From f1936454ebe39f4c2b0214c4b16624209a3e4503 Mon Sep 17 00:00:00 2001
From: sommerfeld <sommerfeld@sommerfeld.dev>
Date: Thu, 14 May 2026 11:08:13 +0100
Subject: fix(remote-dev): whitelist claude-code/copilot-cli unfree
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The flake set `allowUnfree = false` so `home-manager switch` failed
with "Refusing to evaluate package 'claude-code-...' because it has
an unfree license". Switch to `allowUnfreePredicate` with an explicit
name allowlist — keeps the door closed for everything else while
permitting just the two AI agents we actually want.
---
 remote-dev/flake.nix | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

(limited to 'remote-dev')

diff --git a/remote-dev/flake.nix b/remote-dev/flake.nix
index 6622a72..69ddafd 100644
--- a/remote-dev/flake.nix
+++ b/remote-dev/flake.nix
@@ -12,7 +12,17 @@
   outputs = { self, nixpkgs, home-manager, ... }:
     let
       system = "x86_64-linux";
-      pkgs = import nixpkgs { inherit system; config.allowUnfree = false; };
+      pkgs = import nixpkgs {
+        inherit system;
+        # Whitelist specific unfree packages (claude-code, github-copilot-cli)
+        # instead of globally setting allowUnfree, so a typo elsewhere can't
+        # silently pull in additional unfree deps.
+        config.allowUnfreePredicate = pkg:
+          builtins.elem (nixpkgs.lib.getName pkg) [
+            "claude-code"
+            "github-copilot-cli"
+          ];
+      };
     in
     {
       homeConfigurations.vm = home-manager.lib.homeManagerConfiguration {
-- 
cgit v1.3.1