How to permit insecure package as input to another package?

I have a service that uses a package. Overriding an input of that package causes it to use another insecure package, which produces an error message. The advice is to add nixpkgs.config.permittedInsecurePackages but that doesn’t help in this case. How can get rid of it?


NixOS config:

  nixpkgs.config.permittedInsecurePackages = [
    "nodejs-12.22.12"
  ];

  services.github-runner = {
    enable = true;
    package = pkgs.unstable.github-runner.override {withNode12 = true;};
    url = "<snip>";
    extraPackages = with pkgs; [
    ];
  };

Shot in the dark, but the nodejs packages aren’t named with their full versions: nodejs-12_x

Maybe this is an odd edge case, and you need to add nodejs-12_x, despite what the error says. If that’s the case, maybe raise an issue upstream.

I think the problem is with the way I do it. While figuring it out another config I tried was:

  services.github-runner = {
    enable = true;
    package = pkgs.unstable.github-runner;
    url = "<snip>";
    extraPackages = with pkgs; [
        pkgs.nodejs-12_x
    ];
  };

And that had the same issue. After adding this:

  nixpkgs.config.permittedInsecurePackages = [
    "nodejs-12.22.12"
  ];

It worked, so that’s why I’m assuming the problem is you have to do something else to allow an insecure package when doing an override instead of extraPackages. But this is not the way to go as this just adds node to path, whereas I need the override as seen in my first message

Ah, no, not at all - I just noticed you’re using pkgs.unstable, which is probably created with an overlay somewhere :slight_smile: Maybe even using flakes?

The problem is that the nixpkgs config in your configuration.nix doesn’t apply to that nixpkgs. You need to override the config of the unstable nixpkgs in your overlay:

final: prev: {
    unstable = import unstable {
        config = {
            permittedInsecurePackages = [ "nodejs-12_x" ];
        };
    };
}

I don’t recall if permittedInsecurePackages is a valid setting for that particular attrset, but allowInsecure will definitely work :slight_smile:

I’d still try setting the 12_x, because that’s the actual package name, but the string you’re setting should almost certainly work.

1 Like

:man_facepalming: You are exactly right, that’s what I get for changing two things at once and when it doesn’t work assuming which change cause the issue. It works when not using the unstable overlay.

I’ve lost a day to this before as well :wink: It’s not exactly obvious. Maybe the doc string could be improved to point this out, at least.