refactor: Move nixpkgs attribute to third_party.nixpkgs

Please read b/108 to make sense of this. This gets rid of the explicit list of exposed packages from nixpkgs, and instead makes the entire package set available at `third_party.nixpkgs`. To accommodate this, a LOT of things have to be very slightly shuffled around. Some of this was done in already submitted CLs, but this change is unfortunately still quite noisy. Pay extra attention to: * overlay-like functionality that was partially moved to actual overlays (partially as in, the minimum required to get a green build) * modified uses of the package set path, esp. in NixOS systems Special notes: * xanthous has been disabled in CI because of issues with the Haskell overlay * //third_party/nix has been disabled because of other unclear dependency issues Both of these will be tackled in a followup CL. Change-Id: I2f9c60a4d275fdb5209264be0addfd7e06c53118 Reviewed-on: https://cl.tvl.fyi/c/depot/+/2910 Reviewed-by: glittershark <grfn@gws.fyi> Reviewed-by: sterni <sternenseemann@systemli.org> Tested-by: BuildkiteCI
2021-04-10 18:05:16 +02:00 · 2021-04-10 18:05:16 +02:00 · 473604f567
commit 473604f567
parent a83abc9024
46 changed files with 276 additions and 488 deletions
--- a/default.nix
+++ b/default.nix
@ -19,11 +19,11 @@ let
    inherit depot;
    # Expose lib attribute to packages.
-    inherit (depot) lib;
+    inherit (depot.third_party.nixpkgs) lib;
    # Pass third_party as 'pkgs' (for compatibility with external
    # imports for certain subdirectories)
-    pkgs = depot.third_party;
+    pkgs = depot.third_party.nixpkgs;
  };
  readTree' = import ./nix/readTree {};
@ -75,9 +75,6 @@ in fix(self: {
  __readTree = [];
  config = config self;
  # Elevate 'lib' from nixpkgs
  lib = import (self.third_party.nixpkgsSrc + "/lib");
  # Expose readTree for downstream repo consumers.
  readTree = {
    __functor = x: (readTree' x.config);
@ -97,6 +94,9 @@ in fix(self: {
    # generate pipelines because that also leads to infinite
    # recursion.
    ops = self.ops // { pipelines = null; };
    # remove nixpkgs from the set, for obvious reasons.
    third_party = self.third_party // { nixpkgs = null; };
  });
 }
--- a/fun/idual/default.nix
+++ b/fun/idual/default.nix
@ -1,7 +1,7 @@
-{ pkgs, lib, ... }:
+{ depot, pkgs, lib, ... }:
 let
-  inherit (pkgs) python python3 python3Packages;
+  inherit (pkgs) python3 python3Packages;
  opts = {
    pname   = "idualctl";
@ -9,12 +9,12 @@ let
    src     = ./.;
    propagatedBuildInputs = [
-      python.broadlink
+      depot.third_party.python.broadlink
    ];
  };
  package = python3Packages.buildPythonPackage opts;
  script  = python3Packages.buildPythonApplication opts;
-in {
+in depot.nix.utils.drvTargets {
  inherit script;
  python  = python3.withPackages (_: [ package ]);
  setAlarm = pkgs.writeShellScriptBin "set-alarm" ''
--- a/ops/nixos/default.nix
+++ b/ops/nixos/default.nix
@ -8,9 +8,7 @@
 # situation.
 { depot, lib, pkgs, ... }@args:
-let
+let inherit (lib) findFirst isAttrs;
  inherit (lib) findFirst isAttrs;
  nixos = import "${depot.third_party.nixpkgsSrc}/nixos";
 in rec {
  whitby = import ./whitby/default.nix args;
@ -25,7 +23,7 @@ in rec {
    };
  };
-  nixosFor = configuration: (nixos {
+  nixosFor = configuration: (depot.third_party.nixos {
    configuration = { ... }: {
      imports = [
        baseModule
--- a/ops/nixos/whitby/default.nix
+++ b/ops/nixos/whitby/default.nix
@ -1,10 +1,8 @@
-{ depot, lib, ... }:
+{ depot, lib, pkgs, ... }:
 let
  inherit (builtins) listToAttrs;
  inherit (lib) range;
  nixpkgs = import depot.third_party.nixpkgsSrc {};
 in lib.fix(self: {
  imports = [
    "${depot.depotPath}/ops/nixos/clbot.nix"
@ -27,7 +25,7 @@ in lib.fix(self: {
    "${depot.depotPath}/ops/nixos/www/todo.tvl.fyi.nix"
    "${depot.depotPath}/ops/nixos/www/tvl.fyi.nix"
    "${depot.depotPath}/ops/nixos/www/wigglydonke.rs.nix"
-    "${depot.third_party.nixpkgsSrc}/nixos/modules/services/web-apps/gerrit.nix"
+    "${pkgs.path}/nixos/modules/services/web-apps/gerrit.nix"
  ];
  hardware = {
@ -140,14 +138,14 @@ in lib.fix(self: {
  # Generate an immutable /etc/resolv.conf from the nameserver settings
  # above (otherwise DHCP overwrites it):
  environment.etc."resolv.conf" = with lib; {
-    source = depot.third_party.writeText "resolv.conf" ''
+    source = pkgs.writeText "resolv.conf" ''
      ${concatStringsSep "\n" (map (ns: "nameserver ${ns}") self.networking.nameservers)}
      options edns0
    '';
  };
  # Disable background git gc system-wide, as it has a tendency to break CI.
-  environment.etc."gitconfig".source = depot.third_party.writeText "gitconfig" ''
+  environment.etc."gitconfig".source = pkgs.writeText "gitconfig" ''
    [gc]
    autoDetach = false
  '';
@ -304,7 +302,7 @@ in lib.fix(self: {
    bindAddress = "localhost";
  };
-  environment.systemPackages = with nixpkgs; [
+  environment.systemPackages = with pkgs; [
    bb
    curl
    emacs-nox
@ -332,7 +330,7 @@ in lib.fix(self: {
  # Regularly back up whitby to Google Cloud Storage.
  systemd.services.restic = {
    description = "Backups to Google Cloud Storage";
-    script = "${nixpkgs.restic}/bin/restic backup /var/lib/gerrit /var/backup/postgresql";
+    script = "${pkgs.restic}/bin/restic backup /var/lib/gerrit /var/backup/postgresql";
    environment = {
      GOOGLE_PROJECT_ID = "tazjins-infrastructure";
@ -369,7 +367,7 @@ in lib.fix(self: {
    users.tazjin = {
      isNormalUser = true;
      extraGroups = [ "git" "wheel" ];
-      shell = nixpkgs.fish;
+      shell = pkgs.fish;
      openssh.authorizedKeys.keys = depot.users.tazjin.keys.all;
    };
--- a/third_party/default.nix
+++ b/third_party/default.nix
@ -1,73 +1,23 @@
-# This file controls the import of external dependencies (i.e.
