permittedInsecurePackages = [
        "hello-1.2.3"
      ];
    }
    ```

-   It is also possible to create a custom policy around which insecure packages to allow and deny, by overriding the `allowInsecurePredicate` configuration option.

    The `allowInsecurePredicate` option is a function which accepts a package and returns a boolean, much like `allowUnfreePredicate`.

    The following configuration example allows any version of the `ovftool` package:

    ```nix
    {
      allowInsecurePredicate =
        pkg:
        builtins.elem (lib.getName pkg) [
          "ovftool"
        ];
    }
    ```

    Note that `permittedInsecurePackages` is only checked if `allowInsecurePredicate` is not specified.

## Modify packages via `packageOverrides` {#sec-modify-via-packageOverrides}

You can define a function called `packageOverrides` in your local `~/.config/nixpkgs/config.nix` to override Nix packages. It must be a function that takes pkgs as an argument and returns a modified set of packages.

```nix
{
  packageOverrides = pkgs: rec {
    foo = pkgs.foo.override {
      # ...
    };
  };
}
```

## `config` Options Reference {#sec-config-options-reference}

The following attributes can be passed in [`config`](#chap-packageconfig).

```{=include=} options
id-prefix: opt-
list-id: configuration-variable-list
source: ../config-options.json
```


## Declarative Package Management {#sec-declarative-package-management}

### Build an environment {#sec-building-environment}

Using `packageOverrides`, it is possible to manage packages declaratively. This means that we can list all of our desired packages within a declarative Nix expression. For example, to have `aspell`, `bc`, `ffmpeg`, `coreutils`, `gdb`, `nix`, `emscripten`, `jq`, `nox`, and `silver-searcher`, we could use the following in `~/.config/nixpkgs/config.nix`:

```nix
{
  packageOverrides =
    pkgs: with pkgs; {
      myPackages = pkgs.buildEnv {
        name = "my-packages";
        paths = [
          aspell
          bc
          coreutils
          gdb
          ffmpeg
          nix
          emscripten
          jq
          nox
          silver-searcher
        ];
      };
    };
}
```

To install it into our environment, you can just run `nix-env -iA nixpkgs.myPackages`. If you want to load the packages to be built from a working copy of `nixpkgs` you just run `nix-env -f. -iA myPackages`. To explore what's been installed, just look through `~/.nix-profile/`. You can see that a lot of stuff has been installed. Some of this stuff is useful some of it isn't. Let's tell Nixpkgs to only link the stuff that we want:

```nix
{
  packageOverrides =
    pkgs: with pkgs; {
      myPackages = pkgs.buildEnv {
        name = "my-packages";
        paths = [
          aspell
          bc
          coreutils
          gdb
          ffmpeg
          nix
          emscripten
          jq
          nox
          silver-searcher
        ];
        pathsToLink = [
          "/share"
          "/bin"
        ];
      };
    };
}
```

`pathsToLink` tells Nixpkgs to only link the paths listed which gets rid of the extra stuff in the profile. `/bin` and `/share` are good defaults for a user environment, getting rid of the clutter. If you are running on Nix on MacOS, you may want to add another path as well, `/Applications`, that makes GUI apps available.

### Getting documentation {#sec-getting-documentation}

After building that new environment, look through `~/.nix-profile` to make sure everything is there that we wanted. Discerning readers will note that some files are missing. Look inside `~/.nix-profile/share/man/man1/` to verify this. There are no man pages for any of the Nix tools! This is because some packages like Nix have multiple outputs for things like documentation (see section 4). Let's make Nix install those as well.

```nix
{
  packageOverrides =