivalence"
+    "test_pulse_limits"
+  ]
+  # Disabling slow tests for build constraints
+  ++ [
+    "test_all_examples"
+    "test_controlled_random_unitary"
+    "test_controlled_standard_gates_1"
+    "test_jupyter_jobs_pbars"
+    "test_lookahead_swap_higher_depth_width_is_better"
+    "test_move_measurements"
+    "test_job_monitor"
+    "test_wait_for_final_state"
+    "test_multi_controlled_y_rotation_matrix_basic_mode"
+    "test_two_qubit_weyl_decomposition_abc"
+    "test_isometry"
+    "test_parallel"
+    "test_random_state"
+    "test_random_clifford_valid"
+    "test_to_matrix"
+    "test_block_collection_reduces_1q_gate"
+    "test_multi_controlled_rotation_gate_matrices"
+    "test_block_collection_runs_for_non_cx_bases"
   ];
 
   # Moves tests to $PACKAGEDIR/test. They can't be run from /build because of finding
diff --git a/pkgs/development/python-modules/qiskit/default.nix b/pkgs/development/python-modules/qiskit/default.nix
index 46fcf498597..7c79d517ce5 100644
--- a/pkgs/development/python-modules/qiskit/default.nix
+++ b/pkgs/development/python-modules/qiskit/default.nix
@@ -15,15 +15,15 @@
 buildPythonPackage rec {
   pname = "qiskit";
   # NOTE: This version denotes a specific set of subpackages. See https://qiskit.org/documentation/release_notes.html#version-history
-  version = "0.20.0";
+  version = "0.23.1";
 
-  disabled = pythonOlder "3.5";
+  disabled = pythonOlder "3.6";
 
   src = fetchFromGitHub {
-    owner = "Qiskit";
+    owner = "qiskit";
     repo = "qiskit";
     rev = version;
-    sha256 = "1r23pjnql49gczf4k4m6ir5rr95gqdxjrks60p8a93d243mxx3c9";
+    sha256 = "0x4cqx1wqqj7h5g3vdag694qjzsmvhpw25yrlcs70mh5ywdp28x1";
   };
 
   propagatedBuildInputs = [
@@ -35,7 +35,6 @@ buildPythonPackage rec {
   ];
 
   checkInputs = [ pytestCheckHook ];
-  dontUseSetuptoolsCheck = true;
 
   pythonImportsCheck = [
     "qiskit"
@@ -43,6 +42,7 @@ buildPythonPackage rec {
     "qiskit.circuit"
     "qiskit.ignis"
     "qiskit.providers.aer"
+    "qiskit.providers.ibmq"
   ];
 
   meta = with lib; {
diff --git a/pkgs/development/python-modules/retworkx/default.nix b/pkgs/development/python-modules/retworkx/default.nix
index 49e4b1c2fc3..02a3ef64c57 100644
--- a/pkgs/development/python-modules/retworkx/default.nix
+++ b/pkgs/development/python-modules/retworkx/default.nix
@@ -1,7 +1,6 @@
 { lib
 , rustPlatform
 , python
-, fetchpatch
 , fetchFromGitHub
 , pipInstallHook
 , maturin
@@ -13,35 +12,30 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "retworkx";
-  version = "0.4.0";
+  version = "0.6.0";
 
   src = fetchFromGitHub {
     owner = "Qiskit";
     repo = "retworkx";
     rev = version;
-    sha256 = "1xqp6d39apkjvd0ad9vw81cp2iqzhpagfa4p171xqm3bwfn2imdc";
+    sha256 = "11n30ldg3y3y6qxg3hbj837pnbwjkqw3nxq6frds647mmmprrd20";
   };
 
-  cargoSha256 = "0bma0l14jv5qhcsxck7vw3ak1w3c8v84cq4hii86i4iqk523zns5";
-  cargoPatches = [
-      ( fetchpatch {
-        name = "retworkx-cargo-lock.patch";
-        url = "https://github.com/Qiskit/retworkx/commit/a02fd33d357a92dbe9530696a6d85aa59fe8a5b9.patch";
-        sha256 = "0gvxr1nqp9ll4skfks4p4d964pshal25kb1nbfzhpyipnzddizr5";
-      } )
-  ];
+  cargoSha256 = "1vg4yf0k6yypqf9z46zz818mz7fdrgxj7zl6zjf7pnm2r8mq3qw5";
 
   propagatedBuildInputs = [ python ];
 
   nativeBuildInputs = [ pipInstallHook maturin pip ];
 
-  # Need to check AFTER python wheel is installed (b/c using Rust Build, not buildPythonPackage)
+  # Needed b/c need to check AFTER python wheel is installed (using Rust Build, not buildPythonPackage)
   doCheck = false;
   doInstallCheck = true;
 
+  installCheckInputs = [ pytestCheckHook numpy ];
+
   buildPhase = ''
     runHook preBuild
-    maturin build --release --manylinux off --strip --interpreter ${python.interpreter}
+    maturin build --release --manylinux off --strip
     runHook postBuild
   '';
 
@@ -50,10 +44,9 @@ rustPlatform.buildRustPackage rec {
     pipInstallPhase
   '';
 
