diff --git a/proxmox/.gitignore b/proxmox/.gitignore
index daec180..0ac6e9d 100644
--- a/proxmox/.gitignore
+++ b/proxmox/.gitignore
@@ -9,3 +9,4 @@ terraform.tfvars.sops.json
 # age.key.txt
 .env.yaml
+secrets.proxmox.yaml
diff --git a/proxmox/Makefile b/proxmox/Makefile
index 8aa808b..fcb2bae 100644
--- a/proxmox/Makefile
+++ b/proxmox/Makefile
@@ -80,8 +80,8 @@ system:
 proxmox-cloud-controller-manager oci://ghcr.io/sergelogvinov/charts/proxmox-cloud-controller-manager
 #
- # File vars/secrets.proxmox.yaml should be created manually
+ # File vars/secrets.proxmox.yaml was created by terraform
 # kubectl --kubeconfig=kubeconfig apply -f vars/proxmox-ns.yaml
- # helm --kubeconfig=kubeconfig secrets upgrade -i --namespace=csi-proxmox -f vars/proxmox-csi.yaml -f vars/secrets.proxmox.yaml \
- # proxmox-csi-plugin oci://ghcr.io/sergelogvinov/charts/proxmox-csi-plugin
+ helm --kubeconfig=kubeconfig secrets upgrade -i --namespace=csi-proxmox -f vars/proxmox-csi.yaml -f vars/secrets.proxmox.yaml \
+ proxmox-csi-plugin oci://ghcr.io/sergelogvinov/charts/proxmox-csi-plugin
diff --git a/proxmox/instances-controlplane.tf b/proxmox/instances-controlplane.tf
index c0dfa17..4cd3c8a 100644
--- a/proxmox/instances-controlplane.tf
+++ b/proxmox/instances-controlplane.tf
@@ -204,8 +204,8 @@ resource "local_sensitive_file" "controlplane" {
 "clusters" : [{
 "url" : "https://${each.value.hvv4}:8006/api2/json",
 "insecure" : true,
- "token_id" : split("=", local.proxmox_token)[0],
- "token_secret" : split("=", local.proxmox_token)[1],
+ "token_id" : split("=", local.proxmox_token_ccm)[0],
+ "token_secret" : split("=", local.proxmox_token_ccm)[1],
 "region" : var.region,
 }]
 })
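Review bot: The helm line that this hunk un-comments passes `-f vars/secrets.proxmox.yaml`, and after this commit that file exists only once `terraform apply` has produced it (the tracked copy is deleted in the same commit), so a fresh checkout running this target fails inside helm with an unhelpful missing-file error; the enclosing `system:` target starts outside the hunk. A guard placed before the helm call makes the ordering explicit: `test -f vars/secrets.proxmox.yaml || { echo "vars/secrets.proxmox.yaml missing: run terraform apply first"; exit 1; }`. The new comment also reads better in the present tense and with the producer named, e.g. `# vars/secrets.proxmox.yaml is generated by terraform (local_sensitive_file.csi) and is git-ignored; never commit it`.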
@@ -215,6 +215,22 @@ resource "local_sensitive_file" "controlplane" {
 file_permission = "0600"
 }
+resource "local_sensitive_file" "csi" {
+ content = yamlencode({
+ "config" : {
+ "clusters" : [{
+ "url" : "https://${var.proxmox_host}:8006/api2/json",
+ "insecure" : true,
+ "token_id" : split("=", local.proxmox_token_csi)[0],
+ "token_secret" : split("=", local.proxmox_token_csi)[1],
+ "region" : var.region,
+ }]
+ }
+ })
+ filename = "vars/secrets.proxmox.yaml"
+ file_permission = "0600"
+}
+
 locals {
 controlplane_config = { for k, v in local.controlplanes : k => "talosctl apply-config --insecure --nodes ${v.ipv6} --config-patch @_cfgs/${v.name}.yaml --file _cfgs/controlplane.yaml" }
 }
diff --git a/proxmox/instances-db.tf b/proxmox/instances-db.tf
index f2b6f4f..89a6f79 100644
--- a/proxmox/instances-db.tf
+++ b/proxmox/instances-db.tf
@@ -88,7 +88,7 @@ resource "proxmox_virtual_environment_vm" "db" {
 up_delay = 5
 }
- machine = "pc"
+ machine = "q35"
 cpu {
 architecture = "x86_64"
 cores = each.value.cpu
diff --git a/proxmox/instances-web.tf b/proxmox/instances-web.tf
index ffb14b6..db22141 100644
--- a/proxmox/instances-web.tf
+++ b/proxmox/instances-web.tf
@@ -105,7 +105,7 @@ resource "proxmox_virtual_environment_vm" "web" {
 up_delay = 5
 }
- machine = "pc"
+ machine = "q35"
 cpu {
 architecture = "x86_64"
 cores = each.value.cpu
diff --git a/proxmox/instances-worker.tf b/proxmox/instances-worker.tf
index b620610..36b0b46 100644
--- a/proxmox/instances-worker.tf
+++ b/proxmox/instances-worker.tf
@@ -84,7 +84,7 @@ resource "proxmox_virtual_environment_vm" "worker" {
 up_delay = 15
 }
- machine = "pc"
+ machine = "q35"
 cpu {
 architecture = "x86_64"
 cores = each.value.cpu
diff --git a/proxmox/variables.tf b/proxmox/variables.tf
index dcb9120..b0311ec 100644
--- a/proxmox/variables.tf
+++ b/proxmox/variables.tf
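Review bot: `local_sensitive_file.csi` now writes the CSI token in plaintext to `vars/secrets.proxmox.yaml`, and the same commit deletes a previously tracked copy of that file that carried a literal `token_secret` for `kubernetes@pve!csi`; deleting it from the tree leaves it in git history, so that token should be treated as exposed and rotated in Proxmox (the `init` state's `csi` output then has to be refreshed) before the generated file is relied on. The `"insecure" : true` entry copies the controlplane resource above and turns off TLS verification of the Proxmox API, which deserves a one-line comment recording that this is deliberate, e.g. `# insecure: Proxmox API is reached by IP with a self-signed cert — TODO pin the CA instead`. A header comment on the resource would also help readers: `# Generated proxmox-csi-plugin credentials; consumed by the helm call in the Makefile, git-ignored, never commit`. `file_permission = "0600"` is right, but `filename` is relative to the terraform working directory, so an apply run from elsewhere writes the secret somewhere the Makefile will not find it.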
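Review bot: The `machine = "q35"` change is made without a comment explaining why the chipset is switched, and the identical change appears in the instances-web.tf and instances-worker.tf hunks on this line. For VMs that already exist the provider will rewrite the setting on the next apply, but as far as I can tell the new chipset only takes effect after a stop/start and can change PCI device enumeration inside the guest, so the rationale and the expected reboot are worth stating once, e.g. `# q35 (PCIe chipset) instead of legacy pc/i440fx; existing VMs need a stop/start to pick this up`. The enclosing `proxmox_virtual_environment_vm` resource starts and ends outside the hunk.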
@@ -43,7 +43,8 @@ data "terraform_remote_state" "init" {
 locals {
 kubernetes = jsondecode(data.sops_file.tfvars.raw)["kubernetes"]
- proxmox_token = data.terraform_remote_state.init.outputs.ccm
+ proxmox_token_ccm = data.terraform_remote_state.init.outputs.ccm
+ proxmox_token_csi = data.terraform_remote_state.init.outputs.csi
 }
 variable "nodes" {
diff --git a/proxmox/vars/secrets.proxmox.yaml b/proxmox/vars/secrets.proxmox.yaml
deleted file mode 100644
index e437ac1..0000000
--- a/proxmox/vars/secrets.proxmox.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-config:
- clusters:
- - region: region-1
- url: https://172.16.0.128:8006/api2/json
- insecure: true
- token_id: kubernetes@pve!csi
- token_secret: f6ead34e-11c0-4c4d-b8f3-7ae99b526ac0
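Review bot: `proxmox_token_csi` and `proxmox_token_ccm` are taken from remote-state outputs whose sensitivity is declared in the `init` configuration, outside this diff; if those outputs are not marked sensitive the token strings appear in plan output wherever they are interpolated, so wrapping the locals makes the intent explicit regardless: `proxmox_token_ccm = sensitive(data.terraform_remote_state.init.outputs.ccm)` and `proxmox_token_csi = sensitive(data.terraform_remote_state.init.outputs.csi)`. The consumers in instances-controlplane.tf rely on `split("=", …)[0]`/`[1]`, i.e. on each output being a single `<token_id>=<token_secret>` string with exactly one `=`; a comment on these two lines stating that format, `# outputs.ccm / outputs.csi are "<token_id>=<token_secret>" strings split by the consumers`, ties the two files together. The `locals` block is complete within the hunk; the `data "terraform_remote_state" "init"` block above it is not.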