diff --git a/README.md b/README.md
index 4c3bd3d..d929535 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,8 @@
 
 Terraform for the following configuration:
 
-* OpenStack virtualised instances
+* OpenStack virtualised lab instances
+* An OpenStack virtualised container registry instance
 * Cinder volumes for instance storage
 * Floating IPs for networking
 
@@ -12,24 +13,26 @@ OpenStack infrastructure.
 
 ## Prerequisites
 
-* A Neutron network the instances can attach to, with router
+* A Neutron network the instances can attach to, with a router
 * Plenty of resource quota
+* Terraform installed (see instructions
+  [here](https://developer.hashicorp.com/terraform/install))
 
 ## Software Components
 
-[Kayobe](https://docs.openstack.org/kayobe/latest/) enables deployment of
+[Kayobe](https://docs.openstack.org/kayobe/latest/) enables the deployment of
 containerised OpenStack to bare metal.
 
 # Instructions for deployment
 
-After cloning this repo, source the regular OpenStack rc file with necessary
-vars for accessing the *A Universe From Nothing* lab project.
+After cloning this repo, source the regular OpenStack rc file with the
+necessary vars for accessing the *A Universe From Nothing* lab project.
 
-There are a various variables available for configuration. These can be seen
+There are various variables available for configuration. These can be seen
 in `vars.tf`, and can be set in `terraform.tfvars` (see sample file
 `terraform.tfvars.sample`).
 
-Next up is the `terraform` bit assuming it is already installed:
+Create the resources using Terraform:
 
     terraform init
     terraform plan
@@ -37,7 +40,7 @@ Next up is the `terraform` bit assuming it is already installed:
 
 To reprovision a lab machine:
 
-    terraform taint openstack_compute_instance_v2.#
+    terraform taint openstack_compute_instance_v2.lab[#]
     terraform apply -auto-approve
 
 where `#` is the lab index which can be obtained from the web UI.
@@ -54,7 +57,7 @@ SSH in to your lab instance by running and entering the provided password:
 
     ssh lab@<lab-ip-address> -o PreferredAuthentications=password
 
-The default password is the id of the lab instance. As such, it is recommeded
+The default password is the id of the lab instance. As such, it is recommended
 that you run `passwd` immediately to change the default password.
 
 ## Nested virtualisation
@@ -75,7 +78,7 @@ When complete, it should report an elapsed time as follows:
 
     [INFO] 22 minutes and 3 seconds elapsed.
 
-## Inspect the bifrost container inside your seed VM:
+## Inspect the Bifrost container inside your seed VM:
 
     ssh stack@192.138.33.5
     docker ps
@@ -85,7 +88,7 @@ When complete, it should report an elapsed time as follows:
 
 Look at the steps involved in deploying Kayobe control plane:
 
-    < a-universe-from-seed.sh
+    less a-universe-from-seed.sh
 
 # Wrapping up
 
diff --git a/a-seed-from-nothing.sh b/a-seed-from-nothing.sh
index f786a88..abdea88 100644
--- a/a-seed-from-nothing.sh
+++ b/a-seed-from-nothing.sh
@@ -3,9 +3,6 @@
 # Reset SECONDS
 SECONDS=0
 
-# Cloud User: cloud-user (CentOS) or ubuntu?
-CLOUD_USER=cloud-user
-
 ENABLE_OVN=true
 
 # Registry IP
@@ -14,19 +11,20 @@ registry_ip=$1
 echo "[INFO] Given docker registry IP: $registry_ip"
 
 # Disable the firewall.
-if [[ "${CLOUD_USER}" = "ubuntu" ]]
-then
+if type apt; then
+    grep -q $HOSTNAME /etc/hosts || (echo "$(ip r | grep -o '^default via.*src [0-9.]*' | awk '{print $NF}') $HOSTNAME" | sudo tee -a /etc/hosts)
     dpkg -l ufw && sudo systemctl is-enabled ufw && sudo systemctl stop ufw && sudo systemctl disable ufw
 else
     rpm -q firewalld && sudo systemctl is-enabled firewalld && sudo systemctl stop firewalld && sudo systemctl disable firewalld
-fi
 
-# Disable SELinux.
-sudo setenforce 0
+    # Disable SELinux.
+    sudo setenforce 0
+fi
 