+# This file defines the root of all external dependency imports (i.e.
-# third-party code) into my package tree.
+# third-party code) in the TVL package tree.
 #
-# This includes *all packages needed from nixpkgs*.
+# There are two categories of third-party programs:
-{ ... }:
+#
 # 1) Programs in nixpkgs, the NixOS package set. For these, you might
 #    want to look at //third_party/nixpkgs (for the package set
 #    imports) and //third_party/overlays (for modifications in these
 #    imported package sets).
 #
 # 2) Third-party software packaged in this repository. This is all
 #    other folders below //third_party, other than the ones mentioned
 #    above.
-let
+{ pkgs, ... }:
  # Tracking nixos-unstable as of 2021-03-25.
  nixpkgsCommit = "60dd94fb7e01a8288f6638eee71d7cb354c49327";
  nixpkgsSrc = fetchTarball {
    url = "https://github.com/NixOS/nixpkgs/archive/${nixpkgsCommit}.tar.gz";
    sha256 = "0skdwk9bdld295kzrymirs8xrzycqmhsclaz8s18jhcz75hb8sk3";
  };
  nixpkgs = import nixpkgsSrc {
    config.allowUnfree = true;
    config.allowBroken = true;
-    # Lutris depends on p7zip, which is considered insecure.
+{
-    config.permittedInsecurePackages = [
+  # Expose a partially applied NixOS, expecting an attribute set with
-      "p7zip-16.02"
+  # a `configuration` key. Exposing it like this makes it possible to
-    ];
+  # modify some of the base configuration used by NixOS. passed to
-  };
+  # this.
-
+  nixos = import "${pkgs.path}/nixos";
-  # Tracking nixos-20.09 as of 2021-03-25.
+}
  stableCommit = "223d0d733a66b46504ea6b4c15f88b7cc4db58fb";
  stableNixpkgsSrc = fetchTarball {
    url = "https://github.com/NixOS/nixpkgs/archive/${stableCommit}.tar.gz";
    sha256 = "073327ris0frqa3kpid3nsjr9w8yx2z83xpsc24w898mrs9r7d5v";
  };
  stableNixpkgs = import stableNixpkgsSrc {};
  exposed = import ./nixpkgs-exposed/exposed { inherit nixpkgs stableNixpkgs; };
 in exposed.lib.fix(self: exposed // {
  callPackage = nixpkgs.lib.callPackageWith self;
  # Provide the source code of nixpkgs, but do not provide an imported
  # version of it.
  inherit nixpkgsCommit nixpkgsSrc stableNixpkgsSrc;
  # Expose upstream attributes so they can be overridden in readTree nodes
  originals = {
    inherit (nixpkgs) gtest openldap go grpc notmuch rr;
    inherit (stableNixpkgs) git tdlib;
    ffmpeg = nixpkgs.ffmpeg-full;
    telega = stableNixpkgs.emacsPackages.telega;
  };
  # Use LLVM 11
  llvmPackages = nixpkgs.llvmPackages_11;
  clangStdenv = nixpkgs.llvmPackages_11.stdenv;
  stdenv = nixpkgs.llvmPackages_11.stdenv;
  clang-tools = (nixpkgs.clang-tools.override {
    llvmPackages = nixpkgs.llvmPackages_11;
  });
  # Provide Emacs 27
  #
  # The assert exists because the name of the attribute is unversioned
  # (which is different from previous versions).
  emacs27 = assert ((exposed.lib.versions.major nixpkgs.emacs.version) == "27");
    nixpkgs.emacs.overrideAttrs(old: {
      configureFlags = old.configureFlags ++ [ "--with-cairo" ];
    });
  emacs27-nox = assert ((exposed.lib.versions.major nixpkgs.emacs.version) == "27");
    nixpkgs.emacs-nox;
  # Make NixOS available
  nixos = import "${nixpkgsSrc}/nixos";
 })
--- a/third_party/ffmpeg/default.nix
+++ b/third_party/ffmpeg/default.nix
@ -1,12 +0,0 @@
 { pkgs, ... }:
 pkgs.originals.ffmpeg.overrideAttrs(old: {
  buildInputs = old.buildInputs ++ [
    pkgs.cudatoolkit.out
  ];
  configureFlags = old.configureFlags ++ [
    "--enable-libnpp"
    "--enable-nonfree"
  ];
 })
--- a/third_party/git/default.nix
+++ b/third_party/git/default.nix
@ -1,15 +1,13 @@
 # Use the upstream git derivation (there's a lot of stuff happening in
 # there!) and just override the source:
-{ depot, ... }:
+{ pkgs, ... }:
-with depot.third_party;
+(pkgs.git.overrideAttrs(_: {
 (originals.git.overrideAttrs(_: {
  version = "2.29.2";
  src = ./.;
  doInstallCheck = false;
  preConfigure = ''
-    ${autoconf}/bin/autoreconf -i
+    ${pkgs.autoconf}/bin/autoreconf -i
  '';
 })).override {
  sendEmailSupport = true;
--- a/third_party/grpc/default.nix
+++ b/third_party/grpc/default.nix
@ -1,7 +1,7 @@
-{ pkgs, ... }:
+{ depot, pkgs, ... }:
-(pkgs.originals.grpc.override {
+(pkgs.grpc.override {
-  protobuf = pkgs.protobuf;
+  protobuf = depot.third_party.protobuf;
  stdenv = pkgs.llvmPackages.libcxxStdenv;
 }).overrideAttrs(orig: rec {
  version = "1.30.0";
--- a/third_party/gtest/default.nix
+++ b/third_party/gtest/default.nix
@ -1,6 +1,6 @@
 { pkgs, ... }:
-(pkgs.originals.gtest.override {
+(pkgs.gtest.override {
  stdenv = pkgs.llvmPackages.libcxxStdenv;
 }).overrideAttrs(_: {
  src = pkgs.fetchFromGitHub {
--- a/third_party/nix/default.nix
+++ b/third_party/nix/default.nix
@ -1,5 +1,6 @@
 args@{
-  pkgs ? (import ../.. {}).third_party
+  depot ? (import ../.. {})
 , pkgs ? depot.third_party.nixpkgs
 , lib
 , buildType ? "release"
 , depotPath ? ../..
