diff --git a/images/Makefile b/images/Makefile
index b932a0c..c8f424c 100644
--- a/images/Makefile
+++ b/images/Makefile
@@ -10,7 +10,7 @@ ALMA_VERSION_MAJOR := $(shell VERSION=$(ALMA_VERSION); echo $${VERSION%%.*})
 
 all: opnsense.qcow2 \
 bos.x86_64.qcow2 bos.aarch64.qcow2 \
- cos.x86_64.warewulf.tar cos.aarch64.warewulf.tar
+ cos.plain.x86_64.warewulf.tar cos.plain.aarch64.warewulf.tar
 
 clean:
 rm -rf *.sha256 *.qcow2 *.iso *.iso.bz2 *.raw *.vmdk *.tar *.tmp.sh output-* .config .cache *.log
@@ -65,35 +65,14 @@ bos.%.qcow2: AlmaLinux-$(ALMA_VERSION_MAJOR)-GenericCloud-$(ALMA_VERSION)-$(ALMA
 almalinux.pkr.hcl
 mv output-bos."$*"/$@ "$@"
 
-cos.%.qcow2: export PACKER_LOG = 1
-cos.%.qcow2: AlmaLinux-$(ALMA_VERSION_MAJOR)-GenericCloud-$(ALMA_VERSION)-$(ALMA_BUILD).%.qcow2 almalinux.pkr.hcl cos-provision.sh
- packer init .
- packer build -force -only='cos.*' \
- -var "name=cos" \
- -var "image=$<" \
- -var "arch=$*" \
- -var "ovmf_code=$(OVMF_CODE_PATH)" -var "ovmf_vars=$(OVMF_VARS_PATH)" \
- -var "aavmf_code=$(AAVMF_CODE_PATH)" -var "aavmf_vars=$(AAVMF_VARS_PATH)" \
- -var "PACKAGES=$(PACKAGES)" \
- almalinux.pkr.hcl
- mv output-cos."$*"/$@ "$@"
-
-VARIANT ?= plain
-
 # Builds a warewulf uncompressed VNFS template of COS with warewulf patches
 cos.%.warewulf.tar: Containerfile.cos.warewulf cos-provision.sh
+ $(eval VARIANT := $(word 1,$(subst ., ,$*))) \
+ $(eval ARCH := $(word 2,$(subst ., ,$*))) \
 podman build --security-opt label=disable --no-cache \
- --build-arg PACKAGES="$(PACKAGES)" \
- --build-arg VARIANT="$(VARIANT)" \
- --build-arg COS_RELEASE="$(ALMA_VERSION)" \
- --platform "linux/$*" \
- -f Containerfile.cos.warewulf -t "warewulf_cos_$(VARIANT)_$*"
- podman save "warewulf_cos_$(VARIANT)_$*" >cos.$(VARIANT).$*.warewulf.tar
-
-# Builds a uncompressed RAW format of COS (the size of match the size of the disk)
-cos.%.raw: cos.%.qcow2
- qemu-img convert "$<" "$@"
-
-# Builds a compressed VMDK format of COS
-cos.%.vmdk: cos.%.qcow2
- qemu-img convert -f qcow2 -O vmdk -o adapter_type=lsilogic,subformat=streamOptimized,compat6 "$<" "$@"
\ No newline at end of file
+ --build-arg PACKAGES="$(PACKAGES)" \
+ --build-arg VARIANT="$(VARIANT)" \
+ --build-arg COS_RELEASE="$(ALMA_VERSION)" \
+ --platform "linux/$(ARCH)" \
+ -f Containerfile.cos.warewulf -t "warewulf_cos_$*"
+ podman save "warewulf_cos_$*" >"$@"
diff --git a/images/bos-provision.sh b/images/bos-provision.sh
index 1ec1f25..2961504 100644
--- a/images/bos-provision.sh
+++ b/images/bos-provision.sh
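Review bot: The new `$(eval ARCH := $(word 2,$(subst ., ,$*)))` yields an empty ARCH whenever the stem has a single component — the old name `cos.x86_64.warewulf.tar` still matches `cos.%.warewulf.tar` — so `--platform "linux/$(ARCH)"` degrades to `linux/` and the build either fails with an unrelated podman error or quietly targets whatever architecture podman defaults to. A guard after the second eval, `$(if $(ARCH),,$(error cos.%.warewulf.tar needs a <variant>.<arch> stem, got '$*'))`, turns that into a clear failure. Separately, VARIANT used to be a user knob (`VARIANT ?= plain`, removed here) and is now set by `$(eval VARIANT := …)`; make ignores ordinary assignments to a variable given on the command line, so `make VARIANT=x cos.plain.x86_64.warewulf.tar` would pass `VARIANT=x` as the build-arg while the image tag and `$@` still say `plain` — use `override` in the eval or a non-user-facing name such as `cos_variant`.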
@@ -6,11 +6,8 @@ dnf install -y "https://repos.openhpc.community/OpenHPC/3/EL_9/$(arch)/ohpc-rele dnf config-manager --set-enabled crb dnf copr enable cyqsimon/micro -y -rpm --import "https://www.elrepo.org/RPM-GPG-KEY-elrepo.org" -dnf install -y "https://www.elrepo.org/elrepo-release-9.el9.elrepo.noarch.rpm" - dnf update -y -dnf install -y --enablerepo=elrepo-kernel kernel-ml kernel-ml-modules kernel-ml-devel +dnf install -y kernel-modules kernel-headers dnf install -y --allowerasing --setopt=install_weak_deps=False \ podman perl /bin/mailx ${PACKAGES} diff --git a/images/cos-provision.sh b/images/cos-provision.sh index 61429b9..073f19d 100755 --- a/images/cos-provision.sh +++ b/images/cos-provision.sh @@ -7,9 +7,14 @@ dnf install -y "https://repos.openhpc.community/OpenHPC/3/EL_9/$(arch)/ohpc-rele dnf config-manager --set-enabled crb dnf copr enable cyqsimon/micro -y +IFS='_' read -r -a values <<<"$VARIANT" +if [ ${#values[@]} -eq 0 ]; then + echo "No variant specified" + exit 1 +fi + dnf update -y -IFS='_' read -r -a values <<<"$VARIANT" for value in "${values[@]}"; do case $value in plain) diff --git a/playbook-svc-mgmt.yml b/playbook-svc-mgmt.yml index 7aead0c..67c971d 100644 --- a/playbook-svc-mgmt.yml +++ b/playbook-svc-mgmt.yml @@ -19,13 +19,14 @@ - name: Generate webhookd privatekeys community.crypto.openssl_privatekey: - path: "/etc/webhookd/{{item}}.key" - mode: 600 + path: "{{host_backup_directory}}/{{item}}.key" loop: [server, client] + delegate_to: localhost + become: false - name: Create CSR for new certificate community.crypto.openssl_csr_pipe: - privatekey_path: "/etc/webhookd/{{item}}.key" + privatekey_path: "{{host_backup_directory}}/{{item}}.key" use_common_name_for_san: false common_name: local CA subject_alt_name: 
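Review bot: `dnf install -y kernel-modules kernel-headers` drops the `-devel` package that the removed elrepo line installed (`kernel-ml-devel`); `kernel-headers` only provides the userspace UAPI headers, so if anything later in this image (DKMS, out-of-tree drivers, the OpenHPC/warewulf tooling) compiles kernel modules it now needs `kernel-devel`, and if nothing does, `kernel-headers` is probably dead weight. The rest of the script is outside this hunk, so I cannot tell which applies; a one-line comment naming the consumer, e.g. `# kernel-headers: required by <consumer> — TODO confirm`, would settle it for the next reader.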
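Review bot: The new empty-VARIANT guard sits after the repository setup (`dnf install` of ohpc-release, `config-manager`, `copr enable` on the lines above it), so a misconfigured build still performs those network operations before failing; moving the `IFS='_' read … fi` block to the top of the script, ahead of the first `dnf` call, fails before any package work. The diagnostic should go to stderr, `echo "No variant specified" >&2`. If the script runs under `set -u` (its header is outside this hunk), an unset VARIANT aborts at the here-string with a generic unbound-variable error instead of reaching this message — `<<<"${VARIANT:-}"` routes both the unset and the empty case through the guard.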
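Review bot: The webhookd private keys are now generated on the controller (`delegate_to: localhost`) into `{{host_backup_directory}}`, and the `mode: 600` line was dropped with nothing replacing it, so the on-disk permission of `server.key`/`client.key` on the controller depends on the module's default (0600 as far as I recall, worth confirming) and the controller's umask rather than on anything this playbook states; adding `mode: "0600"` to the `openssl_privatekey` task keeps the intent explicit and quoted-octal avoids the decimal-integer pitfall. The keys also persist on the controller for as long as that directory exists, which deserves a comment on the task, e.g. `# Key material stays in host_backup_directory on the controller; keep it 0700 and out of version control`. The Create CSR task's `subject_alt_name` list continues past the end of this hunk.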
@@ -33,22 +34,25 @@
 - "DNS:{{hostvars[inventory_hostname]['ansible_default_ipv4']['address']}}"
 register: csr
 loop: [server, client]
+ delegate_to: localhost
+ become: false
 
 - name: Generate webhookd publickeys
 community.crypto.x509_certificate:
- privatekey_path: "/etc/webhookd/{{item.item}}.key"
- path: "/etc/webhookd/{{item.item}}.pem"
+ privatekey_path: "{{host_backup_directory}}/{{item.item}}.key"
+ path: "{{host_backup_directory}}/{{item.item}}.pem"
 csr_content: "{{item.csr}}"
 provider: selfsigned
 selfsigned_not_after: "+3650d"
- mode: 644
 loop: "{{csr.results}}"
+ delegate_to: localhost
+ become: false
 
- - name: Fetch webhookd keypairs
- ansible.builtin.fetch:
- flat: true
- src: "/etc/webhookd/{{item}}"
- dest: "{{host_backup_directory}}/{{item}}"
+ - name: Upload webhookd keypairs
+ ansible.builtin.copy:
+ src: "{{host_backup_directory}}/{{item}}"
+ dest: "/etc/webhookd/{{item}}"
+ mode: 600
 loop: [server.pem, server.key, client.pem, client.key]
 
 - name: Allow binding webhook port in SELinux
@@ -300,23 +304,12 @@
 group: "{{idm_default_group}}"
 loop: "{{mgmt_exported_directories}}"
 
- - name: Permit mountd service
+ - name: Permit rpc-bind and dependent services
 ansible.posix.firewalld:
- service: mountd
- state: enabled
- permanent: true
-
- - name: Permit rpc-bind service
- ansible.posix.firewalld:
- service: rpc-bind
- state: enabled
- permanent: true
-
- - name: Permit rquotad service
- ansible.posix.firewalld:
- service: rquotad
+ service: "{{item}}"
 state: enabled
 permanent: true
+ loop: [rpc-bind, mountd, rquotad]
 
 - name: Enable rquotad service
 ansible.builtin.systemd_service:
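Review bot: `mode: 600` on the new Upload task is a bare YAML integer, which Ansible receives as decimal 600 (octal 1130: sticky bit set, no owner read) rather than 0600; write it as `mode: "0600"`. The removed `mode: 600`/`mode: 644` lines had the same problem, so the bug is not new, but this is now the line that protects the private keys on the target. The same 0600 is applied to `server.pem`/`client.pem` (644 before), which is fine if only root reads them, but no `owner`/`group` is set, so if webhookd runs as a dedicated user it will be unable to open the key files — a comment on the task naming the intended reader would make that decision visible.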
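Review bot: The merged firewalld task still sets `permanent: true` without `immediate: true`, so the rules land only in the permanent configuration and do not apply until firewalld is reloaded; unless a later task or handler reloads it (not visible here), add `immediate: true` beside `permanent: true`. Also, with the NFSv4-only block this commit adds to /etc/nfs.conf, `mountd` is only needed by NFSv3 clients (rquotad still registers with rpcbind), so if no v3 client remains, dropping `mountd` from the loop shrinks the server's exposed surface.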
@@ -324,6 +317,20 @@
 state: started
 enabled: true
 
+ - name: Enable NFSv4 only
+ ansible.builtin.blockinfile:
+ path: /etc/nfs.conf
+ append_newline: true
+ prepend_newline: true
+ marker: "### {mark} Ansible generated block: do not edit this section! ###"
+ block: |
+ [nfsd]
+ vers3=n
+ vers4=y
+ vers4.0=y
+ vers4.1=y
+ vers4.2=y
+
 ### rds1 NFS ###
 
 - name: Get fresh Kerberos ticket
diff --git a/playbook-task-update_motd.yml b/playbook-task-update_motd.yml
new file mode 100644
index 0000000..0559bf7
--- /dev/null
+++ b/playbook-task-update_motd.yml
@@ -0,0 +1,9 @@
+- name: Update login node MOTD
+ hosts: "login-*.{{domain}}"
+ become: true
+
+ tasks:
+ - name: Upload motd
+ ansible.builtin.copy:
+ content: "{{login_message_of_the_day}}"
+ dest: /etc/motd.d/00-welcome.motd
diff --git a/staging.rb b/staging.rb
index 8bbdf82..0606a09 100644
--- a/staging.rb
+++ b/staging.rb
@@ -153,10 +153,10 @@ def self.write_inventory(pve_ip:, storage_pool:, extra_hosts:, host_common_hash:
 overlays: %w[wwinit generic arch-x86_64],
 sockets: 1,
 threads_per_core: 1,
- cores_per_socket: 2,
+ cores_per_socket: 4,
 pve_disk_size: '1G',
 pve_mem_gb: 10, # Otherwise iPXE runs out of memory decompressing initramfs
- pve_ncores: 2
+ pve_ncores: 4
 },
 "compute1.#{DOMAIN}": {
 ip: '10.10.10.151',
@@ -168,10 +168,10 @@ def self.write_inventory(pve_ip:, storage_pool:, extra_hosts:, host_common_hash:
 overlays: %w[wwinit generic arch-aarch64],
 sockets: 1,
 threads_per_core: 1,
- cores_per_socket: 2,
+ cores_per_socket: 4,
 pve_disk_size: '1G',
 pve_mem_gb: 10, # Otherwise iPXE runs out of memory decompressing initramfs
- pve_ncores: 2
+ pve_ncores: 4
 }
 }
 
diff --git a/templates/webhookd_exec_del_host.sh.j2 b/templates/webhookd_exec_del_host.sh.j2
index d4b40d1..cb5cee4 100644
--- a/templates/webhookd_exec_del_host.sh.j2
+++ b/templates/webhookd_exec_del_host.sh.j2
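Review bot: The blockinfile change to `/etc/nfs.conf` is not followed by anything that restarts `nfs-server`, so `vers3=n` and the v4 minor-version settings only take effect at the next restart or reboot; add `notify: Restart nfs-server` with a matching handler (or a restart task keyed on this task's `changed` result). The custom `marker` is generic enough that any other blockinfile task writing the same file with the same marker would replace this block — I cannot see the rest of the playbook, so if that is a possibility, a block-specific marker such as `"### {mark} Ansible: nfsd protocol versions ###"` avoids the collision.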
@@ -11,5 +11,6 @@ logger "$0: Deleting host $HOST.{{domain}}" ipa host-del "$HOST.{{domain}}" 2>&1 || true | logger logger "$0: Deleting A record for $HOST" ipa dnsrecord-del "{{domain}}" "$HOST" --del-all 2>&1 || true | logger +logger "$0: Host $HOST.{{domain}} deleted" exit 0 diff --git a/templates/webhookd_exec_provision.sh.j2 b/templates/webhookd_exec_provision.sh.j2 index b541f04..cf08026 100644 --- a/templates/webhookd_exec_provision.sh.j2 +++ b/templates/webhookd_exec_provision.sh.j2 @@ -5,16 +5,21 @@ set -eu PAM_USER="$user" HOME_DIR="/mnt/rds1/home/$PAM_USER" +logger "$0: Provisioning for $PAM_USER @ $HOME_DIR ..." + kinit -kt /etc/root.keytab root if [ -d "$HOME_DIR" ]; then - logger "$0: Request received for user $PAM_USER with existing homedir: $HOME_DIR; skipping..." + logger "$0: Request received for user $PAM_USER with existing homedir: $HOME_DIR; setting permissions only..." + chown "$PAM_USER":"$PAM_USER" "$HOME_DIR" elif ipa user-find --login="$user" --in-groups="{{idm_default_group}}" >/dev/null 2>&1; then logger "$0: Creating homedir $HOME_DIR for $PAM_USER ($(id -u "$PAM_USER"))" mkdir -p "$HOME_DIR" find /etc/skel -mindepth 1 -exec cp {} "$HOME_DIR/" \; chown -R "$PAM_USER":"$PAM_USER" "$HOME_DIR" + chmod 700 "$HOME_DIR" else logger "$0: Unknown user $PAM_USER, request ignored" fi +logger "$0: Provision completed for $PAM_USER" exit 0
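Review bot: The new `logger "$0: Host $HOST.{{domain}} deleted"` reports success unconditionally, but the two `ipa … 2>&1 || true | logger` lines above it parse as `ipa … || (true | logger)`, so neither their output nor their exit status is captured and a failed `host-del` still ends with the "deleted" message. Capturing the result keeps the log honest, e.g. `out=$(ipa host-del "$HOST.{{domain}}" 2>&1) || logger "$0: host-del failed for $HOST: $out"`, with the final message guarded on that status. The script header (shebang and any `set -e`) is outside this hunk, so the effect of a non-zero `ipa` status on the rest of the script is not visible here.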
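Review bot: The new `chown "$PAM_USER":"$PAM_USER" "$HOME_DIR"` in the existing-homedir branch runs before any check that `$user` is a real member of `{{idm_default_group}}` — the `ipa user-find … --in-groups` test only guards the `elif` creation branch — so ownership of any existing directory under `/mnt/rds1/home/` is handed to whatever name the request carries (presumably the webhook payload; its origin is outside this hunk), as long as `chown` can resolve it. Hoisting a name sanity check and the membership check above `if [ -d "$HOME_DIR" ]` makes both branches share them, as sketched below. The `chmod 700` is applied only on creation; a comment such as `# existing homedirs keep their mode on purpose; only ownership is repaired` would record that this asymmetry is intended. `set -eu` and the `$user` assignment sit above this hunk.
```shell
# … unchanged: PAM_USER / HOME_DIR assignment, logger, kinit …
# Reject anything that is not a plain login name before it reaches a path or an ipa call
case "$PAM_USER" in
  ""|-*|*[!a-z0-9_-]*) logger "$0: Invalid user name in request, ignored"; exit 1 ;;
esac
# Membership check now guards both branches, not only creation
if ! ipa user-find --login="$user" --in-groups="{{idm_default_group}}" >/dev/null 2>&1; then
  logger "$0: Unknown user $PAM_USER, request ignored"
  exit 0
fi
if [ -d "$HOME_DIR" ]; then
  logger "$0: Request received for user $PAM_USER with existing homedir: $HOME_DIR; setting permissions only..."
  chown "$PAM_USER":"$PAM_USER" "$HOME_DIR"
else
  logger "$0: Creating homedir $HOME_DIR for $PAM_USER ($(id -u "$PAM_USER"))"
  # … unchanged: mkdir, skel copy, chown -R, chmod 700 …
fi
# … unchanged: final logger and exit 0 …
```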