Global configuration
Nix comes with certain defaults about what packages can and
cannot be installed, based on a package's metadata. By default, Nix
will prevent installation if any of the following criteria are
true:
The package is thought to be broken, and has had
its meta.broken set to
true.
The package's meta.license is set
to a license which is considered to be unfree.
The package has known security vulnerabilities but
has not or can not be updated for some reason, and a list of issues
has been entered in to the package's
meta.knownVulnerabilities.
Note that all this is checked during evaluation already,
and the check includes any package that is evaluated.
In particular, all build-time dependencies are checked.
nix-env -qa will (attempt to) hide any packages
that would be refused.
Each of these criteria can be altered in the nixpkgs
configuration.
The nixpkgs configuration for a NixOS system is set in the
configuration.nix, as in the following example:
{
nixpkgs.config = {
allowUnfree = true;
};
}
However, this does not allow unfree software for individual users.
Their configurations are managed separately.
A user's of nixpkgs configuration is stored in a user-specific
configuration file located at
~/.config/nixpkgs/config.nix. For example:
{
allowUnfree = true;
}
Installing broken packages
There are two ways to try compiling a package which has been
marked as broken.
For allowing the build of a broken package once, you can use an
environment variable for a single invocation of the nix tools:
$ export NIXPKGS_ALLOW_BROKEN=1
For permanently allowing broken packages to be built, you may
add allowBroken = true; to your user's
configuration file, like this:
{
allowBroken = true;
}
Installing unfree packages
There are several ways to tweak how Nix handles a package
which has been marked as unfree.
To temporarily allow all unfree packages, you can use an
environment variable for a single invocation of the nix tools:
$ export NIXPKGS_ALLOW_UNFREE=1
It is possible to permanently allow individual unfree packages,
while still blocking unfree packages by default using the
allowUnfreePredicate configuration
option in the user configuration file.
This option is a function which accepts a package as a
parameter, and returns a boolean. The following example
configuration accepts a package and always returns false:
{
allowUnfreePredicate = (pkg: false);
}
A more useful example, the following configuration allows
only allows flash player and visual studio code:
{
allowUnfreePredicate = (pkg: elem (builtins.parseDrvName pkg.name).name [ "flashplayer" "vscode" ]);
}
It is also possible to whitelist and blacklist licenses
that are specifically acceptable or not acceptable, using
whitelistedLicenses and
blacklistedLicenses, respectively.
The following example configuration whitelists the
licenses amd and wtfpl:
{
whitelistedLicenses = with stdenv.lib.licenses; [ amd wtfpl ];
}
The following example configuration blacklists the
gpl3 and agpl3 licenses:
{
blacklistedLicenses = with stdenv.lib.licenses; [ agpl3 gpl3 ];
}
A complete list of licenses can be found in the file
lib/licenses.nix of the nixpkgs tree.
Installing insecure packages
There are several ways to tweak how Nix handles a package
which has been marked as insecure.
To temporarily allow all insecure packages, you can use an
environment variable for a single invocation of the nix tools:
$ export NIXPKGS_ALLOW_INSECURE=1
It is possible to permanently allow individual insecure
packages, while still blocking other insecure packages by
default using the permittedInsecurePackages
configuration option in the user configuration file.
The following example configuration permits the
installation of the hypothetically insecure package
hello, version 1.2.3:
{
permittedInsecurePackages = [
"hello-1.2.3"
];
}
It is also possible to create a custom policy around which
insecure packages to allow and deny, by overriding the
allowInsecurePredicate configuration
option.
The allowInsecurePredicate option is a
function which accepts a package and returns a boolean, much
like allowUnfreePredicate.
The following configuration example only allows insecure
packages with very short names:
{
allowInsecurePredicate = (pkg: (builtins.stringLength (builtins.parseDrvName pkg.name).name) <= 5);
}
Note that permittedInsecurePackages is
only checked if allowInsecurePredicate is not
specified.
Modify
packages via packageOverrides
You can define a function called
packageOverrides in your local
~/.config/nixpkgs/config.nix to override nix packages. It
must be a function that takes pkgs as an argument and return modified
set of packages.
{
packageOverrides = pkgs: rec {
foo = pkgs.foo.override { ... };
};
}