diff --git a/modules/config/networking.nix b/modules/config/networking.nix
index 757bb9e85e0..a91ce9c59e2 100644
--- a/modules/config/networking.nix
+++ b/modules/config/networking.nix
@@ -68,6 +68,9 @@ in
             # Invalidate the nscd cache whenever resolv.conf is
             # regenerated.
             libc_restart='${pkgs.systemd}/bin/systemctl start invalidate-nscd.service'
+          '' + optionalString config.services.bind.enable ''
+            # This hosts runs a full-blown DNS resolver.
+            name_servers='127.0.0.1'
           '' );
         target = "resolvconf.conf";
       }
diff --git a/modules/config/shells.nix b/modules/config/shells.nix
index 6286223752a..b0a946a8e6e 100644
--- a/modules/config/shells.nix
+++ b/modules/config/shells.nix
@@ -13,6 +13,7 @@ with pkgs.lib;
       { target = "shells";
         source = pkgs.writeText "shells"
           ''
+            /run/current-system/sw/bin/bash
             /var/run/current-system/sw/bin/bash
             /bin/sh
           '';
diff --git a/modules/config/system-path.nix b/modules/config/system-path.nix
index 7651f4760ca..3969be68098 100644
--- a/modules/config/system-path.nix
+++ b/modules/config/system-path.nix
@@ -1,5 +1,5 @@
 # This module defines the packages that appear in
-# /var/run/current-system/sw.
+# /run/current-system/sw.
 
 { config, pkgs, ... }:
 
@@ -64,7 +64,7 @@ let
         example = "[ pkgs.icecat3 pkgs.thunderbird ]";
         description = ''
           The set of packages that appear in
-          /var/run/current-system/sw.  These packages are
+          /run/current-system/sw.  These packages are
           automatically available to all users, and are
           automatically updated every time you rebuild the system
           configuration.  (The latter is the main difference with
@@ -79,7 +79,7 @@ let
         default = [];
         example = ["/"];
         description = "
-          Lists directories to be symlinked in `/var/run/current-system/sw'.
+          Lists directories to be symlinked in `/run/current-system/sw'.
         ";
       };
     };
diff --git a/modules/config/timezone.nix b/modules/config/timezone.nix
index 5dcf38c462d..38c698bc21c 100644
--- a/modules/config/timezone.nix
+++ b/modules/config/timezone.nix
@@ -5,13 +5,21 @@ with pkgs.lib;
 {
   options = {
 
-    time.timeZone = mkOption {
-      default = "CET";
-      type = with types; uniq string;
-      example = "America/New_York";
-      description = "The time zone used when displaying times and dates.";
-    };
+    time = {
+    
+      timeZone = mkOption {
+        default = "CET";
+        type = with types; uniq string;
+        example = "America/New_York";
+        description = "The time zone used when displaying times and dates.";
+      };
 
+      hardwareClockInLocalTime = mkOption {
+        default = false;
+        description = "If set, keep the hardware clock in local time instead of UTC.";
+      };
+      
+    };
   };
 
   config = {
diff --git a/modules/config/users-groups.nix b/modules/config/users-groups.nix
index beb21734652..598d68eb91d 100644
--- a/modules/config/users-groups.nix
+++ b/modules/config/users-groups.nix
@@ -48,7 +48,7 @@ let
       
       shell = mkOption {
         type = with types; uniq string;
-        default = "/var/run/current-system/sw/sbin/nologin";
+        default = "/run/current-system/sw/sbin/nologin";
         description = "The path to the user's shell.";
       };
       
diff --git a/modules/hardware/network/b43.nix b/modules/hardware/network/b43.nix
new file mode 100644
index 00000000000..077e0a1e11e
--- /dev/null
+++ b/modules/hardware/network/b43.nix
@@ -0,0 +1,30 @@
+{pkgs, config, ...}:
+
+let kernelVersion = config.boot.kernelPackages.kernel.version; in
+
+{
+
+  ###### interface
+
+  options = {
+
+    networking.enableB43Firmware = pkgs.lib.mkOption {
+      default = false;
+      type = pkgs.lib.types.bool;
+      description = ''
+        Turn on this option if you want firmware for the NICs supported by the b43 module.
+      '';
+    };
+
+  };
+
+
+  ###### implementation
+
+  config = pkgs.lib.mkIf config.networking.enableB43Firmware {
+    hardware.firmware = if builtins.lessThan (builtins.compareVersions kernelVersion "3.2") 0 then
+      throw "b43 firmware for kernels older than 3.2 not packaged yet!" else
+      [ pkgs.b43Firmware_5_1_138 ];
+  };
+
+}
diff --git a/modules/installer/cd-dvd/iso-image.nix b/modules/installer/cd-dvd/iso-image.nix
index cf76151c2ae..c1094daa49f 100644
--- a/modules/installer/cd-dvd/iso-image.nix
+++ b/modules/installer/cd-dvd/iso-image.nix
@@ -122,12 +122,12 @@ let
   efiShell = if pkgs.stdenv.isi686 then
     pkgs.fetchurl {
       url = "https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2/EdkShellBinPkg/FullShell/Ia32/Shell_Full.efi";
-      sha256 = "0ymm3mbbwx9f6cq0bp2nr7ikyagxgsg4sjs5q1s4xbnms27slwjq";
+      sha256 = "1gv6kyaspczdp7x8qnx5x76ilriaygkfs99ay7ihhdi6riclkhfl";
     }
   else
     pkgs.fetchurl {
       url = "https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2/EdkShellBinPkg/FullShell/X64/Shell_Full.efi";
-      sha256 = "1xchy8a05mgqzr82mmahdni0jbxsz6xf6vm2bg1bch9i6l72qgmh";
+      sha256 = "1g18z84rlavxr5gsrh2g942rfr6znv9fs3fqww5m7dhmnysgyv8p";
     };
 
   # The efi boot image
@@ -312,7 +312,7 @@ in
       # nixos-rebuild also requires a "system" profile and an
       # /etc/NIXOS tag.
       touch /etc/NIXOS
-      ${config.environment.nix}/bin/nix-env -p /nix/var/nix/profiles/system --set /var/run/current-system
+      ${config.environment.nix}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system
     '';
 
   # Add vfat support to the initrd to enable people to copy the
diff --git a/modules/installer/cd-dvd/system-tarball.nix b/modules/installer/cd-dvd/system-tarball.nix
index daffb94bc53..e0cbfd6e713 100644
--- a/modules/installer/cd-dvd/system-tarball.nix
+++ b/modules/installer/cd-dvd/system-tarball.nix
@@ -50,7 +50,7 @@ in
   # script and the top-level system configuration directory.
   tarball.storeContents =
     [ { object = config.system.build.toplevel;
-        symlink = "/var/run/current-system";
+        symlink = "/run/current-system";
       }
     ];
 
@@ -87,6 +87,6 @@ in
       # nixos-rebuild also requires a "system" profile and an
       # /etc/NIXOS tag.
       touch /etc/NIXOS
-      ${config.environment.nix}/bin/nix-env -p /nix/var/nix/profiles/system --set /var/run/current-system
+      ${config.environment.nix}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system
     '';
 }
diff --git a/modules/installer/efi-boot-stub/efi-boot-stub.nix b/modules/installer/efi-boot-stub/efi-boot-stub.nix
index c12078e2a91..1ca3cb0001e 100644
--- a/modules/installer/efi-boot-stub/efi-boot-stub.nix
+++ b/modules/installer/efi-boot-stub/efi-boot-stub.nix
@@ -90,12 +90,12 @@ let
       if pkgs.stdenv.isi686 then
         pkgs.fetchurl {
           url = "https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2/EdkShellBinPkg/FullShell/Ia32/Shell_Full.efi";
-          sha256 = "0ymm3mbbwx9f6cq0bp2nr7ikyagxgsg4sjs5q1s4xbnms27slwjq";
+          sha256 = "1gv6kyaspczdp7x8qnx5x76ilriaygkfs99ay7ihhdi6riclkhfl";
         }
       else
         pkgs.fetchurl {
           url = "https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2/EdkShellBinPkg/FullShell/X64/Shell_Full.efi";
-          sha256 = "1xchy8a05mgqzr82mmahdni0jbxsz6xf6vm2bg1bch9i6l72qgmh";
+          sha256 = "1g18z84rlavxr5gsrh2g942rfr6znv9fs3fqww5m7dhmnysgyv8p";
         }
     else
       null;
diff --git a/modules/installer/tools/nixos-rebuild.sh b/modules/installer/tools/nixos-rebuild.sh
index 22aa847e192..72661cf4773 100644
--- a/modules/installer/tools/nixos-rebuild.sh
+++ b/modules/installer/tools/nixos-rebuild.sh
@@ -128,8 +128,7 @@ if [ -n "$pullManifest" -o "$action" = pull ]; then
     set -o pipefail
     manifests=$(nix-instantiate --eval-only --xml --strict '<nixos>' -A manifests \
         | grep '<string'  | sed 's^.*"\(.*\)".*^\1^g')
-
-    set -o nopipefail
+    set +o pipefail
     if [ $? -ne 0 ]; then exit 1; fi
 
     mkdir -p /nix/var/nix/channel-cache
diff --git a/modules/misc/crashdump.nix b/modules/misc/crashdump.nix
index fff459c9ab4..973abfd9327 100644
--- a/modules/misc/crashdump.nix
+++ b/modules/misc/crashdump.nix
@@ -48,9 +48,9 @@ in
   config = mkIf crashdump.enable {
     boot = {
       postBootCommands = ''
-        ${pkgs.kexectools}/sbin/kexec -p /var/run/current-system/kernel \
-        --initrd=/var/run/current-system/initrd \
-        --append="init=$(readlink -f /var/run/current-system/init) system=$(readlink -f /var/run/current-system) irqpoll maxcpus=1 reset_devices ${kernelParams}" --reset-vga --console-vga
+        ${pkgs.kexectools}/sbin/kexec -p /run/current-system/kernel \
+        --initrd=/run/current-system/initrd \
+        --append="init=$(readlink -f /run/current-system/init) system=$(readlink -f /run/current-system) irqpoll maxcpus=1 reset_devices ${kernelParams}" --reset-vga --console-vga
       '';
       kernelParams = [
        "crashkernel=64M"
diff --git a/modules/misc/lib.nix b/modules/misc/lib.nix
new file mode 100644
index 00000000000..18fc68a6988
--- /dev/null
+++ b/modules/misc/lib.nix
@@ -0,0 +1,15 @@
+{ config, pkgs, ... }:
+
+{
+  options = {
+    lib = pkgs.lib.mkOption {
+      default = {};
+
+      type = pkgs.lib.types.attrsOf pkgs.lib.types.attrs;
+
+      description = ''
+        This option allows modules to define helper functions, constants, etc.
+      '';
+    };
+  };
+}
diff --git a/modules/module-list.nix b/modules/module-list.nix
index 7bdc87e6a78..1046233c983 100644
--- a/modules/module-list.nix
+++ b/modules/module-list.nix
@@ -15,6 +15,7 @@
   ./config/unix-odbc-drivers.nix
   ./config/users-groups.nix
   ./hardware/cpu/intel-microcode.nix
+  ./hardware/network/b43.nix
   ./hardware/network/intel-2100bg.nix
   ./hardware/network/intel-2200bg.nix
   ./hardware/network/intel-3945abg.nix
@@ -34,6 +35,7 @@
   ./misc/crashdump.nix
   ./misc/ids.nix
   ./misc/locate.nix
+  ./misc/lib.nix
   ./misc/nixpkgs.nix
   ./misc/passthru.nix
   ./misc/version.nix
@@ -82,6 +84,7 @@
   ./services/hardware/upower.nix
   #./services/logging/klogd.nix
   ./services/logging/logrotate.nix
+  ./services/logging/logstash.nix
   ./services/logging/syslogd.nix
   ./services/mail/dovecot.nix
   ./services/mail/dovecot2.nix
diff --git a/modules/programs/bash/profile.sh b/modules/programs/bash/profile.sh
index 3da860388b1..1eef2a9e84a 100644
--- a/modules/programs/bash/profile.sh
+++ b/modules/programs/bash/profile.sh
@@ -12,8 +12,8 @@ __ETC_PROFILE_SOURCED=1
 export __ETC_PROFILE_DONE=1
 
 # Initialise a bunch of environment variables.
-export LOCALE_ARCHIVE=/var/run/current-system/sw/lib/locale/locale-archive
-export LD_LIBRARY_PATH=/var/run/opengl-driver/lib:/var/run/opengl-driver-32/lib # !!! only set if needed
+export LOCALE_ARCHIVE=/run/current-system/sw/lib/locale/locale-archive
+export LD_LIBRARY_PATH=/run/opengl-driver/lib:/run/opengl-driver-32/lib # !!! only set if needed
 export NIXPKGS_CONFIG=/etc/nix/nixpkgs-config.nix
 export NIX_PATH=/nix/var/nix/profiles/per-user/root/channels/nixos:nixpkgs=/etc/nixos/nixpkgs:nixos=/etc/nixos/nixos:nixos-config=/etc/nixos/configuration.nix:services=/etc/nixos/services
 export PAGER="less -R"
@@ -22,7 +22,7 @@ export LOCATE_PATH=/var/cache/locatedb
 