@ -43,10 +44,11 @@ let
  protoSrcs = pkgs.runCommand "nix-proto-srcs" {} ''
    export PROTO_SRCS=${./src/proto}
    mkdir -p $out/libproto
-    ${pkgs.protobuf}/bin/protoc -I=$PROTO_SRCS \
+    ${depot.third_party.protobuf}/bin/protoc -I=$PROTO_SRCS \
      --cpp_out=$out/libproto \
-      --plugin=protoc-gen-grpc=${pkgs.grpc}/bin/grpc_cpp_plugin --grpc_out=$out/libproto \
+      --plugin=protoc-gen-grpc=${depot.third_party.grpc}/bin/grpc_cpp_plugin \
-      $PROTO_SRCS/*.proto
+        --grpc_out=$out/libproto \
        $PROTO_SRCS/*.proto
  '';
  # Derivation for busybox that just has the `busybox` binary in bin/, not all
@ -73,7 +75,6 @@ in lib.fix (self: pkgs.llvmPackages.libcxxStdenv.mkDerivation {
 # TODO(tazjin): Some of these might only be required for native inputs
  buildInputs = with pkgs; [
    abseil_cpp
    aws-s3-cpp
    brotli
    bzip2
@ -81,16 +82,18 @@ in lib.fix (self: pkgs.llvmPackages.libcxxStdenv.mkDerivation {
    curl
    editline
    flex
    glog
    grpc
    libseccomp
    libsodium
    systemd.dev
    openssl
    protobuf
    sqlite
    xz
-  ];
+  ] ++ (with depot.third_party; [
    abseil_cpp
    glog
    grpc
    protobuf
  ]);
  doCheck = false;
  doInstallCheck = true;
@ -99,8 +102,8 @@ in lib.fix (self: pkgs.llvmPackages.libcxxStdenv.mkDerivation {
  dontStrip = true;
  installCheckInputs = with pkgs; [
    depot.third_party.gtest
    fd
    gtest
    rapidcheck
  ];
@ -185,6 +188,9 @@ in lib.fix (self: pkgs.llvmPackages.libcxxStdenv.mkDerivation {
  # TODO(tazjin): integration test setup?
  # TODO(tazjin): docs generation?
  # TODO(tazjin): Sort out after CL/2910 lands
  meta.ci = false;
  passthru = {
    build-shell = self.overrideAttrs (up: rec {
      run_clang_tidy = pkgs.writeShellScriptBin "run-clang-tidy" ''
--- a/third_party/nix/test-vm.nix
+++ b/third_party/nix/test-vm.nix
@ -1,10 +1,9 @@
 { depot, pkgs, ... }:
 let
  configuration = { ... }: {
    imports = [
-      "${pkgs.nixpkgsSrc}/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix"
+      "${pkgs.path}/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix"
    ];
    nix.package = depot.third_party.nix;
@ -16,6 +15,5 @@ let
    ];
  };
-  system = pkgs.nixos { inherit configuration; };
+  system = depot.third_party.nixos { inherit configuration; };
 in system.vm
--- a/third_party/nixpkgs-exposed/.skip-subtree
+++ b/third_party/nixpkgs-exposed/.skip-subtree
@ -1 +0,0 @@
 This subtree is responsible for setting up the read tree arguments in the first place.
--- a/third_party/nixpkgs-exposed/OWNERS
+++ b/third_party/nixpkgs-exposed/OWNERS
@ -1,8 +0,0 @@
 # The nixpkgs whitelist needs to be changed every time we reference
 # a new attribute, so every commiter should be able to change it,
 # otherwise we create undue blockers on superowners.
 inherited: true
 owners:
  - Profpatsch
  - sterni
  - glittershark
--- a/third_party/nixpkgs-exposed/exposed/default.nix
+++ b/third_party/nixpkgs-exposed/exposed/default.nix
@ -1,210 +0,0 @@
 # This file has to be in yet another subdir
 # because of how readTree interprets .skip-subtree
 # see https://b.tvl.fyi/issues/89
 { nixpkgs, stableNixpkgs }:
 {
  # Inherit the packages from nixos-unstable that should be available inside
  # of the repo. They become available under `pkgs.third_party.<name>`
  inherit (nixpkgs)
    age
    atk
    autoconf
    autoreconfHook
    avrdude
    avrlibc
    bashInteractive
    bat
    bc
    bind
    buildBazelPackage
    buildFHSUserEnv
    buildGoModule
    buildGoPackage
    buildPackages
    buildRustCrate
    buildkite-agent
    busybox
    bzip2
    c-ares
    cacert
    cachix
    cairo
    cargo
    cgit
    clang_11
    cmake
    coreutils
    cudatoolkit
    darwin
    dbus-glib
    dbus_libs
    dfu-programmer
    dfu-util
    diffutils
    docker-compose
    dockerTools
    emacs27
    emacs27-nox
    emacsPackages
    emacsPackagesGen
    execline
    fd
    fdtools
    fetchFromGitHub
    fetchFromGitLab
    fetchgit
    fetchurl
    fetchzip
    ffmpeg-full
    findutils
    fira
    fira-code
    fira-mono
    flamegraph
    fontconfig
    freetype
    gdk-pixbuf
    gettext
    glibc
    glib
    gtk3
    gmock
    gnused
    gnutar
    go
    google-cloud-sdk
    graphviz
    gzip
    haskell
    iana-etc
    imagemagickBig
    installShellFiles
    jdk
    jdk11
    jdk11_headless
    jetbrains-mono
    jq
    kontemplate
    lib
    libappindicator-gtk3
    libredirect
    libffi
    linuxPackages
    linuxPackages_5_11
    lr
    luajit
    lutris
    makeFontsConf
    makeWrapper
    mandoc
    mdbook
    meson
    mime-types
    minify
    mkShell
    moreutils
    nano
    ncurses
    nginx
    ninja
    nix
    ocamlPackages
    openssh
    openssl
    overrideCC
    pandoc
    pango
    parallel
    path
    pkgconfig
    pkgsCross
    plantuml
    postgresql
    pounce
    pulseaudio
    python3
    python3Packages
    quassel
    remarshal
    rink
    ripgrep
    rsync
    runCommand
    runCommandLocal
    runCommandNoCC
    rustPlatform
    rustc
    s6-portable-utils
    sbcl
    shellcheck
    sqlite
    stdenvNoCC
    stern
    substituteAll
    symlinkJoin
    systemd
    tdlib
    teensy-loader-cli
    terraform_0_12
    texlive
    thttpd
    tree
    tree-sitter
    unzip
    which
    writers
    writeShellScript
    writeShellScriptBin
    writeText
    xorg
    xz
    zlib
    zstd;
  # Inherit packages from the stable channel for things that are
  # broken on unstable
  inherit (stableNixpkgs)
    awscli # TODO(grfn): Move back to unstable once it is fixed
    ;
  # Required by //third_party/nix
  inherit (nixpkgs)
    aws-sdk-cpp
    bison
    boehmgc
    boost # urgh
    brotli
    busybox-sandbox-shell
    curl
    docbook5
    docbook_xsl_ns
    editline
    flex
    libseccomp
    libsodium
    libxml2
    libxslt
    mercurial
    perl
    perlPackages
    ;
  haskellPackages = (nixpkgs.haskellPackages.override {
    overrides = (import ../../overlays/haskell
    { /* empty readTree arg */ }
    { pkgs = nixpkgs; });
  });
  gradle_6 = (nixpkgs.gradleGen.override {
    java = nixpkgs.jdk11;
    jdk = nixpkgs.jdk11;
  }).gradleGen rec {
    name = "gradle-6.5.1";
    nativeVersion = "0.22-milestone-3";
    src = builtins.fetchurl {
      url = "https://services.gradle.org/distributions/${name}-bin.zip";
      sha256 = "0jmmipjh4fbsn92zpifa5cqg5ws2a4ha0s4jzqhrg4zs542x79sh";
    };
  };
