diff --git a/apps/README.md b/apps/README.md
deleted file mode 100644
index 48d8ed0..0000000
--- a/apps/README.md
+++ /dev/null
@@ -1,29 +0,0 @@
-### apps
-
-集群服务helm部署的应用,包含一些基础服务和一些业务服务
-
-### 调试集群内服务方法 运行此命令
-
-```shell
-kubectl run -i --tty --rm --restart=Never \
- --overrides='{"apiVersion": "v1", "spec": {"nodeSelector": {"kubernetes.io/hostname": "homea"}}}' \
- --image=nicolaka/netshoot:latest \
- debug -- sh
-```
-
-### 密钥相关
-
-可以将helm部署中使用到的密钥放到k8s的secret中
-然后使用reflector将secret中的密钥同步到其他namespace中
-
-```shell
-kubectl -n infra-data create secret generic s3-devcm-hw \
- --from-literal=ACCESS_KEY_ID=xxxxx \
- --from-literal=ACCESS_SECRET_KEY=xxxxx
-
-kubectl -n infra-data annotate secret s3-devcm-hw \
- reflector.v1.k8s.emberstack.com/reflection-allowed=true \
- reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces=infra-devops,apps \
- reflector.v1.k8s.emberstack.com/reflection-auto-enabled=true --overwrite
-
-```
diff --git a/apps/infra/data/cloudnative-pg/helmchart-plugin-barman.yaml b/apps/infra/data/cloudnative-pg/helmchart-plugin-barman.yaml
deleted file mode 100644
index 8998909..0000000
--- a/apps/infra/data/cloudnative-pg/helmchart-plugin-barman.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-apiVersion: helm.cattle.io/v1
-kind: HelmChart
-metadata:
- name: cloudnative-pg-plugin-barman
- namespace: infra-data
-spec:
- repo: https://cloudnative-pg.github.io/charts
- chart: plugin-barman-cloud
- targetNamespace: infra-data
- version: 0.5.0
- valuesContent: |-
- affinity:
- nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- nodeSelectorTerms:
- - matchExpressions:
- - key: topology.kubernetes.io/region
- operator: In
- values:
- - "cn-sh"
- tolerations:
- - key: "node-role.kubernetes.io/control-plane"
- operator: "Exists"
- effect: "NoSchedule"
-
diff --git a/apps/infra/data/cloudnative-pg/helmchart.yaml b/apps/infra/data/cloudnative-pg/helmchart.yaml
deleted file mode 100644
index 1c8a2ce..0000000
--- a/apps/infra/data/cloudnative-pg/helmchart.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-apiVersion: helm.cattle.io/v1
-kind: HelmChart
-metadata:
- name: cloudnative-pg
- namespace: infra-data
-spec:
- repo: https://cloudnative-pg.github.io/charts
- chart: cloudnative-pg
- targetNamespace: infra-data
- version: 0.27.1
- valuesContent: |-
- affinity:
- nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- nodeSelectorTerms:
- - matchExpressions:
- - key: topology.kubernetes.io/region
- operator: In
- values:
- - "cn-sh"
- tolerations:
- - key: "node-role.kubernetes.io/control-plane"
- operator: "Exists"
- effect: "NoSchedule"
-
diff --git a/apps/infra/data/valkey-cluster/helmchart.yaml b/apps/infra/data/valkey-cluster/helmchart.yaml
deleted file mode 100644
index f6fdb78..0000000
--- a/apps/infra/data/valkey-cluster/helmchart.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-apiVersion: helm.cattle.io/v1
-kind: HelmChart
-metadata:
- name: valkey-cluster-sh
- namespace: infra-data
-spec:
- chart: oci://registry-1.docker.io/bitnamicharts/valkey-cluster
- targetNamespace: infra-data
- version: 3.0.23
- valuesContent: |-
- image:
- repository: bitnamilegacy/valkey-cluster
- cluster:
- nodes: 1
- replicas: 0
- valkey:
- nodeAffinityPreset:
- type: hard
- key: topology.kubernetes.io/region
- values:
- - cn-sh
\ No newline at end of file
diff --git a/apps/infra/devops/cert-manager/helmchart-dnspod.yaml b/apps/infra/devops/cert-manager/helmchart-dnspod.yaml
deleted file mode 100644
index c7e2104..0000000
--- a/apps/infra/devops/cert-manager/helmchart-dnspod.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-# 安装后需要将clusterIssuer的cnameStrategy策略设置为Follow
-apiVersion: helm.cattle.io/v1
-kind: HelmChart
-metadata:
- name: cert-manager-webhook-dnspod
- namespace: infra-devops
-spec:
- chart: oci://registry-1.docker.io/imroc/cert-manager-webhook-dnspod
- targetNamespace: infra-devops
- version: 1.4.5
- valuesContent: |-
- affinity:
- nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- nodeSelectorTerms:
- - matchExpressions:
- - key: topology.kubernetes.io/region
- operator: In
- values:
- - "cn-sh"
- image:
- tag: "1.5.2"
- namespace: infra-devops
- certManager:
- namespace: infra-devops
- groupName: cert.dev.cm
- # 此处关闭 选择手动创建 以支持cnameStrategy
- clusterIssuer:
- enabled: false
diff --git a/apps/infra/devops/cert-manager/helmchart.yaml b/apps/infra/devops/cert-manager/helmchart.yaml
deleted file mode 100644
index c6dd574..0000000
--- a/apps/infra/devops/cert-manager/helmchart.yaml
+++ /dev/null
@@ -1,51 +0,0 @@
-apiVersion: helm.cattle.io/v1
-kind: HelmChart
-metadata:
- name: cert-manager
- namespace: infra-devops
-spec:
- repo: https://charts.jetstack.io
- chart: cert-manager
- targetNamespace: infra-devops
- version: v1.19.3
- valuesContent: |-
- affinity:
- nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- nodeSelectorTerms:
- - matchExpressions:
- - key: topology.kubernetes.io/region
- operator: In
- values:
- - "cn-sh"
- webhook:
- affinity:
- nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- nodeSelectorTerms:
- - matchExpressions:
- - key: topology.kubernetes.io/region
- operator: In
- values:
- - "cn-sh"
- cainjector:
- affinity:
- nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- nodeSelectorTerms:
- - matchExpressions:
- - key: topology.kubernetes.io/region
- operator: In
- values:
- - "cn-sh"
- crds:
- enabled: true
- keep: true
- # 在删除证书时同时删除secret
- enableCertificateOwnerRef: true
- prometheus:
- enabled: true
- servicemonitor:
- enabled: true
- interval: 300s
- prometheusInstance: kube-prometheus
diff --git a/apps/infra/devops/reflector/helmchart.yaml b/apps/infra/devops/reflector/helmchart.yaml
deleted file mode 100644
index ec00d6b..0000000
--- a/apps/infra/devops/reflector/helmchart.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-apiVersion: helm.cattle.io/v1
-kind: HelmChart
-metadata:
- name: reflector
- namespace: infra-devops
-spec:
- repo: https://emberstack.github.io/helm-charts
- chart: reflector
- targetNamespace: infra-devops
- version: 9.1.45
- valuesContent: |-
- affinity:
- nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- nodeSelectorTerms:
- - matchExpressions:
- - key: topology.kubernetes.io/region
- operator: In
- values:
- - "cn-sh"
diff --git a/apps/infra/monitor/namespaces.yaml b/apps/infra/monitor/namespaces.yaml
deleted file mode 100644
index 7ee144e..0000000
--- a/apps/infra/monitor/namespaces.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: infra-monitor
\ No newline at end of file
diff --git a/apps/infra/net/nginx/configmap-static-update.sh b/apps/infra/net/nginx/configmap-static-update.sh
deleted file mode 100644
index f1544a9..0000000
--- a/apps/infra/net/nginx/configmap-static-update.sh
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-
-# 更新 ConfigMap 中的静态文件
-cat > configmap-static.yaml << 'EOF'
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: static
- namespace: infra-net
-data:
-EOF
-
-# 直接遍历 static 目录并追加到文件
-for file in static/*; do
- filename=$(basename "$file")
- echo " $filename: |" >> configmap-static.yaml
- sed 's/^/ /' "$file" >> configmap-static.yaml
- echo "" >> configmap-static.yaml
-done
-
-echo "ConfigMap updated successfully!"