 # Useful packages
-if [[ "${CLOUD_USER}" = "ubuntu" ]]
-then
+if type apt; then
+    # Avoid the interactive dialog prompting for service restart: set policy to leave services unchanged
+    echo "\$nrconf{restart} = 'l';" | sudo tee /etc/needrestart/conf.d/90-aufn.conf
     sudo apt update
     sudo apt install -y git tmux lvm2 iptables
 else
@@ -42,8 +40,7 @@ EOF
 sudo sysctl --load /etc/sysctl.d/70-ipv6.conf
 
 # CentOS Stream 8 requires network-scripts.  Rocky Linux 9 and onwards use NetworkManager.
-if [[ "${CLOUD_USER}" = "cloud-user" ]]
-then
+if type dnf; then
     case $(grep -o "[89]\.[0-9]" /etc/redhat-release) in
       "8.*")
         sudo dnf install -y network-scripts
@@ -60,6 +57,18 @@ then
         exit -1
         ;;
     esac
+elif type apt; then
+    # Prepare for disabling of Netplan and enabling of systemd-networkd.
+    # Netplan has an interaction with systemd and cloud-init to populate
+    # systemd-networkd files, but ephemerally.  If /etc/systemd/network is
+    # empty and netplan config files are present in /run, copy them over.
+    persistent_netcfg=$(ls /etc/systemd/network)
+    ephemeral_netcfg=$(ls /run/systemd/network)
+    if [[ -z "$persistent_netcfg" && ! -z "$ephemeral_netcfg" ]]
+    then
+        echo "Creating persistent versions of Netplan ephemeral config"
+        sudo cp /run/systemd/network/* /etc/systemd/network
+    fi
 fi
 
 # Exit on error
@@ -68,6 +77,7 @@ fi
 set -e
 
 # Ensure an ssh key is generated
+CLOUD_USER=$(ls /home | grep -v lab | grep -v stack | head -1)
 # NOTE: you might think ~${CLOUD_USER} would work but apparently not
 CLOUD_USER_DIR=/home/${CLOUD_USER}
 keyfile="$HOME/.ssh/id_rsa"
@@ -86,43 +96,38 @@ then
     sudo chown ${CLOUD_USER}.${CLOUD_USER} ${CLOUD_USER_DIR}/.ssh/authorized_keys
 fi
 
-# Clone Kayobe.
+# Clone Beokay.
 cd $HOME
-[[ -d kayobe ]] || git clone https://opendev.org/openstack/kayobe.git -b stable/yoga
-cd kayobe
+git clone https://github.com/stackhpc/beokay.git -b master
+
+# Use Beokay to bootstrap your control host.
+[[ -d deployment ]] || beokay/beokay.py create --base-path ~/deployment --kayobe-repo https://opendev.org/openstack/kayobe.git --kayobe-branch stable/2023.1 --kayobe-config-repo https://github.com/stackhpc/a-universe-from-nothing.git --kayobe-config-branch stable/2023.1
 
 # Bump the provisioning time - it can be lengthy on virtualised storage
-sed -i.bak 's%^[# ]*wait_active_timeout:.*%    wait_active_timeout: 5000%' ~/kayobe/ansible/overcloud-provision.yml
+sed -i.bak 's%^[# ]*wait_active_timeout:.*%    wait_active_timeout: 5000%' ~/deployment/src/kayobe/ansible/overcloud-provision.yml
 
 # Clone the Tenks repository.
+cd ~/deployment/src/
 [[ -d tenks ]] || git clone https://opendev.org/openstack/tenks.git
-
-# Clone this Kayobe configuration.
-mkdir -p config/src
-cd config/src/
-[[ -d kayobe-config ]] || git clone https://github.com/stackhpc/a-universe-from-nothing.git -b stable/yoga kayobe-config
+cd
 
 # Set default registry name to the one we just created
-sed -i.bak 's/^docker_registry.*/docker_registry: '$registry_ip':4000/' kayobe-config/etc/kayobe/docker.yml
+sed -i.bak 's/^docker_registry:.*/docker_registry: '$registry_ip':4000/' ~/deployment/src/kayobe-config/etc/kayobe/docker.yml
 
