Add permittedInsecurePackages setting

[johantiden]

Description

Adding packages via home.packages can result in build failure due to being marked as insecure in the upstream.

Let's use pkgs.pulsar as an example, which has been marked insecure in the unstable branch.

  home.packages = [
    pkgs.pulsar
  ];

The home-manager build now fails with

Package ‘pulsar-1.109.0’ in /nix/store/i1w4m7alrgg7vwgcylkycwbq7cr5rvk4-nixpkgs/nixpkgs/pkgs/applications/editors/pulsar/default.nix:202 is marked as insecure, refusing to evaluate.

...
       You can install it anyway by allowing this package, using the
       following methods:

       a) To temporarily allow all insecure packages, you can use an environment
          variable for a single invocation of the nix tools:

            $ export NIXPKGS_ALLOW_INSECURE=1

          Note: When using `nix shell`, `nix build`, `nix develop`, etc with a flake,
                then pass `--impure` in order to allow use of environment variables.

       b) for `nixos-rebuild` you can add ‘pulsar-1.109.0’ to
          `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
          like so:

            {
              nixpkgs.config.permittedInsecurePackages = [
                "pulsar-1.109.0"
              ];
            }

       c) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
          ‘pulsar-1.109.0’ to `permittedInsecurePackages` in
          ~/.config/nixpkgs/config.nix, like so:

            {
              permittedInsecurePackages = [
                "pulsar-1.109.0"
              ];
            }

Option a) works with home-manager build but is not very nice because I'd have to add that every time I want to rebuild (or god forbid add it permanently to my env).

The other options don't work at all with home-manager build.

It would be a nicer experience if

1. home-manager checked and wrapped this so as to give relevant tips on how to solve it.
2. home-manager added a way to add exceptions per package & version like above.

[KiaraGrouwstra]

potential workaround possible now: separately add a flake input for nixpkgs-unfree

[stale[bot]]

Thank you for your contribution! I marked this issue as stale due to inactivity. Please be considerate of people watching this issue and receiving notifications before commenting 'I have this issue too'. We welcome additional information that will help resolve this issue. Please read the relevant sections below before commenting.

If you are the original author of the issue

• If this is resolved, please consider closing it so that the maintainers know not to focus on this.
• If this might still be an issue, but you are not interested in promoting its resolution, please consider closing it while encouraging others to take over and reopen an issue if they care enough.
• If you know how to solve the issue, please consider submitting a Pull Request that addresses this issue.

If you are not the original author of the issue

• If you are also experiencing this issue, please add details of your situation to help with the debugging process.
• If you know how to solve the issue, please consider submitting a Pull Request that addresses this issue.

Memorandum on closing issues

Don't be afraid to manually close an issue, even if it holds valuable information. Closed issues stay in the system for people to search, read, cross-reference, or even reopen – nothing is lost! Closing obsolete issues is an important way to help maintainers focus their time and effort.

[Cadair]

I have just run into this issue with the olm package, for which it's probably going to be common to want to add an exception for, at least for a while. I am really surprised that there's no way to configure ignores for this with home-manager, I just followed the instructions printed out and was very surprised when it didn't "just work".