 # Include the various profiles in the appropriate environment variables.
 export NIX_USER_PROFILE_DIR=/nix/var/nix/profiles/per-user/$USER
-export NIX_PROFILES="/var/run/current-system/sw /nix/var/nix/profiles/default $HOME/.nix-profile"
+export NIX_PROFILES="/run/current-system/sw /nix/var/nix/profiles/default $HOME/.nix-profile"
 
 unset PATH INFOPATH PKG_CONFIG_PATH PERL5LIB ALSA_PLUGIN_DIRS GST_PLUGIN_PATH KDEDIRS
 unset QT_PLUGIN_PATH QTWEBKIT_PLUGIN_PATH STRIGI_PLUGIN_PATH XDG_CONFIG_DIRS XDG_DATA_DIRS
diff --git a/modules/programs/shadow.nix b/modules/programs/shadow.nix
index 3a348818a97..137064bba85 100644
--- a/modules/programs/shadow.nix
+++ b/modules/programs/shadow.nix
@@ -21,6 +21,9 @@ let
       TTYGROUP     tty
       TTYPERM      0620
 
+      # Ensure privacy for newly created home directories.
+      UMASK        077
+
       # Uncomment this to allow non-root users to change their account
       #information.  This should be made configurable.
       #CHFN_RESTRICT frwh
@@ -35,7 +38,7 @@ in
   options = {
 
     users.defaultUserShell = pkgs.lib.mkOption {
-      default = "/var/run/current-system/sw/bin/bash";
+      default = "/run/current-system/sw/bin/bash";
       description = ''
         This option defines the default shell assigned to user
         accounts.  This must not be a store path, since the path is
diff --git a/modules/services/logging/klogd.nix b/modules/services/logging/klogd.nix
index af21f9cc959..907d83c7a6a 100644
--- a/modules/services/logging/klogd.nix
+++ b/modules/services/logging/klogd.nix
@@ -13,7 +13,7 @@
 
       exec =
         "klogd -c 1 -2 -n " +
-        "-k $(dirname $(readlink -f /var/run/booted-system/kernel))/System.map";
+        "-k $(dirname $(readlink -f /run/booted-system/kernel))/System.map";
     };
 
 }
diff --git a/modules/services/logging/logstash.nix b/modules/services/logging/logstash.nix
new file mode 100644
index 00000000000..bb3b83dd230
--- /dev/null
+++ b/modules/services/logging/logstash.nix
@@ -0,0 +1,162 @@
+{ config, pkgs, ... }:
+
+with pkgs.lib;
+
+let
+
+  cfg = config.services.logstash;
+
+  listToConfig = list: "[ " + (concatStringsSep ", " (map exprToConfig list)) + " ]";
+
+  hashToConfig = attrs:
+    let
+      attrNameToConfigList = name:
+        [ (exprToConfig name)  (exprToConfig (getAttr name attrs)) ];
+    in
+      "[ " +
+      (concatStringsSep ", " (map attrNameToConfigList (attrNames attrs))) +
+      " ]";
+
+  valueToConfig = nvpair: let name = nvpair.name; value = nvpair.value; in
+    if (isAttrs value) && ((!(value ? __type)) || value.__type == "repeated")
+      then ''
+        ${name} {
+          ${exprToConfig value}
+        }
+      ''
+      else "${name} => ${exprToConfig value}";
+
+  repeatedAttrsToConfig = values:
+      concatStringsSep "\n" (map valueToConfig values);
+
+  attrsToConfig = attrs:
+    let
+      attrToConfig = name: valueToConfig {
+        inherit name;
+        value = (getAttr name attrs);
+      };
+    in
+      concatStringsSep "\n" (map attrToConfig (attrNames attrs));
+
+  exprToConfig = expr:
+    let
+      isCustomType = expr: (isAttrs expr) && (expr ? __type);
+
+      isFloat = expr: (isCustomType expr) && (expr.__type == "float");
+
+      isHash = expr: (isCustomType expr) && (expr.__type == "hash");
+
+      isRepeatedAttrs = expr: (isCustomType expr) && (expr.__type == "repeated");
+    in
+      if builtins.isBool expr then (if expr then "true" else "false") else
+      if builtins.isString expr then ''"${expr}"'' else
+      if builtins.isInt expr then toString expr else
+      if isFloat expr then expr.value else
+      if isList expr then listToConfig expr else
+      if isHash expr then hashToConfig expr.value else
+      if isRepeatedAttrs expr then repeatedAttrsToConfig expr.values
+      else attrsToConfig expr;
+
+  mergeConfigs = configs:
+    let
+      op = attrs: newAttrs:
+        let
+          isRepeated = newAttrs ? __type && newAttrs.__type == "repeated";
+        in {
+            values = attrs.values ++ (if isRepeated then newAttrs.values else
+              map (name: { inherit name; value = getAttr name newAttrs; })
+              (attrNames newAttrs));
+          };
+    in (foldl op { values = []; } configs) // { __type = "repeated"; };
+
+in
+
+{
+  ###### interface
+
+  options = {
+    services.logstash = {
+      enable = mkOption {
+        default = false;
+        description = ''
+          Enable logstash.
+        '';
+      };
+
+      inputConfig = mkOption {
+        default = {};
+        description = ''
+          An attribute set (or an expression generated by mkNameValuePairs)
+          representing a logstash configuration's input section.
+          Logstash configs are name-value pairs, where values can be bools,
+          strings, numbers, arrays, hashes, or other name-value pairs,
+          and names are strings that can be repeated. Name-value pairs with no
+          repeats are represented by attr sets. Bools, strings, ints, and
+          arrays are mapped directly. Name-value pairs with repeats can be
+          generated by the config.lib.logstash.mkNameValuePairs function, which
+          takes a list of attrsets and combines them while preserving attribute
+          name duplicates if they occur. Similarly, there are the mkFloat and
+          mkHash functions, which take a string representation of a float and an
+          attrset, respectively.
+        '';
+        merge = mergeConfigs;
+      };
+
+      filterConfig = mkOption {
+        default = {};
+        description = ''
+          An attribute set (or an expression generated by mkNameValuePairs)
+          representing a logstash configuration's filter section.
+          See inputConfig description for details.
+        '';
+        merge = mergeConfigs;
+      };
+
+      outputConfig = mkOption {
+        default = {};
+        description = ''
+          An attribute set (or an expression generated by mkNameValuePairs)
+          representing a logstash configuration's output section.
+          See inputConfig description for details.
+        '';
+        merge = mergeConfigs;
+      };
+    };
+  };
+
+
+  ###### implementation
+
+  config = mkMerge [ {
+    lib.logstash = {
+      mkFloat = stringRep: { __type = "float"; value = stringRep; };
+
+      mkHash = attrs: { __type = "hash"; value = attrs; };
+
+      mkNameValuePairs = mergeConfigs;
+    };
+  } ( mkIf cfg.enable {
+    # Always log to stdout
+    services.logstash.outputConfig = { stdout = {}; };
+
+    jobs.logstash = with pkgs; {
+      description = "Logstash daemon";
+
+      path = [ jre ];
+
+      script = "cd /tmp && exec java -jar ${logstash} agent -f ${writeText "logstash.conf" ''
+        input {
+          ${exprToConfig cfg.inputConfig}
+        }
+
+        filter {
+          ${exprToConfig cfg.filterConfig}
+        }
+
+        output {
+          ${exprToConfig cfg.outputConfig}
+        }
+      ''}";
+    };
+  })];
+}
diff --git a/modules/services/misc/disnix.nix b/modules/services/misc/disnix.nix
index 645e92c39df..8d04c81ad68 100644
--- a/modules/services/misc/disnix.nix
+++ b/modules/services/misc/disnix.nix
@@ -130,7 +130,7 @@ in
         
           script =
           ''
-            export PATH=/var/run/current-system/sw/bin:/var/run/current-system/sw/sbin
+            export PATH=/run/current-system/sw/bin:/run/current-system/sw/sbin
             export HOME=/root
 
             ${pkgs.disnix}/bin/disnix-service --activation-modules-dir=${disnix_activation_scripts}/libexec/disnix/activation-scripts
diff --git a/modules/services/monitoring/systemhealth.nix b/modules/services/monitoring/systemhealth.nix
index 71389be5b2f..0a3e666ad4e 100644
--- a/modules/services/monitoring/systemhealth.nix
+++ b/modules/services/monitoring/systemhealth.nix
@@ -86,8 +86,8 @@ in
         [paths]
         rrdtool = ${pkgs.rrdtool}/bin/rrdtool
         loadavg_rrd = loadavg
-        ps = /var/run/current-system/sw/bin/ps
-        df = /var/run/current-system/sw/bin/df
+        ps = /run/current-system/sw/bin/ps
+        df = /run/current-system/sw/bin/df
         meminfo_rrd = meminfo
         uptime_rrd = uptime
         rrd_path = ${rrdDir}
diff --git a/modules/services/network-filesystems/drbd.nix b/modules/services/network-filesystems/drbd.nix
index 1c70d44f6ba..1a00ccab0a6 100644
--- a/modules/services/network-filesystems/drbd.nix
+++ b/modules/services/network-filesystems/drbd.nix
@@ -44,7 +44,7 @@ let cfg = config.services.drbd; in
 
     boot.extraModprobeConfig =
       ''
-        options drbd usermode_helper=/var/run/current-system/sw/sbin/drbdadm
+        options drbd usermode_helper=/run/current-system/sw/sbin/drbdadm
       '';
 
     environment.etc = singleton
diff --git a/modules/services/network-filesystems/samba.nix b/modules/services/network-filesystems/samba.nix
index 7461d12d78b..2cf4e8c11ff 100644
--- a/modules/services/network-filesystems/samba.nix
+++ b/modules/services/network-filesystems/samba.nix
@@ -70,7 +70,7 @@ let
       environment = {
         LD_LIBRARY_PATH = nssModulesPath;
         TZ = config.time.timeZone;
-        LOCALE_ARCHIVE = "/var/run/current-system/sw/lib/locale/locale-archive";
+        LOCALE_ARCHIVE = "/run/current-system/sw/lib/locale/locale-archive";
       };
 
       daemonType = "fork";
diff --git a/modules/services/networking/ssh/sshd.nix b/modules/services/networking/ssh/sshd.nix
index 3bf4bf642fa..d89978a852c 100644
--- a/modules/services/networking/ssh/sshd.nix
+++ b/modules/services/networking/ssh/sshd.nix
@@ -92,7 +92,7 @@ let
       userLoop = flip concatMapStrings usersWithKeys (u:
         let
           authKeys = concatStringsSep "," u.openssh.authorizedKeys.keys;
-          authKeyFiles = concatStringsSep " " u.openssh.authorizedKeys.keyFiles;
+          authKeyFiles = concatStrings (map (x: " ${x}") u.openssh.authorizedKeys.keyFiles);
           preserveExisting = if u.openssh.authorizedKeys.preserveExistingKeys then "true" else "false";
         in ''
           mkAuthKeysFile "${u.name}" "${authKeys}" "${authKeyFiles}" "${preserveExisting}"
@@ -105,25 +105,34 @@ let
         local authKeyFiles="$3"
         local preserveExisting="$4"
 
-        eval authfile=~$userName/.ssh/authorized_keys
-        mkdir -p "$(dirname $authfile)"
-        touch "$authfile"
+        eval homeDir=~$userName
+        if ! [ -d "$homeDir" ]; then
+          echo "User $userName does not exist"
+          return
+        fi
+        if ! [ -d "$homeDir/.ssh" ]; then
+          mkdir -v -m 700 "$homeDir/.ssh"
+          chown "$userName":users "$homeDir/.ssh"
+        fi
+        local authKeysFile="$homeDir/.ssh/authorized_keys"
+        touch "$authKeysFile"
         if [ "$preserveExisting" == false ]; then
-          rm -f "$authfile"
-          echo "${marker2}" > "$authfile"
+          rm -f "$authKeysFile"
+          echo "${marker2}" > "$authKeysFile"
         else
-          sed -i '/${marker1}/ d' "$authfile"
+          sed -i '/${marker1}/ d' "$authKeysFile"
         fi
         IFS=,
         for f in $authKeys; do
-          echo "$f ${marker1}" >> "$authfile"
+          echo "$f ${marker1}" >> "$authKeysFile"
         done
         unset IFS
         for f in $authKeyFiles; do
           if [ -f "$f" ]; then
-            echo "$(cat "$f") ${marker1}" >> "$authfile"
+            echo "$(cat "$f") ${marker1}" >> "$authKeysFile"
           fi
         done
+        chown "$userName" "$authKeysFile"
       }
 