-  installCheckInputs = [ pytestCheckHook numpy ];
   preCheck = ''
     export TESTDIR=$(mktemp -d)
-    cp -r $TMP/$sourceRoot/tests $TESTDIR
+    cp -r tests/ $TESTDIR
     pushd $TESTDIR
   '';
   postCheck = "popd";
diff --git a/pkgs/development/tools/misc/blackfire/php-probe.nix b/pkgs/development/tools/misc/blackfire/php-probe.nix
index 8a02f615730..97b5f9ed82c 100644
--- a/pkgs/development/tools/misc/blackfire/php-probe.nix
+++ b/pkgs/development/tools/misc/blackfire/php-probe.nix
@@ -14,14 +14,15 @@ let
   soFile = {
     "7.3" = "blackfire-20180731";
     "7.4" = "blackfire-20190902";
+    "8.0" = "blackfire-20200930";
   }.${lib.versions.majorMinor php.version} or (throw "Unsupported PHP version.");
 in stdenv.mkDerivation rec {
   pname = "php-blackfire";
-  version = "1.44.0";
+  version = "1.46.4";
 
   src = fetchurl {
     url = "https://packages.blackfire.io/debian/pool/any/main/b/blackfire-php/blackfire-php_${version}_amd64.deb";
-    sha256 = "15y1244bbs07i7rg6cy8kynp1may4mbkmmwbxgq8q5zma3ldc8ci";
+    sha256 = "1p46zi1hh9calkcfgqz60c6rdi9i7i16ylj84iibi6k0pc690fjy";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/development/tools/the-way/default.nix b/pkgs/development/tools/the-way/default.nix
index 6042f5f891a..5506201b742 100644
--- a/pkgs/development/tools/the-way/default.nix
+++ b/pkgs/development/tools/the-way/default.nix
@@ -2,20 +2,20 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "the-way";
-  version = "0.7.0";
+  version = "0.12.1";
 
   src = fetchFromGitHub {
     owner = "out-of-cheese-error";
     repo = pname;
     rev = "v${version}";
-    sha256 = "1whmvzpqm8x1q45mzrp4p40nj251drcryj9z4qjxgjlfsd5d1fxq";
+    sha256 = "0lvkrfszmn594n9qkf518c38c0fwzm32y997wlf28l3hpj6yqddq";
   };
 
   nativeBuildInputs = [ installShellFiles ];
 
   buildInputs = stdenv.lib.optionals stdenv.isDarwin  [ AppKit Security ];
 
-  cargoSha256 = "0adhgp6blwx7s1hlwqzzsgkzc43q9avxx8a9ykvvv2s1w7m9ql78";
+  cargoSha256 = "1aiyfsvmrqcmlw0z1944i9s5g3yxc39na5mf16pb9a4bhw8zcwjr";
   checkFlagsArray = stdenv.lib.optionals stdenv.isDarwin [ "--skip=copy" ];
   cargoParallelTestThreads = false;
 
diff --git a/pkgs/games/osu-lazer/default.nix b/pkgs/games/osu-lazer/default.nix
index 88f0c6abfc5..f41d684d83f 100644
--- a/pkgs/games/osu-lazer/default.nix
+++ b/pkgs/games/osu-lazer/default.nix
@@ -13,13 +13,13 @@ let
 
 in stdenv.mkDerivation rec {
   pname = "osu-lazer";
-  version = "2020.1121.0";
+  version = "2020.1128.0";
 
   src = fetchFromGitHub {
     owner = "ppy";
     repo = "osu";
     rev = version;
-    sha256 = "54AP3NZv5Nov3CAJoxn5E5tO9HhtlEY36x8OHAV8YVE=";
+    sha256 = "0qf1lvzd668zd405ll3bdbk91xdyr2l9qg42ph93vjcnmrs2jqic";
   };
 
