diff --git a/ansible/bootstrap.yml b/ansible/bootstrap.yml
index 1d818b7cc..8d879b7d9 100644
--- a/ansible/bootstrap.yml
+++ b/ansible/bootstrap.yml
@@ -126,7 +126,9 @@
     ansible.builtin.assert:
       that: dnf_repos_password is undefined
       fail_msg: Passwords should not be templated into repofiles during configure, unset 'dnf_repos_password'
-    when: appliances_mode == 'configure'
+    when:
+      - appliances_mode == 'configure'
+      - not (dnf_repos_allow_insecure_creds | default(false)) # useful for development
 
 - hosts: squid
   tags: squid
diff --git a/ansible/roles/compute_init/README.md b/ansible/roles/compute_init/README.md
index e8171ea3e..70fa82229 100644
--- a/ansible/roles/compute_init/README.md
+++ b/ansible/roles/compute_init/README.md
@@ -49,7 +49,7 @@ it also requires an image build with the role name added to the
 | bootstrap.yml            | sshd                    | None at present                 | No                  |
 | bootstrap.yml            | dnf_repos               | None at present [2]             | -                   |
 | bootstrap.yml            | squid                   | Not relevant for compute nodes  | n/a                 |
-| bootstrap.yml            | tuned                   | None                            | -                   |         
+| bootstrap.yml            | tuned                   | Fully supported                 | No                  |         
 | bootstrap.yml            | freeipa_server          | Not relevant for compute nodes  | n/a                 |
 | bootstrap.yml            | cockpit                 | None required - use image build | No                  |
 | bootstrap.yml            | firewalld               | Not relevant for compute nodes  | n/a                 |
diff --git a/ansible/roles/compute_init/files/compute-init.yml b/ansible/roles/compute_init/files/compute-init.yml
index 430e2cf65..bbd0f029e 100644
--- a/ansible/roles/compute_init/files/compute-init.yml
+++ b/ansible/roles/compute_init/files/compute-init.yml
@@ -9,6 +9,7 @@
     enable_compute: "{{ os_metadata.meta.compute | default(false) | bool }}"
     enable_resolv_conf: "{{ os_metadata.meta.resolv_conf | default(false) | bool }}"
     enable_etc_hosts: "{{ os_metadata.meta.etc_hosts | default(false) | bool }}"
+    enable_tuned:  "{{ os_metadata.meta.tuned | default(false) | bool }}"
     enable_nfs: "{{ os_metadata.meta.nfs | default(false) | bool }}"
     enable_manila: "{{ os_metadata.meta.manila | default(false) | bool }}"
     enable_basic_users: "{{ os_metadata.meta.basic_users | default(false) | bool }}"
@@ -17,6 +18,12 @@
     # TODO: "= role defaults" - could be moved to a vars_file: on play with similar precedence effects
     resolv_conf_nameservers: []
 
+    tuned_profile_baremetal: hpc-compute
+    tuned_profile_vm: virtual-guest
+    tuned_profile: "{{ tuned_profile_baremetal if ansible_virtualization_role != 'guest' else tuned_profile_vm }}"
+    tuned_enabled: true
+    tuned_started: true
+
     nfs_client_mnt_point: "/mnt"
     nfs_client_mnt_options:
     nfs_client_mnt_state: mounted
@@ -59,9 +66,9 @@
       file:
         path: /mnt/cluster
         state: directory
-        owner: root
+        owner: slurm
         group: root
-        mode: u=rwX,go= # is sensitive
+        mode: u=rX,g=rwX,o=
     
     - name: Mount /mnt/cluster
       mount:
@@ -125,6 +132,10 @@
         mode: 0644
       when: enable_etc_hosts
 
+    - name: Configure tuned
+      include_tasks: tasks/tuned.yml
+      when: enable_tuned
+
     # NFS client mount
     - name: If nfs-clients is present
       include_tasks: tasks/nfs-clients.yml
diff --git a/ansible/roles/compute_init/tasks/install.yml b/ansible/roles/compute_init/tasks/install.yml
index bbcbf133f..77cddf0a8 100644
--- a/ansible/roles/compute_init/tasks/install.yml
+++ b/ansible/roles/compute_init/tasks/install.yml
@@ -32,6 +32,8 @@
       dest: files/NetworkManager-dns-none.conf
     - src: ../../basic_users/filter_plugins/filter_keys.py
       dest: filter_plugins/filter_keys.py
+    - src: ../../tuned/tasks/configure.yml
+      dest: tasks/tuned.yml
     - src: ../../stackhpc.nfs/tasks/nfs-clients.yml
       dest: tasks/nfs-clients.yml
 
diff --git a/environments/.stackhpc/inventory/extra_groups b/environments/.stackhpc/inventory/extra_groups
index 416d50566..7b15a4fb6 100644
--- a/environments/.stackhpc/inventory/extra_groups
+++ b/environments/.stackhpc/inventory/extra_groups
@@ -24,6 +24,10 @@ cluster
 login
 compute
 
+[tuned:children]
+# Install tuned into fat image
+builder
+
 [squid:children]
 # Install squid into fat image
 builder
diff --git a/environments/.stackhpc/tofu/cluster_image.auto.tfvars.json b/environments/.stackhpc/tofu/cluster_image.auto.tfvars.json
index 46c784e13..99bca2f54 100644
--- a/environments/.stackhpc/tofu/cluster_image.auto.tfvars.json
+++ b/environments/.stackhpc/tofu/cluster_image.auto.tfvars.json
@@ -1,6 +1,6 @@
 {
     "cluster_image": {
-        "RL8": "openhpc-RL8-250130-1126-8f2a7703",
-        "RL9": "openhpc-RL9-250130-1127-8f2a7703"
+        "RL8": "openhpc-RL8-250211-1540-a0b4a57e",
+        "RL9": "openhpc-RL9-250211-1540-a0b4a57e"
     }
 }
diff --git a/environments/.stackhpc/tofu/main.tf b/environments/.stackhpc/tofu/main.tf
index 91c3e178c..a84c3eefb 100644
--- a/environments/.stackhpc/tofu/main.tf
+++ b/environments/.stackhpc/tofu/main.tf
@@ -80,7 +80,7 @@ module "cluster" {
         standard: { # NB: can't call this default!
             nodes: ["compute-0", "compute-1"]
             flavor: var.other_node_flavor
-            compute_init_enable: ["compute", "etc_hosts", "nfs", "basic_users", "eessi"]
+            compute_init_enable: ["compute", "etc_hosts", "nfs", "basic_users", "eessi", "tuned"]
             ignore_image_changes: true
         }
         # Example of how to add another partition: