diff --git a/nix/kubernetes/README.org b/nix/kubernetes/README.org
index 1662ba45..40e71b7d 100644
--- a/nix/kubernetes/README.org
+++ b/nix/kubernetes/README.org
@@ -110,8 +110,8 @@
 registry: "ghcr.io/fluxcd"
 sync:
 kind: GitRepository
- url: "https://gitlab.com/my-org/my-fleet.git"
- ref: "refs/heads/main"
+ url: "ssh://git@10.215.1.210:22/repos/mrmanager"
+ ref: "refs/heads/nix"
 path: "clusters/my-cluster"
 pullSecret: "flux-system"
 #+end_src
diff --git a/nix/kubernetes/keys/package/bootstrap-script/package.nix b/nix/kubernetes/keys/package/bootstrap-script/package.nix
index ce3d0e31..5ebacb21 100644
--- a/nix/kubernetes/keys/package/bootstrap-script/package.nix
+++ b/nix/kubernetes/keys/package/bootstrap-script/package.nix
@@ -34,6 +34,7 @@ let
 ./files/manifests/flux_namespace.yaml
 ./files/manifests/flux.yaml
 ./files/manifests/flux_instance.yaml
+ "${k8s.k8s-ssh-secrets.kubernetes-deploy-key}/kubernetes-deploy-key.yaml"
 ]
 );
 apply_manifests = "kubectl --kubeconfig=${k8s.client-configs.admin}/admin.kubeconfig apply --server-side --force-conflicts -f ${manifests}";
diff --git a/nix/kubernetes/keys/package/k8s-keys/package.nix b/nix/kubernetes/keys/package/k8s-keys/package.nix
index 13def7e7..5e144bbf 100644
--- a/nix/kubernetes/keys/package/k8s-keys/package.nix
+++ b/nix/kubernetes/keys/package/k8s-keys/package.nix
@@ -12,5 +12,6 @@ symlinkJoin {
 ++ (builtins.attrValues k8s.keys)
 ++ (builtins.attrValues k8s.client-configs)
 ++ (builtins.attrValues k8s.ssh-keys)
- ++ (builtins.attrValues k8s.pgp-keys);
+ ++ (builtins.attrValues k8s.pgp-keys)
+ ++ (builtins.attrValues k8s.k8s-ssh-secrets);
 }
diff --git a/nix/kubernetes/keys/package/k8s-secret-ssh/package.nix b/nix/kubernetes/keys/package/k8s-secret-ssh/package.nix
new file mode 100644
index 00000000..88411ddc
--- /dev/null
+++ b/nix/kubernetes/keys/package/k8s-secret-ssh/package.nix
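Review bot: The new list entry pulls `kubernetes-deploy-key.yaml` — a Secret whose `identity` field is the Flux SSH private key — into the `manifests` derivation, and therefore into the Nix store, which is normally world-readable on the build host and is shipped verbatim to any binary cache the closure is pushed to. The key is already in the store via `k8s.ssh-keys`, so this does not widen exposure on its own, but it now also becomes part of the bootstrap script's closure and of the `k8s-keys` symlinkJoin below. Consider rendering the Secret at bootstrap run time from a path outside the store rather than at build time, or at minimum record the trade-off beside the entry, e.g. `# NOTE: this manifest embeds the flux_ssh_key private key; the store path is world-readable.` The `manifests` list and the `apply_manifests` binding begin and continue outside the hunk.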
@@ -0,0 +1,39 @@
+# unpackPhase
+# patchPhase
+# configurePhase
+# buildPhase
+# checkPhase
+# installPhase
+# fixupPhase
+# installCheckPhase
+# distPhase
+{
+ stdenv,
+ k8s,
+ kubectl,
+ secret_name,
+ secret_namespace,
+ ssh_key_name,
+ ...
+}:
+stdenv.mkDerivation (finalAttrs: {
+ name = "k8s-secret-ssh-${secret_name}";
+ nativeBuildInputs = [ kubectl ];
+ buildInputs = [ ];
+
+ unpackPhase = "true";
+
+ buildPhase = ''
+ kubectl create secret generic ${secret_name} \
+ --namespace ${secret_namespace} \
+ --from-file=identity=${k8s.ssh-keys."${ssh_key_name}"}/${ssh_key_name} \
+ --from-file=identity.pub=${k8s.ssh-keys."${ssh_key_name}"}/${ssh_key_name}.pub \
+ --dry-run=client -o yaml > ${secret_name}.yaml
+ '';
+ # --from-file=known_hosts=$(OUT)/known_hosts \
+
+ installPhase = ''
+ mkdir "$out"
+ cp "${secret_name}.yaml" $out/
+ '';
+})
diff --git a/nix/kubernetes/keys/scope.nix b/nix/kubernetes/keys/scope.nix
index 5f331528..fb8a6408 100644
--- a/nix/kubernetes/keys/scope.nix
+++ b/nix/kubernetes/keys/scope.nix
@@ -114,6 +114,21 @@ makeScope newScope (
 };
 }
 );
+ k8s-ssh-secrets = (
+ builtins.mapAttrs
+ (
+ secret_name: secret_config:
+ (callPackage ./package/k8s-secret-ssh/package.nix (
+ additional_vars // { inherit secret_name; } // secret_config
+ ))
+ )
+ {
+ "kubernetes-deploy-key" = {
+ secret_namespace = "flux-system";
+ ssh_key_name = "flux_ssh_key";
+ };
+ }
+ );
 client-configs = (
 builtins.mapAttrs
 (
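Review bot: The generated Secret carries `identity` and `identity.pub` but no `known_hosts`; the only trace of one is the commented Makefile-style line `# --from-file=known_hosts=$(OUT)/known_hosts \`, which would not expand inside a Nix string even if re-enabled. Flux's SSH-based GitRepository authentication expects a `known_hosts` entry in the referenced secret (as far as I recall the source-controller refuses the secret without it), and because the README hunk now points the repository at a bare IP over `ssh://`, a pinned host key is also the only protection against a man-in-the-middle on that connection. Suggest taking a `known_hosts` argument (or a `${ssh_key_name}.known_hosts` file next to the key) and passing it as `--from-file=known_hosts=...` in the same `kubectl create secret` call. Separately, `finalAttrs` is declared but never used, and `$out/` in the `cp` line should be quoted as `"$out"/` like the `mkdir` above it.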
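Review bot: In `additional_vars // { inherit secret_name; } // secret_config` the per-secret config is merged last, so an entry could override `secret_name` (or anything in `additional_vars`) and make the Secret's name and output filename diverge from the attribute key that `bootstrap-script` hard-codes as `kubernetes-deploy-key.yaml`. If the attribute key is meant to be authoritative, reorder the merge to `additional_vars // secret_config // { inherit secret_name; }`. The `makeScope newScope (` body this sits in starts and ends outside the hunk.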