feat(third_party): separate nixpkgs whitelist to allow more owners

The exposed package list has to be changed/amended quite frequently,
every time somebody wants to use a package not yet in that list and
thus has to whitelist it here.

This effectively requires a superowner review every single time, which
is an unreasonable blocker for many CLs.

I thus propose moving the list into a separate file (I called it
`nixpkgs-whitelist.nix` which is more descriptive than `exposed.nix`
and letting anybody add themselves to the OWNERS on that file.

Change-Id: Ied8bac066e4b9a91ddd642db805fe33dc37872c9
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2323
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>

third_party/nixpkgs-exposed.nix

@@ -0,0 +1,179 @@
+{ nixpkgs, stableNixpkgs }:
+{
+  # Inherit the packages from nixos-unstable that should be available inside
+  # of the repo. They become available under `pkgs.third_party.<name>`
+  inherit (nixpkgs)
+    age
+    autoconf
+    autoreconfHook
+    avrdude
+    avrlibc
+    bashInteractive
+    bat
+    buildBazelPackage
+    buildFHSUserEnv
+    buildGoModule
+    buildGoPackage
+    buildPackages
+    buildRustCrate
+    buildkite-agent
+    busybox
+    bzip2
+    c-ares
+    cacert
+    cachix
+    cairo
+    cargo
+    cgit
+    clang_11
+    cmake
+    coreutils
+    cudatoolkit
+    darwin
+    dfu-programmer
+    dfu-util
+    diffutils
+    docker-compose
+    dockerTools
+    emacs26
+    emacs26-nox
+    emacsPackages
+    emacsPackagesGen
+    execline
+    fd
+    fetchFromGitHub
+    fetchgit
+    fetchurl
+    fetchzip
+    fira
+    fira-code
+    fira-mono
+    flamegraph
+    fontconfig
+    freetype
+    gettext
+    glibc
+    gmock
+    gnutar
+    google-cloud-sdk
+    graphviz
+    gzip
+    haskell
+    iana-etc
+    imagemagickBig
+    installShellFiles
+    jdk
+    jdk11
+    jdk11_headless
+    jetbrains-mono
+    jq
+    kontemplate
+    lib
+    libredirect
+    linuxPackages
+    luajit
+    lutris
+    makeFontsConf
+    makeWrapper
+    mdbook
+    meson
+    mime-types
+    mkShell
+    moreutils
+    nano
+    nginx
+    ninja
+    nix
+    openssh
+    openssl
+    overrideCC
+    pandoc
+    parallel
+    pkgconfig
+    pkgsCross
+    postgresql
+    pounce
+    pulseaudio
+    python3
+    python3Packages
+    quassel
+    remarshal
+    rink
+    ripgrep
+    rsync
+    runCommand
+    runCommandLocal
+    runCommandNoCC
+    rustPlatform
+    rustc
+    s6-portable-utils
+    sbcl
+    shellcheck
+    sqlite
+    stdenvNoCC
+    stern
+    symlinkJoin
+    systemd
+    tdlib
+    teensy-loader-cli
+    terraform_0_12
+    texlive
+    thttpd
+    tree
+    tree-sitter
+    unzip
+    which
+    writers
+    writeShellScript
+    writeShellScriptBin
+    writeText
+    xorg
+    xz
+    zlib
+    zstd;
+
+  # Inherit packages from the stable channel for things that are
+  # broken on unstable
+  inherit (stableNixpkgs)
+    awscli # TODO(grfn): Move back to unstable once it is fixed
+    ;
+
+  # Required by //third_party/nix
+  inherit (nixpkgs)
+    aws-sdk-cpp
+    bison
+    boehmgc
+    boost # urgh
+    brotli
+    busybox-sandbox-shell
+    curl
+    docbook5
+    docbook_xsl_ns
+    editline
+    flex
+    libseccomp
+    libsodium
+    libxml2
+    libxslt
+    mercurial
+    perl
+    perlPackages
+    utillinuxMinimal;
+
+  haskellPackages = (nixpkgs.haskellPackages.override {
+    overrides = (import ./haskell_overlay { pkgs = nixpkgs; });
+  });
+
+  gradle_6 = (nixpkgs.gradleGen.override {
+    java = nixpkgs.jdk11;
+    jdk = nixpkgs.jdk11;
+  }).gradleGen rec {
+    name = "gradle-6.5.1";
+    nativeVersion = "0.22-milestone-3";
+
+    src = builtins.fetchurl {
+      url = "https://services.gradle.org/distributions/${name}-bin.zip";
+      sha256 = "0jmmipjh4fbsn92zpifa5cqg5ws2a4ha0s4jzqhrg4zs542x79sh";
+    };
+  };
+}