diff --git a/flake.lock b/flake.lock
index 49bbaeaf093..ba9a7be73eb 100644
--- a/flake.lock
+++ b/flake.lock
@@ -3,11 +3,11 @@
     "libosi-src": {
       "flake": false,
       "locked": {
-        "lastModified": 1693574302,
-        "narHash": "sha256-rHbfp1llyVEvHw+sz+rCmx9DrR/e1nnJYRidhPM3jZY=",
+        "lastModified": 1728766783,
+        "narHash": "sha256-J1PD5pIYRK1tdIo4llhm/n3aa+bg066yrKNAx6zN1WE=",
         "owner": "panda-re",
         "repo": "libosi",
-        "rev": "c68bafdb7e2a4d83128ae6ba0f5f70e28318eda0",
+        "rev": "8b1d9f172d58761b646d2bc43fdcde1d0227f479",
         "type": "github"
       },
       "original": {
@@ -16,24 +16,68 @@
         "type": "github"
       }
     },
+    "nix-filter": {
+      "locked": {
+        "lastModified": 1731533336,
+        "narHash": "sha256-oRam5PS1vcrr5UPgALW0eo1m/5/pls27Z/pabHNy2Ms=",
+        "owner": "numtide",
+        "repo": "nix-filter",
+        "rev": "f7653272fd234696ae94229839a99b73c9ab7de0",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "nix-filter",
+        "type": "github"
+      }
+    },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1699725108,
-        "narHash": "sha256-NTiPW4jRC+9puakU4Vi8WpFEirhp92kTOSThuZke+FA=",
+        "lastModified": 0,
+        "narHash": "sha256-En+gSoVJ3iQKPDU1FHrR6zIxSLXKjzKY+pnh9tt+Yts=",
+        "path": "/nix/store/45bzbkwnyb6nikgc7jkrn7vjibhy4xhk-source",
+        "type": "path"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "type": "indirect"
+      }
+    },
+    "nixpkgs-wireshark": {
+      "locked": {
+        "lastModified": 1654613154,
+        "narHash": "sha256-Kqpik8NNIzErNoeiQc6FS9F7RMVuG9ykZzVkL+Z7nXg=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "911ad1e67f458b6bcf0278fa85e33bb9924fed7e",
+        "rev": "e93823409f9e6b8e878edf060b430a14353a28f9",
         "type": "github"
       },
       "original": {
-        "id": "nixpkgs",
-        "type": "indirect"
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "e93823409f9e6b8e878edf060b430a14353a28f9",
+        "type": "github"
+      }
+    },
+    "panda-config": {
+      "flake": false,
+      "locked": {
+        "narHash": "sha256-d6xi4mKdjkX2JFicDIv5niSzpyI0m/Hnm8GGAIU04kY=",
+        "type": "file",
+        "url": "file:/dev/null"
+      },
+      "original": {
+        "type": "file",
+        "url": "file:/dev/null"
       }
     },
     "root": {
       "inputs": {
         "libosi-src": "libosi-src",
-        "nixpkgs": "nixpkgs"
+        "nix-filter": "nix-filter",
+        "nixpkgs": "nixpkgs",
+        "nixpkgs-wireshark": "nixpkgs-wireshark",
+        "panda-config": "panda-config"
       }
     }
   },
diff --git a/flake.nix b/flake.nix
index 2d556935b43..58240d2f643 100644
--- a/flake.nix
+++ b/flake.nix
@@ -2,63 +2,85 @@
   description = "PANDA: Platform for Architecture-Neutral Dynamic Analysis";
 
   inputs = {
+    # nixpkgs with a Wireshark version that works with the network plugin.
+    nixpkgs-wireshark = {
+      url = "github:NixOS/nixpkgs?rev=e93823409f9e6b8e878edf060b430a14353a28f9";
+    };
     libosi-src = {
       url = "github:panda-re/libosi";
       flake = false;
     };
+    # Override this input to change which plugins are built.
+    panda-config = {
+      url = "file:/dev/null";
+      flake = false;
+    };
+    nix-filter.url = "github:numtide/nix-filter";
   };
 
-  outputs = { self, nixpkgs, libosi-src }: {
+  outputs = { self, nixpkgs, nixpkgs-wireshark, libosi-src, panda-config, nix-filter }: 
+    let
+      system = "x86_64-linux";
+      
+      pkgs = import nixpkgs { inherit system; };
+      lib = pkgs.lib;
+      pyPkgs = pkgs.python3Packages;
 
-    packages.x86_64-linux.default = let
+      filter = nix-filter.lib;
 
