refactor: Move nixpkgs attribute to third_party.nixpkgs

Please read b/108 to make sense of this. This gets rid of the explicit list of exposed packages from nixpkgs, and instead makes the entire package set available at `third_party.nixpkgs`. To accommodate this, a LOT of things have to be very slightly shuffled around. Some of this was done in already submitted CLs, but this change is unfortunately still quite noisy. Pay extra attention to: * overlay-like functionality that was partially moved to actual overlays (partially as in, the minimum required to get a green build) * modified uses of the package set path, esp. in NixOS systems Special notes: * xanthous has been disabled in CI because of issues with the Haskell overlay * //third_party/nix has been disabled because of other unclear dependency issues Both of these will be tackled in a followup CL. Change-Id: I2f9c60a4d275fdb5209264be0addfd7e06c53118 Reviewed-on: https://cl.tvl.fyi/c/depot/+/2910 Reviewed-by: glittershark <grfn@gws.fyi> Reviewed-by: sterni <sternenseemann@systemli.org> Tested-by: BuildkiteCI
2021-04-10 18:05:16 +02:00 · 2021-04-10 18:05:16 +02:00 · 473604f567
commit 473604f567
parent a83abc9024
46 changed files with 276 additions and 488 deletions
--- a/default.nix
+++ b/default.nix
@ -19,11 +19,11 @@ let
    inherit depot;

    # Expose lib attribute to packages.
-    inherit (depot) lib;
+    inherit (depot.third_party.nixpkgs) lib;

    # Pass third_party as 'pkgs' (for compatibility with external
    # imports for certain subdirectories)
-    pkgs = depot.third_party;
+    pkgs = depot.third_party.nixpkgs;
  };

  readTree' = import ./nix/readTree {};
@ -75,9 +75,6 @@ in fix(self: {
  __readTree = [];
  config = config self;

-  # Elevate 'lib' from nixpkgs
-  lib = import (self.third_party.nixpkgsSrc + "/lib");
-
  # Expose readTree for downstream repo consumers.
  readTree = {
    __functor = x: (readTree' x.config);
@ -97,6 +94,9 @@ in fix(self: {
    # generate pipelines because that also leads to infinite
    # recursion.
    ops = self.ops // { pipelines = null; };
+
+    # remove nixpkgs from the set, for obvious reasons.
+    third_party = self.third_party // { nixpkgs = null; };
  });
 }

--- a/fun/idual/default.nix
+++ b/fun/idual/default.nix
@ -1,7 +1,7 @@
-{ pkgs, lib, ... }:
+{ depot, pkgs, lib, ... }:

 let
-  inherit (pkgs) python python3 python3Packages;
+  inherit (pkgs) python3 python3Packages;

  opts = {
    pname   = "idualctl";
@ -9,12 +9,12 @@ let
    src     = ./.;

    propagatedBuildInputs = [
-      python.broadlink
+      depot.third_party.python.broadlink
    ];
  };
  package = python3Packages.buildPythonPackage opts;
  script  = python3Packages.buildPythonApplication opts;
-in {
+in depot.nix.utils.drvTargets {
  inherit script;
  python  = python3.withPackages (_: [ package ]);
  setAlarm = pkgs.writeShellScriptBin "set-alarm" ''
--- a/ops/nixos/default.nix
+++ b/ops/nixos/default.nix
@ -8,9 +8,7 @@
 # situation.
 { depot, lib, pkgs, ... }@args:

-let
-  inherit (lib) findFirst isAttrs;
-  nixos = import "${depot.third_party.nixpkgsSrc}/nixos";
+let inherit (lib) findFirst isAttrs;
 in rec {
  whitby = import ./whitby/default.nix args;

@ -25,7 +23,7 @@ in rec {
    };
  };

-  nixosFor = configuration: (nixos {
+  nixosFor = configuration: (depot.third_party.nixos {
    configuration = { ... }: {
      imports = [
        baseModule
--- a/ops/nixos/whitby/default.nix
+++ b/ops/nixos/whitby/default.nix
@ -1,10 +1,8 @@
-{ depot, lib, ... }:
+{ depot, lib, pkgs, ... }:

 let
  inherit (builtins) listToAttrs;
  inherit (lib) range;
-
-  nixpkgs = import depot.third_party.nixpkgsSrc {};
 in lib.fix(self: {
  imports = [
    "${depot.depotPath}/ops/nixos/clbot.nix"
@ -27,7 +25,7 @@ in lib.fix(self: {
    "${depot.depotPath}/ops/nixos/www/todo.tvl.fyi.nix"
    "${depot.depotPath}/ops/nixos/www/tvl.fyi.nix"
    "${depot.depotPath}/ops/nixos/www/wigglydonke.rs.nix"
-    "${depot.third_party.nixpkgsSrc}/nixos/modules/services/web-apps/gerrit.nix"
+    "${pkgs.path}/nixos/modules/services/web-apps/gerrit.nix"
  ];

  hardware = {
@ -140,14 +138,14 @@ in lib.fix(self: {
  # Generate an immutable /etc/resolv.conf from the nameserver settings
  # above (otherwise DHCP overwrites it):
  environment.etc."resolv.conf" = with lib; {
-    source = depot.third_party.writeText "resolv.conf" ''
+    source = pkgs.writeText "resolv.conf" ''
      ${concatStringsSep "\n" (map (ns: "nameserver ${ns}") self.networking.nameservers)}
      options edns0
    '';
  };

  # Disable background git gc system-wide, as it has a tendency to break CI.
-  environment.etc."gitconfig".source = depot.third_party.writeText "gitconfig" ''
+  environment.etc."gitconfig".source = pkgs.writeText "gitconfig" ''
    [gc]
    autoDetach = false
  '';
@ -304,7 +302,7 @@ in lib.fix(self: {
    bindAddress = "localhost";
  };

-  environment.systemPackages = with nixpkgs; [
+  environment.systemPackages = with pkgs; [
    bb
    curl
    emacs-nox
@ -332,7 +330,7 @@ in lib.fix(self: {
  # Regularly back up whitby to Google Cloud Storage.
  systemd.services.restic = {
    description = "Backups to Google Cloud Storage";
-    script = "${nixpkgs.restic}/bin/restic backup /var/lib/gerrit /var/backup/postgresql";
+    script = "${pkgs.restic}/bin/restic backup /var/lib/gerrit /var/backup/postgresql";

    environment = {
      GOOGLE_PROJECT_ID = "tazjins-infrastructure";
@ -369,7 +367,7 @@ in lib.fix(self: {
    users.tazjin = {
      isNormalUser = true;
      extraGroups = [ "git" "wheel" ];
-      shell = nixpkgs.fish;
+      shell = pkgs.fish;
      openssh.authorizedKeys.keys = depot.users.tazjin.keys.all;
    };

--- a/third_party/default.nix
+++ b/third_party/default.nix
@ -1,73 +1,23 @@
-# This file controls the import of external dependencies (i.e.
-# third-party code) into my package tree.
+# This file defines the root of all external dependency imports (i.e.
+# third-party code) in the TVL package tree.
 #
-# This includes *all packages needed from nixpkgs*.
-{ ... }:
+# There are two categories of third-party programs:
+#
+# 1) Programs in nixpkgs, the NixOS package set. For these, you might
+#    want to look at //third_party/nixpkgs (for the package set
+#    imports) and //third_party/overlays (for modifications in these
+#    imported package sets).
+#
+# 2) Third-party software packaged in this repository. This is all
+#    other folders below //third_party, other than the ones mentioned
+#    above.

