flux

flux is the preferred deployment path. bootstrap should point at this repo and reconcile clusters/lab.

example shape:

flux bootstrap git \
  --url=https://codex.occult.group/aurix/k3s-one.git \
  --branch=master \
  --path=clusters/lab \
  --token-auth

use a repo-scoped token with the least permissions that still allow flux to read the private repo. store the token in the cluster as part of flux bootstrap; do not commit it unencrypted.

no helm default

prefer Kustomization resources pointed at raw manifests. if a component only ships helm cleanly, document the exception before adding it.
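
a pre-push check for the two rules above (no unencrypted token or other secret in the repo, no undocumented helm), as an added example that is not part of this repo. it assumes committed secrets are SOPS-encrypted (so the file carries a top-level `sops:` block) and that a helm exception is documented with a `# helm-exception:` comment in the same file; that marker and the function names are hypothetical.

```shell
#!/bin/sh
# added example (not from this repo): audit a flux path before pushing.
# the "# helm-exception:" marker is a hypothetical convention for documenting helm use.

audit_manifests() {
    # $1 = directory flux reconciles, e.g. clusters/lab; prints one finding per line
    find "$1" -type f \( -name '*.yaml' -o -name '*.yml' \) | sort |
    while IFS= read -r f; do
        # file-level check: a Secret in a file with no top-level sops: block is plaintext
        if grep -Eq '^kind:[[:space:]]*Secret[[:space:]]*$' "$f" &&
           ! grep -Eq '^sops:' "$f"; then
            echo "PLAINTEXT-SECRET $f"
        fi
        # helm kinds must carry the marker comment explaining the exception
        if grep -Eq '^kind:[[:space:]]*Helm(Release|Repository)[[:space:]]*$' "$f" &&
           ! grep -Eq '^#[[:space:]]*helm-exception:' "$f"; then
            echo "UNDOCUMENTED-HELM $f"
        fi
    done
}

audit_ok() {
    # succeeds only when the audit produces no findings (usable as a CI gate)
    [ -z "$(audit_manifests "$1")" ]
}

# constructed sample tree in a temp dir, so the example runs offline
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
lab=$demo/clusters/lab; mkdir -p "$lab"
printf 'kind: Secret\nmetadata:\n  name: git-token\nstringData:\n  password: CONSTRUCTED-PLACEHOLDER\n' > "$lab/token.yaml"
printf 'kind: Secret\nmetadata:\n  name: enc\ndata:\n  password: ENC[AES256_GCM,data:constructed]\nsops:\n  version: constructed\n' > "$lab/enc.yaml"
printf 'kind: HelmRelease\nmetadata:\n  name: undocumented\n' > "$lab/helm.yaml"
printf '# helm-exception: upstream only ships a chart\nkind: HelmRelease\nmetadata:\n  name: documented\n' > "$lab/helm-ok.yaml"

audit_manifests "$lab"
```

the check is per file, so a multi-document file with one encrypted and one plaintext Secret passes; keep one Secret per file if you rely on it.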