diff --git a/bootc/base/Containerfile b/bootc/base/Containerfile
index 20b307f..85314d5 100644
--- a/bootc/base/Containerfile
+++ b/bootc/base/Containerfile
@@ -30,4 +30,5 @@ if [ -n "$ADMIN_USERNAME" -a -f "/etc/ssh/authorized_keys/$ADMIN_USERNAME.keys"
 fi
 semanage fcontext -a -t ssh_home_t "/etc/ssh/authorized_keys(/.*)?"
 restorecon -Rf /etc/ssh/authorized_keys
+install -d -m 0700 -o root -g root /var/lib/private/flightctl
 EOF
diff --git a/bootc/base/root/etc/systemd/system/flightctl-agent.service.d/override.conf b/bootc/base/root/etc/systemd/system/flightctl-agent.service.d/override.conf
index 327f856..651a109 100644
--- a/bootc/base/root/etc/systemd/system/flightctl-agent.service.d/override.conf
+++ b/bootc/base/root/etc/systemd/system/flightctl-agent.service.d/override.conf
@@ -1,3 +1,3 @@
 [Service]
-# If the config file has been injected into the qcow2 image in /var, move it to the right place
-ExecStartPre=/bin/bash -Eeuo pipefail -c 'if [ -f /var/lib/flightctl/config.yaml -a ! -f /etc/flightctl/config.yaml ]; then mv /var/lib/flightctl/config.yaml /etc/flightctl/config.yaml; restorecon -RF /etc/flightctl/config.yaml; fi'
+# If the config file has been injected into the qcow2 image in /var/lib/private, move it to the right place
+ExecStartPre=/bin/bash -Eeuo pipefail -c 'if [ -f /var/lib/private/flightctl/config.yaml -a ! -f /etc/flightctl/config.yaml ]; then mv /var/lib/private/flightctl/config.yaml /etc/flightctl/config.yaml; restorecon -RF /etc/flightctl/config.yaml; fi; if [ -f /var/lib/private/flightctl/auth.json -a ! -f /etc/ostree/auth.json ]; then mv /var/lib/private/flightctl/auth.json /etc/ostree/auth.json; restorecon -RF /etc/ostree/auth.json; fi'
diff --git a/bootc/scenario3a/root/etc/default/bootstrap-vm-nextcloud.env b/bootc/scenario3a/root/etc/default/bootstrap-vm-nextcloud.env
index 248ba46..2df58d9 100644
--- a/bootc/scenario3a/root/etc/default/bootstrap-vm-nextcloud.env
+++ b/bootc/scenario3a/root/etc/default/bootstrap-vm-nextcloud.env
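Review bot: `install -d` applies `-m 0700 -o root -g root` only to the final component, `/var/lib/private/flightctl`; any missing parent directory is created with default attributes. If `/var/lib/private` is not already present in the base image, it would end up 0755 instead of the 0700 that systemd uses for that directory. Naming both paths pins the mode on each: `install -d -m 0700 -o root -g root /var/lib/private /var/lib/private/flightctl`. The heredoc this line belongs to starts outside the hunk, so whether the step aborts on a failed `install` is not visible here.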
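Review bot: The new `auth.json` branch in `ExecStartPre` moves the file to `/etc/ostree/auth.json` with whatever owner and mode it had when it was injected, because `mv` preserves both and only the SELinux label is reset afterwards. The 0700 staging directory protected the file before the move, but its own mode is all that protects it at the destination, and that path is where pull credentials are normally read from. I would pin it in the same branch, before the `restorecon`: `chown root:root /etc/ostree/auth.json; chmod 0600 /etc/ostree/auth.json;`. The same reasoning applies to `/etc/flightctl/config.yaml` if it carries enrollment key material. Separately, with `-e` set, a missing `/etc/ostree` makes the `mv` fail and keeps the agent from starting, so a `mkdir -p /etc/ostree` ahead of it may be worth adding.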
@@ -3,3 +3,4 @@ DOMAIN_RAM=8192
 DOMAIN_DISK_SIZE=100
 DOMAIN_OS_VARIANT=rhel9.6
 DOMAIN_MAC_ADDRESS=04:00:00:00:00:01
+FLIGHTCTL_LABELS_OVERRIDE={ "type": "virtualmachine", "vm.name": "nextcloud", "scenario": "scenario1" }
diff --git a/bootc/scenario3a/root/usr/local/bin/bootstrap-vm.sh b/bootc/scenario3a/root/usr/local/bin/bootstrap-vm.sh
index c492ee6..731658b 100755
--- a/bootc/scenario3a/root/usr/local/bin/bootstrap-vm.sh
+++ b/bootc/scenario3a/root/usr/local/bin/bootstrap-vm.sh
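Review bot: The value of `FLIGHTCTL_LABELS_OVERRIDE` is unquoted JSON with spaces and double quotes, which is fragile for the usual ways of reading an env file. If it is sourced by a shell, everything after `FLIGHTCTL_LABELS_OVERRIDE={` is run as a command; if it is loaded through systemd's `EnvironmentFile=`, the inner double quotes would be expected to be stripped. How the file is consumed is not visible in this hunk, but single-quoting keeps the JSON intact in both cases: `FLIGHTCTL_LABELS_OVERRIDE='{ "type": "virtualmachine", "vm.name": "nextcloud", "scenario": "scenario1" }'`. The `"scenario": "scenario1"` label also looks out of place under `bootc/scenario3a`, so it is worth confirming it is intended.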
@@ -8,23 +8,55 @@ if [[ $# -ne 1 ]]; then fi VM="${1}" +if [ -f "/var/lib/libvirt/images/${VM}/root.qcow2" ]; then + echo "VM ${VM} already exists. Please remove it first." + exit 1 +fi + temp_dir=$(mktemp -d) cleanup() { + local exit_code=$? rm -rf "$temp_dir" + if [ $exit_code -ne 0 ]; then + echo "An error occurred. Cleaning up..." + virsh destroy "${VM}" || true + virsh undefine "${VM}" --nvram || true + rm -f "/var/lib/libvirt/images/${VM}/root.qcow2" + fi } trap cleanup EXIT -mkdir -p "/var/lib/libvirt/images/${VM}" -cp -a "/usr/local/libvirt/images/${VM}/qcow2/disk.qcow2" "/var/lib/libvirt/images/${VM}/root.qcow2" +# Create a temporary directory to hold the VM image and copy the base image there +install -m 0710 -o root -g qemu --context=system_u:object_r:virt_image_t:s0 -d "$temp_dir" +install -m 0770 -o root -g qemu --context=system_u:object_r:virt_image_t:s0 "/usr/local/libvirt/images/${VM}/qcow2/disk.qcow2" "$temp_dir/root.qcow2" # Inject the Flightctl configuration file (w/ enrollment certificates) into the VM image +# Note: The injected config file will be moved to the right place in the VM by a systemd override in the base image if [ -f /etc/flightctl/config.yaml ]; then - yq e '.default-labels += { "type": "virtualmachine" }' /etc/flightctl/config.yaml > "$temp_dir/config.yaml" - guestfish --add /var/lib/libvirt/images/${VM}/root.qcow2 -m /dev/sda4 < "$temp_dir/config.yaml" + else + cp /etc/flightctl/config.yaml "$temp_dir/config.yaml" + fi + guestfish --add "$temp_dir/root.qcow2" -m /dev/sda4 <