diff --git a/includes.container/usr/share/init.d/090-abroot-unlock-var.sh b/includes.container/usr/share/init.d/090-abroot-unlock-var.sh
new file mode 100644
index 0000000..b52302a
--- /dev/null
+++ b/includes.container/usr/share/init.d/090-abroot-unlock-var.sh
@@ -0,0 +1,65 @@
+#!/bin/bash
+
+log() {
+ local level="$1"
+ local message="$2"
+ echo "[abroot-unlock-var] ($level): $message"
+ echo "[abroot-unlock-var] ($level): $message" > /dev/kmsg
+}
+
+graphicalpwd() {
+ local varunlockcmd="$1"
+
+ plymouth --ping
+ if [[ "$?" -ne 0 ]]; then
+ /usr/sbin/plymouthd
+ fi
+
+ plymouth --show-splash
+
+ plymouth ask-for-password --prompt="Please enter passphrase to unlock your data." --command="$varunlockcmd" 2> /dev/kmsg
+ if [[ "$?" -ne 0 ]]; then
+ plymouth --quit
+ log "warning" "falling back to cli password entry"
+ clipwd
+ return
+ fi
+}
+
+clipwd() {
+ local varunlockcmd="$1"
+
+ $varunlockcmd
+}
+
+/lib/systemd/systemd-udevd --daemon
+
+deviceName=""
+
+if [ -L "/dev/disk/by-label/vos-var" ]; then
+ # var drive is not encrypted, just continue
+ exit 0
+else
+ if [ -L "/dev/mapper/vos--var-var" ]; then
+ # var is encrypted LV
+ deviceName="/dev/mapper/vos--var-var"
+ elif [ -L "/dev/disk/by-partlabel/vos-var" ]; then
+ # var is encrypted regular partition
+ deviceName="$( realpath '/dev/disk/by-partlabel/vos-var' )"
+ else
+ log "error" "could not find var drive"
+ exit 55
+ fi
+fi
+
+varunlockcmd="/usr/bin/abroot unlock-var --var-disk $deviceName"
+
+if command -v plymouth &> /dev/null ; then
+ log "info" "using plymouth password entry"
+ graphicalpwd "$varunlockcmd"
+ exit
+else
+ log "info" "using cli password entry"
+ clipwd "$varunlockcmd"
+ exit
+fi
diff --git a/includes.container/usr/share/init.d/100-abroot-mount-sys.sh b/includes.container/usr/share/init.d/100-abroot-mount-sys.sh
new file mode 100644
index 0000000..eb04c67
--- /dev/null
+++ b/includes.container/usr/share/init.d/100-abroot-mount-sys.sh
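Review bot: In `graphicalpwd` (090-abroot-unlock-var.sh) the fallback calls `clipwd` with no argument, so `clipwd`'s `local varunlockcmd="$1"` is empty and the unquoted `$varunlockcmd` expands to no command at all. That yields status 0, so when the plymouth prompt fails the script exits successfully without running `abroot unlock-var`, and /var stays locked while later init steps proceed; the call should be `clipwd "$varunlockcmd"`. The unlock command is also carried as a single string and word-split when executed, which breaks if the resolved device path ever contains whitespace; an argument array in `clipwd` would avoid that. Separately, the early `exit 0` treats the mere presence of a device labelled `vos-var` as proof that /var is unencrypted, and a label is not an authenticated property of the disk, so it is worth confirming how the volume is selected at mount time, which is not visible in this hunk.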
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+abroot mount-sys 2> /dev/kmsg
+if [[ "$?" -ne 0 ]]; then
+ exit 1
+fi
diff --git a/modules/150-init-executable.yml b/modules/150-init-executable.yml
index 3a03166..26bffab 100644
--- a/modules/150-init-executable.yml
+++ b/modules/150-init-executable.yml
@@ -4,5 +4,5 @@ commands:
 - rm /usr/sbin/init
 - mv /usr/sbin/init.new /usr/sbin/init
 - chmod +x /usr/sbin/init
- - chmod +x /usr/share/init.d/050-mount-tmp.sh
+ - chmod +x /usr/share/init.d/*
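Review bot: `abroot` is invoked by bare name in 100-abroot-mount-sys.sh, while 090-abroot-unlock-var.sh in the same commit uses `/usr/bin/abroot`; a root-run init script should not depend on whatever PATH the init process happens to provide, so the absolute path belongs here too. The `$?` test also replaces abroot's real exit status with 1 and reports nothing on failure. `/usr/bin/abroot mount-sys 2> /dev/kmsg || exit $?` keeps the status, and a line written to /dev/kmsg naming this script would make a failed boot easier to trace.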
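Review bot: `chmod +x /usr/share/init.d/*` marks every entry in that directory executable, not only the three scripts this commit knows about (050, 090, 100). If init runs whatever is executable there, which is not visible in this hunk, any file another module or package drops into the directory becomes a root boot-time script. Restricting the glob to the expected naming, `chmod +x /usr/share/init.d/*.sh`, or listing the scripts one by one keeps the executed set explicit and reviewable. The `commands:` list starts above the hunk.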