       ${userLoop}
@@ -329,7 +338,7 @@ in
         path = [ pkgs.openssh ];
         
         environment.LD_LIBRARY_PATH = nssModulesPath;
-        environment.LOCALE_ARCHIVE = "/var/run/current-system/sw/lib/locale/locale-archive";
+        environment.LOCALE_ARCHIVE = "/run/current-system/sw/lib/locale/locale-archive";
 
         preStart =
           ''
diff --git a/modules/services/networking/wpa_supplicant.nix b/modules/services/networking/wpa_supplicant.nix
index fe4fecaf0ba..5dc203fd177 100644
--- a/modules/services/networking/wpa_supplicant.nix
+++ b/modules/services/networking/wpa_supplicant.nix
@@ -18,7 +18,7 @@ in
   ###### interface
 
   options = {
-  
+
     networking.WLANInterface = mkOption {
       default = "";
       description = "Obsolete. Use <option>networking.wireless.interfaces</option> instead.";
@@ -44,7 +44,9 @@ in
         example = [ "wlan0" "wlan1" ];
         description = ''
           The interfaces <command>wpa_supplicant</command> will use.  If empty, it will
-          automatically use all wireless interfaces.
+          automatically use all wireless interfaces. (Note that auto-detection is currently
+	  broken on Linux 3.4.x kernels. See http://github.com/NixOS/nixos/issues/10 for
+	  further details.)
         '';
       };
 
@@ -80,14 +82,14 @@ in
 
 
   ###### implementation
-  
+
   config = mkIf cfg.enable {
 
     environment.systemPackages =  [ pkgs.wpa_supplicant ];
 
     services.dbus.packages = [ pkgs.wpa_supplicant ];
 
-    jobs.wpa_supplicant = 
+    jobs.wpa_supplicant =
       { startOn = "started network-interfaces";
         stopOn = "stopping network-interfaces";
 
@@ -117,13 +119,13 @@ in
             exec wpa_supplicant -s -u ${optionalString (cfg.driver != "") "-D${cfg.driver}"} -c ${configFile} $ifaces
           '';
       };
-  
+
     powerManagement.resumeCommands =
       ''
         ${config.system.build.upstart}/sbin/restart wpa_supplicant
       '';
 
-    assertions = [{ assertion = !cfg.userControlled.enable || cfg.interfaces != []; 
+    assertions = [{ assertion = !cfg.userControlled.enable || cfg.interfaces != [];
                     message = "user controlled wpa_supplicant needs explicit networking.wireless.interfaces";}];
 
   };
diff --git a/modules/services/scheduling/fcron.nix b/modules/services/scheduling/fcron.nix
index 6d274bf5973..812af1edfc0 100644
--- a/modules/services/scheduling/fcron.nix
+++ b/modules/services/scheduling/fcron.nix
@@ -87,7 +87,7 @@ in
             fcrondeny   =       /etc/fcron.deny
             shell       =       /bin/sh
             sendmail    =       /var/setuid-wrappers/sendmail
-            editor      =       /var/run/current-system/sw/bin/vi
+            editor      =       /run/current-system/sw/bin/vi
           '';
           target = "fcron.conf";
           mode = "0600"; # max allowed is 644
@@ -104,7 +104,7 @@ in
         startOn = "startup and filesystem";
 
         environment =
-          { PATH = "/var/run/current-system/sw/bin";
+          { PATH = "/run/current-system/sw/bin";
           };
 
         preStart =
diff --git a/modules/services/ttys/agetty.nix b/modules/services/ttys/agetty.nix
index 43ee81481bf..42d276c9666 100644
--- a/modules/services/ttys/agetty.nix
+++ b/modules/services/ttys/agetty.nix
@@ -72,7 +72,7 @@ with pkgs.lib;
 
         [Service]
         Environment=TERM=linux
-        Environment=LOCALE_ARCHIVE=/var/run/current-system/sw/lib/locale/locale-archive
+        Environment=LOCALE_ARCHIVE=/run/current-system/sw/lib/locale/locale-archive
         ExecStart=@${pkgs.utillinux}/sbin/agetty agetty --noclear --login-program ${pkgs.shadow}/bin/login %I 38400
         Type=idle
         Restart=always
diff --git a/modules/services/web-servers/apache-httpd/default.nix b/modules/services/web-servers/apache-httpd/default.nix
index 259847d0726..ceb93cd8b01 100644
--- a/modules/services/web-servers/apache-httpd/default.nix
+++ b/modules/services/web-servers/apache-httpd/default.nix
@@ -6,7 +6,9 @@ let
 
   mainCfg = config.services.httpd;
 
-  httpd = pkgs.apacheHttpd;
+  httpd = pkgs.apacheHttpd.override { mpm = mainCfg.multiProcessingModule; };
+
+  php = pkgs.php.override { apacheHttpd = httpd; };
 
   getPort = cfg: if cfg.port != 0 then cfg.port else if cfg.enableSSL then 443 else 80;
 
@@ -105,10 +107,11 @@ let
       # Other modules.
       "ext_filter" "include" "log_config" "env" "mime_magic"
       "cern_meta" "expires" "headers" "usertrack" /* "unique_id" */ "setenvif"
-      "mime" "dav" "status" "autoindex" "asis" "info" "cgi" "dav_fs"
+      "mime" "dav" "status" "autoindex" "asis" "info" "dav_fs"
       "vhost_alias" "negotiation" "dir" "imagemap" "actions" "speling"
       "userdir" "alias" "rewrite" "proxy" "proxy_http"
     ]
+    ++ (if mainCfg.multiProcessingModule == "prefork" then [ "cgi" ] else [ "cgid" ])
     ++ optional enableSSL "ssl"
     ++ extraApacheModules;
 
@@ -283,6 +286,11 @@ let
 
     PidFile ${mainCfg.stateDir}/httpd.pid
 
+    ${optionalString (mainCfg.multiProcessingModule != "prefork") ''
+      # mod_cgid requires this.
+      ScriptSock ${mainCfg.stateDir}/cgisock
+    ''}
+
     <IfModule prefork.c>
         MaxClients           ${toString mainCfg.maxClients}
         MaxRequestsPerChild  ${toString mainCfg.maxRequestsPerChild}
@@ -302,7 +310,7 @@ let
         allModules =
           concatMap (svc: svc.extraModulesPre) allSubservices
           ++ map (name: {inherit name; path = "${httpd}/modules/mod_${name}.so";}) apacheModules
-          ++ optional enablePHP { name = "php5"; path = "${pkgs.php}/modules/libphp5.so"; }
+          ++ optional enablePHP { name = "php5"; path = "${php}/modules/libphp5.so"; }
           ++ concatMap (svc: svc.extraModules) allSubservices
           ++ extraForeignModules;
       in concatMapStrings load allModules
@@ -373,7 +381,7 @@ let
         ([ mainCfg.phpOptions ] ++ (map (svc: svc.phpOptions) allSubservices));
     }
     ''
-      cat ${pkgs.php}/etc/php-recommended.ini > $out
+      cat ${php}/etc/php-recommended.ini > $out
       echo "$options" >> $out
     '';
 
