Your gist works fine, that isn't the problem. The problem I'm having is translating your trivial example into my non-trivial system (154 nix files, 7 nodes, plus a bunch of other flakes that I pull in). I've been working on this flake since 2021 with an imperfect understanding of Nix, so most of it is cobbled together.

A good example is that I haven't used nixosConfigurations but that is something I've been thinking about doing, so I was trying to retrofit my system to do it so I can bring my flake to the same layout in hopes of seeing what I'm doing differently.

I think I have the basic refactor that uses nixosConfigurations, but I'm getting stuck trying to get an input flake (remote flate) from my flake.nix into an inner file.

This in my inputs section of my flake.nix:

    dosage.url = "git+https://src.mfgames.com/nixos-contrib/dosage-dmoonfire-flake.git";
    sbmp4a.url = "git+https://src.mfgames.com/nixos-contrib/sickbeard-mp4-automator-flake.git";
    ficsit-cli.url = "git+https://src.mfgames.com/nixos-contrib/ficsit-cli-flake.git";

I want to get those into the files I need them which means going this path:

• flake.nix
• src/nodes/silud/default.nix (silud being one of my home servers)
• src/programs/sbmp4a.nix

The goal is to have inputs.sbmp4a available in the sbmp4a.nix file so I can have it included on the nodes that need to have Sickbeard's MP4A.

I also don't want to list every flake in every package, so I use inputs: {} or inputs@{pkgs,...}: {} fairly often.

Mostly, this is just trying to refactor to integrate your working gist into my setup. Does that make sense?

Right. This is a bit beyond the scope of your original question about building an insecure package. For getting inputs into individual NixOS modules, look into specialArgs.

Sorry about confusing you by dragging nixosConfigurations into the mix - my brain merged your question with another one together, so for some reason I assumed you were using the "flake shim" for Colmena as well.

Right. This is a bit beyond the scope of your original question about building an insecure package. For getting inputs into individual NixOS modules, look into specialArgs.

Sorry about confusing you by dragging nixosConfigurations into the mix - my brain merged your question with another one together, so for some reason I assumed you were using the "flake shim" for Colmena as well.

It does not matter if you use nixosConfigurations as an output or just colmena. What matters is configuring permittedInsecurePkgs for the relevant instance of Nixpkgs. Which is what I'm trying to figure out - since configuring it for the default pkgs for the node is not working, maybe there's another instance of Nixpkgs in play?