 }
--- a/third_party/nixpkgs/default.nix
+++ b/third_party/nixpkgs/default.nix
@ -0,0 +1,56 @@
 # This file imports the pinned nixpkgs sets and applies relevant
 # modifications, such as our overlays.
 #
 # Note that the attribute exposed by this (third_party.nixpkgs) is
 # "special" in that the fixpoint used as readTree's config parameter
 # in //default.nix passes this attribute as the `pkgs` argument to all
 # readTree derivations.
 { depot, ... }:
 let
  # This provides the sources of nixpkgs. We track both
  # nixos-unstable, and the current stable channel of the latest NixOS
  # release.
  # Tracking nixos-unstable as of 2021-03-25.
  unstableHashes = {
    commit = "60dd94fb7e01a8288f6638eee71d7cb354c49327";
    sha256 = "0skdwk9bdld295kzrymirs8xrzycqmhsclaz8s18jhcz75hb8sk3";
  };
  # Tracking nixos-20.09 as of 2021-03-25.
  stableHashes = {
    commit = "223d0d733a66b46504ea6b4c15f88b7cc4db58fb";
    sha256 = "073327ris0frqa3kpid3nsjr9w8yx2z83xpsc24w898mrs9r7d5v";
  };
  nixpkgsSrc = fetchTarball {
    url = "https://github.com/NixOS/nixpkgs/archive/${unstableHashes.commit}.tar.gz";
    sha256 = unstableHashes.sha256;
  };
  stableNixpkgsSrc = fetchTarball {
    url = "https://github.com/NixOS/nixpkgs/archive/${stableHashes.commit}.tar.gz";
    sha256 = stableHashes.sha256;
  };
  # Stable package set is imported, but not exposed, to overlay
  # required packages into the unstable set.
  stableNixpkgs = import stableNixpkgsSrc {};
  # Overlay for packages that should come from the stable channel
  # instead (e.g. because something is broken in unstable).
  stableOverlay = self: super: {
    inherit (stableNixpkgs)
      awscli # TODO(grfn): Move back to unstable once it is fixed
      ;
  };
 in import nixpkgsSrc {
  config.allowUnfree = true;
  config.allowBroken = true;
  overlays = [
    stableOverlay
    depot.third_party.overlays.tvl
    depot.third_party.overlays.haskell
  ];
 }
--- a/third_party/notmuch/default.nix
+++ b/third_party/notmuch/default.nix
@ -1,6 +1,7 @@
 # Notmuch, but with support for https://dotti.me/
 { pkgs, ... }:
-pkgs.originals.notmuch.overrideAttrs(old: {
+pkgs.notmuch.overrideAttrs(old: {
  doCheck = false;
  patches = [ ./dottime.patch ] ++ (if old ? patches then old.patches else []);
 })
--- a/third_party/openldap/default.nix
+++ b/third_party/openldap/default.nix
@ -6,7 +6,7 @@
 # derivation to include this module.
 { pkgs, ... }:
-pkgs.originals.openldap.overrideAttrs(old: {
+pkgs.openldap.overrideAttrs(old: {
  buildInputs = old.buildInputs ++ [ pkgs.libsodium ];
  postBuild = ''
--- a/third_party/overlays/haskell/default.nix
+++ b/third_party/overlays/haskell/default.nix
@ -1,34 +1,41 @@
-# Defines overrides for Haskell packages, for example to avoid
+# Defines an overlay for overriding Haskell packages, for example to
-# breakage currently present in nixpkgs or to modify package versions.
+# avoid breakage currently present in nixpkgs or to modify package
 # versions.
 { ... }: # This file needs nothing from readTree
 { pkgs }: # ... but is called with a separate package set in the overlay
-self: super: with pkgs.haskell.lib; rec {
+self: super: # overlay parameters for the nixpkgs overlay
  generic-arbitrary = appendPatch
    super.generic-arbitrary
    [ ./patches/generic-arbitrary-export-garbitrary.patch ];
-  random = dontCheck (self.callHackageDirect {
+let
-    pkg = "random";
+  overrides = hsSelf: hsSuper: with super.haskell.lib; rec {
-    ver = "1.2.0";
+    generic-arbitrary = appendPatch hsSuper.generic-arbitrary
-    sha256 = "06s3mmqbsfwv09j2s45qnd66nrxfp9280gnl9ng8yh128pfr7bjh";
+      [ ./patches/generic-arbitrary-export-garbitrary.patch ];
  } {});
-  # random <1.2
+    # random = dontCheck (hsSuper.callHackageDirect {
-  test-framework = doJailbreak super.test-framework;
+    #   pkg = "random";
-  hashable = doJailbreak super.hashable;
+    #   ver = "1.2.0";
-  test-framework-quickcheck2 = doJailbreak super.test-framework-quickcheck2;
+    #   sha256 = "06s3mmqbsfwv09j2s45qnd66nrxfp9280gnl9ng8yh128pfr7bjh";
    # } {});
-  # can be removed if we have the following PR or equivalent
+    # random <1.2
-  # https://github.com/NixOS/nixpkgs/pull/116931
+    test-framework = doJailbreak hsSuper.test-framework;
-  hedgehog-classes = overrideCabal super.hedgehog-classes (attrs: {
+    hashable = doJailbreak hsSuper.hashable;
-    # remove version bound on semirings which is inside a
+    test-framework-quickcheck2 = doJailbreak hsSuper.test-framework-quickcheck2;
    # conditional, so doJailbreak doesn't work
    prePatch = ''
      sed -i 's|semirings.*0.6|semirings|g' hedgehog-classes.cabal
    '';
  });
-  hgeometry-combinatorial = dontCheck super.hgeometry-combinatorial;
+    # can be removed if we have the following PR or equivalent
    # https://github.com/NixOS/nixpkgs/pull/116931
    hedgehog-classes = overrideCabal hsSuper.hedgehog-classes (attrs: {
      # remove version bound on semirings which is inside a
      # conditional, so doJailbreak doesn't work
      prePatch = ''
        sed -i 's|semirings.*0.6|semirings|g' hedgehog-classes.cabal
      '';
    });
    hgeometry-combinatorial = dontCheck hsSuper.hgeometry-combinatorial;
  };
 in {
  haskellPackages = super.haskellPackages.override {
    inherit overrides;
  };