   patches = [ ./bypass-tamper-detection.patch ];
diff --git a/pkgs/games/osu-lazer/deps.nix b/pkgs/games/osu-lazer/deps.nix
index 42e5969dfc4..4272a816a58 100644
--- a/pkgs/games/osu-lazer/deps.nix
+++ b/pkgs/games/osu-lazer/deps.nix
@@ -334,6 +334,11 @@
     version = "1.1.0";
     sha256 = "1dq5yw7cy6s42193yl4iqscfw5vzkjkgv0zyy32scr4jza6ni1a1";
   })
+  (fetchNuGet {
+    name = "Microsoft.Bcl.AsyncInterfaces";
+    version = "1.1.1";
+    sha256 = "0a1ahssqds2ympr7s4xcxv5y8jgxs7ahd6ah6fbgglj4rki1f1vw";
+  })
   (fetchNuGet {
     name = "Microsoft.Build.Framework";
     version = "15.3.409";
@@ -356,18 +361,18 @@
   })
   (fetchNuGet {
     name = "Microsoft.CodeAnalysis.Common";
-    version = "3.7.0";
-    sha256 = "0882492nx6x68b0pkh3q5xaawz0b2l5x35r40722ignyjnvjydph";
+    version = "3.8.0";
+    sha256 = "12n7rvr39bzkf2maw7zplw8rwpxpxss4ich3bb2pw770rx4nyvyw";
   })
   (fetchNuGet {
     name = "Microsoft.CodeAnalysis.CSharp";
-    version = "3.7.0";
-    sha256 = "0adw6rcag8wxydzyiyhls2mxaqkay5qlz25z1fxrlv5qnchqn0n5";
+    version = "3.8.0";
+    sha256 = "1kmry65csvfn72zzc16vj1nfbfwam28wcmlrk3m5rzb8ydbzgylb";
   })
   (fetchNuGet {
     name = "Microsoft.CodeAnalysis.CSharp.Workspaces";
-    version = "3.7.0";
-    sha256 = "15rlz65wbky0yq7b9s8xwk68dgrhgsk4rj88q9pyjxbm5938vrav";
+    version = "3.8.0";
+    sha256 = "1jfbqfngwwjx3x1cyqaamf26s7j6wag86ig1n7bh99ny85gd78wb";
   })
   (fetchNuGet {
     name = "Microsoft.CodeAnalysis.FxCopAnalyzers";
@@ -381,13 +386,13 @@
   })
   (fetchNuGet {
     name = "Microsoft.CodeAnalysis.Workspaces.Common";
-    version = "3.7.0";
-    sha256 = "00nm453w4n6kjsicmz5izvkf1ki9rp3xnc9n3y7a9b1g5sxg36fs";
+    version = "3.8.0";
+    sha256 = "0qbirv7wxllzw5120pfa42wailfgzvl10373yhacankmfmbz2gnw";
   })
   (fetchNuGet {
     name = "Microsoft.CodeAnalysis.Workspaces.MSBuild";
-    version = "3.7.0";
-    sha256 = "1sh8s7b16j06p3gmzsgwd8690vagah4908bpa3gyz2fxgfnj46ax";
+    version = "3.8.0";
+    sha256 = "1ag78ls51s88znv4v004sbklrx3qnbphpdngjq196188a3vljww7";
   })
   (fetchNuGet {
     name = "Microsoft.CodeQuality.Analyzers";
@@ -416,8 +421,8 @@
   })
   (fetchNuGet {
     name = "Microsoft.Diagnostics.Runtime";
-    version = "2.0.151903";
-    sha256 = "1y7hsgzjs6b3323fcq5km515knykfgvdx4x8l1g03sy5h3lwwhak";
+    version = "2.0.156101";
+    sha256 = "1k9f6x95mscq484f4sywpb84016v9yb9bz6ha77wsjbsarl96my0";
   })
   (fetchNuGet {
     name = "Microsoft.DotNet.PlatformAbstractions";
@@ -546,8 +551,8 @@
   })
   (fetchNuGet {
     name = "Microsoft.Extensions.ObjectPool";
-    version = "3.1.9";
-    sha256 = "1gq1i7rb50dzj9hp07q0w9siyqy3hl0zqpk8na37s4jq6ikb5q82";
+    version = "5.0.0";
+    sha256 = "0m0r7avz4ygxa1pyj5sai25y0n42y7kz9iznl7m3146csxi1paf0";
   })
   (fetchNuGet {
     name = "Microsoft.Extensions.Options";
@@ -676,8 +681,8 @@
   })
   (fetchNuGet {
     name = "ppy.osu.Framework";
-    version = "2020.1120.0";
-    sha256 = "13vm6qly09f9b9bnf8r4wkypbxz673x852fjllj33sz55qh6957m";
+    version = "2020.1127.0";
+    sha256 = "05vxdkw5z7bylj8dyw52lxf3g12mmvdifwvwlgz00v6ybkxr455j";
   })
   (fetchNuGet {
     name = "ppy.osu.Framework.NativeLibs";
@@ -954,6 +959,11 @@
     version = "1.7.1";
     sha256 = "1nh4nlxfc7lbnbl86wwk1a3jwl6myz5j6hvgh5sp4krim9901hsq";
   })
+  (fetchNuGet {
+    name = "System.Collections.Immutable";
+    version = "5.0.0";
+    sha256 = "1kvcllagxz2q92g81zkz81djkn2lid25ayjfgjalncyc68i15p0r";
+  })
   (fetchNuGet {
     name = "System.ComponentModel.Annotations";
     version = "4.5.0";
@@ -1301,13 +1311,13 @@
   })
   (fetchNuGet {
     name = "System.Reflection.Metadata";
-    version = "1.6.0";
-    sha256 = "1wdbavrrkajy7qbdblpbpbalbdl48q3h34cchz24gvdgyrlf15r4";
+    version = "1.8.1";
+    sha256 = "17xxl3m99wa4hcpqy42vl8qb1jk2jfq32rj3sfjc1a46hi2si5jj";
   })
   (fetchNuGet {
     name = "System.Reflection.Metadata";
-    version = "1.8.1";
-    sha256 = "17xxl3m99wa4hcpqy42vl8qb1jk2jfq32rj3sfjc1a46hi2si5jj";
+    version = "5.0.0";
+    sha256 = "17qsl5nanlqk9iz0l5wijdn6ka632fs1m1fvx18dfgswm258r3ss";
   })
   (fetchNuGet {
     name = "System.Reflection.Primitives";
@@ -1364,11 +1374,6 @@
     version = "4.5.3";
     sha256 = "1afi6s2r1mh1kygbjmfba6l4f87pi5sg13p4a48idqafli94qxln";
   })
-  (fetchNuGet {
-    name = "System.Runtime.CompilerServices.Unsafe";
-    version = "4.7.0";
-    sha256 = "16r6sn4czfjk8qhnz7bnqlyiaaszr0ihinb7mq9zzr1wba257r54";
-  })
   (fetchNuGet {
     name = "System.Runtime.CompilerServices.Unsafe";
     version = "4.7.1";
@@ -1594,11 +1599,6 @@
     version = "4.3.0";
     sha256 = "1xxcx2xh8jin360yjwm4x4cf5y3a2bwpn2ygkfkwkicz7zk50s2z";
   })
-  (fetchNuGet {
-    name = "System.Threading.Tasks.Extensions";
-    version = "4.5.3";
-    sha256 = "0g7r6hm572ax8v28axrdxz1gnsblg6kszq17g51pj14a5rn2af7i";
-  })
   (fetchNuGet {
     name = "System.Threading.Tasks.Extensions";
     version = "4.5.4";
diff --git a/pkgs/misc/tpm2-pkcs11/default.nix b/pkgs/misc/tpm2-pkcs11/default.nix
index 7533707ccf9..610a8e06385 100644
--- a/pkgs/misc/tpm2-pkcs11/default.nix
+++ b/pkgs/misc/tpm2-pkcs11/default.nix
@@ -6,13 +6,13 @@
 
 stdenv.mkDerivation rec {
   pname = "tpm2-pkcs11";
-  version = "1.3.0";
+  version = "1.5.0";
 
