467cb89145
* //3p/nixpkgs: allow insecure qtwebkit, since a package in grfn's home depends on it. Reasoning for marking qtwebkit as insecure is given here: https://blogs.gnome.org/mcatanzaro/2022/11/04/stop-using-qtwebkit/ * //3p/gerrit: update nondeterministic bazel output hash Change-Id: Ie652905969bf43abb457f6af211f771cff093dce Reviewed-on: https://cl.tvl.fyi/c/depot/+/7353 Tested-by: BuildkiteCI Reviewed-by: tazjin <tazjin@tvl.su>
89 lines
3 KiB
Nix
89 lines
3 KiB
Nix
# This file imports the pinned nixpkgs sets and applies relevant
|
|
# modifications, such as our overlays.
|
|
#
|
|
# The actual source pinning happens via niv in //third_party/sources
|
|
#
|
|
# Note that the attribute exposed by this (third_party.nixpkgs) is
|
|
# "special" in that the fixpoint used as readTree's config parameter
|
|
# in //default.nix passes this attribute as the `pkgs` argument to all
|
|
# readTree derivations.
|
|
|
|
{ depot ? { }
|
|
, externalArgs ? { }
|
|
, depotOverlays ? true
|
|
, localSystem ? builtins.currentSystem
|
|
, ...
|
|
}:
|
|
|
|
let
|
|
# Arguments passed to both the stable nixpkgs and the main, unstable one.
|
|
# Includes everything but overlays which are only passed to unstable nixpkgs.
|
|
commonNixpkgsArgs = {
|
|
# allow users to inject their config into builds (e.g. to test CA derivations)
|
|
config =
|
|
(if externalArgs ? nixpkgsConfig then externalArgs.nixpkgsConfig else { })
|
|
// {
|
|
allowUnfree = true;
|
|
allowBroken = true;
|
|
# Forbids our meta.ci attribute
|
|
# https://github.com/NixOS/nixpkgs/pull/191171#issuecomment-1260650771
|
|
checkMeta = false;
|
|
# TODO(grfn): Currently needed for subsurface, set globally to avoid
|
|
# reimporting nixpkgs in home-manager
|
|
permittedInsecurePackages = [
|
|
"qtwebkit-5.212.0-alpha4"
|
|
];
|
|
};
|
|
|
|
inherit localSystem;
|
|
};
|
|
|
|
# import the nixos-unstable package set, or optionally use the
|
|
# source (e.g. a path) specified by the `nixpkgsBisectPath`
|
|
# argument. This is intended for use-cases where the depot is
|
|
# bisected against nixpkgs to find the root cause of an issue in a
|
|
# channel bump.
|
|
nixpkgsSrc = externalArgs.nixpkgsBisectPath or depot.third_party.sources.nixpkgs;
|
|
|
|
# Stable package set is imported, but not exposed, to overlay
|
|
# required packages into the unstable set.
|
|
stableNixpkgs = import depot.third_party.sources.nixpkgs-stable commonNixpkgsArgs;
|
|
|
|
# Overlay for packages that should come from the stable channel
|
|
# instead (e.g. because something is broken in unstable).
|
|
# Use `stableNixpkgs` from above.
|
|
stableOverlay = _unstableSelf: _unstableSuper: {
|
|
inherit (stableNixpkgs)
|
|
# bat syntaxes changed with syntect 5.0, but cheddar is still on 4.x
|
|
# TODO(tazjin): upgrade cheddar to syntect 5.0
|
|
bat
|
|
|
|
# ntfy does not build on unstable as of 2022-08-02
|
|
ntfy
|
|
|
|
# binaryen does not build on unstable as of 2022-08-22
|
|
binaryen
|
|
;
|
|
};
|
|
|
|
# Overlay to expose the nixpkgs commits we are using to other Nix code.
|
|
commitsOverlay = _: _: {
|
|
nixpkgsCommits = {
|
|
unstable = depot.third_party.sources.nixpkgs.rev;
|
|
stable = depot.third_party.sources.nixpkgs-stable.rev;
|
|
};
|
|
};
|
|
in
|
|
import nixpkgsSrc (commonNixpkgsArgs // {
|
|
overlays = [
|
|
commitsOverlay
|
|
stableOverlay
|
|
] ++ (if depotOverlays then [
|
|
depot.third_party.overlays.haskell
|
|
depot.third_party.overlays.emacs
|
|
depot.third_party.overlays.tvl
|
|
depot.third_party.overlays.ecl-static
|
|
depot.third_party.overlays.dhall
|
|
(import depot.third_party.sources.rust-overlay)
|
|
] else [ ]);
|
|
})
|