diff --git a/ansible/roles/cacerts/tasks/export.yml b/ansible/roles/cacerts/tasks/export.yml
index 8e036a156..f3070627a 100644
--- a/ansible/roles/cacerts/tasks/export.yml
+++ b/ansible/roles/cacerts/tasks/export.yml
@@ -3,9 +3,9 @@
   ansible.builtin.copy:
     src: "{{ item }}"
     dest: /exports/cluster/cacerts/
-    owner: slurm
-    group: root
-    mode: "0644"
+    owner: ansible-init
+    group: ansible-init
+    mode: u=rw,go=
   with_fileglob:
     - "{{ cacerts_cert_dir }}/*"
   delegate_to: "{{ groups['control'] | first }}"
diff --git a/ansible/roles/compute_init/files/compute-init.yml b/ansible/roles/compute_init/files/compute-init.yml
index 91eaa86c1..059f0a458 100644
--- a/ansible/roles/compute_init/files/compute-init.yml
+++ b/ansible/roles/compute_init/files/compute-init.yml
@@ -83,7 +83,7 @@
     - ansible.builtin.meta: end_play
     - name: Check if hostvars exist
       become: true
-      become_user: slurm
+      become_user: ansible-init # share is root-squashed
       ansible.builtin.stat:
         path: "/mnt/cluster/hostvars/{{ ansible_hostname }}/hostvars.yml"
       register: hostvars_stat
@@ -98,7 +98,7 @@
     - ansible.builtin.meta: end_play
     - name: Sync /mnt/cluster to /var/tmp
       become: true
-      become_user: slurm
+      become_user: ansible-init # share is root-squashed
       ansible.posix.synchronize:
         src: "/mnt/cluster/"
         dest: "/var/tmp/cluster/"
diff --git a/ansible/roles/compute_init/tasks/export.yml b/ansible/roles/compute_init/tasks/export.yml
index caf0cdc67..21e0ea4b5 100644
--- a/ansible/roles/compute_init/tasks/export.yml
+++ b/ansible/roles/compute_init/tasks/export.yml
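Review bot: `become_user: ansible-init` in the stat task (and the same line in the `@@ -98,7 +98,7 @@` synchronize hunk) switches to an account that the defaults.yml change in this commit defines with `create_home: false`, `home: /var/lib/ansible-init` and `shell: /sbin/nologin`; with no home directory Ansible will likely be unable to use its default `~/.ansible/tmp` remote_tmp for the become user and fall back to a system temp directory with a warning, so either create that directory in the image or set `remote_tmp` for these tasks. The synchronize task now writes `/var/tmp/cluster/` as ansible-init, so if an earlier boot left that tree owned by root the sync will fail; I can't see where dest is created. The inline `# share is root-squashed` comment is worth expanding to say why the unprivileged user is needed, e.g. `# share is root-squashed: client root maps to nobody and the export dirs are o=, so read as the exporting user`. The enclosing play starts before these hunks.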
@@ -1,41 +1,47 @@
 ---
-- name: Ensure the /exports/cluster directory exists
+- name: Ensure /exports/cluster directory structure exists
   ansible.builtin.file:
     path: /exports/cluster
     state: directory
-    owner: slurm
-    group: root
+    owner: ansible-init
+    group: ansible-init
     mode: u=rX,g=rwX,o=
   run_once: true
+  loop:
+    - /exports/cluster
+    - /exports/cluster/hostvars
+    - /exports/cluster/cacerts
+    - /exports/cluster/cvmfs
+    - /exports/cluster/hostconfig
   delegate_to: "{{ groups['control'] | first }}"
 
 - name: Copy /etc/hosts to /exports/cluster
   ansible.builtin.copy:
     src: /etc/hosts
     dest: /exports/cluster/hosts
-    owner: slurm
-    group: root
-    mode: u=r,g=rw,o=
+    owner: ansible-init
+    group: ansible-init
+    mode: u=rw,go=r
   remote_src: true
   run_once: true
   delegate_to: "{{ groups['control'] | first }}"
 
-- name: Create hostvars directory
+- name: Create per-host hostvars directory
   ansible.builtin.file:
     path: /exports/cluster/hostvars/{{ inventory_hostname }}/
     state: directory
-    owner: slurm
-    group: root
-    mode: u=rX,g=rwX,o=
+    owner: ansible-init
+    group: ansible-init
+    mode: u=rwX,go=
   delegate_to: "{{ groups['control'] | first }}"
 
 - name: Template out hostvars
   ansible.builtin.template:
     src: hostvars.yml.j2
     dest: /exports/cluster/hostvars/{{ inventory_hostname }}/hostvars.yml
-    owner: slurm
-    group: root
-    mode: u=r,g=rw,o=
+    owner: ansible-init
+    group: ansible-init
+    mode: u=rw,go=
   delegate_to: "{{ groups['control'] | first }}"
 
 - name: Copy manila share info to /exports/cluster
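Review bot: The `loop:` added to the first task never reaches the module, because `path: /exports/cluster` is kept as a literal, so the task creates /exports/cluster five times and /exports/cluster/{hostvars,cacerts,cvmfs,hostconfig} are not created here; it should read `path: "{{ item }}"`. This also affects the `@@ -52,29 +58,19 @@` hunk of this file, which deletes the standalone cvmfs directory task on the assumption that the loop covers it. Later copy/template tasks may mask the gap by creating missing parents themselves, but those parents would get default ownership and mode rather than the ansible-init/`o=` scheme this commit sets up, so the restriction could be silently lost. Separately, `mode: u=rX,g=rwX,o=` on this directory now grants write to group ansible-init but not to the owner ansible-init, which looks unintended next to the `u=rwX,go=` used by the other directory tasks in this hunk; I can't see the rest of the export tasks to confirm which is meant.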
@@ -52,29 +58,19 @@
     os_manila_mount_share_info_var:
       os_manila_mount_share_info: "{{ os_manila_mount_share_info }}"
 
-- name: Ensure /exports/cluster/cvmfs directory exists
-  ansible.builtin.file:
-    path: /exports/cluster/cvmfs
-    state: directory
-    owner: slurm
-    group: root
-    mode: "0755"
-  run_once: true
-  delegate_to: "{{ groups['control'] | first }}"
-
 - name: Export cacerts
   ansible.builtin.include_role:
     name: cacerts
     tasks_from: export.yml
   when: "'cacerts' in group_names"
 
-- name: Create hostconfig directory
+- name: Create per-host hostconfig directory
   ansible.builtin.file:
     path: "/exports/cluster/hostconfig/{{ inventory_hostname }}/"
     state: directory
-    owner: slurm
-    group: root
-    mode: u=rX,g=rwX,o=
+    owner: ansible-init
+    group: ansible-init
+    mode: u=rwX,go=
   delegate_to: "{{ groups['control'] | first }}"
 
 - name: Template sssd config
diff --git a/ansible/roles/nhc/tasks/export.yml b/ansible/roles/nhc/tasks/export.yml
index d6b1120e4..c080fdd3e 100644
--- a/ansible/roles/nhc/tasks/export.yml
+++ b/ansible/roles/nhc/tasks/export.yml
@@ -3,5 +3,7 @@
   ansible.builtin.template:
     src: "{{ nhc_config_template }}"
     dest: "/exports/cluster/hostconfig/{{ inventory_hostname }}/nhc.conf"
-    mode: "0644"
+    owner: ansible-init
+    group: ansible-init
+    mode: u=rw,go=
   delegate_to: "{{ groups['control'] | first }}"
diff --git a/ansible/roles/sssd/tasks/export.yml b/ansible/roles/sssd/tasks/export.yml
index 607878648..3d95a0598 100644
--- a/ansible/roles/sssd/tasks/export.yml
+++ b/ansible/roles/sssd/tasks/export.yml
@@ -4,7 +4,7 @@
   ansible.builtin.template:
     src: "{{ sssd_conf_src }}"
     dest: "/exports/cluster/hostconfig/{{ inventory_hostname }}/sssd.conf"
-    owner: root
-    group: root
+    owner: ansible-init
+    group: ansible-init
     mode: u=rw,go=
   delegate_to: "{{ groups['control'] | first }}"
diff --git a/environments/.stackhpc/tofu/cluster_image.auto.tfvars.json b/environments/.stackhpc/tofu/cluster_image.auto.tfvars.json
index 04730140e..ceeb8080f 100644
--- a/environments/.stackhpc/tofu/cluster_image.auto.tfvars.json
+++ b/environments/.stackhpc/tofu/cluster_image.auto.tfvars.json
@@ -1,6 +1,6 @@
 {
     "cluster_image": {
-        "RL8": "openhpc-RL8-251211-0951-51b93e3f",
-        "RL9": "openhpc-RL9-251211-0951-51b93e3f"
+        "RL8": "openhpc-RL8-251213-1133-31273766",
+        "RL9": "openhpc-RL9-251213-1133-31273766"
     }
 }
diff --git a/environments/common/inventory/group_vars/all/defaults.yml b/environments/common/inventory/group_vars/all/defaults.yml
index e9852afd6..66e4088b0 100644
--- a/environments/common/inventory/group_vars/all/defaults.yml
+++ b/environments/common/inventory/group_vars/all/defaults.yml
@@ -78,6 +78,16 @@ appliances_local_users_default:
       system: true
     enable: "{{ 'grafana' in group_names }}"
 
+  - user:
+      name: ansible-init
+      comment: ansible-init user
+      uid: 301
+      create_home: false
+      home: /var/lib/ansible-init
+      shell: /sbin/nologin
+      system: true
+    enable: "{{ 'ansible_init' in group_names }}"
+
 # Overide this to add extra users whilst keeping the defaults.
 appliances_local_users_extra: [] # see format of appliances_local_users_default above
 appliances_local_users: "{{ (appliances_local_users_default + appliances_local_users_extra) | select | list }}"
diff --git a/environments/common/inventory/group_vars/all/nfs.yml b/environments/common/inventory/group_vars/all/nfs.yml
index 05ecd8900..76aa63ff0 100644
--- a/environments/common/inventory/group_vars/all/nfs.yml
+++ b/environments/common/inventory/group_vars/all/nfs.yml
@@ -31,6 +31,7 @@ nfs_configuration_compute_nodes: # cluster configuration for compute_init/slurm-
   server: "{{ inventory_hostname in groups['control'] }}"
   clients: false
   nfs_export: "/exports/cluster"
+  nfs_export_options: "ro,secure,root_squash"
 
 nfs_configurations_extra: [] # site-specific nfs shares
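Review bot: `enable: "{{ 'ansible_init' in group_names }}"` appears to create the ansible-init account only on hosts in the ansible_init group, yet the export tasks in this commit set `owner: ansible-init` on files created on `groups['control'] | first`; unless the control node is also in that group (not visible here), those delegated tasks will fail on an unknown user. Pinning `uid: 301` so the NFS client's read-side user matches the server-side owner is the right approach, but it should be checked against the image's existing system accounts, since a uid collision would silently give that other account access to the exported hostvars and sssd.conf. A comment on the entry would make the coupling explicit, e.g. `# uid must match on the NFS server and clients: export files are owned by this user and the share is root-squashed`.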