   src = fetchFromGitHub {
     owner = "tpm2-software";
     repo = pname;
     rev = version;
-    sha256 = "12zj8jfm8jrwbqm3cnay8gx28ladmpyv5d29lp8qlfjqgflvhkwh";
+    sha256 = "0sm73a762c7qd6x3f052m00d7daprifimsfa17dfdf4jvy9fqy56";
   };
 
   patches = lib.singleton (
diff --git a/pkgs/os-specific/linux/pcm/default.nix b/pkgs/os-specific/linux/pcm/default.nix
index 74042cf7023..66f5dcf338a 100644
--- a/pkgs/os-specific/linux/pcm/default.nix
+++ b/pkgs/os-specific/linux/pcm/default.nix
@@ -1,14 +1,14 @@
 { stdenv, fetchFromGitHub }:
 
 stdenv.mkDerivation rec {
-  version = "202010";
+  version = "202011";
   pname = "pcm";
 
   src = fetchFromGitHub {
     owner = "opcm";
     repo = "pcm";
     rev = version;
-    sha256 = "00i7bp7hqwnphh7qyjydvz5s14ydj8rwivz995bdnd37582dyij9";
+    sha256 = "09p8drp9xvvs5bahgnr9xx6987fryz27xs2zaf1mr7a9wsh5j912";
   };
 
   installPhase = ''
diff --git a/pkgs/servers/monitoring/thanos/default.nix b/pkgs/servers/monitoring/thanos/default.nix
index 7c2ac16399f..8d144148975 100644
--- a/pkgs/servers/monitoring/thanos/default.nix
+++ b/pkgs/servers/monitoring/thanos/default.nix
@@ -1,13 +1,13 @@
 { stdenv, buildGoModule, fetchFromGitHub }:
 buildGoModule rec {
   pname = "thanos";
-  version = "0.17.0";
+  version = "0.17.1";
 
   src = fetchFromGitHub {
     rev = "v${version}";
     owner = "thanos-io";
     repo = "thanos";
-    sha256 = "06pr9zqfd7nq13pgg02px2d9rp7phxlmnirpkdfgbw799zrfvpag";
+    sha256 = "07814hk6nmvvkf7xklrin24vp17wm6nby358gk20ri4man822q8c";
   };
 
   vendorSha256 = "1j3gnzas0hpb5dljf5m97nw2v4r1bp3l99z36gbqkm6lqzr6hqk8";
diff --git a/pkgs/servers/nats-streaming-server/default.nix b/pkgs/servers/nats-streaming-server/default.nix
index 0245f087c93..e6a9f95a1b9 100644
--- a/pkgs/servers/nats-streaming-server/default.nix
+++ b/pkgs/servers/nats-streaming-server/default.nix
@@ -4,14 +4,14 @@ with lib;
 
 buildGoPackage rec {
   pname   = "nats-streaming-server";
-  version = "0.17.0";
+  version = "0.19.0";
   goPackagePath = "github.com/nats-io/${pname}";
 
   src = fetchFromGitHub {
     rev    = "v${version}";
     owner  = "nats-io";
     repo   = pname;
-    sha256 = "1dla70k6rxg34qzspq0j12zcjk654jrf3gm7gd45w4qdg8h2fyyg";
+    sha256 = "1wa2xby7v45f9idnhbkglknipm24wqx7mxmkyqz3amq17j4xfy7c";
   };
 
   meta = {
diff --git a/pkgs/servers/peach/default.nix b/pkgs/servers/peach/default.nix
new file mode 100644
index 00000000000..59d5a6c2f60
--- /dev/null
+++ b/pkgs/servers/peach/default.nix
@@ -0,0 +1,22 @@
+{ lib, buildGoModule, fetchFromGitHub }:
+
+buildGoModule rec {
+  pname = "peach";
+  version = "0.9.8";
+
+  src = fetchFromGitHub {
+    owner = "peachdocs";
+    repo = "peach";
+    rev = "v${version}";
+    sha256 = "1pzk3sah39hz8n1kswxl35djh6wm0qcfcwrbfi50nd4k3bdgz7xl";
+  };
+
+  vendorSha256 = "0f215hd5a9d4fyvdirp2j14ghap5vwv12i28jmzm6wxjihj8nn1g";
+
+  meta = with lib; {
+    description = "Web server for multi-language, real-time synchronization and searchable documentation";
+    homepage = "https://peachdocs.org/";
+    license = licenses.asl20;
+    maintainers = [ maintainers.ivar ];
+  };
+}
diff --git a/pkgs/servers/plex/raw.nix b/pkgs/servers/plex/raw.nix
index 7ed3bf8bfec..a6ec8dc23d7 100644
--- a/pkgs/servers/plex/raw.nix
+++ b/pkgs/servers/plex/raw.nix
@@ -1,6 +1,10 @@
 { stdenv
 , fetchurl
 , dpkg
+, writeScript
+, curl
+, jq
+, common-updater-scripts
 }:
 
 # The raw package that fetches and extracts the Plex RPM. Override the source
@@ -52,6 +56,27 @@ stdenv.mkDerivation rec {
   dontPatchELF = true;
   dontAutoPatchelf = true;
 