diff --git a/apps/infra/net/nginx/static/captcha.html b/apps/infra/net/nginx/static/captcha.html
deleted file mode 100644
index 35a6cad..0000000
--- a/apps/infra/net/nginx/static/captcha.html
+++ /dev/null
@@ -1,302 +0,0 @@
-
-
-
-
-
- 出于安全原因 请完成验证
-
-
-
-
-
-
-
-
-
FillCode
-
-
请完成验证
-
请完成下面验证, 页面将会自动跳转到访问页面。
-
-
联系我们
-
-
-
-
-
diff --git a/apps/infra/net/nginx/static/pwa-cdn.js b/apps/infra/net/nginx/static/pwa-cdn.js
deleted file mode 100644
index 4aaf3db..0000000
--- a/apps/infra/net/nginx/static/pwa-cdn.js
+++ /dev/null
@@ -1,59 +0,0 @@
-'use strict'
-
-// 配置
-const pwaCdnConfig = {
- cdnUrl: 'https://cdn.fillcode.com/',
- serviceWorkerUrl: '/__static/sw-cdn.js',
- staticRegex: /\.(js|css|png|jpg|jpeg|gif|svg|webp|woff|woff2|ttf|ico)$/,
- debug: false,
-}
-
-/**
- * PWA 初始化函数
- */
-async function initializePWA() {
- // 检查支持
- if (!('serviceWorker' in navigator)) return console.log('PWA-CDN: Service Worker not supported')
-
- let registration;
-
- try {
- // 注册Service Worker - 使用相对路径
- registration = await navigator.serviceWorker.register(pwaCdnConfig.serviceWorkerUrl, {scope: '/'})
-
- console.log('PWA-CDN: Service Worker registered')
- } catch (error) {
- console.error('PWA-CDN: Failed to register Service Worker:', error)
- }
-
- // 发送初始配置
- const sendConfig = () => {
- registration.active.postMessage({type: 'CONFIG', config: pwaCdnConfig})
- }
-
- // 如果注册失败,直接返回错误
- if(!registration) return console.error('PWA-CDN: Service Worker registration failed, cannot send config')
-
- // 更新配置函数
- window.updatePWACDNConfig = (newConfig) => {
- Object.assign(pwaCdnConfig, newConfig)
- sendConfig()
- }
-
- // 等待Service Worker激活后发送配置
- if (registration.active) sendConfig()
-
- // 监听Service Worker更新事件
- registration.addEventListener('updatefound', () => {
- const newWorker = registration.installing
-
- newWorker.addEventListener('statechange', () => {
- if (newWorker.state === 'activated') sendConfig()
- })
- })
-}
-
-/**
- * 启动 PWA-CDN
- * */
-initializePWA().catch(console.error)
diff --git a/apps/infra/net/nginx/static/sw-cdn.js b/apps/infra/net/nginx/static/sw-cdn.js
deleted file mode 100644
index 3ad7bf4..0000000
--- a/apps/infra/net/nginx/static/sw-cdn.js
+++ /dev/null
@@ -1,88 +0,0 @@
-'use strict'
-
-// Service Worker 配置 - 默认值
-let config = {
- cdnUrl: 'https://cdn.fillcode.com/',
- serviceWorkerUrl: '/__static/sw-cdn.js',
- staticRegex: /(.*\.(css|js|png|jpg|jpeg|gif|svg|webp|ico|woff|woff2|ttf|eot)|avatars[^/]+)$/,
- debug: false,
-}
-
-// 监听配置更新消息
-self.addEventListener('message', e => {
- if (e.data.type !== 'CONFIG') return
-
- config = e.data.config
-
- if (config.debug) console.log('PWA-CDN: Config updated', config)
-})
-
-// 拦截网络请求
-self.addEventListener('fetch', e => {
- const url = new URL(e.request.url)
-
- // 如果请求不是GET方法,直接返回
- if (e.request.method !== 'GET') return
-
- // 如果请求的域名不是当前页面的域名
- if (url.origin !== self.location.origin) return
-
- // 过滤__static路径下的请求
- if (url.pathname.startsWith('/__static/')) return
-
- // 如果请求的路径不匹配静态资源正则表达式,直接返回
- if (!config.staticRegex.test(url.pathname)) return
-
- // 判断是否是强制需要同源请求
- const requiresSameOrigin = ['worker', 'sharedworker', 'serviceworker'].includes(e.request.destination)
-
- // 如果是强制需要同源请求的资源类型,直接返回
- if (requiresSameOrigin) return
-
- // 开始处理静态资源请求
- e.respondWith(handleStaticResource(e.request, url))
-})
-
-// 处理静态资源请求
-async function handleStaticResource(request, url) {
- // 生成CDN子路径
- const hostname = self.location.hostname
- const cdnPath = hostname.replace(/\./g, '-')
-
- const targetUrl = config.cdnUrl + cdnPath + url.pathname + url.search
-
- if (config.debug) console.log('PWA-CDN:', url.href, '->', targetUrl)
-
- try {
