cryptsetup: separate binaries from libraries

This reduces closure sizes by making the libraries not depend on the
binaries, which is good for static builds, and (when statically
linked) making the binaries not depend on the libraries, which is good
for static builds.

When static building, we additionally have to disable loading LUKS
plugins from $lib to avoid a reference, which probably wouldn't have
worked anyway.

1 files changed, 7 insertions, 1 deletions

diff --git a/pkgs/os-specific/linux/cryptsetup/default.nix b/pkgs/os-specific/linux/cryptsetup/default.nix
index a9bd508d16e..be819802394 100644
--- a/pkgs/os-specific/linux/cryptsetup/default.nix
+++ b/pkgs/os-specific/linux/cryptsetup/default.nix
@@ -5,7 +5,7 @@ stdenv.mkDerivation rec {
   pname = "cryptsetup";
   version = "2.4.3";
 
-  outputs = [ "out" "dev" "man" ];
+  outputs = [ "bin" "out" "dev" "man" ];
   separateDebugInfo = true;
 
   src = fetchurl {
@@ -31,6 +31,12 @@ stdenv.mkDerivation rec {
     "--enable-cryptsetup-reencrypt"
     "--with-crypto_backend=openssl"
     "--disable-ssh-token"
+  ] ++ lib.optionals stdenv.hostPlatform.isStatic [
+    "--disable-external-tokens"
+    # We have to override this even though we're removing token
+    # support, because the path still gets included in the binary even
+    # though it isn't used.
+    "--with-luks2-external-tokens-path=/"
   ];
 
   nativeBuildInputs = [ pkg-config ];