diff --git a/tasks/drivers/kvm/nova_compute_kvm.yml b/tasks/drivers/kvm/nova_compute_kvm.yml index 224b7655..00ff0099 100644 --- a/tasks/drivers/kvm/nova_compute_kvm.yml +++ b/tasks/drivers/kvm/nova_compute_kvm.yml @@ -134,15 +134,16 @@ - nova-kvm - nova-libvirt -- name: Set apparmor config (Ubuntu/Debian) +# TODO(noonedeadpunk): Clean up in 2026.2 cycle +- name: Clean up old apparmor config (Ubuntu/Debian) ansible.builtin.lineinfile: dest: "/etc/apparmor.d/local/usr.lib.libvirt.virt-aa-helper" line: " {{ nova_system_home_folder }}/instances/_base/* r," - backup: true create: true owner: "root" group: "root" mode: "0644" + state: absent when: - ansible_facts['distribution'] == 'Ubuntu' or ansible_facts['distribution'] == 'Debian' notify: Reload apparmor profile @@ -151,6 +152,28 @@ - nova-kvm - nova-libvirt +- name: Set apparmor overrides (Ubuntu/Debian) + ansible.builtin.blockinfile: + dest: "/etc/apparmor.d/local/usr.lib.libvirt.virt-aa-helper" + block: | + # arbitrary path to nova home folder + {{ nova_system_home_folder }}/images/** r, + {{ nova_system_home_folder }}/instances/_base/** r, + {{ nova_system_home_folder }}/instances/snapshots/** r, + create: true + owner: "root" + group: "root" + mode: "0644" + marker: "# {mark} OPENSTACK-ANSIBLE MANAGED BLOCK" + when: + - ansible_facts['distribution'] == 'Ubuntu' or ansible_facts['distribution'] == 'Debian' + - nova_system_home_folder != '/var/lib/nova' + notify: Reload apparmor profile + tags: + - nova-config + - nova-kvm + - nova-libvirt + - name: Including nova_disable_smt tasks ansible.builtin.include_tasks: nova_disable_smt.yml when:
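Review bot: In the first hunk, `create: true` has no effect once the task is `state: absent` — lineinfile only creates the file when adding a line — so the cleanup task now carries a `create` key (and `owner`/`group`/`mode`) that read as if it still manages the file; trimming it to `dest`, `line` and `state: absent` would make its one-shot migration purpose obvious. The removal also matches only the exact old string `  {{ nova_system_home_folder }}/instances/_base/* r,`, so any hand-edited variant of that line (different spacing, `**`) stays in the profile; a short comment next to the TODO saying the task is a best-effort match on the line this role previously wrote would help whoever removes it in the 2026.2 cycle. The cleanup task's `tags` continue into the second hunk's context, so its body ends outside this hunk.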
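Review bot: In the second hunk, gating the blockinfile task on `nova_system_home_folder != '/var/lib/nova'` means that if the variable is later reverted to the default, the task is skipped and the managed block — with its read grants on the old custom path — is left in the AppArmor override indefinitely, the opposite of the cleanup the first hunk performs. Driving the block's presence from the value instead keeps the profile minimal in both directions: replace the second `when` item with `state: "{{ 'present' if nova_system_home_folder != '/var/lib/nova' else 'absent' }}"` on the module. The `/var/lib/nova` exclusion presumably relies on the distro-shipped virt-aa-helper profile already covering that path; that assumption is worth stating in a comment above the task (e.g. `# default home is already allowed by the packaged profile; only add rules for custom paths`) since nothing in the file verifies it. The value is interpolated unquoted into AppArmor rule syntax, so a trailing slash or whitespace in `nova_system_home_folder` yields a malformed or unintended rule; an `assert` on the variable (absolute, no trailing `/`) earlier in the role would catch that before the profile reload.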