diff --git a/nixos/modules/services/networking/firewall.nix b/nixos/modules/services/networking/firewall.nix
index e604ba23b87..42914bfe5d6 100644
--- a/nixos/modules/services/networking/firewall.nix
+++ b/nixos/modules/services/networking/firewall.nix
@@ -18,8 +18,6 @@
 */
-
-
 { config, lib, pkgs, ... }:
 with lib;
@@ -266,16 +264,23 @@ in
 message = "This kernel does not support disabling conntrack helpers"; }
 ];
- jobs.firewall =
+ systemd.services.firewall =
 { description = "Firewall";
- startOn = "started network-interfaces";
+ wantedBy = [ "network.target" ];
+ after = [ "network-interfaces.target" "systemd-modules-load.service" ];
 path = [ pkgs.iptables ];
- after = [ "systemd-modules-load.service" ];
+ # FIXME: this module may also try to load kernel modules, but
+ # containers don't have CAP_SYS_MODULE. So the host system had
+ # better have all necessary modules already loaded.
+ unitConfig.ConditionCapability = "CAP_NET_ADMIN";
- preStart =
+ serviceConfig.Type = "oneshot";
+ serviceConfig.RemainAfterExit = true;
+
+ script =
 ''
 ${helpers}
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 0d81df6c31d..39da338126f 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -9927,7 +9927,7 @@ let
 hsetroot = callPackage ../tools/X11/hsetroot { };
- kde4 = recurseIntoAttrs pkgs.kde411;
+ kde4 = recurseIntoAttrs pkgs.kde412;
 kde4_next = recurseIntoAttrs( lib.lowPrioSet pkgs.kde412 );
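Review bot: In the `systemd.services.firewall` hunk of firewall.nix, `unitConfig.ConditionCapability = "CAP_NET_ADMIN";` makes the firewall fail open without any signal: when the capability is absent systemd treats the unit as skipped rather than failed, so a container with the firewall enabled comes up with no rules loaded and the unit state does not show an error. The FIXME above it should at least say so, e.g. `# NOTE: without CAP_NET_ADMIN this unit is skipped, not failed; no filtering rules are loaded.`, and where the systemd version in use supports it, `AssertCapability=` would turn the same condition into a visible failure. Separately, `after = [ "network-interfaces.target" ... ]` orders rule loading after the interfaces are configured, which appears to leave a short unfiltered window at boot; ordering the unit before interface bring-up would close it, provided the generated rules do not require the interfaces to exist. The `script` body continues outside the hunk, so whether a mid-script failure leaves a half-applied ruleset cannot be judged from here.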