diff --git a/inventory/group_vars/autosign b/inventory/group_vars/autosign
index c9625a010a..c0db212867 100644
--- a/inventory/group_vars/autosign
+++ b/inventory/group_vars/autosign
@@ -21,7 +21,7 @@ host_group: autosign
 fedmsg_error_recipients:
 - puiterwijk@fedoraproject.org
 
-nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,nfsvers=4"
+nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,sec=sys,nfsvers=4"
 
 # For the MOTD
 csi_security_category: High
diff --git a/inventory/group_vars/batcave b/inventory/group_vars/batcave
index 6f6635c168..d61c79a001 100644
--- a/inventory/group_vars/batcave
+++ b/inventory/group_vars/batcave
@@ -12,7 +12,7 @@ fas_client_groups: sysadmin-ask,sysadmin-build,sysadmin-cvs,sysadmin-main,sysadm
 
 ansible_base: /srv/web/infra
 freezes: false
-nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,nfsvers=4"
+nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,sec=sys,nfsvers=4"
 
 fedmsg_certs:
 - service: shell
diff --git a/inventory/group_vars/bodhi-backend b/inventory/group_vars/bodhi-backend
index ddf0460a82..c30905c76b 100644
--- a/inventory/group_vars/bodhi-backend
+++ b/inventory/group_vars/bodhi-backend
@@ -42,7 +42,7 @@ fedmsg_error_recipients:
 # happens instead at the inventory/host_vars/ level since bodhi-backend03 and
 # bodhi-backend02 have different roles and responsibilities.
 
-nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,nfsvers=4"
+nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,sec=sys,nfsvers=4"
 
 fas_client_groups: sysadmin-releng,sysadmin-bodhi
 sudoers: "{{ private }}/files/sudo/00releng-sudoers"
diff --git a/inventory/group_vars/buildvm-aarch64-stg b/inventory/group_vars/buildvm-aarch64-stg
index 93ec6f82ce..587171781e 100644
--- a/inventory/group_vars/buildvm-aarch64-stg
+++ b/inventory/group_vars/buildvm-aarch64-stg
@@ -17,7 +17,7 @@ host_group: kojibuilder
 fas_client_groups: sysadmin-releng
 sudoers: "{{ private }}/files/sudo/00releng-sudoers"
 datacenter: staging
-nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,nfsvers=4"
+nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,sec=sys,nfsvers=4"
 
 koji_hub_nfs: "fedora_koji"
 koji_server_url: "https://koji.stg.fedoraproject.org/kojihub"
diff --git a/inventory/group_vars/buildvm-armv7-stg b/inventory/group_vars/buildvm-armv7-stg
index 93ec6f82ce..587171781e 100644
--- a/inventory/group_vars/buildvm-armv7-stg
+++ b/inventory/group_vars/buildvm-armv7-stg
@@ -17,7 +17,7 @@ host_group: kojibuilder
 fas_client_groups: sysadmin-releng
 sudoers: "{{ private }}/files/sudo/00releng-sudoers"
 datacenter: staging
-nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,nfsvers=4"
+nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,sec=sys,nfsvers=4"
 
 koji_hub_nfs: "fedora_koji"
 koji_server_url: "https://koji.stg.fedoraproject.org/kojihub"
diff --git a/inventory/group_vars/buildvm-ppc64-stg b/inventory/group_vars/buildvm-ppc64-stg
index 93ec6f82ce..587171781e 100644
--- a/inventory/group_vars/buildvm-ppc64-stg
+++ b/inventory/group_vars/buildvm-ppc64-stg
@@ -17,7 +17,7 @@ host_group: kojibuilder
 fas_client_groups: sysadmin-releng
 sudoers: "{{ private }}/files/sudo/00releng-sudoers"
 datacenter: staging
-nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,nfsvers=4"
+nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,sec=sys,nfsvers=4"
 
 koji_hub_nfs: "fedora_koji"
 koji_server_url: "https://koji.stg.fedoraproject.org/kojihub"
diff --git a/inventory/group_vars/buildvm-ppc64le-stg b/inventory/group_vars/buildvm-ppc64le-stg
index 93ec6f82ce..587171781e 100644
--- a/inventory/group_vars/buildvm-ppc64le-stg
+++ b/inventory/group_vars/buildvm-ppc64le-stg
@@ -17,7 +17,7 @@ host_group: kojibuilder
 fas_client_groups: sysadmin-releng
 sudoers: "{{ private }}/files/sudo/00releng-sudoers"
 datacenter: staging
-nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,nfsvers=4"
+nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,sec=sys,nfsvers=4"
 
 koji_hub_nfs: "fedora_koji"
 koji_server_url: "https://koji.stg.fedoraproject.org/kojihub"
diff --git a/inventory/group_vars/buildvm-stg b/inventory/group_vars/buildvm-stg
index e87471bf36..4e6704f15c 100644
--- a/inventory/group_vars/buildvm-stg
+++ b/inventory/group_vars/buildvm-stg
@@ -17,7 +17,7 @@ host_group: kojibuilder
 fas_client_groups: sysadmin-releng
 sudoers: "{{ private }}/files/sudo/00releng-sudoers"
 datacenter: staging
-nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,nfsvers=4"
+nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,sec=sys,nfsvers=4"
 
 koji_hub_nfs: "fedora_koji"
 koji_server_url: "https://koji.stg.fedoraproject.org/kojihub"
diff --git a/inventory/group_vars/koji b/inventory/group_vars/koji
index bb09da3d84..0e469278ff 100644
--- a/inventory/group_vars/koji
+++ b/inventory/group_vars/koji
@@ -41,7 +41,7 @@ fedmsg_certs:
   - buildsys.task.state.change
   - buildsys.untag
 
-nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,nfsvers=4"
+nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,sec=sys,nfsvers=4"
 virt_install_command: "{{ virt_install_command_two_nic }}"
 
 osbs_url: "osbs.fedoraproject.org"
diff --git a/inventory/group_vars/releng-compose b/inventory/group_vars/releng-compose
index 118db1b4f2..b55a6f1a1e 100644
--- a/inventory/group_vars/releng-compose
+++ b/inventory/group_vars/releng-compose
@@ -20,7 +20,7 @@ fas_client_groups: sysadmin-releng
 freezes: true
 sudoers: "{{ private }}/files/sudo/00releng-sudoers"
 
-nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,nfsvers=4"
+nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,sec=sys,nfsvers=4"
 
 # For the mock config
 kojipkgs_url: kojipkgs.fedoraproject.org
diff --git a/inventory/group_vars/releng-secondary b/inventory/group_vars/releng-secondary
index 07bf9922bd..170e63e2fe 100644
--- a/inventory/group_vars/releng-secondary
+++ b/inventory/group_vars/releng-secondary
@@ -11,7 +11,7 @@ dns: 10.5.126.21
 nrpe_procs_warn: 900
 nrpe_procs_crit: 1000
 
-nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,nfsvers=4"
+nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,sec=sys,nfsvers=4"
 
 fas_client_groups: sysadmin-releng,sysadmin-secondary,sysadmin-noc,sysadmin-veteran
 sudoers: "{{ private }}/files/sudo/00releng-sudoers"
diff --git a/inventory/group_vars/releng-stg b/inventory/group_vars/releng-stg
index a2050c5dc7..e8877bed47 100644
--- a/inventory/group_vars/releng-stg
+++ b/inventory/group_vars/releng-stg
@@ -3,7 +3,7 @@ koji_server_url: "https://koji.stg.fedoraproject.org/kojihub"
 koji_weburl: "https://koji.stg.fedoraproject.org/koji"
 koji_topurl: "https://kojipkgs.fedoraproject.org/"
 
-nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,nfsvers=4"
+nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,sec=sys,nfsvers=4"
 
 mem_size: 8192
 num_cpus: 4
diff --git a/inventory/group_vars/runroot b/inventory/group_vars/runroot
index ffe0c39244..cbcbbfbe3c 100644
--- a/inventory/group_vars/runroot
+++ b/inventory/group_vars/runroot
@@ -3,4 +3,4 @@
 # We need to mount koji storage rw here so run_root can work. 
 # The rest of the group can be ro, it's only builders in the 
 # compose channel that need a rw mount
-nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,nfsvers=4"
+nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,sec=sys,nfsvers=4"
diff --git a/inventory/group_vars/wiki b/inventory/group_vars/wiki
index 020479f24e..ae63ab64e6 100644
--- a/inventory/group_vars/wiki
+++ b/inventory/group_vars/wiki
@@ -31,7 +31,7 @@ fedmsg_certs:
   - wiki.article.edit
   - wiki.upload.complete
 
-nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,nfsvers=4"
+nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,sec=sys,nfsvers=4"
 
 csi_security_category: Moderate
 csi_primary_contact: "#fedora-admin"
diff --git a/inventory/group_vars/wiki-stg b/inventory/group_vars/wiki-stg
index eaa4340313..cf00362988 100644
--- a/inventory/group_vars/wiki-stg
+++ b/inventory/group_vars/wiki-stg
@@ -29,4 +29,4 @@ fedmsg_certs:
   - wiki.article.edit
   - wiki.upload.complete
 
-nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,nfsvers=4"
+nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,sec=sys,nfsvers=4"
diff --git a/inventory/host_vars/data-analysis01.phx2.fedoraproject.org b/inventory/host_vars/data-analysis01.phx2.fedoraproject.org
index 72a22a6860..30c37be0de 100644
--- a/inventory/host_vars/data-analysis01.phx2.fedoraproject.org
+++ b/inventory/host_vars/data-analysis01.phx2.fedoraproject.org
@@ -5,7 +5,7 @@ freezes: false
 # this box mounts a large share from the netapp to store combined http
 # logs from the proxies.
 
-nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,nfsvers=4"
+nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,sec=sys,nfsvers=4"
 
 # general configs
 nrpe_procs_warn: 900
diff --git a/inventory/host_vars/pkgs02.phx2.fedoraproject.org b/inventory/host_vars/pkgs02.phx2.fedoraproject.org
index aef4e772e2..b041d3ccbc 100644
--- a/inventory/host_vars/pkgs02.phx2.fedoraproject.org
+++ b/inventory/host_vars/pkgs02.phx2.fedoraproject.org
@@ -17,7 +17,7 @@ num_cpus: 8
 virt_install_command: "{{ virt_install_command_two_nic }}"
 
 host_backup_targets: ['/srv']
-nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,nfsvers=4"
+nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,sec=sys,nfsvers=4"
 
 ssh_hostnames:
 - pkgs.fedoraproject.org
diff --git a/playbooks/groups/backup-server.yml b/playbooks/groups/backup-server.yml
index 944ed8dffb..42ab94d1d0 100644
--- a/playbooks/groups/backup-server.yml
+++ b/playbooks/groups/backup-server.yml
@@ -23,7 +23,7 @@
   - collectd/base
   - { role: nfs/client,
       mnt_dir: '/fedora_backups',
-      nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,nfsvers=4",
+      nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,sec=sys,nfsvers=4",
       nfs_src_dir: 'fedora_backups' }
   - openvpn/client
 
diff --git a/playbooks/groups/gnome-backups.yml b/playbooks/groups/gnome-backups.yml
index 2f2a0183ef..204a97ba15 100644
--- a/playbooks/groups/gnome-backups.yml
+++ b/playbooks/groups/gnome-backups.yml
@@ -21,7 +21,7 @@
   - gnome_backups
   - { role: nfs/client,
       mnt_dir: '/gnome_backups',
-      nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,nfsvers=4",
+      nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,sec=sys,nfsvers=4",
       nfs_src_dir: 'gnome_backups' }
 
   tasks:
diff --git a/playbooks/groups/logserver.yml b/playbooks/groups/logserver.yml
index 4a7646461d..79e3fc7ebe 100644
--- a/playbooks/groups/logserver.yml
+++ b/playbooks/groups/logserver.yml
@@ -59,7 +59,7 @@
   - cloudstats
   - role: nfs/client
     mnt_dir: '/mnt/fedora_stats'
-    nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,nfsvers=4"
+    nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,sec=sys,nfsvers=4"
     nfs_src_dir: 'fedora_stats'
 
   handlers:
diff --git a/playbooks/groups/pkgs.yml b/playbooks/groups/pkgs.yml
index 8fea03bc20..7c797d713f 100644
--- a/playbooks/groups/pkgs.yml
+++ b/playbooks/groups/pkgs.yml
@@ -32,11 +32,11 @@
   - { role: nfs/client,
       when: env != "staging",
       mnt_dir: '/srv/cache/lookaside',
-      nfs_src_dir: 'fedora_sourcecache', nfs_mount_opts='rw,hard,bg,intr,noatime,nodev,nosuid,nfsvers=4' }
+      nfs_src_dir: 'fedora_sourcecache', nfs_mount_opts='rw,hard,bg,intr,noatime,nodev,nosuid,sec=sys,nfsvers=4' }
   - { role: nfs/client,
       when: env == "staging" and inventory_hostname.startswith('pkgs02'),
       mnt_dir: '/srv/cache/lookaside_prod',
-      nfs_src_dir: 'fedora_sourcecache', nfs_mount_opts='ro,hard,bg,intr,noatime,nodev,nosuid,nfsvers=4' }
+      nfs_src_dir: 'fedora_sourcecache', nfs_mount_opts='ro,hard,bg,intr,noatime,nodev,nosuid,sec=sys,nfsvers=4' }
   - role: distgit/pagure
   - role: distgit
     tags: distgit
diff --git a/playbooks/groups/secondary.yml b/playbooks/groups/secondary.yml
index f81a5915b4..71271ec8e0 100644
--- a/playbooks/groups/secondary.yml
+++ b/playbooks/groups/secondary.yml
@@ -25,11 +25,11 @@
       nfs_src_dir: 'fedora_ftp/fedora.redhat.com/pub/archive' }
   - { role: nfs/client,
       mnt_dir: '/srv/pub/alt',
-      nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,nfsvers=4",
+      nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,sec=sys,nfsvers=4",
       nfs_src_dir: 'fedora_ftp/fedora.redhat.com/pub/alt' }
   - { role: nfs/client,
       mnt_dir: '/srv/pub/fedora-secondary',
-      nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,nfsvers=4",
+      nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,sec=sys,nfsvers=4",
       nfs_src_dir: 'fedora_ftp/fedora.redhat.com/pub/fedora-secondary' }
 
   - role: apache
diff --git a/playbooks/hosts/data-analysis01.phx2.fedoraproject.org.yml b/playbooks/hosts/data-analysis01.phx2.fedoraproject.org.yml
index 5be664e24a..29e6fdf36a 100644
--- a/playbooks/hosts/data-analysis01.phx2.fedoraproject.org.yml
+++ b/playbooks/hosts/data-analysis01.phx2.fedoraproject.org.yml
@@ -51,7 +51,7 @@
   roles:
    - role: nfs/client
      mnt_dir: '/mnt/fedora_stats'
-     nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,nfsvers=4"
+     nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,sec=sys,nfsvers=4"
      nfs_src_dir: 'fedora_stats'
    - geoip