+  passthru.updateScript = writeScript "${pname}-updater" ''
+    #!${stdenv.shell}
+    set -eu -o pipefail
+    PATH=${stdenv.lib.makeBinPath [curl jq common-updater-scripts]}:$PATH
+
+    plexApiJson=$(curl -sS https://plex.tv/api/downloads/5.json)
+    latestVersion="$(echo $plexApiJson | jq .computer.Linux.version | tr -d '"\n')"
+
+    for platform in ${stdenv.lib.concatStringsSep " " meta.platforms}; do
+      arch=$(echo $platform | cut -d '-' -f1)
+      dlUrl="$(echo $plexApiJson | jq --arg arch "$arch" -c '.computer.Linux.releases[] | select(.distro == "debian") | select(.build | contains($arch)) .url' | tr -d '"\n')"
+
+      latestSha="$(nix-prefetch-url $dlUrl)"
+
+      # The script will not perform an update when the version attribute is up to date from previous platform run
+      # We need to clear it before each run
+      update-source-version plexRaw 0 $(yes 0 | head -64 | tr -d "\n") --system=$platform
+      update-source-version plexRaw "$latestVersion" "$latestSha" --system=$platform
+    done
+  '';
+
   meta = with stdenv.lib; {
     homepage = "https://plex.tv/";
     license = licenses.unfree;
diff --git a/pkgs/servers/rtsp-simple-server/default.nix b/pkgs/servers/rtsp-simple-server/default.nix
index 254c24754c2..94a15d35489 100644
--- a/pkgs/servers/rtsp-simple-server/default.nix
+++ b/pkgs/servers/rtsp-simple-server/default.nix
@@ -5,16 +5,16 @@
 
 buildGoModule rec {
   pname = "rtsp-simple-server";
-  version = "0.12.1";
+  version = "0.12.2";
 
   src = fetchFromGitHub {
     owner = "aler9";
     repo = pname;
     rev = "v${version}";
-    sha256 = "0x8di6zkbn7v77awlybp3m722a27kw20vrpjgalifv8p87238x24";
+    sha256 = "094brxiiapm7402q0ysaha2xk3wymc2kz8vqisjyiswz7wf4wsx0";
   };
 
-  vendorSha256 = "0p7d0c6zgbzj7wd2qdz578cgamydl6mp5sc8jmvnwb50h10n45af";
+  vendorSha256 = "007dyw825jsfma7sq5llxllhrzbkhqxr985s1nhg5cdd803gz42p";
 
   # Tests need docker
   doCheck = false;
diff --git a/pkgs/servers/sabnzbd/default.nix b/pkgs/servers/sabnzbd/default.nix
index f6b0574fa5c..f2cbb2f820c 100644
--- a/pkgs/servers/sabnzbd/default.nix
+++ b/pkgs/servers/sabnzbd/default.nix
@@ -20,14 +20,14 @@ let
   ]);
   path = stdenv.lib.makeBinPath [ par2cmdline unrar unzip p7zip ];
 in stdenv.mkDerivation rec {
-  version = "3.0.1";
+  version = "3.1.1";
   pname = "sabnzbd";
 
   src = fetchFromGitHub {
     owner = pname;
     repo = pname;
     rev = version;
-    sha256 = "1zp8cxz56qmai1z6xcscnq85gxhv64dv1s5zqsqdn0zpbxyqqdlr";
+    sha256 = "0m39r2il7d014kf2p6v28lw2hzshm6bhhdchqa8wzyvvmygqmwf2";
   };
 
   buildInputs = [ pythonEnv makeWrapper ];
diff --git a/pkgs/servers/tarssh/default.nix b/pkgs/servers/tarssh/default.nix
index 72e636b303f..4e9ef3e0b58 100644
--- a/pkgs/servers/tarssh/default.nix
+++ b/pkgs/servers/tarssh/default.nix
@@ -4,16 +4,16 @@ with rustPlatform;
 
 buildRustPackage rec {
   pname = "tarssh";
-  version = "0.4.0";
+  version = "0.5.0";
 
   src = fetchFromGitHub {
     rev = "v${version}";
     owner = "Freaky";
     repo = pname;
-    sha256 = "0fm0rwknhm39nhd6g0pnxby34i5gpmi5ri795d9ylsw0pqwz6kd0";
+    sha256 = "1waxfbw9lqbqv8igb291pjqg22324lzv4p7fsdfrkvxf95jd2i03";
   };
 
-  cargoSha256 = "108xdpgfgfd4z455snif0mzbla0rv8gjqxci5qgwjzfyshwkprgv";
+  cargoSha256 = "1f3anrh2y8yg7l4nilwk0a7c7kq5yvg07cqh75igjdb5a7p9di0j";
 
   meta = with stdenv.lib; {
     description = "A simple SSH tarpit inspired by endlessh";
diff --git a/pkgs/tools/admin/procs/default.nix b/pkgs/tools/admin/procs/default.nix
index c8e8528cff1..2c11b6f4523 100644
--- a/pkgs/tools/admin/procs/default.nix
+++ b/pkgs/tools/admin/procs/default.nix
@@ -2,16 +2,16 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "procs";
-  version = "0.10.9";
+  version = "0.10.10";
 
   src = fetchFromGitHub {
     owner = "dalance";
     repo = pname;
     rev = "v${version}";
-    sha256 = "1bxzwcj7jxv1hkbq84wigshni1ivdga7g77k3h9fxzn7c223yccd";
+    sha256 = "12p95nybsisqpji01qgkp5wfg7fwk814xdsz338q9wac8nvqw9w3";
   };
 
-  cargoSha256 = "1bf0r9kymc1w1rxpc0bjgj5faagmad9vh404n9860rpganrdjvkx";
+  cargoSha256 = "13wfz0ig9dsl0h085rzlrx0dg9la957c50xyzjfxq1ybw2qr266b";
 
   buildInputs = stdenv.lib.optional stdenv.isDarwin Security;
 
