diff --git a/oracle/images/Makefile b/oracle/images/Makefile
new file mode 100644
index 0000000..7eb0faa
--- /dev/null
+++ b/oracle/images/Makefile
@@ -0,0 +1,39 @@
+#
+REGISTRY ?= ghcr.io/siderolabs
+TAG ?= 1.6.7
+
+clean:
+ rm -rf .terraform.lock.hcl .terraform/
+ rm -f oracle-*.qcow2
+ rm -f oracle-*.oci
+ rm -f image_metadata.json
+
+init:
+ terraform init -upgrade
+
+images: clean
+ docker run --rm -i -v /dev:/dev --privileged $(REGISTRY)/imager:v$(TAG) oracle \
+ --extra-kernel-arg talos.dashboard.disabled=1 --platform oracle --arch amd64 --tar-to-stdout | tar xz
+ xz -d oracle-amd64.qcow2.xz
+ cp image_metadata_amd64.json image_metadata.json
+ tar zcf oracle-amd64.oci oracle-amd64.qcow2 image_metadata.json
+
+ docker run --rm -i -v /dev:/dev --privileged $(REGISTRY)/imager:v$(TAG) oracle \
+ --extra-kernel-arg talos.dashboard.disabled=1 --platform oracle --arch arm64 --tar-to-stdout | tar xz
+ xz -d oracle-arm64.qcow2.xz
+ cp image_metadata_arm64.json image_metadata.json
+ tar zcf oracle-arm64.oci oracle-arm64.qcow2 image_metadata.json
+
+images-factory: clean
+ wget -O oracle-amd64.qcow2.xz https://factory.talos.dev/image/6d423353cba6ef7d56d5a818fff27caf23f32b90cf271eada90f706141a84ec0/v$(TAG)/oracle-amd64.qcow2.xz
+ xz -d oracle-amd64.qcow2.xz
+ cp image_metadata_amd64.json image_metadata.json
+ tar zcf oracle-amd64.oci oracle-amd64.qcow2 image_metadata.json
+
+ wget -O oracle-arm64.qcow2.xz https://factory.talos.dev/image/6d423353cba6ef7d56d5a818fff27caf23f32b90cf271eada90f706141a84ec0/v$(TAG)/oracle-arm64.qcow2.xz
+ xz -d oracle-arm64.qcow2.xz
+ cp image_metadata_arm64.json image_metadata.json
+ tar zcf oracle-arm64.oci oracle-arm64.qcow2 image_metadata.json
+
+images-update:
+ terraform apply -var="release=v$(TAG)"
diff --git a/oracle/images/auth.tf b/oracle/images/auth.tf
index 7963a50..843cacd 100644
--- a/oracle/images/auth.tf
+++ b/oracle/images/auth.tf
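Review bot: None of `clean`, `init`, `images`, `images-factory` and `images-update` is a file, yet none is declared phony, so a stray file with one of those names in oracle/images makes `make images` report "up to date" and do nothing; add `.PHONY: clean init images images-factory images-update` after the variables (oracle/prepare/Makefile later in this commit has the same gap for `init` and `apply`). The `images-factory` recipe also feeds the wget-ed qcow2.xz straight into the `.oci` bundle that becomes a boot image with no integrity check beyond TLS, and `images` pulls `imager:v$(TAG)`, a mutable tag; a `sha256sum -c` against a checksum file committed next to the Makefile (values to be filled in from a trusted source) and a digest-pinned imager reference would make the artifact tamper-evident and reproducible. Finally `TAG ?= 1.6.7` duplicates the `release` default in variables.tf, and `images-update` passes `release=v$(TAG)` while that default is `1.6.7` without the `v`, so the two paths write different `operating_system_version` values; pick one spelling and derive the other from it.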
@@ -8,5 +8,5 @@ provider "oci" {
 user_ocid = var.user_ocid
 fingerprint = var.fingerprint
 private_key_path = var.key_file
- region = var.region
+ region = local.region
 }
diff --git a/oracle/images/images.tf b/oracle/images/images.tf
index 2a93046..2326cef 100644
--- a/oracle/images/images.tf
+++ b/oracle/images/images.tf
@@ -1,55 +1,38 @@
-resource "oci_objectstorage_object" "talos_amd64" {
+resource "oci_objectstorage_object" "talos" {
+ for_each = toset(var.arch)
+
 bucket = oci_objectstorage_bucket.images.name
 namespace = data.oci_objectstorage_namespace.ns.namespace
- object = "talos-amd64.oci"
- source = "oracle-amd64.oci"
- content_md5 = filemd5("oracle-amd64.oci")
+ object = "talos-${lower(each.key)}.oci"
+ source = "oracle-${lower(each.key)}.oci"
+ content_md5 = filemd5("oracle-${lower(each.key)}.oci")
 }
-resource "oci_objectstorage_object" "talos_arm64" {
- bucket = oci_objectstorage_bucket.images.name
- namespace = data.oci_objectstorage_namespace.ns.namespace
- object = "talos-arm64.oci"
- source = "oracle-arm64.oci"
- content_md5 = filemd5("oracle-arm64.oci")
-}
-
-resource "oci_core_image" "talos_amd64" {
+resource "oci_core_image" "talos" {
+ for_each = toset(var.arch)
 compartment_id = var.compartment_ocid
- display_name = "Talos-amd64"
+ display_name = "Talos-${lower(each.key)}"
+ defined_tags = local.tags
+ freeform_tags = { "OS" : "Talos", "Arch" : lower(each.key) }
 launch_mode = "PARAVIRTUALIZED"
 image_source_details {
 source_type = "objectStorageTuple"
 namespace_name = oci_objectstorage_bucket.images.namespace
 bucket_name = oci_objectstorage_bucket.images.name
- object_name = oci_objectstorage_object.talos_amd64.object
+ object_name = oci_objectstorage_object.talos[each.key].object
 operating_system = "Talos"
- operating_system_version = "1.3.0"
+ operating_system_version = var.release
 source_image_type = "QCOW2"
 }
- timeouts {
- create = "30m"
- }
-}
-
-resource "oci_core_image" "talos_arm64" {
- compartment_id = var.compartment_ocid
- display_name = "Talos-arm64"
- launch_mode = "PARAVIRTUALIZED"
-
- image_source_details {
- source_type = "objectStorageTuple"
- namespace_name = oci_objectstorage_bucket.images.namespace
- bucket_name = oci_objectstorage_bucket.images.name
- object_name = oci_objectstorage_object.talos_arm64.object
-
- operating_system = "Talos"
- operating_system_version = "1.3.0"
- source_image_type = "QCOW2"
+ lifecycle {
+ ignore_changes = [
+ defined_tags,
+ ]
+ replace_triggered_by = [oci_objectstorage_object.talos[each.key].content_md5]
 }
 timeouts {
diff --git a/oracle/images/variables.tf b/oracle/images/variables.tf
index 16e5e83..c9c64eb 100644
--- a/oracle/images/variables.tf
+++ b/oracle/images/variables.tf
@@ -1,14 +1,40 @@
-variable "compartment_ocid" {}
-variable "tenancy_ocid" {}
+variable "compartment_ocid" {
+ description = "The OCID of the compartment"
+ type = string
+ default = "ocid1.compartment.oc1.."
+}
+variable "tenancy_ocid" {
+ description = "The OCID of the tenancy"
+ type = string
+ default = "ocid1.tenancy.oc1.."
+}
 variable "user_ocid" {}
 variable "fingerprint" {}
 variable "key_file" {
 default = "~/.oci/oci_main_terraform.pem"
 }
-variable "region" {
- description = "the OCI region where resources will be created"
- type = string
- default = null
+data "terraform_remote_state" "init" {
+ backend = "local"
+ config = {
+ path = "${path.module}/../prepare/terraform.tfstate"
+ }
+}
+
+locals {
+ region = data.terraform_remote_state.init.outputs.region
+ tags = data.terraform_remote_state.init.outputs.tags
+}
+
+variable "release" {
+ description = "The image name"
+ type = string
+ default = "1.6.7"
+}
+
+variable "arch" {
+ description = "The Talos architecture list"
+ type = list(string)
+ default = ["amd64", "arm64"]
 }
diff --git a/oracle/images/versions.tf b/oracle/images/versions.tf
index 10bc239..9bb6f08 100644
--- a/oracle/images/versions.tf
+++ b/oracle/images/versions.tf
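Review bot: `operating_system_version = var.release` receives `v1.6.7` from the Makefile's `-var="release=v$(TAG)"` but `1.6.7` from the variable's own default, so the two invocation paths disagree on the value and, if the provider treats this attribute as replace-on-change, would flip-flop the image between runs; normalise one side, e.g. `operating_system_version = trimprefix(var.release, "v")`. `replace_triggered_by` on `content_md5` is a sound way to rebuild the image when the uploaded `.oci` changes, but `ignore_changes = [defined_tags]` means tag drift applied outside Terraform is never corrected, and a one-line comment stating why tags are deliberately left to out-of-band management would help the next reader. The resource's `timeouts` block continues past the end of the hunk.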
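Review bot: `compartment_ocid` and `tenancy_ocid` get defaults of `ocid1.compartment.oc1..` and `ocid1.tenancy.oc1..`, truncated OCIDs that pass `terraform validate` and only fail once the OCI API rejects them, which turns a forgotten `-var` into a late and confusing error; drop the defaults so Terraform prompts, or keep them and add `validation { condition = can(regex("^ocid1\\.compartment\\.oc1\\.[^.]", var.compartment_ocid)) ... }` so an unset value fails at plan time. The same placeholder defaults are introduced in oracle/services/variables.tf later in this commit. `release` is described as "The image name" but is consumed as the Talos version string in images.tf; `description = "Talos release used as the image operating_system_version, e.g. 1.6.7"` would match its use.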
@@ -2,9 +2,23 @@ terraform {
 required_providers {
 oci = {
- source = "hashicorp/oci"
- version = "4.108.0"
+ source = "oracle/oci"
+ version = "5.38.0"
 }
 }
- required_version = ">= 1.2"
+ required_version = ">= 1.5"
 }
+
+# terraform {
+# backend "s3" {
+# bucket = "YYY"
+# key = "images/terraform.tfstate"
+# region = local.region
+# endpoint = "https://XXX.compat.objectstorage.${local.region}.oraclecloud.com"
+# shared_credentials_file = "../terraform.tfstate.credentials"
+# skip_region_validation = true
+# skip_credentials_validation = true
+# skip_metadata_api_check = true
+# force_path_style = true
+# }
+# }
diff --git a/oracle/prepare/Makefile b/oracle/prepare/Makefile
new file mode 100644
index 0000000..980d174
--- /dev/null
+++ b/oracle/prepare/Makefile
@@ -0,0 +1,7 @@
+
+init:
+ terraform init -upgrade
+
+apply:
+ terraform apply -target=oci_core_vcn.main
+ terraform apply
diff --git a/oracle/prepare/common.tf b/oracle/prepare/common.tf
index 9eb77d7..41c2f13 100644
--- a/oracle/prepare/common.tf
+++ b/oracle/prepare/common.tf
@@ -14,3 +14,11 @@ data "oci_core_services" "object_store" {
 regex = true
 }
 }
+
+data "oci_core_services" "all_services" {
+ filter {
+ name = "name"
+ values = ["All .* Services In Oracle Services Network"]
+ regex = true
+ }
+}
diff --git a/oracle/prepare/variables.tf b/oracle/prepare/variables.tf
index 13ab2ec..b550ed2 100644
--- a/oracle/prepare/variables.tf
+++ b/oracle/prepare/variables.tf
@@ -26,25 +26,6 @@ variable "tags" {
 }
 }
-variable "kubernetes" {
- type = map(string)
- default = {
- podSubnets = "10.32.0.0/12,fd40:10:32::/102"
- serviceSubnets = "10.200.0.0/22,fd40:10:200::/112"
- nodeSubnets = "192.168.0.0/16"
- domain = "cluster.local"
- apiDomain = "api.cluster.local"
- clusterName = "talos-k8s-oracle"
- clusterID = ""
- clusterSecret = ""
- tokenMachine = ""
- caMachine = ""
- token = ""
- ca = ""
- }
- sensitive = true
-}
-
 variable "vpc_main_cidr" {
 description = "Local subnet rfc1918"
 type = string
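Review bot: The commented-out `backend "s3"` block references `local.region` and `${local.region}`, but Terraform evaluates backend configuration before locals and variables exist and does not allow named values there, so the block cannot be uncommented as written; either hard-code the region in it or move it to a `-backend-config` file and say so in a comment. It also points `shared_credentials_file` at `../terraform.tfstate.credentials`, a file outside the module — if that path is not already ignored by VCS, a `.gitignore` entry alongside this change would keep the bucket keys from being committed. The same block appears in oracle/services/versions.tf later in this commit, there with a concrete object-storage namespace in the `endpoint`, which is better not kept in committed dead code.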
diff --git a/oracle/prepare/versions.tf b/oracle/prepare/versions.tf
index 10bc239..5099db6 100644
--- a/oracle/prepare/versions.tf
+++ b/oracle/prepare/versions.tf
@@ -2,9 +2,9 @@ terraform {
 required_providers {
 oci = {
- source = "hashicorp/oci"
- version = "4.108.0"
+ source = "oracle/oci"
+ version = "5.38.0"
 }
 }
- required_version = ">= 1.2"
+ required_version = ">= 1.5"
 }
diff --git a/oracle/scripts/download b/oracle/scripts/download
deleted file mode 100755
index 12983bf..0000000
--- a/oracle/scripts/download
+++ /dev/null
@@ -1,16 +0,0 @@
-#!/bin/bash
-
-dest="./images"
-version="1.5.5"
-url=https://github.com/siderolabs/talos/releases/download/v${version}/
-
-for arch in amd64 arm64
-do
- file=oracle-${arch}.qcow2.xz
-
- echo "Downloading ${file} to ${dest}/${file}"
- curl -L ${url}/${file} -o ${dest}/${file}
- echo "Extracting: ${dest}/${file}"
- xz -df ${dest}/${file}
- echo
-done
diff --git a/oracle/services/auth.tf b/oracle/services/auth.tf
index d5e913b..d0f81d0 100644
--- a/oracle/services/auth.tf
+++ b/oracle/services/auth.tf
@@ -1,13 +1,8 @@
-# openssl genrsa -out ~/.oci/oci_api_key.pem 2048
-# chmod go-rwx ~/.oci/oci_api_key.pem
-# openssl rsa -pubout -in ~/.oci/oci_api_key.pem -out ~/.oci/oci_api_key_public.pem
-
 provider "oci" {
 tenancy_ocid = var.tenancy_ocid
 user_ocid = var.user_ocid
 fingerprint = var.fingerprint
- private_key_path = "~/.oci/oci_api_key.pem"
-
- region = var.region
+ private_key_path = var.key_file
+ region = local.region
 }
diff --git a/oracle/services/backet-backup.tf b/oracle/services/backet-backup.tf
new file mode 100644
index 0000000..e721d16
--- /dev/null
+++ b/oracle/services/backet-backup.tf
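Review bot: The three removed comment lines in oracle/services/auth.tf were the only place documenting how the API signing key is generated and that it must be `chmod go-rwx`; with `private_key_path` now coming from `var.key_file` (defaulting to `~/.oci/oci_production_terraform.pem` in variables.tf) that guidance still applies but is no longer discoverable from the provider block. Rather than deleting it, move the steps to the README and leave a pointer here such as `# see README: generating and protecting the OCI API key referenced by var.key_file`.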
@@ -0,0 +1,52 @@
+
+resource "random_string" "backup" {
+ length = 16
+ numeric = false
+ special = false
+ upper = false
+}
+
+data "oci_objectstorage_namespace" "namespace" {
+ compartment_id = var.compartment_ocid
+}
+
+resource "oci_objectstorage_bucket" "backup" {
+ compartment_id = var.compartment_ocid
+ name = random_string.registry.result
+ namespace = data.oci_objectstorage_namespace.namespace.namespace
+ defined_tags = merge(local.tags, { "Kubernetes.Type" = "project", "Kubernetes.Role" = "backup" })
+
+ access_type = "NoPublicAccess"
+ auto_tiering = "Disabled"
+ storage_tier = "Standard"
+ versioning = "Disabled"
+
+ lifecycle {
+ ignore_changes = [
+ defined_tags,
+ ]
+ }
+}
+
+resource "oci_objectstorage_object_lifecycle_policy" "test_object_lifecycle_policy" {
+ bucket = oci_objectstorage_bucket.backup.name
+ namespace = data.oci_objectstorage_namespace.namespace.namespace
+
+ rules {
+ action = "DELETE"
+ is_enabled = "true"
+ name = "Clean all objects"
+ time_amount = "30"
+ time_unit = "DAYS"
+ target = "objects"
+ }
+
+ rules {
+ action = "ABORT"
+ is_enabled = "true"
+ name = "Abort incomplete multipart uploads"
+ time_amount = "2"
+ time_unit = "DAYS"
+ target = "multipart-uploads"
+ }
+}
diff --git a/oracle/services/output.tf b/oracle/services/output.tf
index 39cc3fe..7f6571c 100644
--- a/oracle/services/output.tf
+++ b/oracle/services/output.tf
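Review bot: `oci_objectstorage_bucket.backup` sets `name = random_string.registry.result`, so the backup bucket is named after the registry's random string and the `random_string.backup` resource declared just above it is never used; the line should read `name = random_string.backup.result`. For a bucket whose role is backup, `versioning = "Disabled"` combined with the unconditional `DELETE` rule after 30 days means an accidental or malicious overwrite has no recovery path inside the retention window — if that is intentional it deserves a comment, otherwise `versioning = "Enabled"` is the safer default. Object lifecycle policies in OCI also require, I believe, an IAM policy granting the Object Storage service in the region permission to manage objects in the compartment; a comment pointing at where that policy is created would spare the next `apply` an opaque authorization error. The resource name `test_object_lifecycle_policy` reads as copied from a provider example, and the file name `backet-backup.tf` looks like a typo for `bucket`.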
@@ -1,5 +1,16 @@
-output "registry" {
+output "registries" {
 description = "Registry name"
- value = "https://${var.region}.ocir.io/${data.oci_artifacts_container_configuration.registry.namespace}/${oci_artifacts_container_repository.registry.display_name}"
+ value = [for repo in oci_artifacts_container_repository.registry :
+ try("${local.region}.ocir.io/${data.oci_artifacts_container_configuration.registry.namespace}/${repo.display_name}", "")
+ ]
+}
+
+output "backup" {
+ description = "Backup bucket name"
+ value = {
+ bucket = oci_objectstorage_bucket.backup.name,
+ region = local.region,
+ endpoint = "https://${data.oci_objectstorage_namespace.namespace.namespace}.compat.objectstorage.${local.region}.oraclecloud.com",
+ }
 }
diff --git a/oracle/services/registry.tf b/oracle/services/registry.tf
index a79548a..608b839 100644
--- a/oracle/services/registry.tf
+++ b/oracle/services/registry.tf
@@ -1,6 +1,9 @@
-resource "random_id" "registry" {
- byte_length = 8
+resource "random_string" "registry" {
+ length = 16
+ numeric = false
+ special = false
+ upper = false
 }
 data "oci_artifacts_container_configuration" "registry" {
@@ -8,13 +11,21 @@ data "oci_artifacts_container_configuration" "registry" {
 }
 resource "oci_artifacts_container_repository" "registry" {
+ for_each = toset(var.repos)
 compartment_id = var.compartment_ocid
- display_name = "registry-${random_id.registry.hex}"
+ display_name = "${random_string.registry.result}/${each.value}"
+ defined_tags = merge(local.tags, { "Kubernetes.Type" = "infra" })
 is_immutable = false
 is_public = false
 readme {
- content = "Container registry for ${var.project}"
+ content = "Container mirror of ${each.value}"
 format = "text/plain"
 }
+
+ lifecycle {
+ ignore_changes = [
+ defined_tags,
+ ]
+ }
 }
diff --git a/oracle/services/variables.tf b/oracle/services/variables.tf
index 6fcf232..9fc6a2b 100644
--- a/oracle/services/variables.tf
+++ b/oracle/services/variables.tf
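Review bot: Switching `oci_artifacts_container_repository.registry` to `for_each = toset(var.repos)` changes its state address to `registry["kubelet"]`, and `display_name` changes from `registry-<hex>` to `<random_string>/kubelet`, so the next apply will plan to destroy the existing repository, and any images mirrored into it, and create a new one; if the old repository is in use, add `moved { from = oci_artifacts_container_repository.registry to = oci_artifacts_container_repository.registry["kubelet"] }` and confirm whether the provider can change `display_name` in place before applying. The `random_id` → `random_string` swap in the first registry.tf hunk forces the same rename, so the two are best landed together with a short migration note. `ignore_changes = [defined_tags]` here mirrors the images module; a one-line comment on why tags are managed outside Terraform would help the next reader.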
@@ -1,16 +1,35 @@
-variable "compartment_ocid" {}
-variable "tenancy_ocid" {}
+variable "compartment_ocid" {
+ description = "The OCID of the compartment"
+ type = string
+ default = "ocid1.compartment.oc1.."
+}
+variable "tenancy_ocid" {
+ description = "The OCID of the tenancy"
+ type = string
+ default = "ocid1.tenancy.oc1.."
+}
 variable "user_ocid" {}
 variable "fingerprint" {}
-
-variable "project" {
- type = string
- default = "main"
+variable "key_file" {
+ default = "~/.oci/oci_production_terraform.pem"
 }
-variable "region" {
- description = "the OCI region where resources will be created"
- type = string
- default = null
+data "terraform_remote_state" "prepare" {
+ backend = "local"
+ config = {
+ path = "${path.module}/../prepare/terraform.tfstate"
+ }
+}
+
+locals {
+ project = data.terraform_remote_state.prepare.outputs.project
+ region = data.terraform_remote_state.prepare.outputs.region
+ tags = data.terraform_remote_state.prepare.outputs.tags
+}
+
+variable "repos" {
+ default = [
+ "kubelet",
+ ]
 }
diff --git a/oracle/services/versions.tf b/oracle/services/versions.tf
index cb870b7..05a7d38 100644
--- a/oracle/services/versions.tf
+++ b/oracle/services/versions.tf
@@ -2,8 +2,23 @@ terraform {
 required_providers {
 oci = {
- source = "hashicorp/oci"
- version = "4.108.0"
+ source = "oracle/oci"
+ version = "5.38.0"
 }
 }
+ required_version = ">= 1.5"
 }
+
+# terraform {
+# backend "s3" {
+# bucket = "YYY"
+# key = "services/terraform.tfstate"
+# region = local.region
+# endpoint = "https://fracoo9ea64h.compat.objectstorage.${local.region}.oraclecloud.com"
+# shared_credentials_file = "../terraform.tfstate.credentials"
+# skip_region_validation = true
+# skip_credentials_validation = true
+# skip_metadata_api_check = true
+# force_path_style = true
+# }
+# }