1 files changed, 18 insertions, 5 deletions

diff --git a/pkgs/os-specific/linux/cryptsetup/default.nix b/pkgs/os-specific/linux/cryptsetup/default.nix
index be819802394..9f324a2b73b 100644
--- a/pkgs/os-specific/linux/cryptsetup/default.nix
+++ b/pkgs/os-specific/linux/cryptsetup/default.nix
@@ -1,5 +1,9 @@
-{ lib, stdenv, fetchurl, lvm2, json_c
-, openssl, libuuid, pkg-config, popt }:
+{ lib, stdenv, fetchurl, fetchpatch, pkg-config
+, lvm2, json_c, openssl, libuuid, popt
+# Programs enabled by default upstream are implicitly enabled unless
+# manually set to false.
+, programs ? { cryptsetup-reencrypt = true; }
+}:
 
 stdenv.mkDerivation rec {
   pname = "cryptsetup";
@@ -13,8 +17,17 @@ stdenv.mkDerivation rec {
     sha256 = "sha256-/A35RRiBciZOxb8dC9oIJk+tyKP4VtR+upHzH+NUtQc=";
   };
 
-  # Disable 4 test cases that fail in a sandbox
-  patches = [ ./disable-failing-tests.patch ];
+  patches = [
+    # Disable 4 test cases that fail in a sandbox
+    ./disable-failing-tests.patch
+
+    # If the cryptsetup program is disabled, skip tests that require it.
+    # https://gitlab.com/cryptsetup/cryptsetup/-/merge_requests/267
+    (fetchpatch {
+      url = "https://gitlab.com/cryptsetup/cryptsetup/-/commit/42e7e4144ce4d0923b3dc4d860fc3b67ce29dbb9.patch";
+      sha256 = "19s0pw5055skjsanf90akppjzs7lbyl7ay09lsn8v65msw7jqr2s";
+    })
+  ];
 
   postPatch = ''
     patchShebangs tests
@@ -37,7 +50,7 @@ stdenv.mkDerivation rec {
     # support, because the path still gets included in the binary even
     # though it isn't used.
     "--with-luks2-external-tokens-path=/"
-  ];
+  ] ++ (with lib; mapAttrsToList (flip enableFeature)) programs;
 
   nativeBuildInputs = [ pkg-config ];
   buildInputs = [ lvm2 json_c openssl libuuid popt ];