 }
--- a/third_party/overlays/tvl.nix
+++ b/third_party/overlays/tvl.nix
@ -0,0 +1,27 @@
 # This overlay is used to make TVL-specific modifications in the
 # nixpkgs tree, where required.
 { ... }:
 self: super: {
  # Required for apereo-cas
  # TODO(lukegb): Document why?
  gradle_6 = (super.gradleGen.override {
    java = self.jdk11;
    jdk = self.jdk11;
  }).gradleGen rec {
    name = "gradle-6.5.1";
    nativeVersion = "0.22-milestone-3";
    src = builtins.fetchurl {
      url = "https://services.gradle.org/distributions/${name}-bin.zip";
      sha256 = "0jmmipjh4fbsn92zpifa5cqg5ws2a4ha0s4jzqhrg4zs542x79sh";
    };
  };
  # Use LLVM 11
  llvmPackages = self.llvmPackages_11;
  clangStdenv = self.llvmPackages_11.stdenv;
  clang-tools = (super.clang-tools.override {
    llvmPackages = self.llvmPackages_11;
  });
 }
--- a/third_party/protobuf/default.nix
+++ b/third_party/protobuf/default.nix
@ -1,7 +1,7 @@
 # Pin protobuf to version 3.12, with LLVM.
 { depot, pkgs, ... }:
-pkgs.callPackage "${depot.third_party.nixpkgsSrc}/pkgs/development/libraries/protobuf/generic-v3.nix" {
+pkgs.callPackage "${pkgs.path}/pkgs/development/libraries/protobuf/generic-v3.nix" {
  version = "3.12.2";
  sha256 = "1lp368aa206vpic9fmax4k6llnmf28plfvkkm4vqhgphmjqykvl2";
  stdenv = pkgs.llvmPackages.libcxxStdenv;
--- a/third_party/rr/default.nix
+++ b/third_party/rr/default.nix
@ -1,16 +0,0 @@
 { pkgs, ... }:
 pkgs.originals.rr.overrideAttrs(_: {
  src = pkgs.fetchFromGitHub {
    owner = "mozilla";
    repo = "rr";
    rev = "8fc7d2a09a739fee1883d262501e88613165c1dd";
    sha256 = "0avq5lv082z2sasggfn2awnfrh08cr8f0i9iw1dnrcxa6pc3bi9k";
    fetchSubmodules = false;
  };
  # Workaround as documented on https://github.com/mozilla/rr/wiki/Zen
  postInstall = ''
    cp $src/scripts/zen_workaround.py $out/bin/rr_zen_workaround
  '';
 })
--- a/users/Profpatsch/writers/tests/default.nix
+++ b/users/Profpatsch/writers/tests/default.nix
@ -1,4 +1,4 @@
-{ depot, ... }:
+{ depot, pkgs, ... }:
 let
  inherit (depot.users.Profpatsch.writers)
@ -9,7 +9,7 @@ let
    rustSimpleBin
    ;
-  inherit (depot.third_party)
+  inherit (pkgs)
    coreutils
    ;
--- a/users/glittershark/achilles/default.nix
+++ b/users/glittershark/achilles/default.nix
@ -1,6 +1,6 @@
-{ pkgs, ... }:
+{ depot, pkgs, ... }:
-pkgs.naersk.buildPackage {
+depot.third_party.naersk.buildPackage {
  src = ./.;
  buildInputs = with pkgs; [
--- a/users/glittershark/owothia/default.nix
+++ b/users/glittershark/owothia/default.nix
@ -1,4 +1,6 @@
-{ pkgs ? (import ../../../. {}).third_party, ... }:
+{ depot ? (import ../../../. {})
 , pkgs ? depot.third_party.nixpkgs
 , ... }:
 pkgs.haskellPackages.callCabal2nix "owothia"
-  (pkgs.gitignoreSource ./.) { }
+  (depot.third_party.gitignoreSource ./.) { }
--- a/users/glittershark/pkgs/fprintd/default.nix
+++ b/users/glittershark/pkgs/fprintd/default.nix
@ -1,9 +1,11 @@
-args @ { pkgs, ... }:
+{ depot, pkgs, ... }:
 let
-  nixpkgs = import pkgs.nixpkgsSrc {
+  nixpkgs = import pkgs.path {
    config.allowUnfree = true;