 # Configure host networking (bridge, routes & firewall)
-./kayobe-config/configure-local-networking.sh
-
-# Install kayobe.
-cd ~/kayobe
-./dev/install-dev.sh
+~/deployment/src/kayobe-config/configure-local-networking.sh
 
 # Enable OVN flags
 if $ENABLE_OVN
 then
-    cat <<EOF | sudo tee -a config/src/kayobe-config/etc/kayobe/bifrost.yml
+    cat <<EOF | sudo tee -a ~/deployment/src/kayobe-config/etc/kayobe/bifrost.yml
 kolla_bifrost_extra_kernel_options:
   - "console=ttyS0"
 EOF
-    cat <<EOF | sudo tee -a config/src/kayobe-config/etc/kayobe/kolla.yml
+    cat <<EOF | sudo tee -a ~/deployment/src/kayobe-config/etc/kayobe/kolla.yml
 kolla_enable_ovn: yes
 EOF
-    cat <<EOF | sudo tee -a config/src/kayobe-config/etc/kayobe/neutron.yml
+    cat <<EOF | sudo tee -a ~/deployment/src/kayobe-config/etc/kayobe/neutron.yml
 kolla_neutron_ml2_type_drivers:
   - geneve
   - vlan
@@ -134,17 +139,25 @@ kolla_neutron_ml2_tenant_network_types:
 EOF
 fi
 
+# Set Environment variables for Kayobe dev scripts
+export KAYOBE_CONFIG_SOURCE_PATH=~/deployment/src/kayobe-config
+export KAYOBE_VENV_PATH=~/deployment/venvs/kayobe
+
 # Deploy hypervisor services.
-./dev/seed-hypervisor-deploy.sh
+~/deployment/src/kayobe/dev/seed-hypervisor-deploy.sh
 
 # Deploy a seed VM.
 # NOTE: This should work the first time because the packet configuration uses a
 # custom docker registry.  However, there are sometimes issues with Docker starting up on the seed (FIXME)
-if ! ./dev/seed-deploy.sh; then
+if ! ~/deployment/src/kayobe/dev/seed-deploy.sh; then
     # Deploy a seed VM. Should work this time.
-    ./dev/seed-deploy.sh
+    ~/deployment/src/kayobe/dev/seed-deploy.sh
 fi
 
+# Run TENKS
+export TENKS_CONFIG_PATH=~/deployment/src/kayobe-config/tenks.yml
+~/deployment/src/kayobe/dev/tenks-deploy-overcloud.sh ~/deployment/src/tenks
+
 # Duration
 duration=$SECONDS
 echo "[INFO] $(($duration / 60)) minutes and $(($duration % 60)) seconds elapsed."
diff --git a/a-universe-from-seed.sh b/a-universe-from-seed.sh
index dac4852..8e2d960 100755
--- a/a-universe-from-seed.sh
+++ b/a-universe-from-seed.sh
@@ -8,19 +8,10 @@ SECONDS=0
 
 # FIXME: IP on public1 subnet disappears for braio interface during the course
 # of a-seed-from-nothing.sh script. Rerun the configuration script to re-add it.
-cd ~/kayobe/config/src/
-./kayobe-config/configure-local-networking.sh
-
-# Change to kayobe directory
-cd ~/kayobe
-
-# Create some 'bare metal' VMs for the controller and compute node.
-# NOTE: Make sure to use ./tenks, since just ‘tenks’ will install via PyPI.
-export TENKS_CONFIG_PATH=config/src/kayobe-config/tenks.yml
-./dev/tenks-deploy.sh ./tenks
+~/deployment/src/kayobe-config/configure-local-networking.sh
 
 # Activate the Kayobe environment, to allow running commands directly.
-source dev/environment-setup.sh
+source ~/deployment/env-vars.sh
 
 # Inspect and provision the overcloud hardware:
 kayobe overcloud inventory discover
@@ -32,7 +23,7 @@ kayobe overcloud provision
 kayobe overcloud host configure
 kayobe overcloud container image pull
 kayobe overcloud service deploy
-source config/src/kayobe-config/etc/kolla/public-openrc.sh
+source ~/deployment/src/kayobe-config/etc/kolla/public-openrc.sh
 kayobe overcloud post configure
 
