From cf545496603818c61fba1ef2c4811e1d67476812 Mon Sep 17 00:00:00 2001
From: Leona Maroni <dev@leona.is>
Date: Mon, 10 Nov 2025 15:13:55 +0100
Subject: [PATCH] treewide: remove in-tree usages of nixpkgs.config.allowUnfree

In multiple NixOS tests, nixpkgs.config.allowUnfree or
nixpkgs.config.allowUnfreePredicate was set. This leads to Hydra building and
redistributing packages with a unfree license. This is a quite huge legal
problem. This changes removes these use cases.
---
 nixos/tests/breitbandmessung.nix     |  3 ---
 nixos/tests/brscan5.nix              |  1 -
 nixos/tests/consul.nix               |  4 ----
 nixos/tests/deconz.nix               |  1 -
 nixos/tests/minecraft-server.nix     |  2 --
 nixos/tests/n8n.nix                  |  6 ------
 nixos/tests/outline.nix              |  1 -
 nixos/tests/prometheus-exporters.nix |  3 ---
 nixos/tests/quake3.nix               | 14 --------------
 nixos/tests/sabnzbd.nix              |  3 ---
 nixos/tests/unifi.nix                |  2 --
 nixos/tests/virtualbox.nix           |  2 --
 nixos/tests/vscode-remote-ssh.nix    | 18 +-----------------
 13 files changed, 1 insertion(+), 59 deletions(-)

diff --git a/nixos/tests/breitbandmessung.nix b/nixos/tests/breitbandmessung.nix
index 3b5ba5584af6..f7c51887e872 100644
--- a/nixos/tests/breitbandmessung.nix
+++ b/nixos/tests/breitbandmessung.nix
@@ -23,9 +23,6 @@
 
       environment.systemPackages = with pkgs; [ breitbandmessung ];
       environment.variables.XAUTHORITY = "/home/alice/.Xauthority";
-
-      # breitbandmessung is unfree
-      nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "breitbandmessung" ];
     };
 
   enableOCR = true;
diff --git a/nixos/tests/brscan5.nix b/nixos/tests/brscan5.nix
index 9155846c14a8..419518859891 100644
--- a/nixos/tests/brscan5.nix
+++ b/nixos/tests/brscan5.nix
@@ -7,7 +7,6 @@
   node.pkgsReadOnly = false;
 
   nodes.machine = {
-    nixpkgs.config.allowUnfree = true;
     hardware.sane = {
       enable = true;
       brscan5 = {
diff --git a/nixos/tests/consul.nix b/nixos/tests/consul.nix
index da72d1d132bd..141e51940b47 100644
--- a/nixos/tests/consul.nix
+++ b/nixos/tests/consul.nix
@@ -57,8 +57,6 @@ let
       ];
       networking.firewall = firewallSettings;
 
-      nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "consul" ];
-
       services.consul = {
         enable = true;
         inherit webUi;
@@ -87,8 +85,6 @@ let
       ];
       networking.firewall = firewallSettings;
 
-      nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "consul" ];
-
       services.consul =
         assert builtins.elem thisConsensusServerHost allConsensusServerHosts;
         {
diff --git a/nixos/tests/deconz.nix b/nixos/tests/deconz.nix
index 6272e44ff77c..23cea5d0c752 100644
--- a/nixos/tests/deconz.nix
+++ b/nixos/tests/deconz.nix
@@ -12,7 +12,6 @@ in
   node.pkgsReadOnly = false;
 
   nodes.machine = {
-    nixpkgs.config.allowUnfree = true;
     services.deconz = {
       enable = true;
       inherit httpPort;
diff --git a/nixos/tests/minecraft-server.nix b/nixos/tests/minecraft-server.nix
index 32d4619cd5cd..f84a79949e63 100644
--- a/nixos/tests/minecraft-server.nix
+++ b/nixos/tests/minecraft-server.nix
@@ -15,8 +15,6 @@ in
     {
       environment.systemPackages = [ pkgs.mcrcon ];
 
-      nixpkgs.config.allowUnfree = true;
-
       services.minecraft-server = {
         declarative = true;
         enable = true;
diff --git a/nixos/tests/n8n.nix b/nixos/tests/n8n.nix
index 673e322f786b..ee1f835f8c99 100644
--- a/nixos/tests/n8n.nix
+++ b/nixos/tests/n8n.nix
@@ -15,12 +15,6 @@ in
   nodes.machine =
     { ... }:
     {
-      nixpkgs.config.allowUnfreePredicate =
-        pkg:
-        builtins.elem (lib.getName pkg) [
-          "n8n"
-        ];
-
       services.n8n = {
         enable = true;
         environment.WEBHOOK_URL = webhookUrl;
diff --git a/nixos/tests/outline.nix b/nixos/tests/outline.nix
index 9dc6bab39ecc..1085db6bf5b7 100644
--- a/nixos/tests/outline.nix
+++ b/nixos/tests/outline.nix
@@ -8,7 +8,6 @@
 
   nodes.outline = {
     virtualisation.memorySize = 2 * 1024;
-    nixpkgs.config.allowUnfree = true;
     services.outline = {
       enable = true;
       forceHttps = false;
diff --git a/nixos/tests/prometheus-exporters.nix b/nixos/tests/prometheus-exporters.nix
index c4e60a72416a..f40875b30a52 100644
--- a/nixos/tests/prometheus-exporters.nix
+++ b/nixos/tests/prometheus-exporters.nix
@@ -1502,9 +1502,6 @@ let
       metricProvider = {
         services.sabnzbd.enable = true;
 
-        # unrar is required for sabnzbd
-        nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (pkgs.lib.getName pkg) [ "unrar" ];
-
         # extract the generated api key before starting
         systemd.services.sabnzbd-apikey = {
           requires = [ "sabnzbd.service" ];
diff --git a/nixos/tests/quake3.nix b/nixos/tests/quake3.nix
index f16d2240851f..0ecfade54e59 100644
--- a/nixos/tests/quake3.nix
+++ b/nixos/tests/quake3.nix
@@ -7,18 +7,6 @@ let
     });
   };
 
-  # Only allow the demo data to be used (only if it's unfreeRedistributable).
-  unfreePredicate =
-    pkg:
-    let
-      allowPackageNames = [
-        "quake3-demodata"
-        "quake3-pointrelease"
-      ];
-      allowLicenses = [ lib.licenses.unfreeRedistributable ];
-    in
-    lib.elem pkg.pname allowPackageNames && lib.elem (pkg.meta.license or null) allowLicenses;
-
   client =
     { pkgs, ... }:
     {
@@ -26,7 +14,6 @@ let
       hardware.graphics.enable = true;
       environment.systemPackages = [ pkgs.quake3demo ];
       nixpkgs.config.packageOverrides = overrides;
-      nixpkgs.config.allowUnfreePredicate = unfreePredicate;
     };
 in
 {
@@ -49,7 +36,6 @@ in
             + "+map q3dm7 +addbot grunt +addbot daemia 2> /tmp/log";
         };
         nixpkgs.config.packageOverrides = overrides;
-        nixpkgs.config.allowUnfreePredicate = unfreePredicate;
         networking.firewall.allowedUDPPorts = [ 27960 ];
       };
 
diff --git a/nixos/tests/sabnzbd.nix b/nixos/tests/sabnzbd.nix
index 92d574d717b2..03aa4dc9e9f2 100644
--- a/nixos/tests/sabnzbd.nix
+++ b/nixos/tests/sabnzbd.nix
@@ -11,9 +11,6 @@
       services.sabnzbd = {
         enable = true;
       };
-
-      # unrar is unfree
-      nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "unrar" ];
     };
 
   testScript = ''
diff --git a/nixos/tests/unifi.nix b/nixos/tests/unifi.nix
index ee3c8e1bdb84..0f357630b587 100644
--- a/nixos/tests/unifi.nix
+++ b/nixos/tests/unifi.nix
@@ -11,8 +11,6 @@
   node.pkgsReadOnly = false;
 
   nodes.machine = {
-    nixpkgs.config.allowUnfree = true;
-
     services.unifi.enable = true;
   };
 
diff --git a/nixos/tests/virtualbox.nix b/nixos/tests/virtualbox.nix
index 98125aec0328..8355c69cd692 100644
--- a/nixos/tests/virtualbox.nix
+++ b/nixos/tests/virtualbox.nix
@@ -426,8 +426,6 @@ let
             enable = true;
           }
           // vboxHostConfig;
-
-          nixpkgs.config.allowUnfree = config.virtualisation.virtualbox.host.enableExtensionPack;
         };
 
       testScript = ''
diff --git a/nixos/tests/vscode-remote-ssh.nix b/nixos/tests/vscode-remote-ssh.nix
index 7e563820b581..852011735e27 100644
--- a/nixos/tests/vscode-remote-ssh.nix
+++ b/nixos/tests/vscode-remote-ssh.nix
@@ -1,22 +1,6 @@
 import ./make-test-python.nix (
-  { lib, ... }@args:
+  { lib, pkgs, ... }@args:
   let
-    pkgs = args.pkgs.extend (
-      self: super: {
-        stdenv = super.stdenv.override {
-          config = super.config // {
-            allowUnfreePredicate =
-              pkg:
-              builtins.elem (lib.getName pkg) [
-                "vscode"
-                "vscode-with-extensions"
-                "vscode-extension-ms-vscode-remote-remote-ssh"
-              ];
-          };
-        };
-      }
-    );
-
     inherit (import ./ssh-keys.nix pkgs) snakeOilPrivateKey snakeOilPublicKey;
 
     inherit (pkgs.vscode.passthru) rev vscodeServer;