-let
-  # Tracking nixos-unstable as of 2021-03-25.
-  nixpkgsCommit = "60dd94fb7e01a8288f6638eee71d7cb354c49327";
-  nixpkgsSrc = fetchTarball {
-    url = "https://github.com/NixOS/nixpkgs/archive/${nixpkgsCommit}.tar.gz";
-    sha256 = "0skdwk9bdld295kzrymirs8xrzycqmhsclaz8s18jhcz75hb8sk3";
-  };
-  nixpkgs = import nixpkgsSrc {
-    config.allowUnfree = true;
-    config.allowBroken = true;
+{ pkgs, ... }:

-    # Lutris depends on p7zip, which is considered insecure.
-    config.permittedInsecurePackages = [
-      "p7zip-16.02"
-    ];
-  };
-
-  # Tracking nixos-20.09 as of 2021-03-25.
-  stableCommit = "223d0d733a66b46504ea6b4c15f88b7cc4db58fb";
-  stableNixpkgsSrc = fetchTarball {
-    url = "https://github.com/NixOS/nixpkgs/archive/${stableCommit}.tar.gz";
-    sha256 = "073327ris0frqa3kpid3nsjr9w8yx2z83xpsc24w898mrs9r7d5v";
-  };
-  stableNixpkgs = import stableNixpkgsSrc {};
-
-  exposed = import ./nixpkgs-exposed/exposed { inherit nixpkgs stableNixpkgs; };
-
-in exposed.lib.fix(self: exposed // {
-  callPackage = nixpkgs.lib.callPackageWith self;
-
-  # Provide the source code of nixpkgs, but do not provide an imported
-  # version of it.
-  inherit nixpkgsCommit nixpkgsSrc stableNixpkgsSrc;
-
-  # Expose upstream attributes so they can be overridden in readTree nodes
-  originals = {
-    inherit (nixpkgs) gtest openldap go grpc notmuch rr;
-    inherit (stableNixpkgs) git tdlib;
-    ffmpeg = nixpkgs.ffmpeg-full;
-    telega = stableNixpkgs.emacsPackages.telega;
-
-  };
-
-  # Use LLVM 11
-  llvmPackages = nixpkgs.llvmPackages_11;
-  clangStdenv = nixpkgs.llvmPackages_11.stdenv;
-  stdenv = nixpkgs.llvmPackages_11.stdenv;
-
-  clang-tools = (nixpkgs.clang-tools.override {
-    llvmPackages = nixpkgs.llvmPackages_11;
-  });
-
-  # Provide Emacs 27
-  #
-  # The assert exists because the name of the attribute is unversioned
-  # (which is different from previous versions).
-  emacs27 = assert ((exposed.lib.versions.major nixpkgs.emacs.version) == "27");
-    nixpkgs.emacs.overrideAttrs(old: {
-      configureFlags = old.configureFlags ++ [ "--with-cairo" ];
-    });
-
-  emacs27-nox = assert ((exposed.lib.versions.major nixpkgs.emacs.version) == "27");
-    nixpkgs.emacs-nox;
-
-  # Make NixOS available
-  nixos = import "${nixpkgsSrc}/nixos";
-})
+{
+  # Expose a partially applied NixOS, expecting an attribute set with
+  # a `configuration` key. Exposing it like this makes it possible to
+  # modify some of the base configuration used by NixOS. passed to
+  # this.
+  nixos = import "${pkgs.path}/nixos";
+}
--- a/third_party/ffmpeg/default.nix
+++ b/third_party/ffmpeg/default.nix
@ -1,12 +0,0 @@
-{ pkgs, ... }:
-
-pkgs.originals.ffmpeg.overrideAttrs(old: {
-  buildInputs = old.buildInputs ++ [
-    pkgs.cudatoolkit.out
-  ];
-
-  configureFlags = old.configureFlags ++ [
-    "--enable-libnpp"
-    "--enable-nonfree"
-  ];
-})
--- a/third_party/git/default.nix
+++ b/third_party/git/default.nix
@ -1,15 +1,13 @@
 # Use the upstream git derivation (there's a lot of stuff happening in
 # there!) and just override the source:
-{ depot, ... }:
+{ pkgs, ... }:

-with depot.third_party;
-
-(originals.git.overrideAttrs(_: {
+(pkgs.git.overrideAttrs(_: {
  version = "2.29.2";
  src = ./.;
  doInstallCheck = false;
  preConfigure = ''
-    ${autoconf}/bin/autoreconf -i
+    ${pkgs.autoconf}/bin/autoreconf -i
  '';
 })).override {
  sendEmailSupport = true;
--- a/third_party/grpc/default.nix
+++ b/third_party/grpc/default.nix
@ -1,7 +1,7 @@
-{ pkgs, ... }:
+{ depot, pkgs, ... }:

-(pkgs.originals.grpc.override {
-  protobuf = pkgs.protobuf;
+(pkgs.grpc.override {
+  protobuf = depot.third_party.protobuf;
  stdenv = pkgs.llvmPackages.libcxxStdenv;
 }).overrideAttrs(orig: rec {
  version = "1.30.0";
--- a/third_party/gtest/default.nix
+++ b/third_party/gtest/default.nix
@ -1,6 +1,6 @@
 { pkgs, ... }:

-(pkgs.originals.gtest.override {
+(pkgs.gtest.override {
  stdenv = pkgs.llvmPackages.libcxxStdenv;
 }).overrideAttrs(_: {
  src = pkgs.fetchFromGitHub {
--- a/third_party/nix/default.nix
+++ b/third_party/nix/default.nix
@ -1,5 +1,6 @@
 args@{
-  pkgs ? (import ../.. {}).third_party
+  depot ? (import ../.. {})
+, pkgs ? depot.third_party.nixpkgs
 , lib
 , buildType ? "release"
 , depotPath ? ../..
@ -43,10 +44,11 @@ let
  protoSrcs = pkgs.runCommand "nix-proto-srcs" {} ''
    export PROTO_SRCS=${./src/proto}
    mkdir -p $out/libproto
-    ${pkgs.protobuf}/bin/protoc -I=$PROTO_SRCS \
+    ${depot.third_party.protobuf}/bin/protoc -I=$PROTO_SRCS \
      --cpp_out=$out/libproto \
-      --plugin=protoc-gen-grpc=${pkgs.grpc}/bin/grpc_cpp_plugin --grpc_out=$out/libproto \
-      $PROTO_SRCS/*.proto
+      --plugin=protoc-gen-grpc=${depot.third_party.grpc}/bin/grpc_cpp_plugin \
+        --grpc_out=$out/libproto \
+        $PROTO_SRCS/*.proto
  '';