 # At this point it should be possible to access the Horizon GUI via the seed
@@ -49,12 +40,13 @@ kayobe overcloud host command run --command "iptables -P FORWARD ACCEPT" --becom
 
 # The following script will register some resources in OpenStack to enable
 # booting up a tenant VM.
-source config/src/kayobe-config/etc/kolla/public-openrc.sh
-./config/src/kayobe-config/init-runonce.sh
+source ~/deployment/src/kayobe-config/etc/kolla/public-openrc.sh
+~/deployment/src/kayobe-config/init-runonce.sh
 
 # Following the instructions displayed by the above script, boot a VM.
 # You'll need to have activated the ~/os-venv virtual environment.
-source ~/os-venv/bin/activate
+deactivate
+source ~/deployment/venvs/os-venv/bin/activate
 openstack server create --image cirros --flavor m1.tiny --key-name mykey --network demo-net demo1
 
 # Assign a floating IP to the server to make it accessible.
diff --git a/openstack-device.tf b/openstack-device.tf
index 3d621fb..0d58716 100644
--- a/openstack-device.tf
+++ b/openstack-device.tf
@@ -1,5 +1,5 @@
 resource "openstack_compute_keypair_v2" "ufn_lab_key" {
-  name       = "ufn_lab_key"
+  name       = "${var.lab_prefix}_lab_key"
   public_key = tls_private_key.default.public_key_openssh
 }
 
@@ -110,6 +110,67 @@ resource "null_resource" "registry" {
   }
 }
 
+resource "openstack_compute_secgroup_v2" "AUFN" {
+  name        = "${var.lab_prefix}-lab-rules"
+  description = "Access rules for AUFN lab deployment"
+
+  rule {
+    from_port   = 22
+    to_port     = 22
+    ip_protocol = "tcp"
+    cidr        = "0.0.0.0/0"
+  }
+
+  rule {
+    from_port   = 80
+    to_port     = 80
+    ip_protocol = "tcp"
+    cidr        = "0.0.0.0/0"
+  }
+
+  rule {
+    from_port   = 3000
+    to_port     = 3000
+    ip_protocol = "tcp"
+    cidr        = "0.0.0.0/0"
+  }
+
+  rule {
+    from_port   = 5601
+    to_port     = 5601
+    ip_protocol = "tcp"
+    cidr        = "0.0.0.0/0"
+  }
+
+  rule {
+    from_port   = 9091
+    to_port     = 9091
+    ip_protocol = "tcp"
+    cidr        = "0.0.0.0/0"
+  }
+
+  rule {
+    from_port   = 9093
+    to_port     = 9093
+    ip_protocol = "tcp"
+    cidr        = "0.0.0.0/0"
+  }
+}
+
+data "openstack_dns_zone_v2" "lab_zone" {
+  count = var.dns_zone_name != null ? 1 : 0
+  name  = var.dns_zone_name
+}
+
+resource "openstack_dns_recordset_v2" "lab_dns" {
+  count       = var.dns_zone_name != null ? var.lab_count : 0
+  zone_id     = data.openstack_dns_zone_v2.lab_zone[0].id
+  name        = format("%s-lab-%02d.%s", var.lab_prefix, count.index, var.dns_zone_name)
+  type        = "A"
+  ttl         = 300
+  records     = [openstack_compute_instance_v2.lab[count.index].network[0].fixed_ip_v4]
+}
+
 resource "openstack_compute_instance_v2" "lab" {
 
   count           = var.lab_count
@@ -117,6 +178,7 @@ resource "openstack_compute_instance_v2" "lab" {
   image_name      = var.image_name
   flavor_name     = var.lab_flavor
   key_pair        = openstack_compute_keypair_v2.ufn_lab_key.name
+  security_groups = ["default", openstack_compute_secgroup_v2.AUFN.name ]
 
   dynamic "block_device" {
     for_each = var.boot_labs_from_volume ? [1] : []
diff --git a/pull-retag-push-images.sh b/pull-retag-push-images.sh
index cf0f3b5..eb8dfcb 100755
--- a/pull-retag-push-images.sh
+++ b/pull-retag-push-images.sh
@@ -5,11 +5,7 @@ set -e
 # Reset SECONDS
 SECONDS=0
 
