=== modified file 'Makefile'
--- Makefile 2025-06-27 20:06:35 +0000
+++ Makefile 2026-05-01 23:11:34 +0000
@@ -520,6 +520,7 @@
 --target-directory=$(DRACUTMODULE) \
 dracut-module/module-setup.sh \
 dracut-module/cmdline-mandos.sh \
+ dracut-module/cmdline-mandos-systemd.sh \
 dracut-module/password-agent
 install --mode=u=rw,go=r plugin-runner.conf $(CONFDIR)
 install --directory $(MANDIR)/man8
@@ -596,6 +597,7 @@
 $(DRACUTMODULE)/ask-password-mandos.service \
 $(DRACUTMODULE)/module-setup.sh \
 $(DRACUTMODULE)/cmdline-mandos.sh \
+ $(DRACUTMODULE)/cmdline-mandos-systemd.sh \
 $(DRACUTMODULE)/password-agent \
 $(MANDIR)/man8/mandos-keygen.8.gz \
 $(MANDIR)/man8/plugin-runner.8mandos.gz \
=== modified file 'debian/mandos-client.lintian-overrides'
--- debian/mandos-client.lintian-overrides 2024-09-16 21:01:52 +0000
+++ debian/mandos-client.lintian-overrides 2026-05-01 23:11:34 +0000
@@ -41,6 +41,7 @@
 # initial RAM disk image by the dracut/90mandos/module-setup.sh
 # script.
 mandos-client binary: executable-in-usr-lib [usr/lib/dracut/modules.d/90mandos/cmdline-mandos.sh]
+mandos-client binary: executable-in-usr-lib [usr/lib/dracut/modules.d/90mandos/cmdline-mandos-systemd.sh]
 mandos-client binary: executable-in-usr-lib [usr/lib/dracut/modules.d/90mandos/password-agent]
 
 # The directory /etc/mandos/plugins.d can be used by local system
=== modified file 'dracut-module/ask-password-mandos.service'
--- dracut-module/ask-password-mandos.service 2025-06-27 19:49:05 +0000
+++ dracut-module/ask-password-mandos.service 2026-05-01 23:11:34 +0000
@@ -48,7 +48,7 @@
 ConditionPathIsMountPoint=!/sysroot
 
 [Service]
-ExecStart=/lib/mandos/password-agent $PASSWORD_AGENT_OPTIONS -- /lib/mandos/mandos-client --pubkey=/etc/mandos/keys/pubkey.txt --seckey=/etc/mandos/keys/seckey.txt --tls-pubkey=/etc/mandos/keys/tls-pubkey.pem --tls-privkey=/etc/mandos/keys/tls-privkey.pem $MANDOS_CLIENT_OPTIONS
+ExecStart=/lib/mandos/password-agent $PASSWORD_AGENT_OPTIONS -- /lib/mandos/mandos-client --pubkey=/etc/mandos/keys/pubkey.txt --seckey=/etc/mandos/keys/seckey.txt --tls-pubkey=/etc/mandos/keys/tls-pubkey.pem --tls-privkey=/etc/mandos/keys/tls-privkey.pem $MANDOS_CLIENT_OPTIONS $MANDOS_CLIENT_CONNECT
 #
 # Please keep the above line intact, exactly as it is! To add extra
 # options to mandos-client, instead create an override file (e.g. with
=== added file 'dracut-module/cmdline-mandos-systemd.sh'
--- dracut-module/cmdline-mandos-systemd.sh 1970-01-01 00:00:00 +0000
+++ dracut-module/cmdline-mandos-systemd.sh 2026-05-01 23:11:34 +0000
@@ -0,0 +1,34 @@
+#!/bin/sh
+#
+# This file should be present in the root file system directory
+# /usr/lib/dracut/modules.d/90mandos. When dracut creates the
+# initramfs image, dracut will run the "module-setup.sh" file in the
+# same directory, which (when using the "systemd" dracut module) will
+# copy this file ("cmdline-mandos-systemd.sh") into the initramfs as
+# "/lib/dracut/hooks/cmdline/20-cmdline-mandos-systemd.sh".
+#
+# Despite the above #!/bin/sh line and the executable flag, this file
+# is not executed; this file is sourced by the /init script in the
+# initramfs image created by dracut.
+
+type getarg > /dev/null 2>&1 || . /lib/dracut-lib.sh
+
+if getargbool 1 mandos && [ -e /lib/dracut-crypt-lib.sh ]; then
+ if mandos=$(getarg mandos); then
+ case "$mandos" in
+ connect:*) mandos_connect="${mandos#connect:}" ;;
+ esac
+ if [ -n "$mandos_connect" ]; then
+ # systemd >= 254
+ # systemctl edit --runtime ask-password-mandos.service --stdin <<-EOF
+ # ...
+ # EOF
+ mkdir --parents /run/systemd/system/ask-password-mandos.service.d
+ cat > /run/systemd/system/ask-password-mandos.service.d/connect.conf <<-EOF
+ [Service]
+ Environment="MANDOS_CLIENT_CONNECT=--connect=$mandos_connect"
+ EOF
+ systemctl daemon-reload
+ fi
+ fi
+fi
=== modified file 'dracut-module/cmdline-mandos.sh'
--- dracut-module/cmdline-mandos.sh 2019-07-27 10:11:45 +0000
+++ dracut-module/cmdline-mandos.sh 2026-05-01 23:11:34 +0000
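Review bot: In cmdline-mandos-systemd.sh the text after `mandos=connect:` from the kernel command line is written unvalidated into `connect.conf`, inside a double-quoted `Environment=` value that `ExecStart` later expands as the unquoted `$MANDOS_CLIENT_CONNECT`. If `getarg` can return a value containing whitespace, systemd would split it into extra mandos-client arguments, and a `"`, `\` or `%` would be interpreted by the unit-file parser instead of being passed through. I would reject anything outside the expected address-and-port characters before the `mkdir`, for example `case "$mandos_connect" in *[!0-9A-Za-z.:_-]*) mandos_connect= ;; esac` (character set to be adjusted to the address forms mandos-client accepts), and log that the value was ignored. The cmdline-mandos.sh hunk appends the same unvalidated value to /etc/mandos/plugin-runner.conf, where whitespace and presumably a comma would likewise be read as additional options, so the same check belongs there.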
@@ -12,6 +12,15 @@
 # initramfs image created by dracut.
 
 if getargbool 1 mandos && [ -e /lib/dracut-crypt-lib.sh ]; then
+ if mandos=$(getarg mandos); then
+ case "$mandos" in
+ connect:*) mandos_connect="${mandos#connect:}" ;;
+ esac
+ if [ -n "$mandos_connect" ]; then
+ printf -- '\n--options-for=mandos-client:--connect=%s\n' "$mandos_connect" >> /etc/mandos/plugin-runner.conf
+ fi
+ fi
+
 cat >> /lib/dracut-crypt-lib.sh <<- "EOF"
 ask_for_password(){
 local cmd; local prompt; local tries=3
=== modified file 'dracut-module/module-setup.sh'
--- dracut-module/module-setup.sh 2020-02-05 21:39:28 +0000
+++ dracut-module/module-setup.sh 2026-05-01 23:11:34 +0000
@@ -66,6 +66,7 @@
 local mandos_group="$2"
 inst "${libdir}" /lib/mandos
 if dracut_module_included "systemd"; then
+ inst_hook cmdline 20 "$moddir"/cmdline-mandos-systemd.sh
 plugindir=/lib/mandos
 inst "${libdir}/plugins.d/mandos-client" \
 "${plugindir}/mandos-client"
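Review bot: In cmdline-mandos.sh, `mandos_connect` is assigned only in the `connect:*` arm of the `case`, so for any other `mandos=` value the following `[ -n "$mandos_connect" ]` test reads whatever the sourcing shell already holds under that name. Because this file is sourced rather than executed, I would add `mandos_connect=` just before the `case` so the append to plugin-runner.conf depends only on the value parsed here. The new cmdline-mandos-systemd.sh uses the same pattern and would take the same one-line change. The enclosing `if getargbool` block continues past the end of this hunk.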