  # Derivation for busybox that just has the `busybox` binary in bin/, not all
@ -73,7 +75,6 @@ in lib.fix (self: pkgs.llvmPackages.libcxxStdenv.mkDerivation {

 # TODO(tazjin): Some of these might only be required for native inputs
  buildInputs = with pkgs; [
-    abseil_cpp
    aws-s3-cpp
    brotli
    bzip2
@ -81,16 +82,18 @@ in lib.fix (self: pkgs.llvmPackages.libcxxStdenv.mkDerivation {
    curl
    editline
    flex
-    glog
-    grpc
    libseccomp
    libsodium
    systemd.dev
    openssl
-    protobuf
    sqlite
    xz
-  ];
+  ] ++ (with depot.third_party; [
+    abseil_cpp
+    glog
+    grpc
+    protobuf
+  ]);

  doCheck = false;
  doInstallCheck = true;
@ -99,8 +102,8 @@ in lib.fix (self: pkgs.llvmPackages.libcxxStdenv.mkDerivation {
  dontStrip = true;

  installCheckInputs = with pkgs; [
+    depot.third_party.gtest
    fd
-    gtest
    rapidcheck
  ];

@ -185,6 +188,9 @@ in lib.fix (self: pkgs.llvmPackages.libcxxStdenv.mkDerivation {
  # TODO(tazjin): integration test setup?
  # TODO(tazjin): docs generation?

+  # TODO(tazjin): Sort out after CL/2910 lands
+  meta.ci = false;
+
  passthru = {
    build-shell = self.overrideAttrs (up: rec {
      run_clang_tidy = pkgs.writeShellScriptBin "run-clang-tidy" ''
--- a/third_party/nix/test-vm.nix
+++ b/third_party/nix/test-vm.nix
@ -1,10 +1,9 @@
 { depot, pkgs, ... }:

 let
-
  configuration = { ... }: {
    imports = [
-      "${pkgs.nixpkgsSrc}/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix"
+      "${pkgs.path}/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix"
    ];

    nix.package = depot.third_party.nix;
@ -16,6 +15,5 @@ let
    ];
  };

-  system = pkgs.nixos { inherit configuration; };
-
+  system = depot.third_party.nixos { inherit configuration; };
 in system.vm
--- a/third_party/nixpkgs-exposed/.skip-subtree
+++ b/third_party/nixpkgs-exposed/.skip-subtree
@ -1 +0,0 @@
-This subtree is responsible for setting up the read tree arguments in the first place.
--- a/third_party/nixpkgs-exposed/OWNERS
+++ b/third_party/nixpkgs-exposed/OWNERS
@ -1,8 +0,0 @@
-# The nixpkgs whitelist needs to be changed every time we reference
-# a new attribute, so every commiter should be able to change it,
-# otherwise we create undue blockers on superowners.
-inherited: true
-owners:
-  - Profpatsch
-  - sterni
-  - glittershark
--- a/third_party/nixpkgs-exposed/exposed/default.nix
+++ b/third_party/nixpkgs-exposed/exposed/default.nix
@ -1,210 +0,0 @@
-# This file has to be in yet another subdir
-# because of how readTree interprets .skip-subtree
-# see https://b.tvl.fyi/issues/89
-{ nixpkgs, stableNixpkgs }:
-{
-  # Inherit the packages from nixos-unstable that should be available inside
-  # of the repo. They become available under `pkgs.third_party.<name>`
-  inherit (nixpkgs)
-    age
-    atk
-    autoconf
-    autoreconfHook
-    avrdude
-    avrlibc
-    bashInteractive
-    bat
-    bc
-    bind
-    buildBazelPackage
-    buildFHSUserEnv
-    buildGoModule
-    buildGoPackage
-    buildPackages
-    buildRustCrate
-    buildkite-agent
-    busybox
-    bzip2
-    c-ares
-    cacert
-    cachix
-    cairo
-    cargo
-    cgit
-    clang_11
-    cmake
-    coreutils
-    cudatoolkit
-    darwin
-    dbus-glib
-    dbus_libs
-    dfu-programmer
-    dfu-util
-    diffutils
-    docker-compose
-    dockerTools
-    emacs27
-    emacs27-nox
-    emacsPackages
-    emacsPackagesGen
-    execline
-    fd
-    fdtools
-    fetchFromGitHub
-    fetchFromGitLab
-    fetchgit
-    fetchurl
-    fetchzip
-    ffmpeg-full
-    findutils
-    fira
-    fira-code
-    fira-mono
-    flamegraph
-    fontconfig
-    freetype
-    gdk-pixbuf
-    gettext
-    glibc
-    glib
-    gtk3
-    gmock
-    gnused
-    gnutar
-    go
-    google-cloud-sdk
-    graphviz
-    gzip
-    haskell
-    iana-etc
-    imagemagickBig
-    installShellFiles
-    jdk
-    jdk11
-    jdk11_headless
-    jetbrains-mono
-    jq
-    kontemplate
-    lib
-    libappindicator-gtk3
-    libredirect
-    libffi
-    linuxPackages
-    linuxPackages_5_11
-    lr
-    luajit
-    lutris
-    makeFontsConf
-    makeWrapper
-    mandoc
-    mdbook
-    meson
-    mime-types
-    minify
-    mkShell
-    moreutils
-    nano
-    ncurses
-    nginx
-    ninja
-    nix
-    ocamlPackages
-    openssh
-    openssl
-    overrideCC
-    pandoc
-    pango
-    parallel
-    path
-    pkgconfig
-    pkgsCross
-    plantuml
-    postgresql
-    pounce
-    pulseaudio
-    python3
-    python3Packages
-    quassel
-    remarshal
-    rink
-    ripgrep
-    rsync
-    runCommand
-    runCommandLocal
-    runCommandNoCC
-    rustPlatform
-    rustc
-    s6-portable-utils
-    sbcl
-    shellcheck
-    sqlite
-    stdenvNoCC
-    stern
-    substituteAll
-    symlinkJoin
-    systemd
-    tdlib
-    teensy-loader-cli
-    terraform_0_12
-    texlive
-    thttpd
-    tree
-    tree-sitter
-    unzip
-    which
-    writers
-    writeShellScript
-    writeShellScriptBin
-    writeText
-    xorg
-    xz
-    zlib
-    zstd;
-
-  # Inherit packages from the stable channel for things that are
-  # broken on unstable
-  inherit (stableNixpkgs)
-    awscli # TODO(grfn): Move back to unstable once it is fixed
-    ;
-
-  # Required by //third_party/nix
-  inherit (nixpkgs)
-    aws-sdk-cpp
-    bison
-    boehmgc
-    boost # urgh
-    brotli
-    busybox-sandbox-shell
-    curl
-    docbook5
-    docbook_xsl_ns
-    editline
-    flex
-    libseccomp
-    libsodium
-    libxml2
-    libxslt
-    mercurial
-    perl
-    perlPackages
-    ;
-
-  haskellPackages = (nixpkgs.haskellPackages.override {
-    overrides = (import ../../overlays/haskell
-    { /* empty readTree arg */ }
-    { pkgs = nixpkgs; });
-  });
-
-  gradle_6 = (nixpkgs.gradleGen.override {
-    java = nixpkgs.jdk11;
-    jdk = nixpkgs.jdk11;
-  }).gradleGen rec {
-    name = "gradle-6.5.1";
-    nativeVersion = "0.22-milestone-3";
-
-    src = builtins.fetchurl {
-      url = "https://services.gradle.org/distributions/${name}-bin.zip";
-      sha256 = "0jmmipjh4fbsn92zpifa5cqg5ws2a4ha0s4jzqhrg4zs542x79sh";
-    };
-  };
-}
--- a/third_party/nixpkgs/default.nix
+++ b/third_party/nixpkgs/default.nix
@ -0,0 +1,56 @@
+# This file imports the pinned nixpkgs sets and applies relevant
+# modifications, such as our overlays.
+#
+# Note that the attribute exposed by this (third_party.nixpkgs) is
+# "special" in that the fixpoint used as readTree's config parameter
+# in //default.nix passes this attribute as the `pkgs` argument to all
+# readTree derivations.
+
+{ depot, ... }:
+
+let
+  # This provides the sources of nixpkgs. We track both
+  # nixos-unstable, and the current stable channel of the latest NixOS
+  # release.
+
+  # Tracking nixos-unstable as of 2021-03-25.
+  unstableHashes = {
+    commit = "60dd94fb7e01a8288f6638eee71d7cb354c49327";
+    sha256 = "0skdwk9bdld295kzrymirs8xrzycqmhsclaz8s18jhcz75hb8sk3";
+  };
+
+  # Tracking nixos-20.09 as of 2021-03-25.
+  stableHashes = {
+    commit = "223d0d733a66b46504ea6b4c15f88b7cc4db58fb";
+    sha256 = "073327ris0frqa3kpid3nsjr9w8yx2z83xpsc24w898mrs9r7d5v";
+  };
+
+  nixpkgsSrc = fetchTarball {
+    url = "https://github.com/NixOS/nixpkgs/archive/${unstableHashes.commit}.tar.gz";
+    sha256 = unstableHashes.sha256;
+  };
+  stableNixpkgsSrc = fetchTarball {
+    url = "https://github.com/NixOS/nixpkgs/archive/${stableHashes.commit}.tar.gz";
+    sha256 = stableHashes.sha256;
+  };
+
+  # Stable package set is imported, but not exposed, to overlay
+  # required packages into the unstable set.
+  stableNixpkgs = import stableNixpkgsSrc {};
+
+  # Overlay for packages that should come from the stable channel
+  # instead (e.g. because something is broken in unstable).
+  stableOverlay = self: super: {
+    inherit (stableNixpkgs)
+      awscli # TODO(grfn): Move back to unstable once it is fixed
+      ;
+  };
+in import nixpkgsSrc {
+  config.allowUnfree = true;
+  config.allowBroken = true;
+  overlays = [
+    stableOverlay
+    depot.third_party.overlays.tvl
+    depot.third_party.overlays.haskell
+  ];
+}
--- a/third_party/notmuch/default.nix
+++ b/third_party/notmuch/default.nix
@ -1,6 +1,7 @@
+# Notmuch, but with support for https://dotti.me/
 { pkgs, ... }:

-pkgs.originals.notmuch.overrideAttrs(old: {
+pkgs.notmuch.overrideAttrs(old: {
  doCheck = false;
  patches = [ ./dottime.patch ] ++ (if old ? patches then old.patches else []);
 })
--- a/third_party/openldap/default.nix
+++ b/third_party/openldap/default.nix
@ -6,7 +6,7 @@
 # derivation to include this module.
 { pkgs, ... }:

-pkgs.originals.openldap.overrideAttrs(old: {
+pkgs.openldap.overrideAttrs(old: {
  buildInputs = old.buildInputs ++ [ pkgs.libsodium ];

  postBuild = ''
--- a/third_party/overlays/haskell/default.nix
+++ b/third_party/overlays/haskell/default.nix
@ -1,34 +1,41 @@
-# Defines overrides for Haskell packages, for example to avoid
-# breakage currently present in nixpkgs or to modify package versions.
+# Defines an overlay for overriding Haskell packages, for example to
+# avoid breakage currently present in nixpkgs or to modify package
+# versions.

 { ... }: # This file needs nothing from readTree
-{ pkgs }: # ... but is called with a separate package set in the overlay

-self: super: with pkgs.haskell.lib; rec {
-  generic-arbitrary = appendPatch
-    super.generic-arbitrary
-    [ ./patches/generic-arbitrary-export-garbitrary.patch ];
+self: super: # overlay parameters for the nixpkgs overlay

-  random = dontCheck (self.callHackageDirect {
-    pkg = "random";
-    ver = "1.2.0";
-    sha256 = "06s3mmqbsfwv09j2s45qnd66nrxfp9280gnl9ng8yh128pfr7bjh";
-  } {});
+let
+  overrides = hsSelf: hsSuper: with super.haskell.lib; rec {
+    generic-arbitrary = appendPatch hsSuper.generic-arbitrary
+      [ ./patches/generic-arbitrary-export-garbitrary.patch ];

-  # random <1.2
-  test-framework = doJailbreak super.test-framework;
-  hashable = doJailbreak super.hashable;
-  test-framework-quickcheck2 = doJailbreak super.test-framework-quickcheck2;
+    # random = dontCheck (hsSuper.callHackageDirect {
+    #   pkg = "random";
+    #   ver = "1.2.0";
+    #   sha256 = "06s3mmqbsfwv09j2s45qnd66nrxfp9280gnl9ng8yh128pfr7bjh";
+    # } {});

