diff --git a/nixos/modules/installer/tools/nix-fallback-paths.nix b/nixos/modules/installer/tools/nix-fallback-paths.nix
index 0bc5787af676d..36ce0fb728f08 100644
--- a/nixos/modules/installer/tools/nix-fallback-paths.nix
+++ b/nixos/modules/installer/tools/nix-fallback-paths.nix
@@ -1,8 +1,8 @@
 {
-  x86_64-linux = "/nix/store/2nhrwv91g6ycpyxvhmvc0xs8p92wp4bk-nix-2.24.9";
-  i686-linux = "/nix/store/idaxj9ji6ggpn1h47a35mf0c8ns4ma39-nix-2.24.9";
-  aarch64-linux = "/nix/store/7b5q44l2p70bf6m6dprr8f0587ypwq1z-nix-2.24.9";
-  riscv64-linux = "/nix/store/mgw3il1qk59750g5hbf02km79rgyx00y-nix-riscv64-unknown-linux-gnu-2.24.9";
-  x86_64-darwin = "/nix/store/rp8rc0pfgham7d7spj5s9syzb138dmmd-nix-2.24.9";
-  aarch64-darwin = "/nix/store/1n95r340s7p3vdwqh7m94q0a42crahqq-nix-2.24.9";
+  x86_64-linux = "/nix/store/hdy82qidsybc3fg561pqfwagv44vschb-nix-2.24.10";
+  i686-linux = "/nix/store/dyx4p79q6blva585bf90wbjjb7iyq8ra-nix-2.24.10";
+  aarch64-linux = "/nix/store/30gnc15nig1awa11vii9yz3z8518rnr3-nix-2.24.10";
+  riscv64-linux = "/nix/store/bxc2pyp1vj8kr77khyx5nglw73jqb98w-nix-riscv64-unknown-linux-gnu-2.24.10";
+  x86_64-darwin = "/nix/store/6mrkghigrci6dz2lnncqpgf80yi8gl7h-nix-2.24.10";
+  aarch64-darwin = "/nix/store/3f81gjiv836rjmsb29zab0pbjwf9did8-nix-2.24.10";
 }
diff --git a/pkgs/tools/package-management/nix/README.md b/pkgs/tools/package-management/nix/README.md
index 0105b504e9b0e..968eae026f1b0 100644
--- a/pkgs/tools/package-management/nix/README.md
+++ b/pkgs/tools/package-management/nix/README.md
@@ -33,3 +33,9 @@ curl https://releases.nixos.org/nix/nix-$version/fallback-paths.nix > nixos/modu
 If you're updating `nixVersions.stable`, follow all the steps mentioned above, but use the **staging** branch for your pull request (or **staging-next** after coordinating with the people in matrix `#staging:nixos.org`)
 This is necessary because, at the end of the staging-next cycle, the NixOS tests are built through the [staging-next-small](https://hydra.nixos.org/jobset/nixos/staging-next-small) jobset.
 Especially nixos installer test are important to look at here.
+
+There is a script to update minor versions:
+
+```
+./pkgs/tools/package-management/nix/update-all.sh
+```
diff --git a/pkgs/tools/package-management/nix/common.nix b/pkgs/tools/package-management/nix/common.nix
index 4d04cbb6274d7..07e58a41e400d 100644
--- a/pkgs/tools/package-management/nix/common.nix
+++ b/pkgs/tools/package-management/nix/common.nix
@@ -16,6 +16,7 @@ let
   atLeast210 = lib.versionAtLeast version "2.10pre";
   atLeast213 = lib.versionAtLeast version "2.13pre";
   atLeast214 = lib.versionAtLeast version "2.14pre";
+  atLeast218 = lib.versionAtLeast version "2.18pre";
   atLeast219 = lib.versionAtLeast version "2.19pre";
   atLeast220 = lib.versionAtLeast version "2.20pre";
   atLeast221 = lib.versionAtLeast version "2.21pre";
@@ -42,6 +43,7 @@ in
 , callPackage
 , coreutils
 , curl
+, darwin
 , docbook_xsl_ns
 , docbook5
 , editline
@@ -158,6 +160,8 @@ self = stdenv.mkDerivation {
     libseccomp
   ] ++ lib.optionals withAWS [
     aws-sdk-cpp
+  ] ++ lib.optional (atLeast218 && stdenv.hostPlatform.isDarwin) [
+    darwin.apple_sdk.libs.sandbox
   ];
 
 
diff --git a/pkgs/tools/package-management/nix/update-all.sh b/pkgs/tools/package-management/nix/update-all.sh
index 00a5bea821691..916e8122799fc 100755
--- a/pkgs/tools/package-management/nix/update-all.sh
+++ b/pkgs/tools/package-management/nix/update-all.sh
@@ -8,11 +8,22 @@ NIXPKGS_DIR=$(readlink -f "$SCRIPT_DIR/../../../..")
 cd "$NIXPKGS_DIR"
 
 nix_versions=$(nix eval --impure --json --expr "with import ./. { config.allowAliases = false; }; builtins.filter (name: builtins.match \"nix_.*\" name != null) (builtins.attrNames nixVersions)" | jq -r '.[]')
+stable_version_full=$(nix eval --impure --json --expr "with import ./. { config.allowAliases = false; }; nixVersions.stable.version" | jq -r)
+
+# strip patch version
+stable_version_trimmed=${stable_version_full%.*}
+
 for name in $nix_versions; do
     minor_version=${name#nix_*_}
     if [[ "$name" = "nix_2_3" ]]; then # not maintained by the nix team
         continue
     fi
+    if [[ "$name" = "nix_${stable_version_trimmed//./_}" ]]; then
+        curl https://releases.nixos.org/nix/nix-$stable_version_full/fallback-paths.nix > "$NIXPKGS_DIR/nixos/modules/installer/tools/nix-fallback-paths.nix"
+        # nix-update will commit the file if it has changed
+        git add "$NIXPKGS_DIR/nixos/modules/installer/tools/nix-fallback-paths.nix"
+    fi
+
     nix-update --override-filename "$SCRIPT_DIR/default.nix" --version-regex "(2\\.${minor_version}\..+)" --build --commit "nixVersions.$name"
 done