Usage of allowUnfreePredicate with overlays in flake

Hey, I’m struggling to use allowUnfreePredicate in conjunction with the nixpkgs-terraform overlay, to more easily specify the used terraform version for my devshell.

The following works, and opens up a shell when I run nix develop with terraform available:

  outputs = {
    self,
    nixpkgs,
    flake-utils,
    nixpkgs-terraform,
  }:
    flake-utils.lib.eachDefaultSystem
    (
      system: let
        lib = nixpkgs.lib;
        pkgs = import nixpkgs {
          inherit system;
          config.allowUnfreePredicate = pkg:
            builtins.elem (lib.getName pkg) [
              "terraform"
            ];
        };
      in {
        devShells.default = pkgs.mkShell {
          buildInputs = with pkgs; [
            terraform
          ];
        };
      }
    );

While this does not work:

  outputs = {
    self,
    nixpkgs,
    flake-utils,
    nixpkgs-terraform,
  }:
    flake-utils.lib.eachDefaultSystem
    (
      system: let
        lib = nixpkgs.lib;
        pkgs = import nixpkgs {
          inherit system;
          config.allowUnfreePredicate = pkg:
            builtins.elem (lib.getName pkg) [
              "terraform"
              ## does not work either
              # "terraform-1.7.4"
            ];
          overlays = [nixpkgs-terraform.overlays.default];
        };
      in {
        devShells.default = pkgs.mkShell {
          buildInputs = with pkgs; [
            terraform-versions."1.7.4"
          ];
        };
      }
    );

Am I missing something in the functionality of overlays and the resulting package with regard to the allowed unfree software?

The error I’m getting with the second version is the default unfree package warning (doesn’t change when I allow unfree packages generally):

error: Package ‘terraform-1.7.4’ in /nix/store/kh5mw1hsalj27ha1wfvksljxyaikcmyb-source/pkgs/applications/networking/cluster/terraform/default.nix:52 has an unfree license (‘bsl11’), refusing to evaluate.

I think the problem is in the way nixpkgs-terraform is using pkgs-unstable.mkTerraform to build the package. Basically it disregards whatever changes you make to your “instance” of pkgs. See 1000 instances of nixpkgs.

Tiny patch to that flake to showcase this:

diff --git a/lib/build-terraform.nix b/lib/build-terraform.nix
index ec57d03..7f54183 100644
--- a/lib/build-terraform.nix
+++ b/lib/build-terraform.nix
@@ -4,7 +4,8 @@ if builtins.compareVersions version "1.6.0" >= 0
 then
 # https://github.com/NixOS/nixpkgs/blob/43d259f8d726113fac056e8bb17d5ac2dea3e0a8/pkgs/applications/networking/cluster/terraform/default.nix
   (pkgs-unstable.mkTerraform {
-    inherit version hash vendorHash;
+    version = pkgs-unstable.lib.trace pkgs-unstable.config.allowUnfree version;
+    inherit hash vendorHash;
     patches = [ ../patches/provider-path-0_15.patch ];
   })
 else
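
Review bot: the lib.trace wrapped around version prints a bare boolean with no label, and only from the then branch (versions >= 1.6.0), so versions that go through the else branch produce no trace at all. It also reports config.allowUnfree only, which reads false for a caller who set just allowUnfreePredicate, so the output cannot distinguish "config not propagated" from "predicate in use". Suggest tracing a labelled string such as "pkgs-unstable allowUnfree=${pkgs-unstable.lib.boolToString pkgs-unstable.config.allowUnfree}" and keeping the change as a local debugging aid rather than something to merge.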

will output trace: false even for pkgs allowing unfree packages across the board in the source flake:

        pkgs = import nixpkgs {
          inherit system;
          config.allowUnfree = true;
          overlays = [ nixpkgs-terraform.overlays.default ];
        };

If it’s a matter of getting a specific version of terraform in your environment – probably an override local to your pkgs instance would work better than having a dependency on another flake.

1 Like
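
The local override suggested in the reply above, as an added example (not code from the thread or from the nixpkgs-terraform project). It builds the pinned version with mkTerraform from the same nixpkgs instance that carries the allowUnfreePredicate, so the allow-list stays limited to the one package name. The names pinTerraform and terraform-pinned and the input URLs are assumptions, and both hashes are lib.fakeHash placeholders to be replaced with the values Nix reports on the first build.

```nix
{
  # Added example: pin terraform inside your own pkgs instance.
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; # assumed channel
    flake-utils.url = "github:numtide/flake-utils";
  };

  outputs = {
    self,
    nixpkgs,
    flake-utils,
  }:
    flake-utils.lib.eachDefaultSystem
    (
      system: let
        lib = nixpkgs.lib;

        # Hypothetical local overlay. prev.mkTerraform belongs to the instance
        # created by the import below, so the unfree check is evaluated against
        # that instance's config and not against a second nixpkgs import.
        pinTerraform = final: prev: {
          terraform-pinned = prev.mkTerraform {
            version = "1.7.4";
            hash = lib.fakeHash; # placeholder: source hash for this version
            vendorHash = lib.fakeHash; # placeholder: Go vendor hash
            # The provider-path patch applied by nixpkgs-terraform is omitted.
          };
        };

        pkgs = import nixpkgs {
          inherit system;
          # Narrow allow-list: only the package named "terraform" may be unfree.
          config.allowUnfreePredicate = pkg:
            builtins.elem (lib.getName pkg) [
              "terraform"
            ];
          overlays = [pinTerraform];
        };
      in {
        devShells.default = pkgs.mkShell {
          buildInputs = [pkgs.terraform-pinned];
        };
      }
    );
}
```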