-  # can be removed if we have the following PR or equivalent
-  # https://github.com/NixOS/nixpkgs/pull/116931
-  hedgehog-classes = overrideCabal super.hedgehog-classes (attrs: {
-    # remove version bound on semirings which is inside a
-    # conditional, so doJailbreak doesn't work
-    prePatch = ''
-      sed -i 's|semirings.*0.6|semirings|g' hedgehog-classes.cabal
-    '';
-  });
+    # random <1.2
+    test-framework = doJailbreak hsSuper.test-framework;
+    hashable = doJailbreak hsSuper.hashable;
+    test-framework-quickcheck2 = doJailbreak hsSuper.test-framework-quickcheck2;

-  hgeometry-combinatorial = dontCheck super.hgeometry-combinatorial;
+    # can be removed if we have the following PR or equivalent
+    # https://github.com/NixOS/nixpkgs/pull/116931
+    hedgehog-classes = overrideCabal hsSuper.hedgehog-classes (attrs: {
+      # remove version bound on semirings which is inside a
+      # conditional, so doJailbreak doesn't work
+      prePatch = ''
+        sed -i 's|semirings.*0.6|semirings|g' hedgehog-classes.cabal
+      '';
+    });
+
+    hgeometry-combinatorial = dontCheck hsSuper.hgeometry-combinatorial;
+  };
+in {
+  haskellPackages = super.haskellPackages.override {
+    inherit overrides;
+  };
 }
--- a/third_party/overlays/tvl.nix
+++ b/third_party/overlays/tvl.nix
@ -0,0 +1,27 @@
+# This overlay is used to make TVL-specific modifications in the
+# nixpkgs tree, where required.
+{ ... }:
+
+self: super: {
+  # Required for apereo-cas
+  # TODO(lukegb): Document why?
+  gradle_6 = (super.gradleGen.override {
+    java = self.jdk11;
+    jdk = self.jdk11;
+  }).gradleGen rec {
+    name = "gradle-6.5.1";
+    nativeVersion = "0.22-milestone-3";
+
+    src = builtins.fetchurl {
+      url = "https://services.gradle.org/distributions/${name}-bin.zip";
+      sha256 = "0jmmipjh4fbsn92zpifa5cqg5ws2a4ha0s4jzqhrg4zs542x79sh";
+    };
+  };
+
+  # Use LLVM 11
+  llvmPackages = self.llvmPackages_11;
+  clangStdenv = self.llvmPackages_11.stdenv;
+  clang-tools = (super.clang-tools.override {
+    llvmPackages = self.llvmPackages_11;
+  });
+}
--- a/third_party/protobuf/default.nix
+++ b/third_party/protobuf/default.nix
@ -1,7 +1,7 @@
 # Pin protobuf to version 3.12, with LLVM.
 { depot, pkgs, ... }:

-pkgs.callPackage "${depot.third_party.nixpkgsSrc}/pkgs/development/libraries/protobuf/generic-v3.nix" {
+pkgs.callPackage "${pkgs.path}/pkgs/development/libraries/protobuf/generic-v3.nix" {
  version = "3.12.2";
  sha256 = "1lp368aa206vpic9fmax4k6llnmf28plfvkkm4vqhgphmjqykvl2";
  stdenv = pkgs.llvmPackages.libcxxStdenv;
--- a/third_party/rr/default.nix
+++ b/third_party/rr/default.nix
@ -1,16 +0,0 @@
-{ pkgs, ... }:
-
-pkgs.originals.rr.overrideAttrs(_: {
-  src = pkgs.fetchFromGitHub {
-    owner = "mozilla";
-    repo = "rr";
-    rev = "8fc7d2a09a739fee1883d262501e88613165c1dd";
-    sha256 = "0avq5lv082z2sasggfn2awnfrh08cr8f0i9iw1dnrcxa6pc3bi9k";
-    fetchSubmodules = false;
-  };
-
-  # Workaround as documented on https://github.com/mozilla/rr/wiki/Zen
-  postInstall = ''
-    cp $src/scripts/zen_workaround.py $out/bin/rr_zen_workaround
-  '';
-})
--- a/users/Profpatsch/writers/tests/default.nix
+++ b/users/Profpatsch/writers/tests/default.nix
@ -1,4 +1,4 @@
-{ depot, ... }:
+{ depot, pkgs, ... }:

 let
  inherit (depot.users.Profpatsch.writers)
@ -9,7 +9,7 @@ let
    rustSimpleBin
    ;

-  inherit (depot.third_party)
+  inherit (pkgs)
    coreutils
    ;

--- a/users/glittershark/achilles/default.nix
+++ b/users/glittershark/achilles/default.nix
@ -1,6 +1,6 @@
-{ pkgs, ... }:
+{ depot, pkgs, ... }:

-pkgs.naersk.buildPackage {
+depot.third_party.naersk.buildPackage {
  src = ./.;

  buildInputs = with pkgs; [
--- a/users/glittershark/owothia/default.nix
+++ b/users/glittershark/owothia/default.nix
@ -1,4 +1,6 @@
-{ pkgs ? (import ../../../. {}).third_party, ... }:
+{ depot ? (import ../../../. {})
+, pkgs ? depot.third_party.nixpkgs
+, ... }:

 pkgs.haskellPackages.callCabal2nix "owothia"
-  (pkgs.gitignoreSource ./.) { }
+  (depot.third_party.gitignoreSource ./.) { }
--- a/users/glittershark/pkgs/fprintd/default.nix
+++ b/users/glittershark/pkgs/fprintd/default.nix
@ -1,9 +1,11 @@
-args @ { pkgs, ... }:
+{ depot, pkgs, ... }:

 let
-  nixpkgs = import pkgs.nixpkgsSrc {
+  nixpkgs = import pkgs.path {
    config.allowUnfree = true;
    overlays = [(self: super: {
+      # TODO(grfn): Can we not override this here? It bootstraps
+      # rustc, builds firefox, and many other things.
      gcc = super.gcc9;
    })];
  };
--- a/users/glittershark/system/home/default.nix
+++ b/users/glittershark/system/home/default.nix
@ -3,15 +3,13 @@
 with lib;

 rec {
-  nixpkgs = import pkgs.nixpkgsSrc {};
-
-  home = confPath: (import "${nixpkgs.home-manager.src}/modules" {
-    pkgs = nixpkgs;
+  home = confPath: (import "${pkgs.home-manager.src}/modules" {
+    inherit pkgs;
    configuration = { config, lib, ... }: {
      imports = [confPath];

      _module.args.pkgs = mkForce
-        (import pkgs.nixpkgsSrc (filterAttrs (n: v: v != null) config.nixpkgs));
+        (import pkgs.path (filterAttrs (n: v: v != null) config.nixpkgs));

      lib.depot = depot;
    };
--- a/users/glittershark/system/home/modules/development.nix
+++ b/users/glittershark/system/home/modules/development.nix
@ -54,7 +54,7 @@ with lib;
    gdb
    lldb
    hyperfine
-    config.lib.depot.third_party.clang-tools
+    clang-tools

    clj2nix
    clojure
--- a/users/glittershark/system/system/default.nix
+++ b/users/glittershark/system/system/default.nix
@ -1,19 +1,15 @@
 args @ { depot, pkgs, ... }:

-let
-  nixpkgs = import pkgs.nixpkgsSrc {};
-in
-
 rec {
  chupacabra = import ./machines/chupacabra.nix;

-  chupacabraSystem = (pkgs.nixos {
+  chupacabraSystem = (depot.third_party.nixos {
    configuration = chupacabra;
  }).system;

  mugwump = import ./machines/mugwump.nix;

-  mugwumpSystem = (pkgs.nixos {
+  mugwumpSystem = (depot.third_party.nixos {
    configuration = mugwump;
  }).system;

@ -22,14 +18,14 @@ rec {
  roswellSystem = (depot.ops.nixos.nixosFor ({ ... }: {
    imports = [
      ./machines/roswell.nix
-      "${nixpkgs.home-manager.src}/nixos"
+      "${pkgs.home-manager.src}/nixos"
    ];

    home-manager.users.grfn = { config, lib, ... }: {
      imports = [ ../home/machines/roswell.nix ];
      lib.depot = depot;
      _module.args.pkgs = lib.mkForce
-        (import pkgs.nixpkgsSrc
+        (import pkgs.path
          (lib.filterAttrs (n: v: v != null) config.nixpkgs));
    };
  })).system;
@ -60,7 +56,7 @@ rec {
          system=$(nix-build -E '(import ${depotPath} {}).users.glittershark.system.system.${hostname}' --no-out-link)
          ;;
      '';
-    in depot.third_party.writeShellScriptBin "rebuilder" ''
+    in pkgs.writeShellScriptBin "rebuilder" ''
      set -ue
      if [[ $EUID -ne 0 ]]; then
        echo "Oh no! Only root is allowed to rebuild the system!" >&2
--- a/users/glittershark/system/system/iso.nix
+++ b/users/glittershark/system/system/iso.nix
@ -1,17 +1,17 @@
-{ pkgs, ... }:
+{ depot, lib, pkgs, ... }:

 let
  configuration = { ... }: {
    imports = [
-      "${pkgs.nixpkgsSrc}/nixos/modules/installer/cd-dvd/installation-cd-minimal-new-kernel.nix"
-      "${pkgs.nixpkgsSrc}/nixos/modules/installer/cd-dvd/channel.nix"
+      "${pkgs.path}/nixos/modules/installer/cd-dvd/installation-cd-minimal-new-kernel.nix"
+      "${pkgs.path}/nixos/modules/installer/cd-dvd/channel.nix"
    ];

    networking.networkmanager.enable = true;
    networking.useDHCP = false;
    networking.firewall.enable = false;
-    networking.wireless.enable = pkgs.lib.mkForce false;
+    networking.wireless.enable = lib.mkForce false;
  };
-in (pkgs.nixos {
+in (depot.third_party.nixos {
  inherit configuration;
 }).config.system.build.isoImage
--- a/users/glittershark/xanthous/default.nix
+++ b/users/glittershark/xanthous/default.nix
@ -4,4 +4,6 @@
 }:
 pkgs.haskell.lib.failOnAllWarnings (
  pkgs.haskellPackages.callPackage (import ./pkg.nix { inherit pkgs; }) {}
-)
+) // {
+  meta.ci = false;
+}
--- a/users/glittershark/xanthous/pkg.nix
+++ b/users/glittershark/xanthous/pkg.nix
@ -1,10 +1,10 @@
-{ pkgs ? (import ../../../. {}).third_party }:
+{ depot ? (import ../../../. {})
+, pkgs ? depot.third_party.nixpkgs
+, ... }:

 let
-  ignore = pkgs.gitignoreSource.gitignoreFilter ./.;
-in
-
-import (pkgs.haskellPackages.haskellSrc2nix {
+  ignore = depot.third_party.gitignoreSource.gitignoreFilter ./.;
+in import (pkgs.haskellPackages.haskellSrc2nix {
  name = "xanthous";
  src = builtins.path {
    name = "xanthous-source";
--- a/users/tazjin/aoc2020/default.nix
+++ b/users/tazjin/aoc2020/default.nix
@ -1,7 +1,7 @@
 # Solutions for Advent of Code 2020, written in Emacs Lisp.
 #
 # For each day a new file is created as "solution-day$n.el".
-{ depot, ... }:
+{ depot, pkgs, ... }:

 let
  inherit (builtins) attrNames filter head listToAttrs match readDir;
@ -16,7 +16,7 @@ let
      deps = p: with p; [ dash s ht p.f ];
      src = ./. + ("/" + f);
  }) solutionFiles;
-in depot.third_party.symlinkJoin {
+in pkgs.symlinkJoin {
  name = "aoc2020";
  paths = solutions;
 }
--- a/users/tazjin/atom-feed/default.nix
+++ b/users/tazjin/atom-feed/default.nix
@ -1,13 +1,13 @@
 # This file defines functions for generating an Atom feed.

-{ depot, lib, ... }:
+{ depot, lib, pkgs, ... }:

 with depot.nix.yants;

 let
  inherit (builtins) map readFile replaceStrings;
  inherit (lib) concatStrings concatStringsSep removeSuffix;
-  inherit (depot.third_party) runCommandNoCC;
+  inherit (pkgs) runCommandNoCC;

  # 'link' describes a related link to a feed, or feed element.
  #
--- a/users/tazjin/blog/default.nix
+++ b/users/tazjin/blog/default.nix
@ -2,7 +2,7 @@
 # files in this repository.
 #
 # All blog posts are rendered from Markdown by cheddar.
-{ depot, lib, ... }@args:
+{ depot, lib, pkgs, ... }@args:

 with depot.nix.yants;

@ -36,7 +36,7 @@ let
  posts = list post (import ./posts.nix);
  fragments = import ./fragments.nix args;

-  rendered = depot.third_party.runCommandNoCC "tazjins-blog" {} ''
+  rendered = pkgs.runCommandNoCC "tazjins-blog" {} ''
    mkdir -p $out

    ${lib.concatStringsSep "\n" (map (post:
--- a/users/tazjin/blog/fragments.nix
+++ b/users/tazjin/blog/fragments.nix
@ -7,11 +7,11 @@
 #
 # The post index is generated by //users/tazjin/homepage, not by this
 # code.
-{ depot, lib, ... }:
+{ depot, lib, pkgs, ... }:

 let
  inherit (builtins) filter map hasAttr replaceStrings;
-  inherit (depot.third_party) runCommandNoCC writeText;
+  inherit (pkgs) runCommandNoCC writeText;
  inherit (depot.users.tazjin) renderMarkdown;

  # Generate a post list for all listed, non-draft posts.
--- a/users/tazjin/dt/default.nix
+++ b/users/tazjin/dt/default.nix
@ -1,13 +1,11 @@
 { depot, pkgs, ... }:

-let
-  stdenv = with pkgs; overrideCC clangStdenv clang_11;
-  abseil_cpp = pkgs.abseil_cpp;
+let stdenv = with pkgs; overrideCC clangStdenv clang_11;
 in stdenv.mkDerivation {
  name = "dt";
  src = ./.;
  nativeBuildInputs = [ pkgs.cmake ];
-  buildInputs = with pkgs; [
+  buildInputs = with depot.third_party; [
    abseil_cpp
    farmhash
  ];
--- a/users/tazjin/emacs/default.nix
+++ b/users/tazjin/emacs/default.nix
@ -10,12 +10,10 @@
 { depot, lib, pkgs, ... }:

 let
-  inherit (depot) third_party;
-
-  emacsWithPackages = (third_party.emacsPackagesGen third_party.emacs27).emacsWithPackages;
+  emacsWithPackages = (pkgs.emacsPackagesGen pkgs.emacs27).emacsWithPackages;

  # $PATH for binaries that need to be available to Emacs
-  emacsBinPath = lib.makeBinPath [ third_party.emacsPackages.telega ];
+  emacsBinPath = lib.makeBinPath [ pkgs.emacsPackages.telega ];

  identity = x: x;

@ -109,7 +107,7 @@ let
    depot.third_party.emacs.vterm
    depot.third_party.emacs.explain-pause-mode
  ]))));
-in lib.fix(self: l: f: third_party.writeShellScriptBin "tazjins-emacs" ''
+in lib.fix(self: l: f: pkgs.writeShellScriptBin "tazjins-emacs" ''
  export PATH="${emacsBinPath}:$PATH"
  exec ${tazjinsEmacs f}/bin/emacs \
    --debug-init \
@ -129,7 +127,7 @@ in lib.fix(self: l: f: third_party.writeShellScriptBin "tazjins-emacs" ''

    # Build a derivation that uses the specified local Emacs (i.e.
    # built outside of Nix) instead
-    withLocalEmacs = emacsBin: third_party.writeShellScriptBin "tazjins-emacs" ''
+    withLocalEmacs = emacsBin: pkgs.writeShellScriptBin "tazjins-emacs" ''
      export PATH="${emacsBinPath}:$PATH"
      export EMACSLOADPATH="${(tazjinsEmacs f).deps}/share/emacs/site-lisp:"
      exec ${emacsBin} \
--- a/users/tazjin/homepage/default.nix
+++ b/users/tazjin/homepage/default.nix
@ -5,14 +5,14 @@
 # elements for things such as blog posts and projects.
 #
 # Content for the blog is in //users/tazjin/blog instead of here.
-{ depot, lib, ... }@args:
+{ depot, lib, pkgs, ... }@args:

 with depot;
 with nix.yants;

 let
  inherit (builtins) readFile replaceStrings sort;
-  inherit (third_party) writeFile runCommandNoCC;
+  inherit (pkgs) writeFile runCommandNoCC;

  # The different types of entries on the homepage.
  entryClass = enum "entryClass" [ "blog" "project" "misc" ];
@ -58,7 +58,7 @@ let
    </a>
  '');

-  index = entries: third_party.writeText "index.html" (lib.concatStrings (
+  index = entries: pkgs.writeText "index.html" (lib.concatStrings (
    [ (builtins.readFile ./header.html) ]
    ++ (map entryToDiv (sort (a: b: a.date > b.date) entries))
    ++ [ (builtins.readFile ./footer.html) ]
--- a/users/tazjin/nixos/camden/default.nix
+++ b/users/tazjin/nixos/camden/default.nix
@ -2,7 +2,7 @@
 { depot, pkgs, lib, ... }:

 config: let
-  nixpkgs = import depot.third_party.nixpkgsSrc {
+  nixpkgs = import pkgs.path {
    config.allowUnfree = true;
  };

@ -85,7 +85,7 @@ in lib.fix(self: {

    nixPath = [
      "depot=/home/tazjin/depot"
-      "nixpkgs=${depot.third_party.nixpkgsSrc}"
+      "nixpkgs=${pkgs.path}"
    ];

    trustedUsers = [ "root" "tazjin" ];
@ -131,7 +131,6 @@ in lib.fix(self: {
    (with depot; [
      fun.idual.script
      fun.idual.setAlarm
-      third_party.pounce
    ]) ++

    # programs from nixpkgs
--- a/users/tazjin/nixos/frog/default.nix
+++ b/users/tazjin/nixos/frog/default.nix
@ -1,23 +1,20 @@
-{ depot, lib, ... }:
+{ depot, lib, pkgs, ... }:

 config: let
  inherit (depot.third_party) lieer;
-  nixpkgs = import depot.third_party.nixpkgsSrc {
-    config.allowUnfree = true;
-  };

  # add google-c-style here because other machines get it from, eh,
  # elsewhere.
  frogEmacs = (depot.users.tazjin.emacs.overrideEmacs(epkgs: epkgs ++ [
-    depot.third_party.emacsPackages.google-c-style
+    pkgs.emacsPackages.google-c-style
  ]));

-  quasselClient = depot.third_party.quassel.override {
+  quasselClient = pkgs.quassel.override {
    client = true;
    enableDaemon = false;
    monolithic = false;
  };
-in depot.lib.fix(self: {
+in lib.fix(self: {
  imports = [
    "${depot.depotPath}/ops/nixos/v4l2loopback.nix"
  ];
@ -37,7 +34,7 @@ in depot.lib.fix(self: {
      kernelModules = [ "dm-snapshot" ];
    };

-    kernelPackages = nixpkgs.linuxPackages_latest;
+    kernelPackages = pkgs.linuxPackages_latest;
    kernel.sysctl = {
      "kernel.perf_event_paranoid" = -1;
    };
@ -58,7 +55,7 @@ in depot.lib.fix(self: {

    pulseaudio = {
      enable = true;
-      package = nixpkgs.pulseaudioFull;
+      package = pkgs.pulseaudioFull;
    };

    bluetooth = {
@ -70,14 +67,14 @@ in depot.lib.fix(self: {
    maxJobs = 48;
    nixPath = [
      "depot=/depot"
-      "nixpkgs=${depot.third_party.nixpkgsSrc}"
+      "nixpkgs=${pkgs.path}"
    ];

    binaryCaches = ["ssh://nix-ssh@whitby.tvl.fyi"];
    binaryCachePublicKeys = ["cache.tvl.fyi:fd+9d1ceCPvDX/xVhcfv8nAa6njEhAGAEe+oGJDEeoc="];
  };

