diff --git a/flake.nix b/flake.nix
index a52ab4a09..e300f7570 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,64 +1,63 @@
 {
   description = "Comm flake";
 
   inputs = {
     utils.url = "github:numtide/flake-utils";
     nixpkgs-unstable.url = "github:nixos/nixpkgs/nixpkgs-unstable";
     nixpkgs-grpc-web.url = "github:NixOS/nixpkgs/9957cd48326fe8dbd52fdc50dd2502307f188b0d";
     # Do not update, used for EOL versions of mariaDB and arcanist+php8.0
     nixpkgs.url = "github:nixos/nixpkgs/nixpkgs-unstable";
   };
 
   outputs = { self, nixpkgs, nixpkgs-grpc-web, nixpkgs-unstable, utils, ... }:
     let
       # Overlays allow for extending a package set, in this case, we are
       # extending nixpkgs with our devShell
       localOverlay = import ./nix/overlay.nix;
       grpcWebOverlay = final: prev: {
         protoc-gen-grpc-web = nixpkgs-grpc-web.legacyPackages.aarch64-darwin.protoc-gen-grpc-web;
       };
       overlays = [
         localOverlay
         grpcWebOverlay
         (_: _: { commSrc = toString self; } )
       ];
 
       # Since we build for many systems (e.g. aarch64, x86_64-linux), we
       # create a helper function to help facilitate instantiation of the related
       # package set
       pkgsForSystem = system: let
         oldNixpkgs = import nixpkgs { inherit system; };
       in
         import nixpkgs-unstable {
           inherit system;
           config.allowUnfree = true;
           overlays = overlays ++ [
             # Re-introduce older packages that were removed in latest nixpkgs
             (_: _: {
               emscripten = oldNixpkgs.emscripten; # Changed signficantly
               php80 = oldNixpkgs.php80; # Used for arcanist
-              mariadb = oldNixpkgs.mariadb_108;
             })
           ];
         };
 
     # utils.lib.eachSystem helps create a result set of expected flake outputs
     # of the form <output>.<system>
     # https://github.com/numtide/flake-utils#usage for more examples
     in utils.lib.eachSystem [ "x86_64-linux" "x86_64-darwin" "aarch64-darwin" ] (system: rec {
       legacyPackages = pkgsForSystem system;
       inherit (legacyPackages) devShell devShells;
     }) // {
       # these outputs will lack the system suffix (e.g.
       # devShell.aarch64-darwin), thus should be system agnostic such as
       # overlays or utility functions.
       overlays.default = localOverlay;
 
       nixConfig = {
         substitutors = "https://comm.cachix.org";
         extra-trusted-substitutors = "https://comm.cachix.org";
         trusted-public-keys = "comm.cachix.org-1:70RF31rkmCEhQ9HrXA2uXcpqQKGcUK3TxLJdgcUCaA4=";
         extra-trusted-public-keys = "comm.cachix.org-1:70RF31rkmCEhQ9HrXA2uXcpqQKGcUK3TxLJdgcUCaA4=";
       };
     };
 }
diff --git a/nix/mariadb-up-mac.nix b/nix/mariadb-up-mac.nix
index c65c43fc0..22bfd3f77 100644
--- a/nix/mariadb-up-mac.nix
+++ b/nix/mariadb-up-mac.nix
@@ -1,128 +1,141 @@
 { lib
 , gnused
 , openssl
 , mariadb
 , writeShellApplication
 , writeTextFile
 }:
 
 let
   # Use small script executed by bash to have a normal shell environment.
   mariadb-entrypoint = writeShellApplication {
     name = "mariadb-init";
     text = ''
       MARIADB_DIR=''${XDG_DATA_HOME:-$HOME/.local/share}/MariaDB
 
       echo "View MariaDB logs: tail -f $MARIADB_DIR/logs" >&2
       echo "Kill MariaDB server: pkill mariadbd" >&2
 
       # Explicitly close fd3 to prevent `direnv` from hanging
       # (https://linear.app/comm/issue/ENG-3254/remove-wait-logic-in-nix-develop)
       exec 3>&-
 
       # 'exec' allows for us to replace bash process with MariaDB
       exec "${mariadb}/bin/mariadbd" \
         --performance-schema \
         --socket "$MARIADB_DIR"/mysql.sock \
         --datadir "$MARIADB_DIR" \
         --innodb-ft-min-token-size=1 \
         --innodb-ft-enable-stopword=0 \
         &> "$MARIADB_DIR"/logs
     '';
   };
 
   mariadb-version = let
     versions = lib.versions;
   in "${versions.major mariadb.version}.${versions.minor mariadb.version}";
 