diff --git a/pkgs/tools/audio/tts/default.nix b/pkgs/tools/audio/tts/default.nix
new file mode 100644
index 00000000000..770e898f2ee
--- /dev/null
+++ b/pkgs/tools/audio/tts/default.nix
@@ -0,0 +1,123 @@
+{ lib
+, python3Packages
+, fetchFromGitHub
+, fetchpatch
+, python3
+}:
+
+#
+# Tested in the following setup:
+#
+# TTS model:
+#   Tacotron2 DDC
+#   https://drive.google.com/drive/folders/1Y_0PcB7W6apQChXtbt6v3fAiNwVf4ER5
+# Vocoder model:
+#   Multi-Band MelGAN
+#   https://drive.google.com/drive/folders/1XeRT0q4zm5gjERJqwmX5w84pMrD00cKD
+#
+# Arrange /tmp/tts like this:
+#   scale_stats.npy
+#   tts
+#   tts/checkpoint_130000.pth.tar
+#   tts/checkpoint_130000_tf.pkl
+#   tts/checkpoint_130000_tf_2.3rc0.tflite
+#   tts/config.json
+#   tts/scale_stats.npy
+#   vocoder
+#   vocoder/checkpoint_1450000.pth.tar
+#   vocoder/checkpoint_2750000_tf.pkl
+#   vocoder/checkpoint_2750000_tf_v2.3rc.tflite
+#   vocoder/config.json
+#   vocoder/scale_stats.npy
+#
+# Start like this:
+#   cd /tmp/tts
+#   tts-server \
+#     --vocoder_config ./tts/vocoder/config.json \
+#     --vocoder_checkpoint ./tts/vocoder/checkpoint_1450000.pth.tar \
+#     --tts_config ./tts/config.json \
+#     --tts_checkpoint ./tts/checkpoint_130000.pth.tar
+#
+# For now, for deployment check the systemd unit in the pull request:
+#   https://github.com/NixOS/nixpkgs/pull/103851#issue-521121136
+#
+
+python3Packages.buildPythonApplication rec {
+  pname = "tts";
+  # until https://github.com/mozilla/TTS/issues/424 is resolved
+  # we treat released models as released versions:
+  # https://github.com/mozilla/TTS/wiki/Released-Models
+  version = "unstable-2020-06-17";
+
+  src = fetchFromGitHub {
+    owner = "mozilla";
+    repo = "TTS";
+    rev = "72a6ac54c8cfaa407fc64b660248c6a788bdd381";
+    sha256 = "1wvs264if9n5xzwi7ryxvwj1j513szp6sfj6n587xk1fphi0921f";
+  };
+
+  patches = [
+    (fetchpatch {
+      url = "https://github.com/mozilla/TTS/commit/36fee428b9f3f4ec1914b090a2ec9d785314d9aa.patch";
+      sha256 = "sha256-pP0NxiyrsvQ0A7GEleTdT87XO08o7WxPEpb6Bmj66dc=";
+    })
+  ];
+
+  preBuild = ''
+    # numba jit tries to write to its cache directory
+    export HOME=$TMPDIR
+    sed -i -e 's!tensorflow==.*!tensorflow!' requirements.txt
+    sed -i -e 's!librosa==[^"]*!librosa!' requirements.txt setup.py
+    sed -i -e 's!unidecode==[^"]*!unidecode!' requirements.txt setup.py
+    sed -i -e 's!bokeh==[^"]*!bokeh!' requirements.txt setup.py
+    sed -i -e 's!numba==[^"]*!numba!' requirements.txt setup.py
+    # Not required for building/installation but for their development/ci workflow
+    sed -i -e '/pylint/d' requirements.txt setup.py
+    sed -i -e '/cardboardlint/d' requirements.txt setup.py
+  '';
+
+
+  propagatedBuildInputs = with python3Packages; [
+    matplotlib
+    scipy
+    pytorch
+    flask
+    attrdict
+    bokeh
+    soundfile
+    tqdm
+    librosa
+    unidecode
+    phonemizer
+    tensorboardx
+    fuzzywuzzy
+    tensorflow_2
+    inflect
+    gdown
+    pysbd
+  ];
+
+  postInstall = ''
+    cp -r TTS/server/templates/ $out/${python3.sitePackages}/TTS/server
+  '';
+
+  checkInputs = with python3Packages; [ pytestCheckHook ];
+
+  disabledTests = [
+    # RuntimeError: fft: ATen not compiled with MKL support
+    "test_torch_stft"
+    "test_stft_loss"
+    "test_multiscale_stft_loss"
+    # AssertionErrors that I feel incapable of debugging
+    "test_phoneme_to_sequence"
+    "test_text2phone"
+    "test_parametrized_gan_dataset"
+  ];
+
+  meta = with lib; {
+    homepage = "https://github.com/mozilla/TTS";
+    description = "Deep learning for Text to Speech";
+    license = licenses.mpl20;
+    maintainers = with maintainers; [ hexa mic92 ];
+  };
+}
diff --git a/pkgs/tools/misc/hdl-dump/default.nix b/pkgs/tools/misc/hdl-dump/default.nix
new file mode 100644
index 00000000000..96e81fe8bd4
--- /dev/null
+++ b/pkgs/tools/misc/hdl-dump/default.nix
@@ -0,0 +1,35 @@
+{ stdenv
+, fetchFromGitHub
+, upx
+}:
+
+let
+  version = "20202807";
+  pname = "hdl-dump";
+in stdenv.mkDerivation {
+  inherit pname version;
+
+  # Using AkuHAK's repo because playstation2's repo is outdated
+  src = fetchFromGitHub {
+    owner = "AKuHAK";
+    repo = pname;
+    rev = "be37e112a44772a1341c867dc3dfee7381ce9e59";
+    sha256 = "0akxak6hm11h8z6jczxgr795s4a8czspwnhl3swqxp803dvjdx41";
+  };
+
+  buildInputs = [ upx ];
+
+  makeFlags = [ "RELEASE=yes" ];
+
+  installPhase = ''
+    install -Dm755 hdl_dump -t $out/bin
+  '';
+
+  meta = with stdenv.lib; {
+    homepage = "https://github.com/AKuHAK/hdl-dump";
+    description = "PlayStation 2 HDLoader image dump/install utility";
+    platforms = platforms.linux;
+    license = licenses.gpl2Only;
+    maintainers = with maintainers; [ makefu ];
+  };
+}
diff --git a/pkgs/tools/misc/rmtrash/default.nix b/pkgs/tools/misc/rmtrash/default.nix
index 073871b0f43..d50079f82c2 100644
--- a/pkgs/tools/misc/rmtrash/default.nix
+++ b/pkgs/tools/misc/rmtrash/default.nix
@@ -3,13 +3,13 @@
 
