Diffstat (limited to 'nixos')
-rwxr-xr-xnixos/modules/module-list.nix2
-rw-r--r--nixos/modules/programs/zsh/zsh.nix6
-rw-r--r--nixos/modules/security/pam.nix11
-rw-r--r--nixos/modules/security/rngd.nix4
-rw-r--r--nixos/modules/services/databases/postgresql.xml4
-rw-r--r--nixos/modules/services/monitoring/riemann.nix2
-rw-r--r--nixos/modules/services/networking/mstpd.nix33
-rw-r--r--nixos/modules/services/search/solr.nix4
-rw-r--r--nixos/modules/services/security/fprintd.nix53
-rw-r--r--nixos/modules/services/web-servers/winstone.nix2
-rw-r--r--nixos/modules/tasks/network-interfaces-scripted.nix18
-rw-r--r--nixos/modules/tasks/network-interfaces.nix7
-rw-r--r--nixos/release-small.nix2
13 files changed, 130 insertions, 18 deletions
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 503dd87ad4d9..844fae536e95 100755
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -254,6 +254,7 @@
   ./services/networking/kippo.nix
   ./services/networking/mailpile.nix
   ./services/networking/minidlna.nix
+  ./services/networking/mstpd.nix
   ./services/networking/murmur.nix
   ./services/networking/nat.nix
   ./services/networking/networkmanager.nix
@@ -306,6 +307,7 @@
   ./services/search/solr.nix
   ./services/security/clamav.nix
   ./services/security/fail2ban.nix
+  ./services/security/fprintd.nix
   ./services/security/fprot.nix
   ./services/security/frandom.nix
   ./services/security/haveged.nix
diff --git a/nixos/modules/programs/zsh/zsh.nix b/nixos/modules/programs/zsh/zsh.nix
index 39f9671316ee..74dd6af0bdde 100644
--- a/nixos/modules/programs/zsh/zsh.nix
+++ b/nixos/modules/programs/zsh/zsh.nix
@@ -100,15 +100,11 @@ in
         export HISTSIZE=2000
         export HISTFILE=$HOME/.zsh_history
 
-        setopt HIST_IGNORE_DUPS SHARE_HISTORY
+        setopt HIST_IGNORE_DUPS SHARE_HISTORY HIST_FCNTL_LOCK
       '';
 
     };
 
-    environment.profileRelativeEnvVars =
-      { FPATH = [ "/share/zsh/site-functions" ];
-      };
-
     environment.etc."zshenv".text =
       ''
         # /etc/zshenv: DO NOT EDIT -- this file has been generated automatically.
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index 844a9da0eb46..3b5dd41868be 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -54,6 +54,15 @@ let
         '';
       };
 
+      fprintAuth = mkOption {
+        default = config.services.fprintd.enable;
+        type = types.bool;
+        description = ''
+          If set, fingerprint reader will be used (if exists and
+          your fingerprints are enrolled).
+        '';
+      };
+
       sshAgentAuth = mkOption {
         default = false;
         type = types.bool;
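Review bot: `default = config.services.fprintd.enable` ties this per-service option to the daemon's enable flag, so merely turning on `services.fprintd` silently switches fingerprint authentication on for every PAM service, and the description does not say so. Because the option is consumed as `auth sufficient` further down in this file, a fingerprint match alone then authenticates the user. The description should make both facts explicit, e.g. `If set, a matched fingerprint (via pam_fprintd) is sufficient to authenticate for this service. Defaults to true whenever services.fprintd is enabled.` The enclosing `let` binding and option set begin outside the hunk.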
@@ -179,6 +188,8 @@ let
               "auth required pam_tally.so"}
           ${optionalString (config.security.pam.enableSSHAgentAuth && cfg.sshAgentAuth)
               "auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=~/.ssh/authorized_keys:~/.ssh/authorized_keys2:/etc/ssh/authorized_keys.d/%u"}
+          ${optionalString cfg.fprintAuth
+              "auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so"}
           ${optionalString cfg.usbAuth
               "auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so"}
           ${optionalString cfg.unixAuth
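Review bot: The new `auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so` line is inserted ahead of `pam_usb` and `pam_unix`, so a successful fingerprint match ends the auth stack without a password, while a failed or absent reader falls through silently to the next module. That is the conventional placement, but the effect is not obvious to someone reading the generated PAM file, and the line carries no comment while the neighbouring modules are self-explanatory. Suggest a Nix comment above the interpolation, `# sufficient: a fingerprint match alone authenticates; the password modules below only run on failure`. The enclosing string interpolation continues outside the hunk.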
diff --git a/nixos/modules/security/rngd.nix b/nixos/modules/security/rngd.nix
index 4d8fabc7696e..b14ea7a5f276 100644
--- a/nixos/modules/security/rngd.nix
+++ b/nixos/modules/security/rngd.nix
@@ -20,7 +20,7 @@ with lib;
       KERNEL=="random", TAG+="systemd"
       SUBSYSTEM=="cpu", ENV{MODALIAS}=="x86cpu:*feature:*009E*", TAG+="systemd", ENV{SYSTEMD_WANTS}+="rngd.service"
       KERNEL=="hw_random", TAG+="systemd", ENV{SYSTEMD_WANTS}+="rngd.service"
-      KERNEL=="tmp0", TAG+="systemd", ENV{SYSTEMD_WANTS}+="rngd.service"
+      ${if config.services.tcsd.enable then "" else ''KERNEL=="tpm0", TAG+="systemd", ENV{SYSTEMD_WANTS}+="rngd.service"''}
     '';
 
     systemd.services.rngd = {
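Review bot: The `tpm0` rule is now dropped entirely when `services.tcsd.enable` is set, but the reason is only visible in the second hunk's `--no-tpm=1` flag, not at the rule itself. A udev comment line inside the string would make the intent local, e.g. `# tpm0 is left to tcsd when it is enabled; rngd then runs with --no-tpm=1 (see ExecStart below)`. Note also that correcting `tmp0` to `tpm0` means rngd will now actually be pulled in on hosts whose only hardware RNG is the TPM, which is a behaviour change worth stating in the commit message; the enclosing `services.udev.extraRules` string presumably begins outside the hunk.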
@@ -32,8 +32,6 @@ with lib;
 
       serviceConfig.ExecStart = "${pkgs.rng_tools}/sbin/rngd -f -v" +
         (if config.services.tcsd.enable then " --no-tpm=1" else "");
-
-      restartTriggers = [ pkgs.rng_tools ];
     };
   };
 }
diff --git a/nixos/modules/services/databases/postgresql.xml b/nixos/modules/services/databases/postgresql.xml
index e98b431bd60a..a98026942959 100644
--- a/nixos/modules/services/databases/postgresql.xml
+++ b/nixos/modules/services/databases/postgresql.xml
@@ -24,11 +24,11 @@
 
 <programlisting>
 services.postgresql.enable = true;
-services.postgresql.package = pkgs.postgresql93;
+services.postgresql.package = pkgs.postgresql94;
 </programlisting>
 
 Note that you are required to specify the desired version of
-PostgreSQL (e.g. <literal>pkgs.postgresql93</literal>). Since
+PostgreSQL (e.g. <literal>pkgs.postgresql94</literal>). Since
 upgrading your PostgreSQL version requires a database dump and reload
 (see below), NixOS cannot provide a default value for
 <option>services.postgresql.package</option> such as the most recent
diff --git a/nixos/modules/services/monitoring/riemann.nix b/nixos/modules/services/monitoring/riemann.nix
index ab37d717b86d..ac5d0134a80d 100644
--- a/nixos/modules/services/monitoring/riemann.nix
+++ b/nixos/modules/services/monitoring/riemann.nix
@@ -17,7 +17,7 @@ let
 
   launcher = writeScriptBin "riemann" ''
     #!/bin/sh
-    exec ${openjdk}/bin/java ${concatStringsSep "\n" cfg.extraJavaOpts} \
+    exec ${jdk}/bin/java ${concatStringsSep "\n" cfg.extraJavaOpts} \
       -cp ${classpath} \
       riemann.bin ${writeText "riemann-config.clj" riemannConfig}
   '';
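Review bot: The rewritten `exec ${jdk}/bin/java ${concatStringsSep "\n" cfg.extraJavaOpts} \` still joins the Java options with a newline, so with two or more entries the generated `/bin/sh` script terminates the `exec` line after the first option and the remaining options become separate shell commands. The join should be a space, `${concatStringsSep " " cfg.extraJavaOpts}`. The `launcher` definition is fully within the hunk.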
diff --git a/nixos/modules/services/networking/mstpd.nix b/nixos/modules/services/networking/mstpd.nix
new file mode 100644
index 000000000000..5d1fc4a65427
--- /dev/null
+++ b/nixos/modules/services/networking/mstpd.nix
@@ -0,0 +1,33 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.services.mstpd;
+in
+with lib;
+{
+  options.services.mstpd = {
+    
+    enable = mkOption {
+      default = false;
+      type = types.bool;
+      description = ''
+        Whether to enable the multiple spanning tree protocol daemon.
+      '';
+    };
+
+  };
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = [ pkgs.mstpd ];
+
+    systemd.services.mstpd = {
+      description = "Multiple Spanning Tree Protocol Daemon";
+      wantedBy = [ "network.target" ];
+      unitConfig.ConditionCapability = "CAP_NET_ADMIN";
+      serviceConfig = {
+        Type = "forking";
+        ExecStart = "@${pkgs.mstpd}/bin/mstpd mstpd";
+        PIDFile = "/run/mstpd.pid";
+      };
+    };
+  };
+}
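Review bot: `systemd.services.mstpd` starts a spanning-tree daemon as root with no sandboxing, and `unitConfig.ConditionCapability = "CAP_NET_ADMIN"` only decides whether the unit starts; it does not restrict the process. Since the daemon acts on protocol frames arriving on bridge member ports, consider narrowing it in `serviceConfig`, e.g. `CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW";`, `ProtectSystem = "full";`, `ProtectHome = true;` — the exact capability set should be confirmed against the sockets mstpd opens before merging. The `description` should also note that this service is pulled in automatically by `networking.bridges.<name>.rstp`, since users may find it running without having enabled it directly.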
diff --git a/nixos/modules/services/search/solr.nix b/nixos/modules/services/search/solr.nix
index 38d9dedbe3cf..7886d1e2e8e6 100644
--- a/nixos/modules/services/search/solr.nix
+++ b/nixos/modules/services/search/solr.nix
@@ -22,7 +22,7 @@ let
       cp common/lib/*.jar $out/lib/
       ln -s ${pkgs.ant}/lib/ant/lib/ant.jar $out/lib/
       ln -s ${cfg.solrPackage}/lib/ext/* $out/lib/
-      ln -s ${pkgs.openjdk}/lib/openjdk/lib/tools.jar $out/lib/
+      ln -s ${pkgs.jdk.home}/lib/tools.jar $out/lib/
     '' + optionalString (cfg.extraJars != []) ''
       for f in ${concatStringsSep " " cfg.extraJars}; do
          cp $f $out/lib
@@ -44,7 +44,7 @@ in {
 
       javaPackage = mkOption {
         type = types.package;
-        default = pkgs.openjre;
+        default = pkgs.jre;
         description = ''
           Which Java derivation to use for running solr.
         '';
diff --git a/nixos/modules/services/security/fprintd.nix b/nixos/modules/services/security/fprintd.nix
new file mode 100644
index 000000000000..a35b065ba815
--- /dev/null
+++ b/nixos/modules/services/security/fprintd.nix
@@ -0,0 +1,53 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+  cfg = config.services.fprintd;
+
+in
+
+
+{
+
+  ###### interface
+
+  options = {
+
+    services.fprintd = {
+
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Whether to enable fprintd daemon and PAM module for fingerprint readers handling.
+        '';
+      };
+
+    };
+    
+  };
+  
+  
+  ###### implementation
+  
+  config = mkIf cfg.enable {
+
+    services.dbus.packages = [ pkgs.fprintd ];
+
+    environment.systemPackages = [ pkgs.fprintd ];
+
+    systemd.services.fprintd = {
+      description = "Fingerprint Authentication Daemon";
+
+      serviceConfig = {
+        Type = "dbus";
+        BusName = "net.reactivated.Fprint";
+        ExecStart = "${pkgs.fprintd}/libexec/fprintd";
+      };
+    };
+
+  };
+  
+}
diff --git a/nixos/modules/services/web-servers/winstone.nix b/nixos/modules/services/web-servers/winstone.nix
index 7f48012f158e..eed16a64f2a8 100644
--- a/nixos/modules/services/web-servers/winstone.nix
+++ b/nixos/modules/services/web-servers/winstone.nix
@@ -30,7 +30,7 @@ let
 
       javaPackage = mkOption {
         type = types.package;
-        default = pkgs.openjre;
+        default = pkgs.jre;
         description = ''
           Which Java derivation to use for running Winstone.
         '';
diff --git a/nixos/modules/tasks/network-interfaces-scripted.nix b/nixos/modules/tasks/network-interfaces-scripted.nix
index 9d61a4b05301..da0d8530241b 100644
--- a/nixos/modules/tasks/network-interfaces-scripted.nix
+++ b/nixos/modules/tasks/network-interfaces-scripted.nix
@@ -37,6 +37,8 @@ let
     ip link del "${i}" 2>/dev/null || true
   '';
 
+  needsMstpd = any ({ rstp, ... }: rstp) (attrValues cfg.bridges);
+
 in
 
 {
@@ -185,13 +187,14 @@ in
           in
           { description = "Bridge Interface ${n}";
             wantedBy = [ "network.target" (subsystemDevice n) ];
-            bindsTo = deps;
-            after = [ "network-pre.target" ] ++ deps
+            bindsTo = deps ++ optional v.rstp "mstpd.service";
+            partOf = optional v.rstp "mstpd.service";
+            after = [ "network-pre.target" "mstpd.service" ] ++ deps
               ++ concatMap (i: [ "network-addresses-${i}.service" "network-link-${i}.service" ]) v.interfaces;
             before = [ "network-interfaces.target" (subsystemDevice n) ];
             serviceConfig.Type = "oneshot";
             serviceConfig.RemainAfterExit = true;
-            path = [ pkgs.iproute ];
+            path = [ pkgs.iproute ] ++ optional v.rstp pkgs.mstpd;
             script = ''
               # Remove Dead Interfaces
               echo "Removing old bridge ${n}..."
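Review bot: `partOf = optional v.rstp "mstpd.service"` makes a restart of mstpd.service restart this oneshot bridge unit as well, and the context lines show the script begins by removing the existing bridge; if the rest of the script (outside the hunk) recreates it, every mstpd restart will tear down and rebuild the bridge and briefly drop its member interfaces. If that is intended, a comment such as `# partOf: a restart of mstpd rebuilds the bridge so it is re-registered with the daemon` would document it; otherwise `bindsTo` alone may be sufficient. As a style point, `after = [ "network-pre.target" "mstpd.service" ]` adds the ordering unconditionally while `bindsTo`/`partOf`/`path` are guarded by `optional v.rstp`; making it `++ optional v.rstp "mstpd.service"` keeps the three consistent. The bridge unit definition begins and ends outside the hunk.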
@@ -206,6 +209,13 @@ in
                 ip link set "${i}" up
               '')}
 
+              # Enable rstp on the interface
+              ${optionalString v.rstp ''
+                echo 1 >/sys/class/net/${n}/bridge/stp_state
+                mstpctl addbridge "${n}"
+                mstpctl setforcevers "${n}" rstp
+              ''}
+
               ip link set "${n}" up
             '';
             postStop = ''
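Review bot: The `# Enable rstp on the interface` block first writes `1` to the bridge's `stp_state` and then hands the bridge to mstpd; if `mstpctl addbridge` or `setforcevers` fails and the unit script does not abort on error (the wrapper is not visible here), the bridge is left up with the kernel's own STP enabled rather than RSTP, which differs from what the option promises. Either confirm the script runs under `set -e`, or check the `mstpctl` results explicitly before the final `ip link set "${n}" up`. The comment would also be more useful as `# Enable kernel STP on the bridge, then register it with mstpd and force RSTP`. The enclosing script and bridge unit continue outside the hunk.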
@@ -343,6 +353,8 @@ in
         KERNEL=="tun", TAG+="systemd"
       '';
 
+    services.mstpd = mkIf needsMstpd { enable = true; };
+
   };
 
 }
diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix
index 4a272483e549..9f72e0f0d509 100644
--- a/nixos/modules/tasks/network-interfaces.nix
+++ b/nixos/modules/tasks/network-interfaces.nix
@@ -368,6 +368,13 @@ in
             "The physical network interfaces connected by the bridge.";
         };
 
+        rstp = mkOption {
+          example = true;
+          default = false;
+          type = types.bool;
+          description = "Whether the bridge interface should enable rstp.";
+        };
+
       };
 
     };
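Review bot: `description = "Whether the bridge interface should enable rstp."` understates what the option does: per the scripted module in this commit it sets the bridge's `stp_state`, registers the bridge with `mstpctl` and forces RSTP, and auto-enables `services.mstpd`, so every member port starts participating in spanning tree. Suggest `description = "Whether to enable the Rapid Spanning Tree Protocol on this bridge. This starts mstpd and registers the bridge with it; all member ports then take part in spanning-tree negotiation.";` The enclosing bridge options submodule begins outside the hunk.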
diff --git a/nixos/release-small.nix b/nixos/release-small.nix
index 07cd672843ea..7f53a101bdfc 100644
--- a/nixos/release-small.nix
+++ b/nixos/release-small.nix
@@ -61,12 +61,12 @@ in rec {
       gettext
       git
       imagemagick
+      jdk
       linux
       mysql51
       mysql55
       nginx
       nodejs
-      openjdk
       openssh
       php
       postgresql92