   # Small boiler-plate text file for us to write for keyserver
   db_config_template = writeTextFile {
     name = "db-config";
     text = ''
       {
         "host": "127.0.0.1",
         "user": "comm",
         "password": "PASS",
         "database": "comm",
       }
     '';
   };
 
 # writeShellApplication is a "writer helper" which
 # will create a shellchecked executable shell script located in $out/bin/<name>
 # This shell script will be used to allow for impure+stateful actions
 in writeShellApplication {
   name = "mariadb-up";
   text = ''
     # "$HOME/Library/Application Support/<app>" is the canonical path to use
     # on darwin for storing user data for installed applications.
     # However, mysql and mariadb don't quote paths in the mariadbd script,
     # so use XDG conventions and hope $HOME doesn't have a space.
     MARIADB_DATA_HOME="''${XDG_DATA_HOME:-$HOME/.local/share}/MariaDB"
     MARIADB_PIDFILE="$MARIADB_DATA_HOME"/mariadb.pid
     export MYSQL_UNIX_PORT="$MARIADB_DATA_HOME"/mysql.sock
 
     if [[ ! -d "$MARIADB_DATA_HOME"/mysql ]]; then
       # mysql directory should exist if MariaDB has been initialized
       echo "Initializing MariaDB database at $MARIADB_DATA_HOME" >&2
       "${lib.getBin mariadb}/bin/mariadb-install-db" \
         --datadir="$MARIADB_DATA_HOME" \
         --auth-root-authentication-method=socket
     fi
 
     "${../scripts/start_comm_daemon.sh}" \
       mariadbd \
       MariaDB \
       "${mariadb-entrypoint}/bin/mariadb-init" \
       "$MARIADB_PIDFILE"
 
     while [[ ! -S "$MYSQL_UNIX_PORT" ]]; do
       echo "Waiting for MariaDB socket"
       sleep 3
     done
 
     # Assume this was run from git repository
     PRJ_ROOT=$(git rev-parse --show-toplevel)
     KEYSERVER_DB_CONFIG="$PRJ_ROOT"/keyserver/secrets/db_config.json
 
     # Check if database exists
     commDBCount=$("${lib.getBin mariadb}/bin/mariadb" -u "$USER" \
       -Bse "SELECT COUNT(1) FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME = 'comm';"
     )
     if [[ "$commDBCount" -eq 0 ]]; then
       "${lib.getBin mariadb}/bin/mariadb" -u "$USER" \
         -Bse "CREATE DATABASE comm"
     fi
 
     # Initialize comm user, database, and secrets file for MariaDB
     # Connecting through socket doesn't require a password
     userCount=$("${lib.getBin mariadb}/bin/mariadb" -u "$USER" \
       -Bse "SELECT COUNT(1) FROM mysql.user WHERE user = 'comm';"
     )
     if [[ "$userCount" -eq 0 ]]; then
       echo "Creating comm user" >&2
       "${lib.getBin mariadb}/bin/mariadb" -u "$USER" \
         -Bse "CREATE USER comm@localhost;
               GRANT ALL ON "'comm.*'" TO comm@localhost;"
     fi
 
     if [[ ! -f "$KEYSERVER_DB_CONFIG" ]]; then
       echo "Writing connection information to $KEYSERVER_DB_CONFIG" >&2
       mkdir -p "$(dirname "$KEYSERVER_DB_CONFIG")"
 
       PASS=$("${lib.getBin openssl}/bin/openssl" rand -hex 6)
 
       "${lib.getBin mariadb}/bin/mariadb" -u "$USER" \
         -Bse "ALTER USER comm@localhost IDENTIFIED BY '$PASS'"
       # It's very difficult to write json from bash, just copy a nix
       # file then use sed to subsitute
       cp "${db_config_template}" "$KEYSERVER_DB_CONFIG"
       chmod +w "$KEYSERVER_DB_CONFIG" # Nix files are read-only
       "${gnused}/bin/sed" -i -e "s|PASS|$PASS|g" "$KEYSERVER_DB_CONFIG"
     fi
 
+    # check if MariaDB requires an upgrade
+    "${lib.getBin mariadb}/bin/mariadb-upgrade" -u "$USER" \
+      --socket="$MYSQL_UNIX_PORT" \
+      --check-if-upgrade-is-needed >/dev/null 2>&1
+
+    exit_code=$?
+    if [[ $exit_code -eq 0 ]]; then
+      "${lib.getBin mariadb}/bin/mariadb-upgrade" -u "$USER" \
+        --socket="$MYSQL_UNIX_PORT" \
+
+      echo "Upgrade complete" >&2
+    fi
+
     # Explicitly exit this script so the parent shell can determine
     # when it's safe to return control of terminal to user
     exit 0
   '';
 }