-  nixpkgs.pkgs = nixpkgs;
+  nixpkgs.pkgs = pkgs;

  networking = {
    hostName = "frog";
@ -95,7 +92,7 @@ in depot.lib.fix(self: {
  # Generate an immutable /etc/resolv.conf from the nameserver settings
  # above (otherwise DHCP overwrites it):
  environment.etc."resolv.conf" = with lib; {
-    source = depot.third_party.writeText "resolv.conf" ''
+    source = pkgs.writeText "resolv.conf" ''
      ${concatStringsSep "\n" (map (ns: "nameserver ${ns}") self.networking.nameservers)}
      options edns0
    '';
@ -114,7 +111,7 @@ in depot.lib.fix(self: {
    extraGroups = [ "wheel" "audio" "docker" ];
    isNormalUser = true;
    uid = 1000;
-    shell = nixpkgs.fish;
+    shell = pkgs.fish;
  };

  security.sudo = {
@ -123,7 +120,7 @@ in depot.lib.fix(self: {
  };

  fonts = {
-    fonts = with nixpkgs; [
+    fonts = with pkgs; [
      corefonts
      dejavu_fonts
      jetbrains-mono
@ -158,7 +155,7 @@ in depot.lib.fix(self: {
  # Required for Yubikey usage as smartcard
  services.pcscd.enable = true;
  services.udev.packages = [
-    nixpkgs.yubikey-personalization
+    pkgs.yubikey-personalization
  ];

  # Enable Docker for Nixery testing
@ -175,7 +172,7 @@ in depot.lib.fix(self: {
    videoDrivers = [ "amdgpu" ];
    displayManager = {
      # Give EXWM permission to control the session.
-      sessionCommands = "${nixpkgs.xorg.xhost}/bin/xhost +SI:localuser:$USER";
+      sessionCommands = "${pkgs.xorg.xhost}/bin/xhost +SI:localuser:$USER";

      lightdm.enable = true;
      lightdm.greeters.gtk.clock-format = "%H·%M"; # TODO(tazjin): TZ?
@ -224,15 +221,12 @@ in depot.lib.fix(self: {
      lieer
      ops.kontemplate
      quasselClient
-      third_party.ffmpeg
      third_party.git
-      third_party.lutris
-      third_party.rr
      tools.nsfv-setup
    ]) ++

    # programs from nixpkgs
-    (with nixpkgs; [
+    (with pkgs; [
      age
      bat
      chromium
@ -245,6 +239,7 @@ in depot.lib.fix(self: {
      emacs27 # mostly for emacsclient
      exa
      fd
+      ffmpeg-full
      file
      gdb
      gnupg
@ -259,6 +254,7 @@ in depot.lib.fix(self: {
      jq
      kubectl
      linuxPackages.perf
+      # lutris
      manpages
      miller
      msmtp
@ -276,6 +272,7 @@ in depot.lib.fix(self: {
      pmutils
      pwgen
      ripgrep
+      rr
      rustup
      screen
      scrot
--- a/users/tazjin/nixos/tverskoy/default.nix
+++ b/users/tazjin/nixos/tverskoy/default.nix
@ -1,17 +1,17 @@
-{ depot, lib, ... }:
+{ depot, lib, pkgs, ... }:

 config: let
  # add google-c-style here because other machines get it from, eh,
  # elsewhere.
  emacs = (depot.users.tazjin.emacs.overrideEmacs(epkgs: epkgs ++ [
-    depot.third_party.emacsPackages.google-c-style
+    pkgs.emacsPackages.google-c-style
  ]));

-  nixpkgs = import depot.third_party.nixpkgsSrc {
+  nixpkgs = import pkgs.path {
    config.allowUnfree = true;
  };

-  quasselClient = depot.third_party.quassel.override {
+  quasselClient = pkgs.quassel.override {
    client = true;
    enableDaemon = false;
    monolithic = false;
@ -33,8 +33,8 @@ in lib.fix(self: {

  nix = {
    nixPath = lib.mkForce [
-      "nixpkgs=${depot.third_party.nixpkgsSrc}"
-      "nixos=${depot.third_party.nixpkgsSrc}"
+      "nixpkgs=${pkgs.path}"
+      "nixos=${pkgs.path}"
      "depot=/depot"
    ];

--- a/users/tazjin/renderMarkdown.nix
+++ b/users/tazjin/renderMarkdown.nix
@ -1,9 +1,9 @@
 # Render a Markdown file to HTML.
-{ depot, ... }:
+{ depot, pkgs, ... }:

 with depot.nix.yants;

-defun [ path drv ] (file: depot.third_party.runCommandNoCC "${file}.rendered.html" {} ''
+defun [ path drv ] (file: pkgs.runCommandNoCC "${file}.rendered.html" {} ''
  cat ${file} | ${depot.tools.cheddar}/bin/cheddar --about-filter ${file} > $out
 '')

--- a/users/tazjin/rlox/default.nix
+++ b/users/tazjin/rlox/default.nix
@ -1,5 +1,5 @@
-{ pkgs, ... }:
+{ depot, ... }:

-pkgs.naersk.buildPackage {
+depot.third_party.naersk.buildPackage {
  src = ./.;
 }
--- a/web/cgit-taz/default.nix
+++ b/web/cgit-taz/default.nix
@ -1,11 +1,15 @@
 # This derivation configures a 'cgit' instance to serve repositories
 # from a different source.
-
-{ depot, ... }:
-
-with depot.third_party;
+{ depot, pkgs, ... }:

 let
+  inherit (pkgs)
+    mime-types
+    thttpd
+    writeShellScriptBin
+    writeText
+    ;
+
  sourceFilter = writeShellScriptBin "cheddar-about" ''
    exec ${depot.tools.cheddar}/bin/cheddar --about-filter $@
  '';
@ -33,7 +37,7 @@ let

  thttpdConfig = writeText "thttpd.conf" ''
    port=2448
-    dir=${cgit}/cgit
+    dir=${depot.third_party.cgit}/cgit
    nochroot
    novhost
    cgipat=**.cgi
--- a/web/converse/default.nix
+++ b/web/converse/default.nix
@ -1,6 +1,6 @@
-{ pkgs, ... }:
+{ depot, pkgs, ... }:

-pkgs.naersk.buildPackage {
+depot.third_party.naersk.buildPackage {
  src = ./.;
  buildInputs = with pkgs; [ openssl postgresql.lib ];
  nativeBuildInputs = [ pkgs.pkgconfig ];
--- a/web/todolist/default.nix
+++ b/web/todolist/default.nix
@ -2,12 +2,12 @@
 #
 # Only TODOs that match the form 'TODO($username)' are considered, and
 # only for users that are known to us.
-{ depot, lib, ... }:
+{ depot, lib, pkgs, ... }:

 with depot.nix.yants;

 let
-  inherit (depot.third_party)
+  inherit (pkgs)
    jq
    ripgrep
    runCommandNoCC
				`@ -1 +0,0 @@`
				`This subtree is responsible for setting up the read tree arguments in the first place.`