diff --git a/nix/kubernetes/keys/package/bootstrap-script/package.nix b/nix/kubernetes/keys/package/bootstrap-script/package.nix
index 31a7df00..298ac62b 100644
--- a/nix/kubernetes/keys/package/bootstrap-script/package.nix
+++ b/nix/kubernetes/keys/package/bootstrap-script/package.nix
@@ -39,6 +39,9 @@ let
 ++ (lib.attrsets.mapAttrsToList (
 secret_name: secret_value: "${secret_value}/${secret_name}.yaml"
 ) k8s.k8s-secrets-generic)
+ ++ [
+ ./files/manifests/flux_apply_git.yaml
+ ]
 )
 );
 apply_manifests = "kubectl --kubeconfig=${k8s.client-configs.admin}/admin.kubeconfig apply --server-side --force-conflicts -f ${manifests}";
diff --git a/nix/kubernetes/keys/package/deploy-script/package.nix b/nix/kubernetes/keys/package/deploy-script/package.nix
index 8b6844dc..e809d9a7 100644
--- a/nix/kubernetes/keys/package/deploy-script/package.nix
+++ b/nix/kubernetes/keys/package/deploy-script/package.nix
@@ -46,6 +46,13 @@ let
 "nw1"
 "nw2"
 ])
+ + (trust_ssh_key {
+ public_key = "${k8s.ssh-keys.flux_ssh_key}/flux_ssh_key.pub";
+ destination = "/jail/admin_git/usr/home/git/.ssh/authorized_keys";
+ owner = "11236";
+ group = "11236";
+ mode = "0600";
+ })
 );
 deploy_script = (writeShellScript "deploy-script" deploy_script_body);
 deploy_file = (
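Review bot: The `trust_ssh_key` call in the deploy-script hunk hard-codes the jail path and the numeric ids `11236` with nothing saying what they denote, so a reader cannot tell whether 11236 is the uid/gid of the `git` user inside the `admin_git` jail or some unrelated id; a comment above the call such as `# 11236: uid/gid of the git user inside the admin_git jail (no passwd lookup from outside) — confirm against the jail's passwd` would fix that. Note also that the helper only fixes ownership and `0600` on `authorized_keys` itself; sshd with `StrictModes` (the default) additionally refuses keys when `~/.ssh` or the home directory is group/world-writable or not owned by the user, so if the jail image does not already guarantee that, the key will be silently ignored — worth a one-line comment stating the assumption. The enclosing `deploy_script_body` concatenation starts before this hunk.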
@@ -227,6 +234,32 @@ let
 ])
 )
 );
+ trust_ssh_key =
+ {
+ public_key,
+ destination,
+ owner,
+ group,
+ mode,
+ }:
+ let
+ public_key_name = builtins.baseNameOf public_key;
+ public_key_contents = builtins.readFile public_key;
+ trimmed = lib.strings.trim public_key_contents;
+ escaped = lib.strings.escapeShellArg trimmed;
+ in
+ ''
+ ##
+ ## trust ${public_key_name} in ${destination}
+ ##
+ if ! ${openssh}/bin/ssh mrmanager doas grep -q "${escaped}" "${destination}"; then
+ ${openssh}/bin/ssh mrmanager doas tee -a "${destination}" <<<"$(cat ${public_key})"
+ ${openssh}/bin/ssh mrmanager doas chown "${owner}:${group}" "${destination}"
+ ${openssh}/bin/ssh mrmanager doas chmod "${mode}" "${destination}"
+ else
+ echo "${public_key_name} is already trusted in ${destination}"
+ fi
+ '';
 in
 stdenv.mkDerivation (finalAttrs: {
 name = "deploy-script";
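Review bot: The `tee -a` line appends the public key as a bare `authorized_keys` entry with no options, so the Flux deploy key inherits everything the git user's login allows (pty, port/agent/X11 forwarding) instead of only what a git fetch needs; prefix the entry on that line, `... doas tee -a "${destination}" <<<"restrict $(cat ${public_key})"`, which the substring `grep` check on the line above still matches (if the git user needs an interactive login, use `no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty` instead). The `grep -q "${escaped}"` check interprets the key line as a basic regex; base64 and the key type are regex-neutral, but `.` in the comment matches any character, so `grep -qF` states the actual intent. The double quotes around `${escaped}` are only correct because ssh hands the concatenated command to the remote shell, which re-parses the single quotes that `escapeShellArg` added — a comment such as `# the remote shell re-parses the command line, hence escapeShellArg inside the double quotes` would stop someone "fixing" the quoting. If `${destination}` does not exist, `grep` reports an error and the branch proceeds to `tee -a`, which creates the file but not a missing `.ssh` directory, and with no `set -e` visible in this hunk a failed `tee` is still followed by `chown`/`chmod` on the absent path; a `doas mkdir -p "$(dirname "${destination}")"` guard (or an explicit precondition comment) would make the failure mode deliberate.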