    overlays = [(self: super: {
      # TODO(grfn): Can we not override this here? It bootstraps
      # rustc, builds firefox, and many other things.
      gcc = super.gcc9;
    })];
  };
--- a/users/glittershark/system/home/default.nix
+++ b/users/glittershark/system/home/default.nix
@ -3,15 +3,13 @@
 with lib;
 rec {
-  nixpkgs = import pkgs.nixpkgsSrc {};
+  home = confPath: (import "${pkgs.home-manager.src}/modules" {
-
+    inherit pkgs;
  home = confPath: (import "${nixpkgs.home-manager.src}/modules" {
    pkgs = nixpkgs;
    configuration = { config, lib, ... }: {
      imports = [confPath];
      _module.args.pkgs = mkForce
-        (import pkgs.nixpkgsSrc (filterAttrs (n: v: v != null) config.nixpkgs));
+        (import pkgs.path (filterAttrs (n: v: v != null) config.nixpkgs));
      lib.depot = depot;
    };
--- a/users/glittershark/system/home/modules/development.nix
+++ b/users/glittershark/system/home/modules/development.nix
@ -54,7 +54,7 @@ with lib;
    gdb
    lldb
    hyperfine
-    config.lib.depot.third_party.clang-tools
+    clang-tools
    clj2nix
    clojure
--- a/users/glittershark/system/system/default.nix
+++ b/users/glittershark/system/system/default.nix
@ -1,19 +1,15 @@
 args @ { depot, pkgs, ... }:
 let
  nixpkgs = import pkgs.nixpkgsSrc {};
 in
 rec {
  chupacabra = import ./machines/chupacabra.nix;
-  chupacabraSystem = (pkgs.nixos {
+  chupacabraSystem = (depot.third_party.nixos {
    configuration = chupacabra;
  }).system;
  mugwump = import ./machines/mugwump.nix;
-  mugwumpSystem = (pkgs.nixos {
+  mugwumpSystem = (depot.third_party.nixos {
    configuration = mugwump;
  }).system;
@ -22,14 +18,14 @@ rec {
  roswellSystem = (depot.ops.nixos.nixosFor ({ ... }: {
    imports = [
      ./machines/roswell.nix
-      "${nixpkgs.home-manager.src}/nixos"
+      "${pkgs.home-manager.src}/nixos"
    ];
    home-manager.users.grfn = { config, lib, ... }: {
      imports = [ ../home/machines/roswell.nix ];
      lib.depot = depot;
      _module.args.pkgs = lib.mkForce
-        (import pkgs.nixpkgsSrc
+        (import pkgs.path
          (lib.filterAttrs (n: v: v != null) config.nixpkgs));
    };
  })).system;
@ -60,7 +56,7 @@ rec {
          system=$(nix-build -E '(import ${depotPath} {}).users.glittershark.system.system.${hostname}' --no-out-link)
          ;;
      '';
-    in depot.third_party.writeShellScriptBin "rebuilder" ''
+    in pkgs.writeShellScriptBin "rebuilder" ''
      set -ue
      if [[ $EUID -ne 0 ]]; then
        echo "Oh no! Only root is allowed to rebuild the system!" >&2
--- a/users/glittershark/system/system/iso.nix
+++ b/users/glittershark/system/system/iso.nix
@ -1,17 +1,17 @@
-{ pkgs, ... }:
+{ depot, lib, pkgs, ... }:
 let
  configuration = { ... }: {
    imports = [
-      "${pkgs.nixpkgsSrc}/nixos/modules/installer/cd-dvd/installation-cd-minimal-new-kernel.nix"
+      "${pkgs.path}/nixos/modules/installer/cd-dvd/installation-cd-minimal-new-kernel.nix"
-      "${pkgs.nixpkgsSrc}/nixos/modules/installer/cd-dvd/channel.nix"
+      "${pkgs.path}/nixos/modules/installer/cd-dvd/channel.nix"
    ];
    networking.networkmanager.enable = true;
    networking.useDHCP = false;
    networking.firewall.enable = false;
-    networking.wireless.enable = pkgs.lib.mkForce false;
+    networking.wireless.enable = lib.mkForce false;
  };
-in (pkgs.nixos {
+in (depot.third_party.nixos {
  inherit configuration;
 }).config.system.build.isoImage
--- a/users/glittershark/xanthous/default.nix
+++ b/users/glittershark/xanthous/default.nix
@ -4,4 +4,6 @@
 }:
 pkgs.haskell.lib.failOnAllWarnings (
  pkgs.haskellPackages.callPackage (import ./pkg.nix { inherit pkgs; }) {}
-)
+) // {
  meta.ci = false;
 }
--- a/users/glittershark/xanthous/pkg.nix
+++ b/users/glittershark/xanthous/pkg.nix
@ -1,10 +1,10 @@
-{ pkgs ? (import ../../../. {}).third_party }:
+{ depot ? (import ../../../. {})
 , pkgs ? depot.third_party.nixpkgs
 , ... }:
 let
-  ignore = pkgs.gitignoreSource.gitignoreFilter ./.;
+  ignore = depot.third_party.gitignoreSource.gitignoreFilter ./.;
-in
+in import (pkgs.haskellPackages.haskellSrc2nix {
 import (pkgs.haskellPackages.haskellSrc2nix {
  name = "xanthous";
  src = builtins.path {
    name = "xanthous-source";
--- a/users/tazjin/aoc2020/default.nix
+++ b/users/tazjin/aoc2020/default.nix
@ -1,7 +1,7 @@
 # Solutions for Advent of Code 2020, written in Emacs Lisp.
 #
 # For each day a new file is created as "solution-day$n.el".
-{ depot, ... }:
+{ depot, pkgs, ... }:
 let
  inherit (builtins) attrNames filter head listToAttrs match readDir;
@ -16,7 +16,7 @@ let
      deps = p: with p; [ dash s ht p.f ];
      src = ./. + ("/" + f);
  }) solutionFiles;
-in depot.third_party.symlinkJoin {
+in pkgs.symlinkJoin {
  name = "aoc2020";
  paths = solutions;
 }
--- a/users/tazjin/atom-feed/default.nix
+++ b/users/tazjin/atom-feed/default.nix
@ -1,13 +1,13 @@
 # This file defines functions for generating an Atom feed.
-{ depot, lib, ... }:
+{ depot, lib, pkgs, ... }:
 with depot.nix.yants;
 let
  inherit (builtins) map readFile replaceStrings;
  inherit (lib) concatStrings concatStringsSep removeSuffix;
-  inherit (depot.third_party) runCommandNoCC;
+  inherit (pkgs) runCommandNoCC;
  # 'link' describes a related link to a feed, or feed element.
  #
--- a/users/tazjin/blog/default.nix
+++ b/users/tazjin/blog/default.nix
@ -2,7 +2,7 @@
 # files in this repository.
 #
 # All blog posts are rendered from Markdown by cheddar.
-{ depot, lib, ... }@args:
+{ depot, lib, pkgs, ... }@args:
 with depot.nix.yants;
@ -36,7 +36,7 @@ let
  posts = list post (import ./posts.nix);
  fragments = import ./fragments.nix args;
-  rendered = depot.third_party.runCommandNoCC "tazjins-blog" {} ''
+  rendered = pkgs.runCommandNoCC "tazjins-blog" {} ''
    mkdir -p $out
    ${lib.concatStringsSep "\n" (map (post:
--- a/users/tazjin/blog/fragments.nix
+++ b/users/tazjin/blog/fragments.nix
@ -7,11 +7,11 @@
 #
 # The post index is generated by //users/tazjin/homepage, not by this
 # code.
-{ depot, lib, ... }:
+{ depot, lib, pkgs, ... }:
 let
  inherit (builtins) filter map hasAttr replaceStrings;
-  inherit (depot.third_party) runCommandNoCC writeText;
+  inherit (pkgs) runCommandNoCC writeText;
  inherit (depot.users.tazjin) renderMarkdown;
