Non-free external package in your OS config

I’m having trouble including a non-free package in my OS config when it comes “from outside”. I can do this fine:

    environment.systemPackages = [ pkgs._1password ];
    nixpkgs.config.allowUnfree = true;

But when I import an external flake which, itself, somehow references pkgs._1password, I get in trouble. E.g.:

    inputs.nix-tools.url = "github:hraban/nix-tools";
    outputs = ...


    environment.systemPackages = [
        nix-tools.packages.${pkgs.system}.aws-1password
    ];
    nixpkgs.config.allowUnfree = true;

Gives me the dreaded:

error:
       … while calling the 'head' builtin

         at /nix/store/yy5l09gfsagkv8rswblknmsjc2gyr20d-source/lib/attrsets.nix:1541:11:

         1540|         || pred here (elemAt values 1) (head values) then
         1541|           head values
             |           ^
         1542|         else

       … while evaluating the attribute 'value'

         at /nix/store/yy5l09gfsagkv8rswblknmsjc2gyr20d-source/lib/modules.nix:809:9:

          808|     in warnDeprecation opt //
          809|       { value = builtins.addErrorContext "while evaluating the option `${showOption loc}':" value;
             |         ^
          810|         inherit (res.defsFinal') highestPrio;

       (stack trace truncated; use '--show-trace' to show the full trace)

       error: Package ‘1password-cli-2.26.1’ in /nix/store/w3mmrsd59kzqx98ik5mwk48j85zia5cv-source/pkgs/applications/misc/1password/default.nix:71 has an unfree license (‘unfree’), refusing to evaluate.

       a) To temporarily allow unfree packages, you can use an environment variable
          for a single invocation of the nix tools.

            $ export NIXPKGS_ALLOW_UNFREE=1

          Note: When using `nix shell`, `nix build`, `nix develop`, etc with a flake,
                then pass `--impure` in order to allow use of environment variables.

       b) For `nixos-rebuild` you can set
         { nixpkgs.config.allowUnfree = true; }
       in configuration.nix to override this.

       Alternatively you can configure a predicate to allow specific packages:
         { nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
             "1password-cli"
           ];
         }

       c) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
         { allowUnfree = true; }
       to ~/.config/nixpkgs/config.nix.

on NixOS and nix-darwin.

I don’t want to have to pass --impure and NIXPKGS_ALLOW_UNFREE=1 every single time I switch my OS config, and while I think I maybe understand the difference between the two, it feels quite arbitrary in the end.

How would you solve this?

I found a solution: make the derivation a callPackage call which allows the caller to override the non-free package. The source flake becomes:

    outputs = { self, nixpkgs }: {
      packages.somesystem.mypackage = let
        pkgs = nixpkgs.legacyPackages.somesystem;
      in
        # callPackage makes the result overridable, so a caller can pass in its own _1password
        pkgs.callPackage ({ _1password, mkDerivation, and, other, dependencies }: mkDerivation {
          ...
          buildInputs = [ _1password ];
        }) {};
    };

And the system flake becomes:

    environment.systemPackages = [
        (nix-tools.packages.${pkgs.system}.mypackage.override { inherit (pkgs) _1password; })
    ];
    nixpkgs.config.allowUnfree = true;
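
The system flake from the solution above, with the blanket `allowUnfree` narrowed to the `allowUnfreePredicate` form quoted in the error message, as an added example that is not part of the original posts. The nixpkgs branch, the host name `myhost`, the `x86_64-linux` system and `./configuration.nix` are assumptions; `mypackage` is the placeholder name used in the solution.

```nix
{
  # Added example; the branch, host name and system below are assumptions.
  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
  inputs.nix-tools.url = "github:hraban/nix-tools";

  outputs = { self, nixpkgs, nix-tools }: {
    nixosConfigurations.myhost = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      modules = [
        ./configuration.nix # assumed: the rest of the existing system config
        ({ pkgs, lib, ... }: {
          # Allow exactly one unfree package by name instead of all of them.
          # "1password-cli" is the name reported in the error message.
          nixpkgs.config.allowUnfreePredicate = pkg:
            builtins.elem (lib.getName pkg) [ "1password-cli" ];

          environment.systemPackages = [
            # The override swaps in _1password from this system's pkgs, which is
            # evaluated under the predicate above; the copy the source flake
            # would have taken from nixpkgs.legacyPackages is never evaluated.
            (nix-tools.packages.${pkgs.system}.mypackage.override {
              inherit (pkgs) _1password;
            })
          ];
        })
      ];
    };
  };
}
```

Any other unfree package added to this configuration later fails evaluation until its name is added to the list.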