@@ -404,7 +412,7 @@ in
 
       extraModules = mkOption {
         default = [];
-        example = [ "proxy_connect" { name = "php5"; path = "${pkgs.php}/modules/libphp5.so"; } ];
+        example = [ "proxy_connect" { name = "php5"; path = "${php}/modules/libphp5.so"; } ];
         description = ''
           Specifies additional Apache modules.  These can be specified
           as a string in the case of modules distributed with Apache,
@@ -484,6 +492,23 @@ in
           "Options appended to the PHP configuration file <filename>php.ini</filename>.";
       };
 
+      multiProcessingModule = mkOption {
+        default = "prefork";
+        example = "worker";
+        type = types.uniq types.string;
+        description =
+          ''
+            Multi-processing module to be used by Apache.  Available
+            modules are <literal>prefork</literal> (the default;
+            handles each request in a separate child process),
+            <literal>worker</literal> (hybrid approach that starts a
+            number of child processes each running a number of
+            threads) and <literal>event</literal> (a recent variant of
+            <literal>worker</literal> that handles persistent
+            connections more efficiently).
+          '';
+      };
+
       maxClients = mkOption {
         default = 150;
         example = 8;
@@ -558,7 +583,8 @@ in
 
         preStart =
           ''
-            mkdir -m 0700 -p ${mainCfg.stateDir}
+            mkdir -m 0750 -p ${mainCfg.stateDir}
+            chown root.wwwrun ${mainCfg.stateDir}
             mkdir -m 0700 -p ${mainCfg.logDir}
 
             ${optionalString (mainCfg.documentRoot != null)
@@ -582,9 +608,7 @@ in
             done
           '';
 
-        daemonType = "fork";
-
-        exec = "httpd -f ${httpdConf}";
+        exec = "httpd -f ${httpdConf} -DNO_DETACH";
 
         preStop =
           ''
diff --git a/modules/services/web-servers/apache-httpd/mediawiki.nix b/modules/services/web-servers/apache-httpd/mediawiki.nix
index d45d477b671..9f321b173d3 100644
--- a/modules/services/web-servers/apache-httpd/mediawiki.nix
+++ b/modules/services/web-servers/apache-httpd/mediawiki.nix
@@ -4,16 +4,6 @@ with pkgs.lib;
 
 let
 
-  src_clean_skin = pkgs.fetchurl {
-    url = "http://lastlog.de/misc/clean-1.01.tar.gz";
-    sha256 = "5fb1736b64b33ca3429d035f1358cf8217da2d02019d8a80b14c7985367f659f";
-  };
-
-  src_nixos_skin = pkgs.fetchurl {
-    url = "http://lastlog.de/misc/nixos-1.0.tar.gz";
-    sha256 = "413b0f451bde81ac2dd0bede17dd088f9abcd0f3cea1722279311ca648a855cf";
-  };
-
   mediawikiConfig = pkgs.writeText "LocalSettings.php"
     ''
       <?php
@@ -89,15 +79,14 @@ let
       sha256 = "1d8afbdh3lsg54b69mnh6a47psb3lg978xpp277qs08yz15cjf7q";
     };
 
-    skinTarball = if config.defaultSkin == "clean" then src_clean_skin
-             else if config.defaultSkin == "nixos" then src_nixos_skin
-             else "";
+    skins = config.skins;
 
-    buildPhase = "
-      if [ '${skinTarball}' ]; then
-         tar xfz ${skinTarball} -C skins/;
-      fi
-    ";
+    buildPhase =
+      ''
+        for skin in $skins; do
+          cp -prvd $skin/* skins/
+        done
+      ''; # */
 
     installPhase =
       ''
@@ -259,6 +248,16 @@ in
       description = "Set this value to change the default skin used by MediaWiki.";
     };
 
+    skins = mkOption {
+      default = [];
+      type = types.listOf types.path;
+      description =
+        ''
+          List of paths whose content is copied to the ‘skins’
+          subdirectory of the MediaWiki installation.
+        '';
+    };
+
     extraConfig = mkOption {
       default = "";
       example =
diff --git a/modules/services/x11/display-managers/kdm.nix b/modules/services/x11/display-managers/kdm.nix
index 47d9299fb79..ec4d033a597 100644
--- a/modules/services/x11/display-managers/kdm.nix
+++ b/modules/services/x11/display-managers/kdm.nix
@@ -106,7 +106,7 @@ in
             mkdir -m 0755 -p /var/lib/kdm
             chown kdm /var/lib/kdm
             ${(optionalString (config.system.boot.loader.id == "grub") "PATH=${config.system.build.grub}/sbin:$PATH ") +
-              "KDEDIRS=/var/run/current-system/sw exec ${kdebase_workspace}/bin/kdm -config ${kdmrc} -nodaemon"}
+              "KDEDIRS=/run/current-system/sw exec ${kdebase_workspace}/bin/kdm -config ${kdmrc} -nodaemon"}
           '';
         logsXsession = true;
       };
diff --git a/modules/services/x11/hardware/multitouch.nix b/modules/services/x11/hardware/multitouch.nix
index 3aa2760f3f0..4f9048bfd91 100644
--- a/modules/services/x11/hardware/multitouch.nix
+++ b/modules/services/x11/hardware/multitouch.nix
@@ -2,6 +2,8 @@
 
 with pkgs.lib;
 
+let cfg = config.services.xserver.multitouch; in
+
 {
 
   options = {
@@ -14,11 +16,25 @@ with pkgs.lib;
         description = "Whether to enable multitouch touchpad support.";
       };
 
+      invertScroll = mkOption {
+        default = false;
+        example = true;
+        type = types.bool;
+        description = "Whether to invert scrolling direction à la OSX Lion";
+      };
+
+      ignorePalm = mkOption {
+        default = false;
+        example = true;
+        type = types.bool;
+        description = "Whether to ignore touches detected as being the palm (i.e when typing)";
+      };
+
     };
 
   };
 
-  config = mkIf config.services.xserver.multitouch.enable {
+  config = mkIf cfg.enable {
 
     services.xserver.modules = [ pkgs.xf86_input_mtrack ];
 
@@ -29,6 +45,13 @@ with pkgs.lib;
           MatchIsTouchpad "on"
           Identifier "Touchpads"
           Driver "mtrack"
+          Option "IgnorePalm" "${if cfg.ignorePalm then "true" else "false"}"
+          ${optionalString cfg.invertScroll ''
+            Option "ScrollUpButton" "5"
+            Option "ScrollDownButton" "4"
+            Option "ScrollLeftButton" "7"
+            Option "ScrollRightButton" "6"
+          ''}
         EndSection
       '';
 
diff --git a/modules/services/x11/window-managers/i3.nix b/modules/services/x11/window-managers/i3.nix
index 7699d064eef..d688c064c5a 100644
--- a/modules/services/x11/window-managers/i3.nix
+++ b/modules/services/x11/window-managers/i3.nix
@@ -16,9 +16,9 @@ in
     };
   };
 
-  config = {
+  config = mkIf cfg.enable {
     services.xserver.windowManager = {
-      session = mkIf cfg.enable [{
+      session = [{
         name = "i3";
         start = "
           ${pkgs.i3}/bin/i3 &
@@ -26,5 +26,6 @@ in
         ";
       }];
     };
+    environment.x11Packages = [ pkgs.i3 ];
   };
 }
diff --git a/modules/services/x11/xfs.conf b/modules/services/x11/xfs.conf
index 5352d74faa0..13dcf803db2 100644
--- a/modules/services/x11/xfs.conf
+++ b/modules/services/x11/xfs.conf
@@ -12,4 +12,4 @@ default-resolutions = 75,75,100,100
 cache-hi-mark = 2048
 cache-low-mark = 1433
 cache-balance = 70
-catalogue = /var/run/current-system/sw/share/X11-fonts/
+catalogue = /run/current-system/sw/share/X11-fonts/
diff --git a/modules/services/x11/xserver.nix b/modules/services/x11/xserver.nix
index 61af0459a6b..5d795e5d57d 100644
--- a/modules/services/x11/xserver.nix
+++ b/modules/services/x11/xserver.nix
@@ -405,21 +405,21 @@ in
 
         preStart =
           ''
-            rm -f /var/run/opengl-driver
-            rm -f /var/run/opengl-driver-32
+            rm -f /run/opengl-driver
+            rm -f /run/opengl-driver-32
             ${# !!! The OpenGL driver depends on what's detected at runtime.
               if elem "nvidia" driverNames then
                 ''
-                  ln -sf ${kernelPackages.nvidia_x11} /var/run/opengl-driver
+                  ln -sf ${kernelPackages.nvidia_x11} /run/opengl-driver
                   ${optionalString (pkgs.stdenv.system == "x86_64-linux" && cfg.driSupport32Bit)
-                    "ln -sf ${pkgs_i686.linuxPackages.nvidia_x11.override { libsOnly = true; kernel = null; } } /var/run/opengl-driver-32"}
+                    "ln -sf ${pkgs_i686.linuxPackages.nvidia_x11.override { libsOnly = true; kernel = null; } } /run/opengl-driver-32"}
                 ''
               else if elem "nvidiaLegacy96" driverNames then
-                "ln -sf ${kernelPackages.nvidia_x11_legacy96} /var/run/opengl-driver"
+                "ln -sf ${kernelPackages.nvidia_x11_legacy96} /run/opengl-driver"
               else if elem "nvidiaLegacy173" driverNames then
-                "ln -sf ${kernelPackages.nvidia_x11_legacy173} /var/run/opengl-driver"
+                "ln -sf ${kernelPackages.nvidia_x11_legacy173} /run/opengl-driver"
               else if cfg.driSupport then
-                "ln -sf ${pkgs.mesa} /var/run/opengl-driver"
+                "ln -sf ${pkgs.mesa} /run/opengl-driver"
               else ""
             }
 
diff --git a/modules/system/activation/activation-script.nix b/modules/system/activation/activation-script.nix
index 083e3767ed8..41c3ced1bc2 100644
--- a/modules/system/activation/activation-script.nix
+++ b/modules/system/activation/activation-script.nix
@@ -74,12 +74,12 @@ in
 
             # Make this configuration the current configuration.
             # The readlink is there to ensure that when $systemConfig = /system
-            # (which is a symlink to the store), /var/run/current-system is still
+            # (which is a symlink to the store), /run/current-system is still
             # used as a garbage collection root.
-            ln -sfn "$(readlink -f "$systemConfig")" /var/run/current-system
+            ln -sfn "$(readlink -f "$systemConfig")" /run/current-system
 
             # Prevent the current configuration from being garbage-collected.
-            ln -sfn /var/run/current-system /nix/var/nix/gcroots/current-system
+            ln -sfn /run/current-system /nix/var/nix/gcroots/current-system
           '';
       };
 
diff --git a/modules/system/activation/switch-to-configuration.sh b/modules/system/activation/switch-to-configuration.sh
index da1471cf550..62af63ec39f 100644
--- a/modules/system/activation/switch-to-configuration.sh
+++ b/modules/system/activation/switch-to-configuration.sh
@@ -59,7 +59,7 @@ fi
 # Activate the new configuration.
 if [ "$action" != switch -a "$action" != test ]; then exit 0; fi
 
-oldVersion=$(cat /var/run/current-system/upstart-interface-version 2> /dev/null || echo 0)
+oldVersion=$(cat /run/current-system/upstart-interface-version 2> /dev/null || echo 0)
 newVersion=$(cat @out@/upstart-interface-version 2> /dev/null || echo 0)
 
 if test "$oldVersion" -ne "$newVersion"; then
diff --git a/modules/system/boot/modprobe.nix b/modules/system/boot/modprobe.nix
index 1b34e78ab78..03d9222af21 100644
--- a/modules/system/boot/modprobe.nix
+++ b/modules/system/boot/modprobe.nix
@@ -23,7 +23,7 @@ with pkgs.lib;
             # modules in the current configuration don't match the
             # running kernel.
             if [ ! -d "$MODULE_DIR/$(${pkgs.coreutils}/bin/uname -r)" ]; then
-                MODULE_DIR=/var/run/booted-system/kernel-modules/lib/modules/
+                MODULE_DIR=/run/booted-system/kernel-modules/lib/modules/
             fi
 
             exec ${pkgs.kmod}/sbin/modprobe "$@"
diff --git a/modules/system/boot/stage-2-init.sh b/modules/system/boot/stage-2-init.sh
index 5c915db08e0..e8b01788900 100644
--- a/modules/system/boot/stage-2-init.sh
+++ b/modules/system/boot/stage-2-init.sh
@@ -143,12 +143,12 @@ $systemConfig/activate
 
 
 # Record the boot configuration.
-ln -sfn "$systemConfig" /var/run/booted-system
+ln -sfn "$systemConfig" /run/booted-system
 
 # Prevent the booted system form being garbage-collected If it weren't
 # a gcroot, if we were running a different kernel, switched system,
 # and garbage collected all, we could not load kernel modules anymore.
-ln -sfn /var/run/booted-system /nix/var/nix/gcroots/booted-system
+ln -sfn /run/booted-system /nix/var/nix/gcroots/booted-system
 
