Disable allowUnfree by default

Fixes #2134.

4 files changed, 30 insertions, 6 deletions

diff --git a/nixos/doc/manual/release-notes.xml b/nixos/doc/manual/release-notes.xml
index 68feb80e090..10815ba613a 100644
--- a/nixos/doc/manual/release-notes.xml
+++ b/nixos/doc/manual/release-notes.xml
@@ -7,7 +7,7 @@
 
 <section xml:id="sec-release-14.02">
 
-<title>Release 14.02 (“Baboon”, 2014/02/??)</title>
+<title>Release 14.04 (“Baboon”, 2014/04/??)</title>
 
 <para>This is the second stable release branch of NixOS.  The main
 enhancements are the following:
@@ -18,7 +18,7 @@ enhancements are the following:
   <xref linkend="sec-uefi-installation"/> for
   details.</para></listitem>
 
-  <listitem><para>NixOS is now based on Glibc 2.18 and GCC
+  <listitem><para>NixOS is now based on Glibc 2.19 and GCC
   4.8.</para></listitem>
 
 </itemizedlist>
@@ -30,6 +30,23 @@ following incompatible changes:
 
 <itemizedlist>
 
+  <listitem><para>Nixpkgs no longer exposes unfree packages by
+  default. If your NixOS configuration requires unfree packages from
+  Nixpkgs, you need to enable support for them explicitly by setting:
+
+<programlisting>
+nixpkgs.config.allowUnfree = true;
+</programlisting>
+
+  Otherwise, you get an error message such as:
+
+<screen>
+error: package ‘nvidia-x11-331.49-3.12.17’ in ‘…/nvidia-x11/default.nix:56’
+  has an unfree license, refusing to evaluate
+</screen>
+
+  </para></listitem>
+
   <listitem><para>The firewall is now enabled by default. If you don’t
   want this, you need to disable it explicitly:
 
diff --git a/nixos/lib/eval-config.nix b/nixos/lib/eval-config.nix
index 4b8c7354a7e..e082b174454 100644
--- a/nixos/lib/eval-config.nix
+++ b/nixos/lib/eval-config.nix
@@ -26,10 +26,15 @@ rec {
 
   # These are the extra arguments passed to every module.  In
   # particular, Nixpkgs is passed through the "pkgs" argument.
+  # FIXME: we enable config.allowUnfree to make packages like
+  # nvidia-x11 available. This isn't a problem because if the user has
+  # ‘nixpkgs.config.allowUnfree = false’, then evaluation will fail on
+  # the 64-bit package anyway. However, it would be cleaner to respect
+  # nixpkgs.config here.
   extraArgs = extraArgs_ // {
     inherit pkgs modules baseModules;
     modulesPath = ../modules;
-    pkgs_i686 = import ./nixpkgs.nix { system = "i686-linux"; };
+    pkgs_i686 = import ./nixpkgs.nix { system = "i686-linux"; config.allowUnfree = true; };
     utils = import ./utils.nix pkgs;
   };
 
diff --git a/nixos/modules/services/security/fprot.nix b/nixos/modules/services/security/fprot.nix
index 9f1fc4ed6d8..a109191be55 100644
--- a/nixos/modules/services/security/fprot.nix
+++ b/nixos/modules/services/security/fprot.nix
@@ -18,7 +18,6 @@ in {
 	};
 
 	productData = mkOption {
-	  default = "${pkgs.fprot}/opt/f-prot/product.data";
 	  description = ''
 	    product.data file. Defaults to the one supplied with installation package.
 	  '';
@@ -32,7 +31,6 @@ in {
 	};
 
 	licenseKeyfile = mkOption {
-	  default = "${pkgs.fprot}/opt/f-prot/license.key";
 	  description = ''
 	    License keyfile. Defaults to the one supplied with installation package.
 	  '';
@@ -45,6 +43,10 @@ in {
   ###### implementation
 
   config = mkIf cfg.updater.enable {
+
+    services.fprot.updater.productData = "${pkgs.fprot}/opt/f-prot/product.data";
+    services.fprot.updater.licenseKeyfile = "${pkgs.fprot}/opt/f-prot/license.key";
+
     environment.systemPackages = [ pkgs.fprot ];
     environment.etc = singleton {
       source = "${pkgs.fprot}/opt/f-prot/f-prot.conf";
diff --git a/pkgs/stdenv/generic/default.nix b/pkgs/stdenv/generic/default.nix
index f1cf34b160c..03000d0cdd8 100644
--- a/pkgs/stdenv/generic/default.nix
+++ b/pkgs/stdenv/generic/default.nix
@@ -14,7 +14,7 @@ let lib = import ../../../lib; in lib.makeOverridable (
 
 let
 
-  allowUnfree = config.allowUnfree or true && builtins.getEnv "HYDRA_DISALLOW_UNFREE" != "1";
+  allowUnfree = config.allowUnfree or false && builtins.getEnv "HYDRA_DISALLOW_UNFREE" != "1";
 
   allowBroken = builtins.getEnv "NIXPKGS_ALLOW_BROKEN" == "1";