search

stackbuilders / nixpkgs-terraform

A collection of Terraform versions that are automatically updated.
MIT License
71 stars 4 forks source link

`allowUnfree` in a flake doesn't seem to be used #71

Closed sentientmonkey closed 6 months ago

sentientmonkey commented 7 months ago

Hello again!

I have a flake and envrc for direnv. I've set the nixpkgs config to allow for unfree packages, but it doesn't seem to be used by nixpkgs-terraform. Is there something I'm missing in my configuration?

flake.nix

{
  description = "Terraform flake";

  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-unstable";
    flake-utils.url = "github:numtide/flake-utils";
    nixpkgs-terraform = {
      url = "github:stackbuilders/nixpkgs-terraform";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };

  nixConfig = {
    extra-substituters = "https://nixpkgs-terraform.cachix.org";
    extra-trusted-public-keys =
      "nixpkgs-terraform.cachix.org-1:8Sit092rIdAVENA3ZVeH9hzSiqI/jng6JiCrQ1Dmusw=";
  };

  outputs = { self, nixpkgs, nixpkgs-terraform, flake-utils, }:
    flake-utils.lib.eachDefaultSystem (system:
      let
        pkgs = import nixpkgs {
          inherit system;
          config.allowUnfree = true;
          overlays = [ nixpkgs-terraform.overlays.default ];
        };
      in {
        devShells.default = with pkgs;
          mkShell {
            buildInputs = [
              terraform-versions."1.8.0"
            ];
          };
      });
}

.envrc

use flake . --accept-flake-config

When I run direnv allow I get the following error:

error:
       … while calling the 'derivationStrict' builtin
         at <nix/derivation-internal.nix>:9:12:
            8|
            9|   strict = derivationStrict drvAttrs;
             |            ^
           10|

       … while evaluating derivation 'nix-shell'
         whose name attribute is located at /nix/store/6bf943g0mlhymyffs9dflzgc78r93s60-source/pkgs/stdenv/generic/make-derivation.nix:331:7

       … while evaluating attribute 'buildInputs' of derivation 'nix-shell'
         at /nix/store/6bf943g0mlhymyffs9dflzgc78r93s60-source/pkgs/stdenv/generic/make-derivation.nix:378:7:
          377|       depsHostHost                = elemAt (elemAt dependencies 1) 0;
          378|       buildInputs                 = elemAt (elemAt dependencies 1) 1;
             |       ^
          379|       depsTargetTarget            = elemAt (elemAt dependencies 2) 0;

       error: Package ‘terraform-1.8.0’ in /nix/store/bjv2qk3gg1iv69rbama3q9aprcp6d9wp-source/pkgs/applications/networking/cluster/terraform/default.nix:52 has an unfree license (‘bsl11’), refusing to evaluate.

       a) To temporarily allow unfree packages, you can use an environment variable
          for a single invocation of the nix tools.

            $ export NIXPKGS_ALLOW_UNFREE=1

          Note: When using `nix shell`, `nix build`, `nix develop`, etc with a flake,
                then pass `--impure` in order to allow use of environment variables.

       b) For `nixos-rebuild` you can set
         { nixpkgs.config.allowUnfree = true; }
       in configuration.nix to override this.

       Alternatively you can configure a predicate to allow specific packages:
         { nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
             "terraform-1.8.0"
           ];
         }

       c) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
         { allowUnfree = true; }
       to ~/.config/nixpkgs/config.nix.
sestrella commented 7 months ago

@sentientmonkey Yes, this is a bit annoying. The main issue is that config.allowUnfree is not being propagated to the nixpkgs input that nixpkgs-terraform uses behind the scenes. Domen, give me some pointers about this issue here:

https://github.com/cachix/devenv/issues/1090

Try the following workaround:

NIXPKGS_ALLOW_UNFREE=1 use flake . --impure

Using impure is not ideal, but I ended up doing something similar to get it to work with use devenv.

sentientmonkey commented 7 months ago

@sestrella That does work for now, but the impure is a bit of a bummer.

