diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
index 27fbd68a6f3a..d59af54aa2fa 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
@@ -939,6 +939,16 @@
true.
+
+
+ The element-desktop package now has an
+ useKeytar option (defaults to
+ true), which allows disabling
+ keytar and in turn
+ libsecret usage (which binds to native
+ credential managers / keychain libraries).
+
+
The option services.thelounge.plugins has
diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md
index 388ddc67fb26..201969badc95 100644
--- a/nixos/doc/manual/release-notes/rl-2205.section.md
+++ b/nixos/doc/manual/release-notes/rl-2205.section.md
@@ -313,6 +313,10 @@ In addition to numerous new and upgraded packages, this release has the followin
using `fetchgit` or `fetchhg` if the argument `fetchSubmodules`
is set to `true`.
+- The `element-desktop` package now has an `useKeytar` option (defaults to `true`),
+ which allows disabling `keytar` and in turn `libsecret` usage
+ (which binds to native credential managers / keychain libraries).
+
- The option `services.thelounge.plugins` has been added to allow installing plugins for The Lounge. Plugins can be found in `pkgs.theLoungePlugins.plugins` and `pkgs.theLoungePlugins.themes`.
- The `firmwareLinuxNonfree` package has been renamed to `linux-firmware`.
diff --git a/pkgs/applications/networking/instant-messengers/element/element-desktop.nix b/pkgs/applications/networking/instant-messengers/element/element-desktop.nix
index d9683740667c..c9b45b2f8b68 100644
--- a/pkgs/applications/networking/instant-messengers/element/element-desktop.nix
+++ b/pkgs/applications/networking/instant-messengers/element/element-desktop.nix
@@ -13,12 +13,15 @@
, AppKit
, CoreServices
, desktopToDarwinBundle
+, useKeytar ? true
}:
let
pinData = lib.importJSON ./pin.json;
executableName = "element-desktop";
electron_exec = if stdenv.isDarwin then "${electron}/Applications/Electron.app/Contents/MacOS/Electron" else "${electron}/bin/electron";
+ keytar = callPackage ./keytar { inherit Security AppKit; };
+ seshat = callPackage ./seshat { inherit CoreServices; };
in
mkYarnPackage rec {
pname = "element-desktop";
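Review bot: `useKeytar ? true` is added without a comment on what turning it off costs. The release note in this commit describes keytar as the binding to native credential managers, so a build with `useKeytar = false` has no OS keyring integration, and where Element keeps its secrets instead should be confirmed upstream. A short comment at the argument would make that trade-off visible to whoever sets the override, for example `# useKeytar = false removes OS keyring integration (keytar/libsecret); secrets are then not stored in the system keyring`. The same applies to the new `withLibsecret ? true` arguments in remmina, evince and webkitgtk, which remove libsecret from the build when set to false. The argument list and the `mkYarnPackage` body both continue outside this hunk.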
@@ -39,8 +42,7 @@ mkYarnPackage rec {
nativeBuildInputs = [ makeWrapper ] ++ lib.optionals stdenv.isDarwin [ desktopToDarwinBundle ];
- seshat = callPackage ./seshat { inherit CoreServices; };
- keytar = callPackage ./keytar { inherit Security AppKit; };
+ inherit seshat;
buildPhase = ''
runHook preBuild
@@ -51,12 +53,14 @@ mkYarnPackage rec {
node ./scripts/copy-res.js
popd
rm -rf node_modules/matrix-seshat node_modules/keytar
- ln -s $keytar node_modules/keytar
+ ${lib.optionalString useKeytar "ln -s ${keytar} node_modules/keytar"}
ln -s $seshat node_modules/matrix-seshat
runHook postBuild
'';
installPhase = ''
+ runHook preInstall
+
# resources
mkdir -p "$out/share/element"
ln -s '${element-web}' "$out/share/element/webapp"
@@ -83,6 +87,8 @@ mkYarnPackage rec {
--set LD_PRELOAD ${sqlcipher}/lib/libsqlcipher.so \
--add-flags "$out/share/element/electron" \
--add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--enable-features=UseOzonePlatform --ozone-platform=wayland}}"
+
+ runHook postInstall
'';
# Do not attempt generating a tarball for element-web again.
@@ -107,7 +113,20 @@ mkYarnPackage rec {
'';
};
- passthru.updateScript = ./update.sh;
+ passthru = {
+ updateScript = ./update.sh;
+
+ # TL;DR: keytar is optional while seshat isn't.
+ #
+ # This prevents building keytar when `useKeytar` is set to `false`, because
+ # if libsecret is unavailable (e.g. set to `null` or fails to build), then
+ # this package wouldn't even considered for building because
+ # "one of the dependencies failed to build",
+ # although the dependency wouldn't even be used.
+ #
+ # It needs to be `passthru` anyways because other packages do depend on it.
+ inherit keytar;
+ };
meta = with lib; {
description = "A feature-rich client for Matrix.org";
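Review bot: The comment above `inherit keytar;` is missing a word: "this package wouldn't even considered for building" should read "wouldn't even be considered for building". The comment also never names the mechanism it relies on. keytar is now bound in the top-level `let` and only interpolated into `buildPhase` when `useKeytar` is true, while `passthru` attributes are not build inputs. A sentence such as `# keytar lives in the let block and in passthru only, so it is not a build dependency unless useKeytar is true` would say this directly. The enclosing `mkYarnPackage rec { … }` starts outside this hunk.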
diff --git a/pkgs/applications/networking/instant-messengers/element/keytar/default.nix b/pkgs/applications/networking/instant-messengers/element/keytar/default.nix
index ae9627afe30d..292b0dfa075d 100644
--- a/pkgs/applications/networking/instant-messengers/element/keytar/default.nix
+++ b/pkgs/applications/networking/instant-messengers/element/keytar/default.nix
@@ -28,6 +28,7 @@ in stdenv.mkDerivation rec {
};
buildPhase = ''
+ runHook preBuild
cp ${./yarn.lock} ./yarn.lock
chmod u+w . ./yarn.lock
export HOME=$PWD/tmp
@@ -37,16 +38,19 @@ in stdenv.mkDerivation rec {
yarn install --offline --frozen-lockfile --ignore-platform --ignore-scripts --no-progress --non-interactive
patchShebangs node_modules/
node_modules/.bin/node-gyp rebuild
+ runHook postBuild
'';
doCheck = false;
installPhase = ''
+ runHook preInstall
shopt -s extglob
rm -rf node_modules
rm -rf $HOME
mkdir -p $out
cp -r ./!(build) $out
install -D -t $out/build/Release build/Release/keytar.node
+ runHook postInstall
'';
}
diff --git a/pkgs/applications/networking/instant-messengers/element/seshat/default.nix b/pkgs/applications/networking/instant-messengers/element/seshat/default.nix
index de38c7a90bad..5017f8531179 100644
--- a/pkgs/applications/networking/instant-messengers/element/seshat/default.nix
+++ b/pkgs/applications/networking/instant-messengers/element/seshat/default.nix
@@ -27,6 +27,7 @@ in rustPlatform.buildRustPackage rec {
};
buildPhase = ''
+ runHook preBuild
cd ..
chmod u+w . ./yarn.lock
export HOME=$PWD/tmp
@@ -36,16 +37,18 @@ in rustPlatform.buildRustPackage rec {
yarn install --offline --frozen-lockfile --ignore-platform --ignore-scripts --no-progress --non-interactive
patchShebangs node_modules/
node_modules/.bin/neon build --release
+ runHook postBuild
'';
doCheck = false;
installPhase = ''
+ runHook preInstall
shopt -s extglob
rm -rf native/!(index.node)
- rm -rf node_modules
- rm -rf $HOME
+ rm -rf node_modules $HOME
cp -r . $out
+ runHook postInstall
'';
cargoSha256 = pinData.cargoHash;
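Review bot: `rm -rf node_modules $HOME` in installPhase expands `$HOME` unquoted, and it now runs right after `runHook preInstall`. The path it deletes therefore depends on HOME still holding the `$PWD/tmp` value exported in buildPhase. Quoting the expansion, `rm -rf node_modules "$HOME"`, keeps a value containing whitespace from being split into several deletion targets. keytar's installPhase has the same unquoted `rm -rf $HOME` after its new `runHook preInstall`.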
diff --git a/pkgs/applications/networking/remote/remmina/default.nix b/pkgs/applications/networking/remote/remmina/default.nix
index 58ce130a7305..efce24a06f9a 100644
--- a/pkgs/applications/networking/remote/remmina/default.nix
+++ b/pkgs/applications/networking/remote/remmina/default.nix
@@ -7,6 +7,7 @@
, openssl, gsettings-desktop-schemas, json-glib, libsodium, webkitgtk, harfbuzz
# The themes here are soft dependencies; only icons are missing without them.
, gnome
+, withLibsecret ? true
}:
with lib;
@@ -29,15 +30,16 @@ stdenv.mkDerivation rec {
freerdp libssh libgcrypt gnutls
pcre2 libdbusmenu-gtk3 libappindicator-gtk3
libvncserver libpthreadstubs libXdmcp libxkbcommon
- libsecret libsoup spice-protocol spice-gtk libepoxy at-spi2-core
+ libsoup spice-protocol spice-gtk libepoxy at-spi2-core
openssl gnome.adwaita-icon-theme json-glib libsodium webkitgtk
harfbuzz
- ];
+ ] ++ optionals withLibsecret [ libsecret ];
cmakeFlags = [
"-DWITH_VTE=OFF"
"-DWITH_TELEPATHY=OFF"
"-DWITH_AVAHI=OFF"
+ "-DWITH_LIBSECRET=${if withLibsecret then "ON" else "OFF"}"
"-DFREERDP_LIBRARY=${freerdp}/lib/libfreerdp2.so"
"-DFREERDP_CLIENT_LIBRARY=${freerdp}/lib/libfreerdp-client2.so"
"-DFREERDP_WINPR_LIBRARY=${freerdp}/lib/libwinpr2.so"
diff --git a/pkgs/desktops/gnome/core/evince/default.nix b/pkgs/desktops/gnome/core/evince/default.nix
index 74987c07a5b9..28406e412844 100644
--- a/pkgs/desktops/gnome/core/evince/default.nix
+++ b/pkgs/desktops/gnome/core/evince/default.nix
@@ -44,6 +44,7 @@
, libgxps
, supportXPS ? true # Open XML Paper Specification via libgxps
, withPantheon ? false
+, withLibsecret ? true
}:
stdenv.mkDerivation rec {
@@ -103,13 +104,14 @@ stdenv.mkDerivation rec {
libarchive
libhandy
librsvg
- libsecret
libspectre
libxml2
pango
poppler
t1lib
texlive.bin.core # kpathsea for DVI support
+ ] ++ lib.optionals withLibsecret [
+ libsecret
] ++ lib.optionals supportXPS [
libgxps
] ++ lib.optionals supportMultimedia (with gst_all_1; [
@@ -126,6 +128,8 @@ stdenv.mkDerivation rec {
mesonFlags = [
"-Dnautilus=false"
"-Dps=enabled"
+ ] ++ lib.optionals (!withLibsecret) [
+ "-Dkeyring=disabled"
];
NIX_CFLAGS_COMPILE = "-I${glib.dev}/include/gio-unix-2.0";
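Review bot: The keyring Meson option is only set on the negative path (`"-Dkeyring=disabled"` when `!withLibsecret`), so with `withLibsecret = true` the outcome depends on upstream's default. If that default is `auto`, a failed libsecret detection would silently produce an evince without keyring support even though the flag says it is wanted. Setting the option in both directions, `"-Dkeyring=${if withLibsecret then "enabled" else "disabled"}"`, turns that case into a configure error. It also matches how this commit handles remmina (`-DWITH_LIBSECRET=…`) and webkitgtk (`-DUSE_LIBSECRET=…`).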
diff --git a/pkgs/development/libraries/gvfs/default.nix b/pkgs/development/libraries/gvfs/default.nix
index 547c35e66eca..c79f849d22f1 100644
--- a/pkgs/development/libraries/gvfs/default.nix
+++ b/pkgs/development/libraries/gvfs/default.nix
@@ -108,6 +108,8 @@ stdenv.mkDerivation rec {
"-Dkeyring=false"
"-Dhttp=false"
"-Dgoogle=false"
+ ] ++ lib.optionals (avahi == null) [
+ "-Ddnssd=false"
] ++ lib.optionals (samba == null) [
# Xfce don't want samba
"-Dsmb=false"
diff --git a/pkgs/development/libraries/webkitgtk/default.nix b/pkgs/development/libraries/webkitgtk/default.nix
index b5a16df21add..92405b35de29 100644
--- a/pkgs/development/libraries/webkitgtk/default.nix
+++ b/pkgs/development/libraries/webkitgtk/default.nix
@@ -1,4 +1,5 @@
-{ lib, stdenv
+{ lib
+, stdenv
, runCommand
, fetchurl
, perl
@@ -44,7 +45,6 @@
, lcms2
, libmanette
, openjpeg
-, enableGeoLocation ? true
, geoclue2
, sqlite
, enableGLES ? true
@@ -58,10 +58,10 @@
, substituteAll
, glib
, addOpenGLRunpath
+, enableGeoLocation ? true
+, withLibsecret ? true
}:
-assert enableGeoLocation -> geoclue2 != null;
-
stdenv.mkDerivation rec {
pname = "webkitgtk";
version = "2.34.6";
@@ -125,12 +125,8 @@ stdenv.mkDerivation rec {
libidn
libintl
lcms2
- ] ++ lib.optionals stdenv.isLinux [
- libmanette
- ] ++ [
libnotify
libpthreadstubs
- libsecret
libtasn1
libwebp
libxkbcommon
@@ -155,28 +151,36 @@ stdenv.mkDerivation rec {
# (We pick just that one because using the other headers from `sdk` is not
# compatible with our C++ standard library. This header is already in
# the standard library on aarch64)
- runCommand "${pname}_headers" {} ''
+ runCommand "${pname}_headers" { } ''
install -Dm444 "${lib.getDev apple_sdk.sdk}"/include/libproc.h "$out"/include/libproc.h
''
) ++ lib.optionals stdenv.isLinux [
bubblewrap
libseccomp
+ libmanette
systemd
wayland
xdg-dbus-proxy
- ] ++ lib.optional enableGeoLocation geoclue2;
+ ] ++ lib.optionals enableGeoLocation [
+ geoclue2
+ ] ++ lib.optionals withLibsecret [
+ libsecret
+ ];
propagatedBuildInputs = [
gtk3
libsoup
];
- cmakeFlags = [
+ cmakeFlags = let
+ cmakeBool = x: if x then "ON" else "OFF";
+ in [
"-DENABLE_INTROSPECTION=ON"
"-DPORT=GTK"
"-DUSE_LIBHYPHEN=OFF"
"-DUSE_WPE_RENDERER=OFF"
- "-DUSE_SOUP2=${if lib.versions.major libsoup.version == "2" then "ON" else "OFF"}"
+ "-DUSE_SOUP2=${cmakeBool (lib.versions.major libsoup.version == "2")}"
+ "-DUSE_LIBSECRET=${cmakeBool withLibsecret}"
] ++ lib.optionals stdenv.isDarwin [
"-DENABLE_GAMEPAD=OFF"
"-DENABLE_GTKDOC=OFF"
@@ -191,7 +195,9 @@ stdenv.mkDerivation rec {
"-DUSE_SYSTEM_MALLOC=ON"
] ++ lib.optionals (!stdenv.isLinux) [
"-DUSE_SYSTEMD=OFF"
- ] ++ lib.optional (stdenv.isLinux && enableGLES) "-DENABLE_GLES2=ON";
+ ] ++ lib.optionals (stdenv.isLinux && enableGLES) [
+ "-DENABLE_GLES2=ON"
+ ];
postPatch = ''
patchShebangs .
diff --git a/pkgs/development/libraries/xdg-desktop-portal/default.nix b/pkgs/development/libraries/xdg-desktop-portal/default.nix
index 16ede7f511f2..19a671e7e0b0 100644
--- a/pkgs/development/libraries/xdg-desktop-portal/default.nix
+++ b/pkgs/development/libraries/xdg-desktop-portal/default.nix
@@ -1,22 +1,24 @@
-{ stdenv
-, lib
-, fetchFromGitHub
-, nixosTests
-, substituteAll
-, autoreconfHook
-, pkg-config
-, libxml2
-, glib
-, pipewire
-, flatpak
-, gsettings-desktop-schemas
+{ lib
, acl
+, autoreconfHook
, dbus
+, fetchFromGitHub
+, fetchpatch
+, flatpak
, fuse
-, libportal
, geoclue2
+, glib
+, gsettings-desktop-schemas
, json-glib
+, libportal
+, libxml2
+, nixosTests
+, pipewire
+, pkg-config
+, stdenv
+, substituteAll
, wrapGAppsHook
+, enableGeoLocation ? true
}:
stdenv.mkDerivation rec {
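Review bot: `fetchpatch` is added to the argument list, but none of the visible hunks for this file adds a `patches` entry or any other use of it. If nothing outside the hunks uses it, drop the `, fetchpatch` line so the signature lists only real inputs. An unused fetcher argument suggests to a reader that a remote patch is being applied when none is. Because the same hunk re-sorts the whole argument list alphabetically, this addition and `enableGeoLocation ? true` are easy to miss among the moved lines.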
@@ -42,26 +44,29 @@ stdenv.mkDerivation rec {
nativeBuildInputs = [
autoreconfHook
- pkg-config
libxml2
+ pkg-config
wrapGAppsHook
];
buildInputs = [
- glib
- pipewire
- flatpak
acl
dbus
- geoclue2
+ flatpak
fuse
- libportal
+ glib
gsettings-desktop-schemas
json-glib
+ libportal
+ pipewire
+ ] ++ lib.optionals enableGeoLocation [
+ geoclue2
];
configureFlags = [
"--enable-installed-tests"
+ ] ++ lib.optionals (!enableGeoLocation) [
+ "--disable-geoclue"
];
makeFlags = [
diff --git a/pkgs/misc/cups/filters.nix b/pkgs/misc/cups/filters.nix
index a20e3b71b093..5efa78edcd9a 100644
--- a/pkgs/misc/cups/filters.nix
+++ b/pkgs/misc/cups/filters.nix
@@ -1,13 +1,37 @@
-{ lib, stdenv, fetchurl, pkg-config, cups, poppler, poppler_utils, fontconfig
-, libjpeg, libpng, perl, ijs, qpdf, dbus, avahi
-, makeWrapper, coreutils, gnused, bc, gawk, gnugrep, which, ghostscript
-, mupdf, dejavu_fonts, liblouis
+{ lib
+, avahi
+, bc
+, coreutils
+, cups
+, dbus
+, dejavu_fonts
+, fetchurl
+, fontconfig
+, gawk
+, ghostscript
+, gnugrep
+, gnused
+, ijs
+, libjpeg
+, liblouis
+, libpng
+, makeWrapper
+, mupdf
+, perl
+, pkg-config
+, poppler
+, poppler_utils
+, qpdf
+, stdenv
+, which
+, withAvahi ? true
}:
let
- binPath = lib.makeBinPath [ coreutils gnused bc gawk gnugrep which ];
+ binPath = lib.makeBinPath [ bc coreutils gawk gnused gnugrep which ];
-in stdenv.mkDerivation rec {
+in
+stdenv.mkDerivation rec {
pname = "cups-filters";
version = "1.28.11";
@@ -19,10 +43,20 @@ in stdenv.mkDerivation rec {
nativeBuildInputs = [ pkg-config makeWrapper ];
buildInputs = [
- cups poppler poppler_utils fontconfig libjpeg libpng perl
- ijs qpdf dbus avahi ghostscript mupdf
+ cups
+ dbus
+ fontconfig
+ ghostscript
+ ijs
+ libjpeg
liblouis # braille embosser support
- ];
+ libpng
+ mupdf
+ perl
+ poppler
+ poppler_utils
+ qpdf
+ ] ++ lib.optionals withAvahi [ avahi ];
configureFlags = [
"--with-mutool-path=${mupdf}/bin/mutool"
@@ -37,7 +71,7 @@ in stdenv.mkDerivation rec {
"--with-test-font-path=${dejavu_fonts}/share/fonts/truetype/DejaVuSans.ttf"
"--localstatedir=/var"
"--sysconfdir=/etc"
- ];
+ ] ++ lib.optionals (!withAvahi) [ "--disable-avahi" ];
makeFlags = [ "CUPS_SERVERBIN=$(out)/lib/cups" "CUPS_DATADIR=$(out)/share/cups" "CUPS_SERVERROOT=$(out)/etc/cups" ];