feat(third_party): separate nixpkgs whitelist to allow more owners

The exposed package list has to be changed/amended quite frequently,
every time somebody wants to use a package not yet in that list and
thus has to whitelist it here.

This effectively requires a superowner review every single time, which
is an unreasonable blocker for many CLs.

I thus propose moving the list into a separate file (I called it
`nixpkgs-whitelist.nix` which is more descriptive than `exposed.nix`
and letting anybody add themselves to the OWNERS on that file.

Change-Id: Ied8bac066e4b9a91ddd642db805fe33dc37872c9
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2323
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>

third_party/OWNERS

@@ -0,0 +1,9 @@
+inherited: true
+
+matchers:
+  # The nixpkgs whitelist needs to be changed every time we reference
+  # a new attribute, so every commiter should be able to change it,
+  # otherwise we create undue blockers on superowners.
+  - exact: nixpkgs-exposed.nix
+    owners:
+      - Profpatsch

third_party/default.nix

@@ -29,184 +29,7 @@ let
   };
   stableNixpkgs = import stableNixpkgsSrc {};
 
-  exposed = {
-    # Inherit the packages from nixos-unstable that should be available inside
-    # of the repo. They become available under `pkgs.third_party.<name>`
-    inherit (nixpkgs)
-      age
-      autoconf
-      autoreconfHook
-      avrdude
-      avrlibc
-      bashInteractive
-      bat
-      buildBazelPackage
-      buildFHSUserEnv
-      buildGoModule
-      buildGoPackage
-      buildPackages
-      buildkite-agent
-      busybox
-      bzip2
-      c-ares
-      cacert
-      cachix
-      cairo
-      cargo
-      cgit
-      clang_11
-      cmake
-      coreutils
-      cudatoolkit
-      darwin
-      dfu-programmer
-      dfu-util
-      diffutils
-      docker-compose
-      dockerTools
-      emacs26
-      emacs26-nox
-      emacsPackages
-      emacsPackagesGen
-      execline
-      fd
-      fetchFromGitHub
-      fetchgit
-      fetchurl
-      fetchzip
-      fira
-      fira-code
-      fira-mono
-      flamegraph
-      fontconfig
-      freetype
-      gettext
-      glibc
-      gmock
-      gnutar
-      google-cloud-sdk
-      graphviz
-      gzip
-      haskell
-      iana-etc
-      imagemagickBig
-      installShellFiles
-      jdk
-      jdk11
-      jdk11_headless
-      jetbrains-mono
-      jq
-      kontemplate
-      lib
-      libredirect
-      linuxPackages
-      luajit
-      lutris
-      makeFontsConf
-      makeWrapper
-      mdbook
-      meson
-      mime-types
-      mkShell
-      moreutils
-      nano
-      nginx
-      ninja
-      nix
-      openssh
-      openssl
-      overrideCC
-      pandoc
-      parallel
-      pkgconfig
-      pkgsCross
-      postgresql
-      pounce
-      pulseaudio
-      python3
-      python3Packages
-      quassel
-      remarshal
-      rink
-      ripgrep
-      rsync
-      runCommand
-      runCommandLocal
-      runCommandNoCC
-      rustPlatform
-      rustc
-      buildRustCrate
-      s6-portable-utils
-      sbcl
-      shellcheck
-      sqlite
-      stdenvNoCC
-      stern
-      symlinkJoin
-      systemd
-      tdlib
-      teensy-loader-cli
-      terraform_0_12
-      texlive
-      thttpd
-      tree
-      tree-sitter
-      unzip
-      which
-      writeShellScript
-      writeShellScriptBin
-      writeText
-      writers
-      xorg
-      xz
-      zlib
-      zstd;
-
-    # Inherit packages from the stable channel for things that are
-    # broken on unstable
-    inherit (stableNixpkgs)
-      awscli # TODO(grfn): Move back to unstable once it is fixed
-      ;
-
-    # Required by //third_party/nix
-    inherit (nixpkgs)
-      aws-sdk-cpp
-      bison
-      boehmgc
-      boost # urgh
-      brotli
-      busybox-sandbox-shell
-      curl
-      docbook5
-      docbook_xsl_ns
-      editline
-      flex
-      libseccomp
-      libsodium
-      libxml2
-      libxslt
-      mercurial
-      perl
-      perlPackages
-      utillinuxMinimal;
-
-    haskellPackages = (nixpkgs.haskellPackages.override {
-      overrides = (import ./haskell_overlay { pkgs = nixpkgs; });
-    });
-
-    gradle_6 = (nixpkgs.gradleGen.override {
-      java = nixpkgs.jdk11;
-      jdk = nixpkgs.jdk11;
-    }).gradleGen rec {
-      name = "gradle-6.5.1";
-      nativeVersion = "0.22-milestone-3";
-
-      src = builtins.fetchurl {
-        url = "https://services.gradle.org/distributions/${name}-bin.zip";
-        sha256 = "0jmmipjh4fbsn92zpifa5cqg5ws2a4ha0s4jzqhrg4zs542x79sh";
-      };
-    };
-  };
+  exposed = import ./nixpkgs-exposed.nix { inherit nixpkgs stableNixpkgs; };
 