I would think that the inputs.nixpkgs.follows = "nixpkgs"; line would allow us to change the nixpkgs used, but it doesn't seem to use that in the flake.

sestrella commented 7 months ago

@sentientmonkey there are two major inputs in this project nixpkgs and nixpkgs-unstable:

https://github.com/stackbuilders/nixpkgs-terraform/blob/main/lib/build-terraform.nix#L3

nixpkgs builds Terraform versions from 1.0 to 1.5, whereas nixpkgs-unstable builds Terraform versions from 1.6 onwards. Based on the previous example, for 1.8.0, you may want to override the nixpkgs-unstable input instead.

sestrella commented 7 months ago

@oscar-izval when @pedorich-n worked on the migration to flake-parts #40 , I recall initially adding config.allowUnfree = true to the nixpkgs-unstable input, but I later pushed back, believing that it would be better for end users to decide whether or not to use unfree packages. Based on my experience with the devenv integration and this issue, I'm beginning to believe that it would be preferable to include config.allowUnfree = true directly in the nixpkgs-unstable, as the alternative for end users is to pass --impure to read the NIXPKGS_ALLOW_UNFREE environment variable. What are your thoughts?

lexun commented 7 months ago

Another option to consider might be exporting an overlay that doesn't pre-determine the version of nixpkgs used. Here is a quick patch for example:

diff --git a/flake.nix b/flake.nix
index c30151a..7183bbe 100644
--- a/flake.nix
+++ b/flake.nix
@@ -36,6 +36,8 @@
     };

     flake = {
+      overlays.custom = import ./lib/custom-overlay.nix;
+
       templates = {
         default = {
           description = "Simple nix-shell with Terraform installed via nixpkgs-terraform";
diff --git a/lib/custom-overlay.nix b/lib/custom-overlay.nix
new file mode 100644
index 0000000..c5d3dac
--- /dev/null
+++ b/lib/custom-overlay.nix
@@ -0,0 +1,20 @@
+_final: prev:
+
+let
+  versions = builtins.fromJSON (builtins.readFile ../versions.json);
+
+  releases = builtins.mapAttrs
+    (version: { hash, vendorHash }: prev.mkTerraform {
+      inherit version hash vendorHash;
+      patches = [ ../patches/provider-path-0_15.patch ];
+    })
+    versions.releases;
+
+  latestVersionAliases = builtins.mapAttrs
+    (_cycle: version: releases.${version})
+    versions.latest;
+
+in
+{
+  terraform-versions = releases // latestVersionAliases;
+}

That would allow the consumer to do something like this with their own reference to the unstable branch:

pkgs = import nixpkgs {
  inherit system;
  config.allowUnfree = true;
  overlays = [ nixpkgs-terraform.overlays.custom ];
};

Then they wouldn't need the env var or the --impure flag.

Of course, this means the consumer is responsible for using compatible nixpkgs and terraform combinations, and they're more likely to end up with builds that aren't available in the cache.

In my case though, we only use more recent versions of terraform with unstable and have our own cache for anything our development shell produces. So there are at least some use cases for an option like this.

sestrella commented 7 months ago

@lexun I like that idea, and I will look into it further.

sestrella commented 7 months ago

After discussing with @oscar-izval, we reached the following agreement:

As much as we wish to delegate the decision to utilize unfree packages to end users, we considered that the NIXPKGS_ALLOW_UNFREE=1 + --impure workaround delivers a worse user experience than enabling this flag directly within the project. Given that the allowUnfree option is required for Terraform versions greater than 1.5 as a result of HashiCorp's most recent license change, we decided to enable this flag for users while giving them the option to override this configuration and disable it if they want to; more details will be published on the PR #72 associated with this issue.

As we recognize that this decision may affect certain users, we developed the following release strategy:

We welcome feedback from others, as this is a community-driven project.

sestrella commented 6 months ago

@sentientmonkey The most recent release includes a fix for this issue. It should now be possible to reference a package from this Flake without using the NIXPKGS_ALLOW_UNFREE workaround. I am closing this issue for the time being.