-# DISTRO: CentOS or Ubuntu?
-DISTRO=centos
-
-if [[ "${DISTRO}" = "ubuntu" ]]
-then
+if type apt; then
     # Install and start docker
     [[ -f /usr/share/keyrings/docker-archive-keyring.gpg ]] || (curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg)
     echo \
@@ -25,7 +21,7 @@ else
     cat << "EOF" | sudo tee /etc/yum.repos.d/docker-ce.repo
 [docker-ce-stable]
 name=Docker CE Stable - $basearch
-baseurl=https://download.docker.com/linux/centos/8/$basearch/stable
+baseurl=https://download.docker.com/linux/centos/9/$basearch/stable
 enabled=1
 gpgcheck=1
 gpgkey=https://download.docker.com/linux/centos/gpg
@@ -41,88 +37,94 @@ if [ ! "$(sudo docker ps -q -f name=registry)" ]; then
     sudo docker run -d -p 4000:5000 --restart=always --name registry registry
 fi
 
-tag=${1:-yoga}
-images="kolla/${DISTRO}-source-bifrost-deploy
-kolla/${DISTRO}-source-kolla-toolbox
-kolla/${DISTRO}-source-haproxy
-kolla/${DISTRO}-source-mariadb-server
-kolla/${DISTRO}-source-mariadb-clustercheck
-kolla/${DISTRO}-source-fluentd
-kolla/${DISTRO}-source-cron
-kolla/${DISTRO}-source-keepalived
-kolla/${DISTRO}-source-neutron-server
-kolla/${DISTRO}-source-neutron-l3-agent
-kolla/${DISTRO}-source-neutron-metadata-agent
-kolla/${DISTRO}-source-neutron-openvswitch-agent
-kolla/${DISTRO}-source-neutron-dhcp-agent
-kolla/${DISTRO}-source-glance-api
-kolla/${DISTRO}-source-nova-compute
-kolla/${DISTRO}-source-keystone-fernet
-kolla/${DISTRO}-source-keystone-ssh
-kolla/${DISTRO}-source-keystone
-kolla/${DISTRO}-source-nova-api
-kolla/${DISTRO}-source-nova-conductor
-kolla/${DISTRO}-source-nova-ssh
-kolla/${DISTRO}-source-nova-novncproxy
-kolla/${DISTRO}-source-nova-scheduler
-kolla/${DISTRO}-source-placement-api
-kolla/${DISTRO}-source-openvswitch-vswitchd
-kolla/${DISTRO}-source-openvswitch-db-server
-kolla/${DISTRO}-source-nova-libvirt
-kolla/${DISTRO}-source-memcached
-kolla/${DISTRO}-source-rabbitmq
-kolla/${DISTRO}-source-heat-api
-kolla/${DISTRO}-source-heat-api-cfn
-kolla/${DISTRO}-source-heat-engine
-kolla/${DISTRO}-source-horizon
-kolla/${DISTRO}-source-kibana
-kolla/${DISTRO}-source-elasticsearch
-kolla/${DISTRO}-source-elasticsearch-curator
-kolla/${DISTRO}-source-barbican-base
-kolla/${DISTRO}-source-barbican-api
-kolla/${DISTRO}-source-barbican-worker
-kolla/${DISTRO}-source-barbican-keystone-listener
-kolla/${DISTRO}-source-magnum-base
-kolla/${DISTRO}-source-magnum-api
-kolla/${DISTRO}-source-magnum-conductor
-kolla/${DISTRO}-source-prometheus-alertmanager
-kolla/${DISTRO}-source-prometheus-v2-server
-kolla/${DISTRO}-source-prometheus-cadvisor
-kolla/${DISTRO}-source-prometheus-haproxy-exporter
-kolla/${DISTRO}-source-prometheus-mtail
-kolla/${DISTRO}-source-prometheus-memcached-exporter
-kolla/${DISTRO}-source-prometheus-blackbox-exporter
-kolla/${DISTRO}-source-prometheus-node-exporter
-kolla/${DISTRO}-source-prometheus-elasticsearch-exporter
-kolla/${DISTRO}-source-prometheus-mysqld-exporter
-kolla/${DISTRO}-source-prometheus-openstack-exporter
-kolla/${DISTRO}-source-prometheus-libvirt-exporter
-kolla/${DISTRO}-source-grafana
-kolla/${DISTRO}-source-cinder-scheduler
