refactor: Move nixpkgs attribute to third_party.nixpkgs

Please read b/108 to make sense of this.

This gets rid of the explicit list of exposed packages from nixpkgs,
and instead makes the entire package set available at
`third_party.nixpkgs`.

To accommodate this, a LOT of things have to be very slightly shuffled
around. Some of this was done in already submitted CLs, but this
change is unfortunately still quite noisy.

Pay extra attention to:

* overlay-like functionality that was partially moved to actual
  overlays (partially as in, the minimum required to get a green
  build)

* modified uses of the package set path, esp. in NixOS systems

Special notes:

* xanthous has been disabled in CI because of issues with the Haskell
  overlay
* //third_party/nix has been disabled because of other unclear
  dependency issues

Both of these will be tackled in a followup CL.

Change-Id: I2f9c60a4d275fdb5209264be0addfd7e06c53118
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2910
Reviewed-by: glittershark <grfn@gws.fyi>
Reviewed-by: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI

ops/nixos/default.nix

@@ -8,9 +8,7 @@
 # situation.
 { depot, lib, pkgs, ... }@args:
 
-let
-  inherit (lib) findFirst isAttrs;
-  nixos = import "${depot.third_party.nixpkgsSrc}/nixos";
+let inherit (lib) findFirst isAttrs;
 in rec {
   whitby = import ./whitby/default.nix args;
 
@@ -25,7 +23,7 @@ in rec {
     };
   };
 
-  nixosFor = configuration: (nixos {
+  nixosFor = configuration: (depot.third_party.nixos {
     configuration = { ... }: {
       imports = [
         baseModule

ops/nixos/whitby/default.nix

@@ -1,10 +1,8 @@
-{ depot, lib, ... }:
+{ depot, lib, pkgs, ... }:
 
 let
   inherit (builtins) listToAttrs;
   inherit (lib) range;
-
-  nixpkgs = import depot.third_party.nixpkgsSrc {};
 in lib.fix(self: {
   imports = [
     "${depot.depotPath}/ops/nixos/clbot.nix"
@@ -27,7 +25,7 @@ in lib.fix(self: {
     "${depot.depotPath}/ops/nixos/www/todo.tvl.fyi.nix"
     "${depot.depotPath}/ops/nixos/www/tvl.fyi.nix"
     "${depot.depotPath}/ops/nixos/www/wigglydonke.rs.nix"
-    "${depot.third_party.nixpkgsSrc}/nixos/modules/services/web-apps/gerrit.nix"
+    "${pkgs.path}/nixos/modules/services/web-apps/gerrit.nix"
   ];
 
   hardware = {
@@ -140,14 +138,14 @@ in lib.fix(self: {
   # Generate an immutable /etc/resolv.conf from the nameserver settings
   # above (otherwise DHCP overwrites it):
   environment.etc."resolv.conf" = with lib; {
-    source = depot.third_party.writeText "resolv.conf" ''
+    source = pkgs.writeText "resolv.conf" ''
       ${concatStringsSep "\n" (map (ns: "nameserver ${ns}") self.networking.nameservers)}
       options edns0
     '';
   };
 
   # Disable background git gc system-wide, as it has a tendency to break CI.
-  environment.etc."gitconfig".source = depot.third_party.writeText "gitconfig" ''
+  environment.etc."gitconfig".source = pkgs.writeText "gitconfig" ''
     [gc]
     autoDetach = false
   '';
@@ -304,7 +302,7 @@ in lib.fix(self: {
     bindAddress = "localhost";
   };
 
-  environment.systemPackages = with nixpkgs; [
+  environment.systemPackages = with pkgs; [
     bb
     curl
     emacs-nox
@@ -332,7 +330,7 @@ in lib.fix(self: {
   # Regularly back up whitby to Google Cloud Storage.
   systemd.services.restic = {
     description = "Backups to Google Cloud Storage";
-    script = "${nixpkgs.restic}/bin/restic backup /var/lib/gerrit /var/backup/postgresql";
+    script = "${pkgs.restic}/bin/restic backup /var/lib/gerrit /var/backup/postgresql";
 
     environment = {
       GOOGLE_PROJECT_ID = "tazjins-infrastructure";
@@ -369,7 +367,7 @@ in lib.fix(self: {
     users.tazjin = {
       isNormalUser = true;
       extraGroups = [ "git" "wheel" ];
-      shell = nixpkgs.fish;
+      shell = pkgs.fish;
       openssh.authorizedKeys.keys = depot.users.tazjin.keys.all;
     };