How to configure a graphical boot screen with LUKS unlock

Linux systems show a lot of useful info when booting. On NixOS this is the default. The LUKS password entry finishes “Stage 1”; in “Stage 2” the unlocked system is booted.

All of this is shown in text only, which works fine, is efficient and simple, but might not suit your taste.

Fedora and other distributions primarily show a graphical boot screen; you only see the text output when pressing Esc.

We can achieve the same with a small config.

Note

If you use LUKS encryption with a keyfile, read below on how to make this work.

There also seems to be a bug where the password screen disappears when waiting for some time, requiring a reboot.

Needed Changes

NixOS has quite a few defaults set, but you need to change some configs to enable it fully.

  • prevent some information from being displayed
  • enable systemd in an early stage
  • enable the plymouth boot screen

Optionally you can use a custom theme, logo, font and more.

Configuration

To keep things clean, you can create a /etc/nixos/configuration/boot.nix file and import it in your configuration.nix. In there you can set:

{ config, lib, pkgs, ... }:
{
  boot = {
    # silence first boot output
    consoleLogLevel = 3;
    initrd.verbose = false;
    initrd.systemd.enable = true;
    kernelParams = [
      "quiet"
      "splash"
      "intremap=on"
      "boot.shell_on_fail"
      "udev.log_priority=3"
      "rd.systemd.show_status=auto"
    ];

    # plymouth, showing after LUKS unlock
    plymouth.enable = true;
    plymouth.font = "${pkgs.hack-font}/share/fonts/truetype/Hack-Regular.ttf";
    plymouth.logo = "${pkgs.nixos-icons}/share/icons/hicolor/128x128/apps/nix-snowflake.png";
  };
}

Font and logo are optional, by default a white NixOS snowflake is used.

You can also set a custom theme, but this can be more complex. As motivation, have a look at this repo

14 Likes

This is very nice: thanks for sharing!

2 Likes

Just FYI - depending on what exact LUKS setup you have, it might not be as simple as that.

I had to figure out how to properly implement a socket-activated unit that provides the key file during systemd stage1 for my setup (it wasn’t easy, probably wouldn’t have managed to do it with some opportune rubber-ducking session at NixCon). Hopefully a person who has an atypical LUKS setup also has the skills to hack it out, but it’s a bit of a shame you have to in such a configurable OS.

1 Like