diff --git a/flux/infrastructure-source.yaml b/flux/infrastructure-source.yaml
new file mode 100644
index 0000000..dda663b
--- /dev/null
+++ b/flux/infrastructure-source.yaml
@@ -0,0 +1,34 @@
+# GitRepository source for infrastructure
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: GitRepository
+metadata:
+  name: infrastructure
+  namespace: flux-system
+spec:
+  interval: 5m
+  url: http://forgejo-http.forgejo.svc.cluster.local:3000/gitadmin/infrastructure.git
+  ref:
+    branch: main
+  timeout: 60s
+  secretRef:
+    name: forgejo-auth
+---
+# Kustomization to sync infrastructure manifests
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: infrastructure
+  namespace: flux-system
+spec:
+  interval: 10m
+  path: "./"
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: infrastructure
+  timeout: 5m
+  wait: true
+  # Flux will now use kustomization.yaml to control which resources to sync
+  commonMetadata:
+    annotations:
+      fluxcd.io/managed-by: "flux"
\ No newline at end of file
diff --git a/kustomization.yaml b/kustomization.yaml
new file mode 100644
index 0000000..cef5fd2
--- /dev/null
+++ b/kustomization.yaml
@@ -0,0 +1,18 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+# Core infrastructure
+- auth-system/
+- cert-manager/
+- dns/
+- emissary/
+- forgejo-k8s.yaml
+- pomerium.yaml
+
+# Exclude problematic directories:
+# - flux/ (managed by Flux itself)
+# - pomerium/ (Helm chart)
+# - gitea/ (legacy, replaced by forgejo)
+# - bin/ (binaries)
+# - cookies.txt, DEPLOYMENT.md (not Kubernetes manifests)
\ No newline at end of file