Add NixOS permittedInsecurePackages when using flakes

I’ve avoided the complexity of flakes, but recently gave them a shot for a NixOS machine.

```nix
{
  description = "Flake experiment";
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11";
  };

  outputs = { self, nixpkgs }: {
    nixosConfigurations.laptop = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      modules = [
        ./configuration.nix
      ];
    };
  };
}
```

A few weeks later, I go to `nix flake update`, but I’m not allowed because one package is marked as insecure. Somewhat pedantic given I’m trying to update and I’m on stable, but continuing along.

```text
b) for `nixos-rebuild` you can add ‘vault-1.14.10’ to
   `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
   like so:

     {
       nixpkgs.config.permittedInsecurePackages = [
         "vault-1.14.10"
       ];
     }
```

Adding that to configuration.nix doesn’t change the error. Reading online, it seems like with flakes there are special considerations like making sure you git checkin your changes and maybe trying to modify nixpkgs at the top level for some reason?

```nix
{
  description = "Flake experiment";
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11";
  };

  outputs = { self, nixpkgs }: {
    nixosConfigurations.laptop = let
      system = "x86_64-linux";
      pkgs = import nixpkgs {
        inherit system;
        config = {
          permittedInsecurePackages = [
            "vault-1.14.10"
          ];
        };
      };
    in
    pkgs.lib.nixosSystem {
      system = "x86_64-linux";
      modules = [
        {
          nixpkgs.config = {
            allowUnfree = true;
            permittedInsecurePackages = [
              "vault-1.14.10"
            ];
          };
        }
        ./configuration.nix
      ];
    };
  };
}
```

This flake.nix tries to define permittedInsecurePackages in multiple places without any luck. And it’s already pretty unreadable. What am I missing? Why is this so unintuitive?

```text
error: attribute 'nixosSystem' missing

       at /nix/store/zqr15lyn9a8hh1dzgzhf50axgh67agcd-source/nix/machines/laptop/flake.nix:19:5:
```

Or on re-run, this unhelpful message

```text
error: cached failure of attribute 'nixosConfigurations.laptop'
```

Replace `pkgs.lib.nixosSystem` with `nixpkgs.lib.nixosSystem`. You can also leave out the let block that you have there before.

You’re saying this should work? No let block, just putting it into the modules. nixos-rebuild shows the same message about needing to add permittedInsecurePackages.

```nix
{
  description = "Flake experiment";
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11";
  };

  outputs = { self, nixpkgs }: {
    nixosConfigurations.laptop = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      modules = [
        {
          nixpkgs.config = {
            allowUnfree = true;
            permittedInsecurePackages = [
              "vault-1.14.10"
            ];
          };
        }
        ./configuration.nix
      ];
    };
  };
}
```

Maybe a better question is why don’t any of these settings get picked up. My expectation was I could just put it in configuration.nix, which declares the entire NixOS system and flake.nix is just a tiny wrapper to define inputs and outputs.

Yes, that is what I am doing and it’s working for me. I also agree that adding these settings to your configuration.nix should be fine; it doesn’t really matter in which module you define them.

Maybe post your configuration.nix as well?

So it turns out, this package is installed through home-manager. home-manager seems to use its own nixpkgs unless you specifically configure it not to, which is done differently between flakes and non-flakes.

```nix
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11";
    home-manager = {
      url = "github:nix-community/home-manager/release-23.11";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };
```
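A complete flake.nix that puts the last post’s finding together, added here as an example and not code from the thread: it assumes home-manager is used as a NixOS module (not standalone `home-manager switch`) and a user named `alice`, and uses the real `home-manager.useGlobalPkgs` option so the system-level `permittedInsecurePackages` allow-list also governs packages installed through home-manager.

```nix
{
  description = "Flake experiment";

  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11";
    home-manager = {
      url = "github:nix-community/home-manager/release-23.11";
      # Pin home-manager to the same nixpkgs revision as the system.
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };

  outputs = { self, nixpkgs, home-manager }: {
    nixosConfigurations.laptop = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      modules = [
        ./configuration.nix
        home-manager.nixosModules.home-manager
        {
          # The explicit allow-list the nixpkgs error asks for. It only
          # applies to the pkgs instance this NixOS system is built from.
          nixpkgs.config.permittedInsecurePackages = [ "vault-1.14.10" ];

          # By default home-manager instantiates a private nixpkgs with its
          # own config, which is why the system-level setting was ignored.
          # Reuse the system pkgs so one allow-list covers both.
          home-manager.useGlobalPkgs = true;
          home-manager.useUserPackages = true;

          # "alice" is an assumed user name; the vault package here is the
          # one the thread's error message was about.
          home-manager.users.alice = { pkgs, ... }: {
            home.stateVersion = "23.11";
            home.packages = [ pkgs.vault ];
          };
        }
      ];
    };
  };
}
```

If `useGlobalPkgs` is left at its default, the allow-list must instead be declared inside the user’s home-manager module as `nixpkgs.config.permittedInsecurePackages`, because that private pkgs instance does not read the system’s `nixpkgs.config`.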