NixOS / nix

Nix, the purely functional package manager
https://nixos.org/
GNU Lesser General Public License v2.1

`nix run` pure unfree packages #9875

Open arduano opened 7 months ago

arduano commented 7 months ago

There appears to be no way to run unfree packages in a pure `nix run`/`nix shell`.

The only workaround seems to be `NIXPKGS_ALLOW_UNFREE=1 nix run --impure <pkg>`, but that doesn't allow for a pure shell.

I understand that nix3 attempts to provide as much isolation as possible, hence it not reading any system-wide configuration (e.g. `{ allowUnfree = true; }` in my `~/.config/nixpkgs/config.nix`).

However, it would be nice to at least have a CLI flag, e.g. `--allow-unfree` on `nix run` and `nix shell` to bypass the check.

thufschmitt commented 7 months ago

That's quite a bummer, I agree. You can get that in a pure shell if you're using your own flake (because you can import nixpkgs with `{ allowUnfree = true; }` in it) but it indeed doesn't work if you want to `nix run nixpkgs#<something>`.

A dedicated flag would be quite ad-hoc and a nasty layer violation (Nix doesn't know about free/unfree things, that's just something encoded in Nixpkgs), but we should find a replacement for that. Maybe that could be solved on the Nixpkgs side by providing an unfreePkgs attribute that allows unfree packages?

7c6f434c commented 7 months ago

A command-line parameter to pass arguments when importing a flake wouldn't break the command-level purity and would be rather similar to one of the purer ways of achieving it with the previous CLI. (And, as you say, would not do anything that a dependent flake couldn't cause from the caching point of view)

arduano commented 7 months ago

What about adding a CLI arg for injecting env variables into a pure environment? It should be ok from a sandboxing perspective because it's explicitly specified, rather than inheriting the variables from the host, so I don't see what issues it could cause. Then the solution would just be something like

nix run -e NIXPKGS_ALLOW_UNFREE=1 <pkg>

tomberek commented 6 months ago

This is similar to https://github.com/NixOS/nix/issues/5663 and related issues.

A workaround is to use https://github.com/numtide/nixpkgs-unfree. Or to craft your own that specifies a license policy that you want. So while this can be solved by using your own flake, this is a feature that used to exist, but led to problems resulting in the creation of the pure-evaluation mode.

If we want something that makes this easier and built into upstream, one can imagine adding a "config" input to the nixpkgs flake, empty by default, allowing something like `nix run --override-input config my-policy nixpkgs#slack`.

I don't think we've considered adding env var injection. As opposed to making it an explicit input, this would break things like the eval cache if not tracked.
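
The workaround mentioned in the comments above (your own flake that imports nixpkgs with an explicit license policy), as an added example that is not part of the thread or of nixpkgs-unfree: instead of a blanket `allowUnfree = true`, it permits only named packages through `allowUnfreePredicate`. The allowlist contents, the system list and the `pkgsFor` helper are assumptions.

```nix
# flake.nix (added example; allowlist, systems and helper names are assumptions)
{
  description = "nixpkgs re-exported with an explicit unfree allowlist";

  # Pinned by flake.lock, so the policy and the package set are both tracked inputs.
  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";

  outputs = { self, nixpkgs }:
    let
      # Package names permitted despite an unfree license (constructed sample list).
      allowedUnfree = [ "slack" ];

      systems = [ "x86_64-linux" "aarch64-linux" "x86_64-darwin" "aarch64-darwin" ];
      forAllSystems = nixpkgs.lib.genAttrs systems;

      # Import nixpkgs with the policy passed explicitly, so nothing is read
      # from NIXPKGS_ALLOW_UNFREE or ~/.config/nixpkgs/config.nix.
      pkgsFor = system: import nixpkgs {
        inherit system;
        config.allowUnfreePredicate = pkg:
          builtins.elem (nixpkgs.lib.getName pkg) allowedUnfree;
      };
    in {
      # The whole configured package set, one attribute set per system.
      legacyPackages = forAllSystems pkgsFor;
    };
}
```

From the directory holding this `flake.nix`, `nix run .#slack` then evaluates without `--impure`; an unfree package that is not in the list still fails the license check.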

nixos-discourse commented 6 months ago

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/2024-02-16-nix-team-meeting-minutes-124/39870/1

arduano commented 6 months ago

Possibly related: #5567

Maybe it would be nice to inject things like

nixpkgs.config.allowUnfree = true;

or even

nixpkgs.config.cudaSupport = true;

within the command line `nix run` or `nix shell`. E.g. personally I want to make an alias or something that always injects unfree/cuda for my invocations because I always use them, but I'm not sure what would be the cleanest approach to adding this to the nix command.

bobvanderlinden commented 5 months ago

Having it behave the same for nix run and referring to nixpkgs inside a flake would be very welcome.

How about making these configuration options part of the flake uri? We already allow some query parameters for some sources, but it could support config options as well.

github:nixos/nixpkgs/nixpkgs-unstable?config.allowUnfree=true

It would work for package uris as well:

github:nixos/nixpkgs/nixpkgs-unstable?config.allowUnfree=true#<pkgs>

The referred flake would get config as one of its inputs (next to other flake inputs).

outputs = { nixpkgs, config ? {} }:

nixpkgs would need to support this.