 stdenv.mkDerivation rec {
   pname = "rmtrash";
-  version = "1.13";
+  version = "1.14";
 
   src = fetchFromGitHub {
     owner = "PhrozenByte";
     repo = pname;
     rev = "v${version}";
-    sha256 = "04a9c65wnkq1fj8qhdsdbps88xjbp7rn6p27y25v47kaysvrw01j";
+    sha256 = "0wfb2ykzlsxyqn9krfsis9jxhaxy3pxl71a4f15an1ngfndai694";
   };
 
   dontConfigure = true;
diff --git a/pkgs/tools/package-management/nfpm/default.nix b/pkgs/tools/package-management/nfpm/default.nix
index 66ea91a56d4..f10b90d0173 100644
--- a/pkgs/tools/package-management/nfpm/default.nix
+++ b/pkgs/tools/package-management/nfpm/default.nix
@@ -2,16 +2,16 @@
 
 buildGoModule rec {
   pname = "nfpm";
-  version = "1.10.1";
+  version = "1.10.2";
 
   src = fetchFromGitHub {
     owner = "goreleaser";
     repo = pname;
     rev = "v${version}";
-    sha256 = "1j9b6kkhlw2sx6qwnxkhsk7bj9vm2vr0z1hj1jf257fxw9m2q6mz";
+    sha256 = "08qz9zfk19iwf8qfv7vmzvbl8w1vpjrry25w3pxsg93gyjw8v7mi";
   };
 
-  vendorSha256 = "0x7r7qn4852q57fx5mcrw3aqdydmidk9g0hvj6apj81q77k5svqs";
+  vendorSha256 = "0qnfd47ykb6g28d3mnfncgmkvqd1myx47x563sxx4lcsq542q83n";
 
   doCheck = false;
 
diff --git a/pkgs/tools/text/miller/default.nix b/pkgs/tools/text/miller/default.nix
index 3bacd53c713..ca71c3a1b3d 100644
--- a/pkgs/tools/text/miller/default.nix
+++ b/pkgs/tools/text/miller/default.nix
@@ -3,13 +3,13 @@
 stdenv.mkDerivation rec {
   pname = "miller";
 
-  version = "5.9.1";
+  version = "5.10.0";
 
   src = fetchFromGitHub {
     owner = "johnkerl";
     repo = "miller";
     rev = "v${version}";
-    sha256 = "1i9bcpfjnl2yjnfmf0ar1l62zwq01ph0yylz0dby8k2l7cvq5ci6";
+    sha256 = "02jqbxnchljyqnmlbxjaf5zpdi03gxapfy38dfikl5j4f7yyxvjs";
   };
 
   nativeBuildInputs = [ autoreconfHook flex libtool ];
diff --git a/pkgs/tools/text/vale/default.nix b/pkgs/tools/text/vale/default.nix
index 0a9ec734e3a..893f54eedc6 100644
--- a/pkgs/tools/text/vale/default.nix
+++ b/pkgs/tools/text/vale/default.nix
@@ -2,7 +2,7 @@
 
 buildGoModule rec {
   pname = "vale";
-  version = "2.6.3";
+  version = "2.6.4";
 
   subPackages = [ "." ];
   outputs = [ "out" "data" ];
@@ -11,7 +11,7 @@ buildGoModule rec {
     owner  = "errata-ai";
     repo   = "vale";
     rev    = "v${version}";
-    sha256 = "1svzsm40jm694s5gxg807k0jib8pl5vk2rb2ih8qr9bb23a4h95x";
+    sha256 = "192w98ghfldxamkx717wqa4v3lsr2imlf8xd6ygjpgx78b5zvvcx";
   };
 
   vendorSha256 = null;
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 7e317aca5ec..4b245c4ccb4 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -10494,6 +10494,12 @@ in
   phpExtensions = php74Extensions;
   phpPackages = php74Packages;
 
+  php80 = callPackage ../development/interpreters/php/8.0.nix {
+    stdenv = if stdenv.cc.isClang then llvmPackages_6.stdenv else stdenv;
+  };
+  php80Extensions = recurseIntoAttrs php80.extensions;
+  php80Packages = recurseIntoAttrs php80.packages;
+
   # Import PHP74 interpreter, extensions and packages
   php74 = callPackage ../development/interpreters/php/7.4.nix {
     stdenv = if stdenv.cc.isClang then llvmPackages_6.stdenv else stdenv;
@@ -21666,6 +21672,8 @@ in
 
   howl = callPackage ../applications/editors/howl { };
 
+  hdl-dump = callPackage ../tools/misc/hdl-dump { };
+
   hpcg = callPackage ../tools/misc/hpcg/default.nix { };
 
   hpl = callPackage ../tools/misc/hpl { mpi = openmpi; };
@@ -23163,6 +23171,8 @@ in
     inherit (gst_all_1) gstreamer gst-plugins-base gst-plugins-good gst-libav;
   };
 
+  peach = callPackage ../servers/peach { };
+
   peaclock = callPackage ../applications/misc/peaclock {
     stdenv = gccStdenv;
   };
@@ -25982,6 +25992,8 @@ in
 
   tremulous = callPackage ../games/tremulous { };
 