 in exposed.lib.fix(self: exposed // {
   callPackage = nixpkgs.lib.callPackageWith self;

third_party/nixpkgs-exposed.nix

@@ -0,0 +1,179 @@
+{ nixpkgs, stableNixpkgs }:
+{
+  # Inherit the packages from nixos-unstable that should be available inside
+  # of the repo. They become available under `pkgs.third_party.<name>`
+  inherit (nixpkgs)
+    age
+    autoconf
+    autoreconfHook
+    avrdude
+    avrlibc
+    bashInteractive
+    bat
+    buildBazelPackage
+    buildFHSUserEnv
+    buildGoModule
+    buildGoPackage
+    buildPackages
+    buildRustCrate
+    buildkite-agent
+    busybox
+    bzip2
+    c-ares
+    cacert
+    cachix
+    cairo
+    cargo
+    cgit
+    clang_11
+    cmake
+    coreutils
+    cudatoolkit
+    darwin
+    dfu-programmer
+    dfu-util
+    diffutils
+    docker-compose
+    dockerTools
+    emacs26
+    emacs26-nox
+    emacsPackages
+    emacsPackagesGen
+    execline
+    fd
+    fetchFromGitHub
+    fetchgit
+    fetchurl
+    fetchzip
+    fira
+    fira-code
+    fira-mono
+    flamegraph
+    fontconfig
+    freetype
+    gettext
+    glibc
+    gmock
+    gnutar
+    google-cloud-sdk
+    graphviz
+    gzip
+    haskell
+    iana-etc
+    imagemagickBig
+    installShellFiles
+    jdk
+    jdk11
+    jdk11_headless
+    jetbrains-mono
+    jq
+    kontemplate
+    lib
+    libredirect
+    linuxPackages
+    luajit
+    lutris
+    makeFontsConf
+    makeWrapper
+    mdbook
+    meson
+    mime-types
+    mkShell
+    moreutils
+    nano
+    nginx
+    ninja
+    nix
+    openssh
+    openssl
+    overrideCC
+    pandoc
+    parallel
+    pkgconfig
+    pkgsCross
+    postgresql
+    pounce
+    pulseaudio
+    python3
+    python3Packages
+    quassel
+    remarshal
+    rink
+    ripgrep
+    rsync
+    runCommand
+    runCommandLocal
+    runCommandNoCC
+    rustPlatform
+    rustc
+    s6-portable-utils
+    sbcl
+    shellcheck
+    sqlite
+    stdenvNoCC
+    stern
+    symlinkJoin
+    systemd
+    tdlib
+    teensy-loader-cli
+    terraform_0_12
+    texlive
+    thttpd
+    tree
+    tree-sitter
+    unzip
+    which
+    writers
+    writeShellScript
+    writeShellScriptBin
+    writeText
+    xorg
+    xz
+    zlib
+    zstd;
+
+  # Inherit packages from the stable channel for things that are
+  # broken on unstable
+  inherit (stableNixpkgs)
+    awscli # TODO(grfn): Move back to unstable once it is fixed
+    ;
+
+  # Required by //third_party/nix
+  inherit (nixpkgs)
+    aws-sdk-cpp
+    bison
+    boehmgc
+    boost # urgh
+    brotli
+    busybox-sandbox-shell
+    curl
+    docbook5
+    docbook_xsl_ns
+    editline
+    flex
+    libseccomp
+    libsodium
+    libxml2
+    libxslt
+    mercurial
+    perl
+    perlPackages
+    utillinuxMinimal;
+
+  haskellPackages = (nixpkgs.haskellPackages.override {
+    overrides = (import ./haskell_overlay { pkgs = nixpkgs; });
+  });
+
+  gradle_6 = (nixpkgs.gradleGen.override {
+    java = nixpkgs.jdk11;
+    jdk = nixpkgs.jdk11;
+  }).gradleGen rec {
+    name = "gradle-6.5.1";
+    nativeVersion = "0.22-milestone-3";
+
+    src = builtins.fetchurl {
+      url = "https://services.gradle.org/distributions/${name}-bin.zip";
+      sha256 = "0jmmipjh4fbsn92zpifa5cqg5ws2a4ha0s4jzqhrg4zs542x79sh";
+    };
+  };
+}