  # Generate a post list for all listed, non-draft posts.
--- a/users/tazjin/dt/default.nix
+++ b/users/tazjin/dt/default.nix
@ -1,13 +1,11 @@
 { depot, pkgs, ... }:
-let
+let stdenv = with pkgs; overrideCC clangStdenv clang_11;
  stdenv = with pkgs; overrideCC clangStdenv clang_11;
  abseil_cpp = pkgs.abseil_cpp;
 in stdenv.mkDerivation {
  name = "dt";
  src = ./.;
  nativeBuildInputs = [ pkgs.cmake ];
-  buildInputs = with pkgs; [
+  buildInputs = with depot.third_party; [
    abseil_cpp
    farmhash
  ];
--- a/users/tazjin/emacs/default.nix
+++ b/users/tazjin/emacs/default.nix
@ -10,12 +10,10 @@
 { depot, lib, pkgs, ... }:
 let
-  inherit (depot) third_party;
+  emacsWithPackages = (pkgs.emacsPackagesGen pkgs.emacs27).emacsWithPackages;
  emacsWithPackages = (third_party.emacsPackagesGen third_party.emacs27).emacsWithPackages;
  # $PATH for binaries that need to be available to Emacs
-  emacsBinPath = lib.makeBinPath [ third_party.emacsPackages.telega ];
+  emacsBinPath = lib.makeBinPath [ pkgs.emacsPackages.telega ];
  identity = x: x;
@ -109,7 +107,7 @@ let
    depot.third_party.emacs.vterm
    depot.third_party.emacs.explain-pause-mode
  ]))));
-in lib.fix(self: l: f: third_party.writeShellScriptBin "tazjins-emacs" ''
+in lib.fix(self: l: f: pkgs.writeShellScriptBin "tazjins-emacs" ''
  export PATH="${emacsBinPath}:$PATH"
  exec ${tazjinsEmacs f}/bin/emacs \
    --debug-init \
@ -129,7 +127,7 @@ in lib.fix(self: l: f: third_party.writeShellScriptBin "tazjins-emacs" ''
    # Build a derivation that uses the specified local Emacs (i.e.
    # built outside of Nix) instead
-    withLocalEmacs = emacsBin: third_party.writeShellScriptBin "tazjins-emacs" ''
+    withLocalEmacs = emacsBin: pkgs.writeShellScriptBin "tazjins-emacs" ''
      export PATH="${emacsBinPath}:$PATH"
      export EMACSLOADPATH="${(tazjinsEmacs f).deps}/share/emacs/site-lisp:"
      exec ${emacsBin} \
--- a/users/tazjin/homepage/default.nix
+++ b/users/tazjin/homepage/default.nix
@ -5,14 +5,14 @@
 # elements for things such as blog posts and projects.
 #
 # Content for the blog is in //users/tazjin/blog instead of here.
-{ depot, lib, ... }@args:
+{ depot, lib, pkgs, ... }@args:
 with depot;
 with nix.yants;
 let
  inherit (builtins) readFile replaceStrings sort;
-  inherit (third_party) writeFile runCommandNoCC;
+  inherit (pkgs) writeFile runCommandNoCC;
  # The different types of entries on the homepage.
  entryClass = enum "entryClass" [ "blog" "project" "misc" ];
@ -58,7 +58,7 @@ let
    </a>
  '');
-  index = entries: third_party.writeText "index.html" (lib.concatStrings (
+  index = entries: pkgs.writeText "index.html" (lib.concatStrings (
    [ (builtins.readFile ./header.html) ]
    ++ (map entryToDiv (sort (a: b: a.date > b.date) entries))
    ++ [ (builtins.readFile ./footer.html) ]
--- a/users/tazjin/nixos/camden/default.nix
+++ b/users/tazjin/nixos/camden/default.nix
@ -2,7 +2,7 @@
 { depot, pkgs, lib, ... }:
 config: let
-  nixpkgs = import depot.third_party.nixpkgsSrc {
+  nixpkgs = import pkgs.path {
    config.allowUnfree = true;
  };
@ -85,7 +85,7 @@ in lib.fix(self: {
    nixPath = [
      "depot=/home/tazjin/depot"
-      "nixpkgs=${depot.third_party.nixpkgsSrc}"
+      "nixpkgs=${pkgs.path}"
    ];
    trustedUsers = [ "root" "tazjin" ];
@ -131,7 +131,6 @@ in lib.fix(self: {
    (with depot; [
      fun.idual.script
      fun.idual.setAlarm
      third_party.pounce
    ]) ++
    # programs from nixpkgs
--- a/users/tazjin/nixos/frog/default.nix
+++ b/users/tazjin/nixos/frog/default.nix
@ -1,23 +1,20 @@
-{ depot, lib, ... }:
+{ depot, lib, pkgs, ... }:
 config: let
  inherit (depot.third_party) lieer;
  nixpkgs = import depot.third_party.nixpkgsSrc {
    config.allowUnfree = true;
  };
  # add google-c-style here because other machines get it from, eh,
  # elsewhere.
  frogEmacs = (depot.users.tazjin.emacs.overrideEmacs(epkgs: epkgs ++ [
-    depot.third_party.emacsPackages.google-c-style
+    pkgs.emacsPackages.google-c-style
  ]));
-  quasselClient = depot.third_party.quassel.override {
+  quasselClient = pkgs.quassel.override {
    client = true;
    enableDaemon = false;
    monolithic = false;
  };
-in depot.lib.fix(self: {
+in lib.fix(self: {
  imports = [
    "${depot.depotPath}/ops/nixos/v4l2loopback.nix"
  ];
@ -37,7 +34,7 @@ in depot.lib.fix(self: {
      kernelModules = [ "dm-snapshot" ];
    };
-    kernelPackages = nixpkgs.linuxPackages_latest;
+    kernelPackages = pkgs.linuxPackages_latest;
    kernel.sysctl = {
      "kernel.perf_event_paranoid" = -1;
    };
@ -58,7 +55,7 @@ in depot.lib.fix(self: {
    pulseaudio = {
      enable = true;
-      package = nixpkgs.pulseaudioFull;
+      package = pkgs.pulseaudioFull;
    };
    bluetooth = {
@ -70,14 +67,14 @@ in depot.lib.fix(self: {
    maxJobs = 48;
    nixPath = [
      "depot=/depot"
-      "nixpkgs=${depot.third_party.nixpkgsSrc}"
+      "nixpkgs=${pkgs.path}"
    ];
    binaryCaches = ["ssh://nix-ssh@whitby.tvl.fyi"];
    binaryCachePublicKeys = ["cache.tvl.fyi:fd+9d1ceCPvDX/xVhcfv8nAa6njEhAGAEe+oGJDEeoc="];
  };
-  nixpkgs.pkgs = nixpkgs;
+  nixpkgs.pkgs = pkgs;
  networking = {
    hostName = "frog";
@ -95,7 +92,7 @@ in depot.lib.fix(self: {
  # Generate an immutable /etc/resolv.conf from the nameserver settings
  # above (otherwise DHCP overwrites it):
  environment.etc."resolv.conf" = with lib; {
-    source = depot.third_party.writeText "resolv.conf" ''
+    source = pkgs.writeText "resolv.conf" ''
      ${concatStringsSep "\n" (map (ns: "nameserver ${ns}") self.networking.nameservers)}
      options edns0
    '';
@ -114,7 +111,7 @@ in depot.lib.fix(self: {
    extraGroups = [ "wheel" "audio" "docker" ];
    isNormalUser = true;
    uid = 1000;
-    shell = nixpkgs.fish;
+    shell = pkgs.fish;
  };
  security.sudo = {
@ -123,7 +120,7 @@ in depot.lib.fix(self: {
  };
  fonts = {
-    fonts = with nixpkgs; [
+    fonts = with pkgs; [
      corefonts
      dejavu_fonts
      jetbrains-mono
@ -158,7 +155,7 @@ in depot.lib.fix(self: {
  # Required for Yubikey usage as smartcard
  services.pcscd.enable = true;
  services.udev.packages = [
-    nixpkgs.yubikey-personalization
+    pkgs.yubikey-personalization
  ];
  # Enable Docker for Nixery testing
@ -175,7 +172,7 @@ in depot.lib.fix(self: {
    videoDrivers = [ "amdgpu" ];