-      pkgs = import nixpkgs {
-        system = "x86_64-linux";
-        config.permittedInsecurePackages = [ "libdwarf-20210528" ];
-      };
+      panda-config-content = builtins.readFile panda-config;
+      panda-config-enabled = if panda-config-content == "" then (builtins.readFile ./panda/plugins/config.panda) else panda-config-content;
 
-      pyPkgs = pkgs.python3Packages;
+      # Is any plugin in `plugins` enabled in config.panda?
+      plugin-enabled = plugins:
+        (builtins.match "(^|.*\n)(${builtins.concatStringsSep "|" plugins})(\n.*|$)" panda-config-enabled) != null;
 
-      # We need to use an older version of wireshark, since 2.5.1 breaks the network plugin
-      wireshark = (import (pkgs.fetchFromGitHub {
-        owner = "NixOS";
-        repo = "nixpkgs";
-        rev = "a7e0fb6ffcae252bdd0c85928f179c74c3492a89";
-        hash = "sha256-RdXz/U0JJvsABkGWhF4Cukl4KuZvOJvkci7EuizKid0=";
-      }) { localSystem.system = "x86_64-linux"; }).wireshark-cli.overrideAttrs
+      wireshark = (import nixpkgs-wireshark { inherit system; }).wireshark-cli.overrideAttrs
         (prev: {
           outputs = [ "out" "dev" ];
           postInstall = ''
             ${prev.postInstall}
 
-            # Install headers
-            mkdir $dev/include/wireshark/{epan/{wmem,ftypes,dfilter},wsutil,wiretap} -pv
             cp config.h $dev/include/wireshark
-            cp ../ws_*.h $dev/include/wireshark
-            cp ../epan/*.h $dev/include/wireshark/epan/
-            cp ../epan/wmem/*.h $dev/include/wireshark/epan/wmem/
-            cp ../epan/ftypes/*.h $dev/include/wireshark/epan/ftypes/
-            cp ../epan/dfilter/*.h $dev/include/wireshark/epan/dfilter/
-            cp ../wsutil/*.h $dev/include/wireshark/wsutil/
-            cp ../wiretap/*.h $dev/include/wireshark/wiretap
           '';
         });
 
+      libdwarf = pkgs.stdenv.mkDerivation rec {
+        pname = "libdwarf";
+        version = "20210528";
+
+        src = pkgs.fetchurl {
+          url = "https://www.prevanders.net/libdwarf-${version}.tar.gz";
+          hash = "sha512-4PnIhVQFPubBsTM5YIkRieeCDEpN3DArfmN1Skzc/CrLG0tgg6ci0SBKdemU//NAHswlG4w7JAkPjLQEbZD4cA==";
+        };
+
+        configureFlags = [ "--enable-shared" "--disable-nonshared" ];
+        buildInputs = with pkgs; [ zlib libelf ];
+        outputs = [ "bin" "lib" "dev" "out" ];
+        enableParallelBuilding = true;
+      };
+
       libosi = pkgs.stdenv.mkDerivation {
         name = "libosi";
         src = libosi-src;
         buildInputs = with pkgs; [ cmake pkg-config glib ];
       };
 
