Alright, I see. The This is caused by introducing a top-level config' or options' attribute. issue is because you misunderstood me, I'll try to be a bit more clear.

When you're importing / calling nixpkgs explicitly, its options are under an argument called config. In full, import nixpkgs { config = { permittedInsecurePackages = ... } };.

However, when you're configuring nixpkgs in a modular way through the NixOS machine config, then that same thing is nested under nixpkgs, e.g. the option to set is nixpkgs.config. In full, nixpkgs.config.permittedInsecurePackages = { ... }. https://search.nixos.org/options?channel=24.11&show=nixpkgs.config&from=0&size=50&sort=relevance&type=packages&query=nixpkgs.config

In the context of a NixOS configuration module, config refers to the system configuration itself.

Alright, I see. The This is caused by introducing a top-level config' or options' attribute. issue is because you misunderstood me, I'll try to be a bit more clear.

When you're importing / calling nixpkgs explicitly, its options are under an argument called config. In full, import nixpkgs { config = { permittedInsecurePackages = ... } };.

However, when you're configuring nixpkgs in a modular way through the NixOS machine config, then that same thing is nested under nixpkgs, e.g. the option to set is nixpkgs.config. In full, nixpkgs.config.permittedInsecurePackages = [ ... ]. https://search.nixos.org/options?channel=24.11&show=nixpkgs.config&from=0&size=50&sort=relevance&type=packages&query=nixpkgs.config

In the context of a NixOS configuration module, config refers to the system configuration itself.

      colmena = {
        meta = {
          nixpkgs = import inputs.nixpkgs {
            system = "x86_64-linux";
            config = { permittedInsecurePackages = [ "dotnet-sdk-6.0.428" ]; };
          };

paruk |        Known issues:
paruk |         - Dotnet SDK 6.0.428 is EOL, please use 8.0 (LTS) or 9.0 (Current)
paruk | 
paruk |        You can install it anyway by allowing this package, using the
paruk |        following methods:
paruk | 
paruk |        a) To temporarily allow all insecure packages, you can use an environment
paruk |           variable for a single invocation of the nix tools:
paruk | 
paruk |             $ export NIXPKGS_ALLOW_INSECURE=1
paruk | 
paruk |           Note: When using `nix shell`, `nix build`, `nix develop`, etc with a flake,
paruk |                 then pass `--impure` in order to allow use of environment variables.
paruk | 
paruk |        b) for `nixos-rebuild` you can add ‘dotnet-sdk-6.0.428’ to
paruk |           `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
paruk |           like so:
paruk | 
paruk |             {
paruk |               nixpkgs.config.permittedInsecurePackages = [
paruk |                 "dotnet-sdk-6.0.428"
paruk |               ];
paruk |             }
paruk | 
paruk |        c) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
paruk |           ‘dotnet-sdk-6.0.428’ to `permittedInsecurePackages` in
paruk |           ~/.config/nixpkgs/config.nix, like so:
paruk | 
paruk |             {
paruk |               permittedInsecurePackages = [
paruk |                 "dotnet-sdk-6.0.428"
paruk |               ];
paruk |             }
paruk | Evaluation failed

That is the package, but I tried to include those Sonarr ones since sonarr is on that server.

In reply to @justinas:nixos.dev
Okay. Please see my gist, it is a very simple config that you can verify works in isolation. I also use the same nixpkgs.config from the gist in a personal machine with 24.11 and it works.

Your gist works fine, that isn't the problem. The problem I'm having is translating your trivial example into my non-trivial system (154 nix files, 7 nodes, plus a bunch of other flakes that I pull in). I've been working on this flake since 2021 with an imperfect understanding of Nix, so most of it is cobbled together.

A good example is that I haven't used nixosConfigurations but that is something I've been thinking about doing, so I was trying to retrofit my system to do it so I can bring my flake to the same layout in hopes of seeing what I'm doing differently.

I think I have the basic refactor that uses nixosConfigurations, but I'm getting stuck trying to get an input flake (remote flate) from my flake.nix into an inner file.

This in my inputs section of my flake.nix:

    dosage.url = "git+https://src.mfgames.com/nixos-contrib/dosage-dmoonfire-flake.git";
    sbmp4a.url = "git+https://src.mfgames.com/nixos-contrib/sickbeard-mp4-automator-flake.git";
    ficsit-cli.url = "git+https://src.mfgames.com/nixos-contrib/ficsit-cli-flake.git";

I want to get those into the files I need them which means going this path:

• flake.nix
• src/nodes/silud/default.nix (silud being one of my home servers)
• src/programs/sbmp4a.nix

The goal is to have inputs.sbmp4a available in the sbmp4a.nix file so I can have it included on the nodes that need to have Sickbeard's MP4A.

I also don't want to list every flake in every package, so I use inputs: {} or inputs@{pkgs,...}: {} fairly often.

Mostly, this is just trying to refactor to integrate your working gist into my setup. Does that make sense?

Right. This is a bit beyond the scope of your original question about building an insecure package. For getting inputs into individual NixOS modules, look into specialArgs.

Sorry about confusing you by dragging nixosConfigurations into the mix - my brain merged your question with another one together, so for some reason I assumed you were using the "flake shim" for Colmena as well.

Right. This is a bit beyond the scope of your original question about building an insecure package. For getting inputs into individual NixOS modules, look into specialArgs.

Sorry about confusing you by dragging nixosConfigurations into the mix - my brain merged your question with another one together, so for some reason I assumed you were using the "flake shim" for Colmena as well.

It does not matter if you use nixosConfigurations as an output or just colmena. What matters is configuring permittedInsecurePkgs for the relevant instance of Nixpkgs. Which is what I'm trying to figure out - since configuring it for the default pkgs for the node is not working, maybe there's another instance of Nixpkgs in play?