    displayManager = {
      # Give EXWM permission to control the session.
-      sessionCommands = "${nixpkgs.xorg.xhost}/bin/xhost +SI:localuser:$USER";
+      sessionCommands = "${pkgs.xorg.xhost}/bin/xhost +SI:localuser:$USER";
      lightdm.enable = true;
      lightdm.greeters.gtk.clock-format = "%H·%M"; # TODO(tazjin): TZ?
@ -224,15 +221,12 @@ in depot.lib.fix(self: {
      lieer
      ops.kontemplate
      quasselClient
      third_party.ffmpeg
      third_party.git
      third_party.lutris
      third_party.rr
      tools.nsfv-setup
    ]) ++
    # programs from nixpkgs
-    (with nixpkgs; [
+    (with pkgs; [
      age
      bat
      chromium
@ -245,6 +239,7 @@ in depot.lib.fix(self: {
      emacs27 # mostly for emacsclient
      exa
      fd
      ffmpeg-full
      file
      gdb
      gnupg
@ -259,6 +254,7 @@ in depot.lib.fix(self: {
      jq
      kubectl
      linuxPackages.perf
      # lutris
      manpages
      miller
      msmtp
@ -276,6 +272,7 @@ in depot.lib.fix(self: {
      pmutils
      pwgen
      ripgrep
      rr
      rustup
      screen
      scrot
--- a/users/tazjin/nixos/tverskoy/default.nix
+++ b/users/tazjin/nixos/tverskoy/default.nix
@ -1,17 +1,17 @@
-{ depot, lib, ... }:
+{ depot, lib, pkgs, ... }:
 config: let
  # add google-c-style here because other machines get it from, eh,
  # elsewhere.
  emacs = (depot.users.tazjin.emacs.overrideEmacs(epkgs: epkgs ++ [
-    depot.third_party.emacsPackages.google-c-style
+    pkgs.emacsPackages.google-c-style
  ]));
-  nixpkgs = import depot.third_party.nixpkgsSrc {
+  nixpkgs = import pkgs.path {
    config.allowUnfree = true;
  };
-  quasselClient = depot.third_party.quassel.override {
+  quasselClient = pkgs.quassel.override {
    client = true;
    enableDaemon = false;
    monolithic = false;
@ -33,8 +33,8 @@ in lib.fix(self: {
  nix = {
    nixPath = lib.mkForce [
-      "nixpkgs=${depot.third_party.nixpkgsSrc}"
+      "nixpkgs=${pkgs.path}"
-      "nixos=${depot.third_party.nixpkgsSrc}"
+      "nixos=${pkgs.path}"
      "depot=/depot"
    ];
--- a/users/tazjin/renderMarkdown.nix
+++ b/users/tazjin/renderMarkdown.nix
@ -1,9 +1,9 @@
 # Render a Markdown file to HTML.
-{ depot, ... }:
+{ depot, pkgs, ... }:
 with depot.nix.yants;
-defun [ path drv ] (file: depot.third_party.runCommandNoCC "${file}.rendered.html" {} ''
+defun [ path drv ] (file: pkgs.runCommandNoCC "${file}.rendered.html" {} ''
  cat ${file} | ${depot.tools.cheddar}/bin/cheddar --about-filter ${file} > $out
 '')
--- a/users/tazjin/rlox/default.nix
+++ b/users/tazjin/rlox/default.nix
@ -1,5 +1,5 @@
-{ pkgs, ... }:
+{ depot, ... }:
-pkgs.naersk.buildPackage {
+depot.third_party.naersk.buildPackage {
  src = ./.;
 }
--- a/web/cgit-taz/default.nix
+++ b/web/cgit-taz/default.nix
@ -1,11 +1,15 @@
 # This derivation configures a 'cgit' instance to serve repositories
 # from a different source.
-
+{ depot, pkgs, ... }:
 { depot, ... }:
 with depot.third_party;
 let
  inherit (pkgs)
    mime-types
    thttpd
    writeShellScriptBin
    writeText
    ;
  sourceFilter = writeShellScriptBin "cheddar-about" ''
    exec ${depot.tools.cheddar}/bin/cheddar --about-filter $@
  '';
@ -33,7 +37,7 @@ let
  thttpdConfig = writeText "thttpd.conf" ''
    port=2448
-    dir=${cgit}/cgit
+    dir=${depot.third_party.cgit}/cgit
    nochroot
    novhost
    cgipat=**.cgi
--- a/web/converse/default.nix
+++ b/web/converse/default.nix
@ -1,6 +1,6 @@
-{ pkgs, ... }:
+{ depot, pkgs, ... }:
-pkgs.naersk.buildPackage {
+depot.third_party.naersk.buildPackage {
  src = ./.;
  buildInputs = with pkgs; [ openssl postgresql.lib ];
  nativeBuildInputs = [ pkgs.pkgconfig ];
--- a/web/todolist/default.nix
+++ b/web/todolist/default.nix
@ -2,12 +2,12 @@
 #
 # Only TODOs that match the form 'TODO($username)' are considered, and
 # only for users that are known to us.
-{ depot, lib, ... }:
+{ depot, lib, pkgs, ... }:
 with depot.nix.yants;
 let
-  inherit (depot.third_party)
+  inherit (pkgs)
    jq
    ripgrep
    runCommandNoCC
		`@ -1 +0,0 @@`
			`This subtree is responsible for setting up the read tree arguments in the first place.`