+  tts = callPackage ../tools/audio/tts { };
+
   tuxpaint = callPackage ../games/tuxpaint { };
 
   tuxtype = callPackage ../games/tuxtype { };
diff --git a/pkgs/top-level/perl-packages.nix b/pkgs/top-level/perl-packages.nix
index 1863ae0b36d..0cb1b2334da 100644
--- a/pkgs/top-level/perl-packages.nix
+++ b/pkgs/top-level/perl-packages.nix
@@ -598,10 +598,10 @@ let
 
   Appcpm = buildPerlModule {
     pname = "App-cpm";
-    version = "0.994";
+    version = "0.995";
     src = fetchurl {
-      url = "mirror://cpan/authors/id/S/SK/SKAJI/App-cpm-0.994.tar.gz";
-      sha256 = "4242ecb64aaae09034eddb1b338e005567ace29f2ac2d1bca4d4bcf4e15d21c4";
+      url = "mirror://cpan/authors/id/S/SK/SKAJI/App-cpm-0.995.tar.gz";
+      sha256 = "b17fb0b7f97eb86430952bf387b6f08b5252413cb97474d1bf26e3376a4cc496";
     };
     buildInputs = [ ModuleBuildTiny ];
     propagatedBuildInputs = [ CPANCommonIndex CPANDistnameInfo ClassTiny CommandRunner ExtUtilsInstallPaths FileCopyRecursive Filepushd HTTPTinyish MenloLegacy ModuleCPANfile ParallelPipes locallib ];
@@ -8429,10 +8429,10 @@ let
 
   FutureAsyncAwait = buildPerlModule rec {
     pname = "Future-AsyncAwait";
-    version = "0.46";
+    version = "0.47";
     src = fetchurl {
       url = "mirror://cpan/authors/id/P/PE/PEVANS/Future-AsyncAwait-${version}.tar.gz";
-      sha256 = "1iqbs7n8923xjkai51hiczn5an8cskddl7qrfi30axjl1d56h6r0";
+      sha256 = "1ja85hzzl36sjikcyavjqy4m41f2yyrsr1ipypzi5mlw7clhmdi3";
     };
     buildInputs = [ TestRefcount ];
     propagatedBuildInputs = [ Future XSParseSublike ];
diff --git a/pkgs/top-level/php-packages.nix b/pkgs/top-level/php-packages.nix
index d4518b60d24..d5bebb9bd84 100644
--- a/pkgs/top-level/php-packages.nix
+++ b/pkgs/top-level/php-packages.nix
@@ -3,7 +3,7 @@
 , html-tidy, libzip, zlib, pcre, pcre2, libxslt, aspell, openldap, cyrus_sasl
 , uwimap, pam, libiconv, enchant1, libXpm, gd, libwebp, libjpeg, libpng
 , freetype, libffi, freetds, postgresql, sqlite, net-snmp, unixODBC, libedit
-, readline, rsync, fetchpatch
+, readline, rsync, fetchpatch, valgrind
 }:
 
 let
@@ -331,7 +331,7 @@ in
           sha256 = "055l40lpyhb0rbjn6y23qkzdhvpp7inbnn6x13cpn4inmhjqfpg4";
         });
       }
-      { name = "json"; }
+      { name = "json"; enable = lib.versionOlder php.version "8.0"; }
       { name = "ldap";
         buildInputs = [ openldap cyrus_sasl ];
         configureFlags = [
@@ -341,7 +341,9 @@ in
           "LDAP_LIBDIR=${openldap.out}/lib"
         ] ++ lib.optional stdenv.isLinux "--with-ldap-sasl=${cyrus_sasl.dev}";
         doCheck = false; }
-      { name = "mbstring"; buildInputs = [ oniguruma ]; doCheck = false; }
+      { name = "mbstring"; buildInputs = [ oniguruma ] ++ lib.optionals (lib.versionAtLeast php.version "8.0") [
+          pcre'
+        ]; doCheck = false; }
       { name = "mysqli";
         internalDeps = [ php.extensions.mysqlnd ];
         configureFlags = [ "--with-mysqli=mysqlnd" "--with-mysql-sock=/run/mysqld/mysqld.sock" ];
@@ -388,11 +390,13 @@ in
       # oci8 (7.4, 7.3, 7.2)
       # odbc (7.4, 7.3, 7.2)
       { name = "opcache";
-        buildInputs = [ pcre' ];
+        buildInputs = [ pcre' ] ++ lib.optionals (lib.versionAtLeast php.version "8.0") [
+          valgrind.dev
+        ];
         # HAVE_OPCACHE_FILE_CACHE is defined in config.h, which is
         # included from ZendAccelerator.h, but ZendAccelerator.h is
         # included after the ifdef...
-        patches = lib.optional (lib.versionOlder php.version "7.4") [
+        patches = [] ++ lib.optional (lib.versionAtLeast php.version "8.0") [ ../development/interpreters/php/fix-opcache-configure.patch ] ++lib.optional (lib.versionOlder php.version "7.4") [
           (pkgs.writeText "zend_file_cache_config.patch" ''
             --- a/ext/opcache/zend_file_cache.c
             +++ b/ext/opcache/zend_file_cache.c
@@ -456,7 +460,7 @@ in
         doCheck = false;
       }
       # recode (7.3, 7.2)
-      { name = "session"; }
+      { name = "session"; doCheck = !(lib.versionAtLeast php.version "8.0"); }
       { name = "shmop"; }
       { name = "simplexml";
         buildInputs = [ libxml2 pcre' ];
diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix
index c09db155003..1b47ea9b35d 100644
--- a/pkgs/top-level/python-packages.nix
+++ b/pkgs/top-level/python-packages.nix
@@ -4611,6 +4611,8 @@ in {
 
   pkuseg = callPackage ../development/python-modules/pkuseg { };
 
+  pysbd = callPackage ../development/python-modules/pysbd { };
+
   python-csxcad = callPackage ../development/python-modules/python-csxcad { };
 
   python-openems = callPackage ../development/python-modules/python-openems { };