 
 # Run any user-specified commands.
@@ -177,6 +177,6 @@ fi
 
 # Start systemd.
 echo "starting systemd..."
-PATH=/var/run/current-system/systemd/lib/systemd \
-    MODULE_DIR=/var/run/current-system/kernel-modules/lib/modules \
+PATH=/run/current-system/systemd/lib/systemd \
+    MODULE_DIR=/run/current-system/kernel-modules/lib/modules \
     exec systemd --log-target journal # --log-level debug --crash-shell
diff --git a/modules/system/upstart-events/shutdown.nix b/modules/system/upstart-events/shutdown.nix
new file mode 100644
index 00000000000..59fbcc0d878
--- /dev/null
+++ b/modules/system/upstart-events/shutdown.nix
@@ -0,0 +1,162 @@
+{ config, pkgs, ... }:
+
+with pkgs.lib;
+
+{
+
+  jobs.shutdown =
+    { name = "shutdown";
+
+      task = true;
+
+      stopOn = ""; # must override the default ("starting shutdown")
+
+      environment = { MODE = "poweroff"; };
+
+      extraConfig = "console owner";
+
+      script =
+        ''
+          set +e # continue in case of errors
+
+          ${pkgs.kbd}/bin/chvt 1
+
+          exec < /dev/console > /dev/console 2>&1
+          echo ""
+          if test "$MODE" = maintenance; then
+              echo "<<< Entering maintenance mode >>>"
+          else
+              echo "<<< System shutdown >>>"
+          fi
+          echo ""
+
+          ${config.powerManagement.powerDownCommands}
+
+          export PATH=${pkgs.utillinux}/bin:${pkgs.utillinux}/sbin:$PATH
+
+
+          # Do an initial sync just in case.
+          sync
+
+
+          # Kill all remaining processes except init, this one and any
+          # Upstart jobs that don't stop on the "starting shutdown"
+          # event, as these are necessary to complete the shutdown.
+          omittedPids=$(initctl list | sed -e 's/.*process \([0-9]\+\)/-o \1/;t;d')
+          #echo "saved PIDs: $omittedPids"
+
+          echo "sending the TERM signal to all processes..."
+          ${pkgs.sysvtools}/bin/killall5 -15 $job $omittedPids
+
+          sleep 1 # wait briefly
+
+          echo "sending the KILL signal to all processes..."
+          ${pkgs.sysvtools}/bin/killall5 -9 $job $omittedPids
+
+
+          # If maintenance mode is requested, start a root shell, and
+          # afterwards emit the "startup" event to bring everything
+          # back up.
+          if test "$MODE" = maintenance; then
+              echo ""
+              echo "<<< Maintenance shell >>>"
+              echo ""
+              ${pkgs.shadow}/bin/login root
+              initctl emit -n startup
+              exit 0
+          fi
+
+
+          # Write a shutdown record to wtmp while /var/log is still writable.
+          reboot --wtmp-only
+
+
+          # Set the hardware clock to the system time.
+          echo "setting the hardware clock..."
+          hwclock --systohc ${if config.time.hardwareClockInLocalTime then "--localtime" else "--utc"}
+
+
+          # Stop all swap devices.
+          swapoff -a
+
+
+          # Unmount file systems.  We repeat this until no more file systems
+          # can be unmounted.  This is to handle loopback devices, file
+          # systems mounted on other file systems and so on.
+          tryAgain=1
+          while test -n "$tryAgain"; do
+              tryAgain=
+              failed= # list of mount points that couldn't be unmounted/remounted
+
+              # Get rid of loopback devices.
+              loDevices=$(losetup -a | sed 's#^\(/dev/loop[0-9]\+\).*#\1#')
+              if [ -n "$loDevices" ]; then
+                  echo "removing loopback devices $loDevices..."
+                  losetup -d $loDevices
+              fi
+
+              cp /proc/mounts /dev/.mounts # don't read /proc/mounts while it's changing
+              exec 4< /dev/.mounts
+              while read -u 4 device mp fstype options rest; do
+                  # Skip various special filesystems.  Non-existent
+                  # mount points are typically tmpfs/aufs mounts from
+                  # the initrd.
+                  if [ "$mp" = /proc -o "$mp" = /sys -o "$mp" = /dev -o "$device" = "rootfs" -o "$mp" = /run -o "$mp" = /var/run -o "$mp" = /var/lock -o ! -e "$mp" ]; then continue; fi
+
+                  echo "unmounting $mp..."
+
+                  # We need to remount,ro before attempting any
+                  # umount, or bind mounts may get confused, with
+                  # the fs not being properly flushed at the end.
+
+                  # `-i' is to workaround a bug in mount.cifs (it
+                  # doesn't recognise the `remount' option, and
+                  # instead mounts the FS again).
+                  success=
+                  if mount -t "$fstype" -n -i -o remount,ro "device" "$mp"; then success=1; fi
+
+                  # Note: don't use `umount -f'; it's very buggy.
+                  # (For instance, when applied to a bind-mount it
+                  # unmounts the target of the bind-mount.)  !!! But
+                  # we should use `-f' for NFS.
+                  if [ "$mp" != / -a "$mp" != /nix -a "$mp" != /nix/store ]; then
+                      if umount -n "$mp"; then success=1; tryAgain=1; fi
+                  fi
+
+                  if [ -z "$success" ]; then failed="$failed $mp"; fi
+              done
+          done
+
+
+          # Warn about filesystems that could not be unmounted or
+          # remounted read-only.
+          if [ -n "$failed" ]; then
+              echo "warning: the following filesystems could not be unmounted:"
+              for mp in $failed; do echo "  $mp"; done
+              echo Enter 'i' to launch a shell, or wait 10 seconds to continue.
+              read -t 10 A
+              if [ "$A" == "i" ]; then
+                ${pkgs.bashInteractive}/bin/bash -i < /dev/console &> /dev/console
+              fi
+              sleep 5
+          fi
+
+
+          # Final sync.
+          sync
+
+
+          # Either reboot or power-off the system.
+          if test "$MODE" = reboot; then
+              echo "rebooting..."
+              sleep 1
+              exec reboot -f
+          else
+              echo "powering off..."
+              sleep 1
+              exec halt -f -p
+          fi
+        '';
+    };
+
+}
diff --git a/modules/tasks/kbd.nix b/modules/tasks/kbd.nix
index b563d33dc5b..dd4b9f382c0 100644
--- a/modules/tasks/kbd.nix
+++ b/modules/tasks/kbd.nix
@@ -67,7 +67,7 @@ in
 
         script = ''
           export LANG=${defaultLocale}
-          export LOCALE_ARCHIVE=/var/run/current-system/sw/lib/locale/locale-archive
+          export LOCALE_ARCHIVE=/run/current-system/sw/lib/locale/locale-archive
           export PATH=${pkgs.gzip}/bin:$PATH # Needed by setfont
 
           set +e # continue in case of errors