diff --git a/.github/workflows/build_test_images.yaml b/.github/workflows/build_test_images.yaml index 8bd5568c..b9b9e9ee 100644 --- a/.github/workflows/build_test_images.yaml +++ b/.github/workflows/build_test_images.yaml @@ -88,7 +88,7 @@ jobs: run: sudo guestmount -a ${{ steps.publish-image.outputs.image-name }}.qcow2 -i --ro -o allow_other './${{ steps.publish-image.outputs.image-name }}' - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@0.17.0 + uses: aquasecurity/trivy-action@0.24.0 with: scan-type: fs scan-ref: "./${{ steps.publish-image.outputs.image-name }}" @@ -104,7 +104,7 @@ jobs: category: "${{ matrix.name }}" - name: Fail if scan has CRITICAL vulnerabilities - uses: aquasecurity/trivy-action@0.16.1 + uses: aquasecurity/trivy-action@0.24.0 with: scan-type: fs scan-ref: "./${{ steps.publish-image.outputs.image-name }}" diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml index 1ce234e9..c40f681d 100644 --- a/.github/workflows/pr.yaml +++ b/.github/workflows/pr.yaml @@ -15,8 +15,8 @@ jobs: fail_on_remote: runs-on: ubuntu-latest steps: - - name: PR must be from a branch in the azimuth-cloud/azimuth-images repo - run: exit ${{ github.repository == 'azimuth-cloud/azimuth-images' && '0' || '1' }} + - name: PR must be from a branch in the RSE-Cambridge/azimuth-images repo + run: exit ${{ github.repository == 'RSE-Cambridge/azimuth-images' && '0' || '1' }} # Build, publish and test the images build_test_images: diff --git a/ansible/jupyter-repo2docker.yml b/ansible/jupyter-repo2docker.yml index ca4557b3..5977da9b 100644 --- a/ansible/jupyter-repo2docker.yml +++ b/ansible/jupyter-repo2docker.yml @@ -3,4 +3,5 @@ - hosts: all become: yes roles: + - linux-common - jupyter-repo2docker diff --git a/ansible/kubernetes.yml b/ansible/kubernetes.yml index 6753ef36..23eff556 100644 --- a/ansible/kubernetes.yml +++ b/ansible/kubernetes.yml 
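Review bot: Both `uses: aquasecurity/trivy-action@0.24.0` lines pin a third-party action by a mutable tag, which the action's maintainers (or anyone who compromises that repository) can move to different code, and this step both mounts the freshly built image and produces the result that gates publishing. Pin to the full commit SHA with the version in a trailing comment, e.g. `uses: aquasecurity/trivy-action@<40-char commit sha> # v0.24.0`, and let Dependabot/Renovate track the tag. The same applies to the `Fail if scan has CRITICAL vulnerabilities` step in the second hunk, whose `with:` block continues outside the hunk.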
@@ -3,6 +3,6 @@ - hosts: all become: yes roles: - - linux-volumes-by-tag + - linux-common - import_playbook: ../vendor/image-builder/images/capi/ansible/node.yml diff --git a/ansible/linux-rdp-gateway.yml b/ansible/linux-rdp-gateway.yml index f4724c07..004d86b2 100644 --- a/ansible/linux-rdp-gateway.yml +++ b/ansible/linux-rdp-gateway.yml @@ -3,4 +3,5 @@ - hosts: all become: yes roles: + - linux-common - linux-rdp-gateway diff --git a/ansible/linux-rstudio.yml b/ansible/linux-rstudio.yml index dd27e734..db51fcba 100644 --- a/ansible/linux-rstudio.yml +++ b/ansible/linux-rstudio.yml @@ -3,4 +3,5 @@ - hosts: all become: yes roles: + - linux-common - linux-rstudio diff --git a/ansible/linux-webconsole.yml b/ansible/linux-webconsole.yml index e5e89284..2986f98b 100644 --- a/ansible/linux-webconsole.yml +++ b/ansible/linux-webconsole.yml @@ -3,4 +3,5 @@ - hosts: all become: yes roles: + - linux-common - linux-webconsole diff --git a/ansible/roles/jupyter-repo2docker/tasks/main.yml b/ansible/roles/jupyter-repo2docker/tasks/main.yml index ffa24c13..5b1199a0 100644 --- a/ansible/roles/jupyter-repo2docker/tasks/main.yml +++ b/ansible/roles/jupyter-repo2docker/tasks/main.yml @@ -1,27 +1,5 @@ --- -- name: Update apt cache - apt: - update_cache: yes - when: ansible_os_family == "Debian" - -- name: Ensure up-to-date CA certificates - package: - name: ca-certificates - state: latest - -# Required for become to an unprivileged user to work -# Using the apt module seems to work more reliably than package :-/ -- name: Install ACL package - apt: - update_cache: yes - name: acl - state: present - when: ansible_os_family == "Debian" - -- include_role: - name: azimuth_cloud.image_utils.linux_ansible_init - - include_role: name: linux-podman tasks_from: install.yml diff --git a/ansible/roles/linux-broadcom/tasks/main.yml b/ansible/roles/linux-broadcom/tasks/main.yml new file mode 100644 index 00000000..5e06dbec --- /dev/null +++ b/ansible/roles/linux-broadcom/tasks/main.yml 
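Review bot: Swapping `linux-volumes-by-tag` for `linux-common` in `ansible/kubernetes.yml` does more than keep the volume-tag role: per the `linux-common` role added in this commit it also enables ansible-init and unconditionally installs the Broadcom NetXtreme-E DKMS driver together with gcc-12/dkms into the CAPI node image before `node.yml` runs. If the Kubernetes image was meant to stay minimal that is a surface-area change worth stating in the commit message or gating behind a variable; if it is intended, an explicit comment on the role line such as `# linux-common: apt/CA refresh, acl, ansible-init, volumes-by-tag, Broadcom NIC driver` would save the next reader from having to trace the include chain.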
@@ -0,0 +1,17 @@ +--- + - name: Install pre-requisites + ansible.builtin.apt: + pkg: + - dctrl-tools + - gcc-12 + - cpp-12 + - libgcc-12-dev + - libasan8 + - libtsan2 + - dkms + state: latest + + - name: Install the broadcom driver for NetXtreme-E Ethernet + ansible.builtin.apt: + deb: https://object.arcus.openstack.hpc.cam.ac.uk/swift/v1/AUTH_7ac3c0a502cd46c783b2128116165566/bcom-nxe-drivers/netxtreme-peer-mem-dkms_229.2.49.0_all.deb + state: present diff --git a/ansible/roles/linux-common/tasks/main.yml b/ansible/roles/linux-common/tasks/main.yml new file mode 100644 index 00000000..10a1aa19 --- /dev/null +++ b/ansible/roles/linux-common/tasks/main.yml @@ -0,0 +1,32 @@ +--- + +- name: Update apt cache + apt: + update_cache: true + when: ansible_os_family == "Debian" + +- name: Ensure up-to-date CA certificates + package: + name: ca-certificates + state: latest + +# Required for become to an unprivileged user to work +# Using the apt module seems to work more reliably than package :-/ +- name: Install ACL package + apt: + update_cache: true + name: acl + state: present + when: ansible_os_family == "Debian" + +# Enables the ansible-init system, but does not install any default playbooks +- include_role: + name: azimuth_cloud.image_utils.linux_ansible_init + +# Enables volumes to be referred to by tag for setting up mounts in cloud-config +- include_role: + name: linux-volumes-by-tag + +# Install the Broadcom network driver for NetXtreme-E Ethernet +- include_role: + name: linux-broadcom diff --git a/ansible/roles/linux-rdp-gateway/tasks/main.yml b/ansible/roles/linux-rdp-gateway/tasks/main.yml index 91d8b2fe..f0c7cf20 100644 --- a/ansible/roles/linux-rdp-gateway/tasks/main.yml +++ b/ansible/roles/linux-rdp-gateway/tasks/main.yml 
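Review bot: The last task installs `netxtreme-peer-mem-dkms_229.2.49.0_all.deb` straight from an object-store URL with no checksum or signature check, and a `.deb` given to `apt` by path/URL bypasses the repository signature verification that normal package installs get, so whatever sits at that URL at build time is installed as root and registered as a DKMS kernel module. Fetch it with `ansible.builtin.get_url` and a pinned `checksum:` (or serve it from a signed apt repository) and install the downloaded file, so a replaced artifact fails the build instead of shipping. The `state: latest` on the pre-requisites task likewise lets the gcc-12/dkms toolchain float with the mirror; `state: present` is sufficient here since the caller already refreshes the apt cache.
```yaml
- name: Download the Broadcom driver for NetXtreme-E Ethernet
  ansible.builtin.get_url:
    url: https://object.arcus.openstack.hpc.cam.ac.uk/swift/v1/AUTH_7ac3c0a502cd46c783b2128116165566/bcom-nxe-drivers/netxtreme-peer-mem-dkms_229.2.49.0_all.deb
    dest: /tmp/netxtreme-peer-mem-dkms_229.2.49.0_all.deb
    checksum: "sha256:<expected digest of the pinned .deb>"
    mode: "0644"

- name: Install the broadcom driver for NetXtreme-E Ethernet
  ansible.builtin.apt:
    deb: /tmp/netxtreme-peer-mem-dkms_229.2.49.0_all.deb
    state: present
```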
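Review bot: The final `include_role: name: linux-broadcom` makes an out-of-tree DKMS kernel module plus the gcc-12/dkms build toolchain part of every image that uses `linux-common` — Jupyter, RStudio, RDP gateway, web console and the Kubernetes node per the playbooks in this commit — whether or not the target hardware has a NetXtreme-E NIC, and a failed driver download now fails every image build rather than only the ones that need it. Consider gating the include, e.g. `when: linux_broadcom_enabled | default(false)`, and rewording the comment to say it is a site-specific driver rather than a generic dependency, e.g. `# Site-specific: Broadcom NetXtreme-E DKMS driver; enable per image via linux_broadcom_enabled`.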
@@ -1,27 +1,5 @@ --- -- name: Update apt cache - apt: - update_cache: yes - when: ansible_os_family == "Debian" - -- name: Ensure up-to-date CA certificates - package: - name: ca-certificates - state: latest - -# Required for become to an unprivileged user to work -# Using the apt module seems to work more reliably than package :-/ -- name: Install ACL package - apt: - update_cache: yes - name: acl - state: present - when: ansible_os_family == "Debian" - -- include_role: - name: azimuth_cloud.image_utils.linux_ansible_init - - include_role: name: linux-podman tasks_from: install.yml diff --git a/ansible/roles/linux-rstudio/tasks/main.yml b/ansible/roles/linux-rstudio/tasks/main.yml index 69c205dc..adec231a 100644 --- a/ansible/roles/linux-rstudio/tasks/main.yml +++ b/ansible/roles/linux-rstudio/tasks/main.yml @@ -1,27 +1,5 @@ --- -- name: Update apt cache - apt: - update_cache: yes - when: ansible_os_family == "Debian" - -- name: Ensure up-to-date CA certificates - package: - name: ca-certificates - state: latest - -# Required for become to an unprivileged user to work -# Using the apt module seems to work more reliably than package :-/ -- name: Install ACL package - apt: - update_cache: yes - name: acl - state: present - when: ansible_os_family == "Debian" - -- include_role: - name: azimuth_cloud.image_utils.linux_ansible_init - - include_role: name: linux-podman tasks_from: install.yml diff --git a/ansible/roles/linux-webconsole/tasks/main.yml b/ansible/roles/linux-webconsole/tasks/main.yml index f78bdf52..5b517be7 100644 --- a/ansible/roles/linux-webconsole/tasks/main.yml +++ b/ansible/roles/linux-webconsole/tasks/main.yml 
@@ -17,25 +17,6 @@ - "{{ role_path }}/vars/{{ ansible_distribution }}.yml" - "{{ role_path }}/vars/{{ ansible_distribution }}-{{ ansible_distribution_version }}.yml" -- name: Update apt cache - apt: - update_cache: true - when: ansible_os_family == "Debian" - -- name: Ensure up-to-date CA certificates - package: - name: ca-certificates - state: latest - -# Required for become to an unprivileged user to work -# Using the apt module seems to work more reliably than package :-/ -- name: Install ACL package - apt: - update_cache: true - name: acl - state: present - when: ansible_os_family == "Debian" - - name: Add apptainer repository apt_repository: repo: 'ppa:apptainer/ppa' @@ -51,9 +32,6 @@ - include_tasks: vnc_server.yml when: desktop_enabled is defined and desktop_enabled -- include_role: - name: azimuth_cloud.image_utils.linux_ansible_init - - include_role: name: linux-podman tasks_from: install.yml diff --git a/bin/publish-image b/bin/publish-image index 1e0f3540..8cc51ab7 100755 --- a/bin/publish-image +++ b/bin/publish-image @@ -21,7 +21,7 @@ cosign sign-blob "${IMAGE_NAME}.qcow2" --bundle "${IMAGE_NAME}.cosign.bundle" -y # test the bundle works validates cosign verify-blob "${IMAGE_NAME}.qcow2" --bundle "${IMAGE_NAME}.cosign.bundle" \ --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \ - --certificate-identity-regexp="https://github.com/azimuth-cloud/azimuth-images/.github/.*" + --certificate-identity-regexp="https://github.com/RSE-Cambridge/azimuth-images/.github/.*" # Upload the compressed image to S3 cat < ~/.s3cfg diff --git a/vars/arcus/common.json b/vars/arcus/common.json index fdfad6e7..e847f92a 100644 --- a/vars/arcus/common.json +++ b/vars/arcus/common.json @@ -1,5 +1,5 @@ { - "network": "97ed78b5-156c-441c-9fcb-5a26c8a4ed26", - "flavor": "vm.azimuth.ci.ec1.medium", + "network": "5e8d514a-1943-42e4-a757-6c533c343ece", + "flavor": "vm.v1.small", "volume_type": "arcus-ceph01-rbd" } 
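Review bot: The updated `--certificate-identity-regexp` is unanchored with unescaped dots and ends in `.*`, so it accepts a bundle signed by any workflow on any ref of `RSE-Cambridge/azimuth-images`, including a scratch branch with a modified pipeline; it is only a self-test here, but anyone copying the line for downstream verification inherits the loose match. Prefer the exact `--certificate-identity` of the publishing workflow and ref, or at least anchor and narrow it, e.g. `--certificate-identity-regexp='^https://github\.com/RSE-Cambridge/azimuth-images/\.github/workflows/[^@]+@refs/tags/.*$'` if releases are cut from tags — confirm which ref the publish job actually runs on. The surrounding script (the `sign-blob` above and the S3 upload below) continues outside the hunk.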
diff --git a/vars/arcus/linux.json b/vars/arcus/linux.json index af641b56..2a0db531 100644 --- a/vars/arcus/linux.json +++ b/vars/arcus/linux.json @@ -1,3 +1,3 @@ { - "security_groups": ["default", "ssh-anywhere"] + "security_groups": ["default", "external"] }
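Review bot: Replacing `ssh-anywhere` with `external` changes what the Packer build VMs expose on the Arcus network, and nothing in the diff says which rules `external` carries; judging by the names alone the old group opened SSH to the world and the new one may open more than SSH. Build VMs only need inbound SSH from the CI/Packer runner for the duration of the build, so a group scoped to that source would be the least-privilege choice, and since JSON cannot hold a comment the README or the vars directory should record what `external` permits. Please confirm `external` is not broader than `ssh-anywhere` was before merging.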