-kolla/${DISTRO}-source-cinder-volume
-kolla/${DISTRO}-source-cinder-backup
-kolla/${DISTRO}-source-cinder-api
-kolla/${DISTRO}-source-ovn-controller
-kolla/${DISTRO}-source-ovn-northd
-kolla/${DISTRO}-source-ovn-nb-db-server
-kolla/${DISTRO}-source-ovn-sb-db-server
-kolla/${DISTRO}-source-dnsmasq
-kolla/${DISTRO}-source-ironic-api
-kolla/${DISTRO}-source-ironic-conductor
-kolla/${DISTRO}-source-ironic-inspector
-kolla/${DISTRO}-source-ironic-neutron-agent
-kolla/${DISTRO}-source-ironic-pxe
-kolla/${DISTRO}-source-nova-compute-ironic
-kolla/${DISTRO}-source-manila-api
-kolla/${DISTRO}-source-manila-share
-kolla/${DISTRO}-source-manila-data
-kolla/${DISTRO}-source-manila-scheduler"
+registry=quay.io
+acct=openstack.kolla
+if type apt; then
+    tag=${1:-2023.1-ubuntu-jammy}
+else
+    tag=${1:-2023.1-rocky-9}
+fi
+images="bifrost-deploy
+kolla-toolbox
+haproxy
+mariadb-server
+mariadb-clustercheck
+fluentd
+cron
+keepalived
+neutron-server
+neutron-l3-agent
+neutron-metadata-agent
+neutron-openvswitch-agent
+neutron-dhcp-agent
+glance-api
+nova-compute
+keystone-fernet
+keystone-ssh
+keystone
+nova-api
+nova-conductor
+nova-ssh
+nova-novncproxy
+nova-scheduler
+placement-api
+openvswitch-vswitchd
+openvswitch-db-server
+nova-libvirt
+memcached
+rabbitmq
+heat-api
+heat-api-cfn
+heat-engine
+horizon
+opensearch
+opensearch-dashboards
+barbican-base
+barbican-api
+barbican-worker
+barbican-keystone-listener
+magnum-base
+magnum-api
+magnum-conductor
+prometheus-alertmanager
+prometheus-v2-server
+prometheus-cadvisor
+prometheus-haproxy-exporter
+prometheus-mtail
+prometheus-memcached-exporter
+prometheus-blackbox-exporter
+prometheus-node-exporter
+prometheus-elasticsearch-exporter
+prometheus-mysqld-exporter
+prometheus-openstack-exporter
+prometheus-libvirt-exporter
+grafana
+cinder-scheduler
+cinder-volume
+cinder-backup
+cinder-api
+ovn-controller
+ovn-northd
+ovn-nb-db-server
+ovn-sb-db-server
+dnsmasq
+ironic-api
+ironic-conductor
+ironic-inspector
+ironic-neutron-agent
+ironic-pxe
+nova-compute-ironic
+manila-api
+manila-share
+manila-data
+manila-scheduler"
 
 for image in $images; do
-    sudo docker pull $image:$tag
-    sudo docker tag docker.io/$image:$tag localhost:4000/openstack.$image:$tag
-    sudo docker push localhost:4000/openstack.$image:$tag
-    sudo docker image remove docker.io/$image:$tag
+    echo "Processing $acct/$image:$tag..."
+    sudo docker pull $registry/$acct/$image:$tag
+    sudo docker tag $registry/$acct/$image:$tag localhost:4000/$acct/$image:$tag
+    sudo docker push localhost:4000/$acct/$image:$tag
+    sudo docker image remove $registry/$acct/$image:$tag
 done
 
 # Duration
diff --git a/vars.tf b/vars.tf
index 77265ee..8f49613 100644
--- a/vars.tf
+++ b/vars.tf
@@ -79,3 +79,10 @@ variable "bastion_floating_ip" {
   description = "Bastion floating IP"
   default     = "0.0.0.0"
 }
+
+variable "dns_zone_name" {
+  description = "The name of the DNS zone to use for creating DNS records. Leave null to skip DNS record creation."
+  type        = string
+  nullable    = true
+  default     = null
+}