-      default = pkgs.stdenv.mkDerivation {
+      panda = pkgs.stdenv.mkDerivation {
         name = "panda";
-        src = ./.;
+        src = filter {
+          root = ./.;
+          # exclude flake files to prevent unnecessary rebuilds
+          exclude = [
+            ./flake.nix
+            ./flake.lock
+          ];
+        };
         cargoRoot = "panda/plugins";
         cargoDeps = pkgs.rustPlatform.importCargoLock {
           lockFile = ./panda/plugins/Cargo.lock;
         };
         buildInputs = (with pkgs; [
-          pkg-config
           python3
           zlib
           glib
@@ -69,14 +91,16 @@
           protobufc
           protobuf
           cargo
-          curl
-          libdwarf_20210528
           zip
-          libelf
-          jsoncpp
-        ]) ++ [ wireshark libosi ]
+        ])
+          ++ (lib.optionals (plugin-enabled [ "network" ]) [ wireshark ])
+          ++ (lib.optionals (plugin-enabled [ "wintrospection" ]) [ libosi ])
+          ++ (lib.optionals (plugin-enabled [ "pri_dwarf" ]) [ libdwarf ])
+          ++ (lib.optionals (plugin-enabled [ "pri_dwarf" "dwarf2" ]) [ pkgs.libelf ])
+          ++ (lib.optionals (plugin-enabled [ "dwarf2" "syscalls_logger" ]) [ pkgs.jsoncpp ])
+          ++ (lib.optionals (plugin-enabled [ "osi_linux" ]) [ pkgs.curl ])
           ++ (with pyPkgs; [ pycparser libfdt setuptools ]);
-        nativeBuildInputs = [ pkgs.rustPlatform.cargoSetupHook ];
+        nativeBuildInputs = [ pkgs.pkg-config pkgs.rustPlatform.cargoSetupHook ];
         propagatedBuildInputs = with pyPkgs; [ cffi colorama ];
         enableParallelBuilding = true;
         patches = [
@@ -113,16 +137,10 @@
             --replace '/usr/include/wireshark' '${wireshark.dev}/include/wireshark'
           substituteInPlace panda/plugins/pri_dwarf/*.{h,cpp} \
             --replace '<libdwarf/' '<'
-          substituteInPlace panda/python/core/pandare/utils.py \
-            --replace \
-            'pjoin(python_package, arch_dir), pjoin(local_build, arch_dir)' \
-            'realpath(pjoin(dirname(__file__), "../../../../bin"))'
-          substituteInPlace panda/python/core/pandare/panda.py \
-            --replace 'self.plugin_path = plugin_path' "self.plugin_path = plugin_path or pjoin('$out', 'lib/panda', arch)" \
-            --replace 'if libpanda_path:' 'if True:' \
-            --replace '= libpanda_path' "= libpanda_path or pjoin('$out', 'bin', f'libpanda-{arch}.so')" \
-            --replace 'realpath(pjoin(self.get_build_dir(), "pc-bios"))' "pjoin('$out', 'share/panda')"
-        '';
+        ''
+          + lib.optionalString (panda-config-content != "") ''
+            cp "${panda-config}" panda/plugins/config.panda
+          '';
         preConfigure = "mkdir build && cd build";
         configureScript = "../configure";
         configureFlags = [
@@ -142,15 +160,59 @@
           # TODO: "--enable-llvm"
         ];
         postInstall = ''
-          rm -r $out/lib/panda/*/{cosi,cosi_strace,gdb,snake_hook,rust_skeleton}
-          (
-            cd ../panda/python/core
-            python3 setup.py install --prefix "$out"
-          )
+          rm -rf $out/lib/panda/*/{cosi,cosi_strace,gdb,snake_hook,rust_skeleton}
+          # Generated files for PyPANDA (built separately)
+          (cd ../panda/python/core && python ./create_panda_datatypes.py)
+          mkdir "$out/lib/panda/python"
+          cp -r ../panda/python/core/pandare/{autogen,include,plog_pb2.py} "$out/lib/panda/python"
+          rm -r "$out/lib/python3"
         '';
       };
 
-    in default;
+      pypanda = let
+        panda = self.packages.x86_64-linux.default;
+      in pyPkgs.buildPythonPackage {
+        pname = "pandare";
+        version = "1.8";
+        format = "setuptools";
+        src = ./panda/python/core;
 
-  };
+        propagatedBuildInputs = with pyPkgs; [
+          cffi
+          protobuf
+          colorama
+        ];
+
+        nativeBuildInputs = [
+          pyPkgs.setuptools_scm
+        ];
+
+        buildInputs = [ panda ];
+
+        postPatch = ''
+          substituteInPlace setup.py \
+            --replace 'install_requires=parse_requirements("requirements.txt"),' ""
+          substituteInPlace pandare/utils.py \
+            --replace '/usr/local/bin/' '${panda}'
+          substituteInPlace pandare/panda.py \
+            --replace 'self.plugin_path = plugin_path' "self.plugin_path = plugin_path or pjoin('${panda}', 'lib/panda', arch)" \
+            --replace 'if libpanda_path:' 'if True:' \
+            --replace '= libpanda_path' "= libpanda_path or pjoin('${panda}', 'bin', f'libpanda-{arch}.so')" \
+            --replace 'realpath(pjoin(self.get_build_dir(), "pc-bios"))' "pjoin('${panda}', 'share/panda')"
+
+          # Use auto-generated files from separate derivation above.
+          rm create_panda_datatypes.py
+          rm -r pandare/{include,autogen}
+          cp -rt pandare "${panda}"/lib/panda/python/{include,autogen,plog_pb2.py}
+        '';
+      };
+
+    in {
+      packages.x86_64-linux = {
+        default = panda;
+        pypanda = pypanda;
+        wireshark = wireshark;
+        libdwarf = libdwarf;
+      };
+    };
 }