- // 创建新请求
- const newRequest = new Request(targetUrl, {
- ...request,
- mode: 'cors',
- redirect: 'error',
- })
-
- // 请求目标域名,浏览器会自动处理缓存
- const response = await fetch(newRequest)
-
- // 检查响应状态
- if (!response.ok) throw new Error('PWA-CDN: Non-2xx response detected')
-
- return response
- } catch (error) {
- if (config.debug) console.warn('PWA-CDN: Fallback to original request for', url.href, error)
-
- // 失败时回退到原始请求
- return fetch(request)
- }
-}
-
-// Service Worker 生命周期
-self.addEventListener('install', () => {
- if (config.debug) console.log('PWA-CDN: Service Worker installing')
- self.skipWaiting().catch(console.error)
-})
-
-self.addEventListener('activate', () => {
- if (config.debug) console.log('PWA-CDN: Service Worker activated')
- self.clients.claim().catch(console.error)
-})
diff --git a/apps/kube/README.md b/apps/kube/README.md
deleted file mode 100644
index 6fbed98..0000000
--- a/apps/kube/README.md
+++ /dev/null
@@ -1,4 +0,0 @@
-### path core中服务的节点亲和性 使他们只运行在master节点上
-```shell
-kubectl patch -n kube-system deployment coredns --patch-file=apps/kube/patch-affinity.yaml
-```
\ No newline at end of file
diff --git a/apps/kube/patch-affinity.yaml b/apps/kube/patch-affinity.yaml
deleted file mode 100644
index c5722bc..0000000
--- a/apps/kube/patch-affinity.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-spec:
- template:
- spec:
- affinity:
- nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- nodeSelectorTerms:
- - matchExpressions:
- - key: node-role.kubernetes.io/control-plane
- operator: In
- values:
- - "true"
\ No newline at end of file
diff --git a/flux/README.md b/flux/README.md
new file mode 100644
index 0000000..85085cc
--- /dev/null
+++ b/flux/README.md
@@ -0,0 +1,230 @@
+# Flux GitOps 迁移指南
+
+补充一份面向本地演练和远端平滑切换的执行清单,见 [TEST_MIGRATION_PLAN.md](TEST_MIGRATION_PLAN.md)。
+
+## 目录结构
+
+```
+flux/
+├── clusters/
+│ └── dev-cm/ # 集群级别编排
+│ ├── kustomization.yaml # 资源列表
+│ ├── sources.yaml # HelmRepository 源
+│ ├── kube-system.yaml # CoreDNS / NodeLocalDNS
+│ ├── infra-devops.yaml # cert-manager / reflector / velero
+│ ├── infra-data.yaml # CNPG / Valkey
+│ ├── infra-monitor.yaml # Loki / Prometheus
+│ ├── infra-net.yaml # Nginx / CrowdSec / Tailscale
+│ ├── infra-gitops.yaml # Gitea
+│ └── apps.yaml # Halo / RustDesk / Fillcode / SinceAI
+├── infrastructure/
+│ ├── sources/ # 所有 HelmRepository 定义
+│ ├── kube-system/ # CoreDNS 自定义 + NodeLocalDNS
+│ ├── infra-devops/ # cert-manager, webhook-dnspod, reflector, velero
+│ ├── infra-data/ # CNPG operator, Barman, PG集群, Valkey
+│ ├── infra-net/ # ingress-nginx, CrowdSec, Tailscale DERP, 证书
+│ ├── infra-monitor/ # Loki, Promtail, Prometheus+Grafana
+│ └── infra-gitops/ # Gitea, Gitea Actions
+└── apps/ # Halo, RustDesk, Whoami, 证书, Ingress
+```
+
+## 依赖顺序
+
+```
+sources (HelmRepository)
+ │
+ ├── kube-system (无依赖)
+ │
+ └── infra-devops (cert-manager → webhook-dnspod → ClusterIssuer, reflector, velero)
+ │
+ ├── infra-data (CNPG operator → Barman plugin → PG集群 + ObjectStore, Valkey)
+ │ │
+ │ ├── infra-monitor (Loki → Promtail, Prometheus+Grafana→PG)
+ │ │ │
+ │ │ ├── infra-net (Nginx, 证书, CrowdSec→Loki+PG, Tailscale)
+ │ │ │
+ │ │ └── infra-gitops (Gitea→PG+Valkey, Gitea Actions→Gitea)
+ │ │
+ │ └───────┴── apps (Halo→PG, RustDesk, Whoami, 证书, Ingress)
+```
+
+## K3s 保留项
+
+以下资源**继续由 K3s HelmChart 管理**,不迁移到 Flux:
+
+- `k3s/apps/infra/gitops/namespaces.yaml` — infra-gitops 命名空间
+- `k3s/apps/infra/gitops/flux/helmchart.yaml` — flux-operator HelmChart
+- `k3s/apps/infra/gitops/flux/flux-instance.yaml` — FluxInstance (含 sync 配置)
+- `k3s/apps/infra/gitops/flux/networkpolicy.yaml` — flux-operator NetworkPolicy
+- `k3s/apps/infra/gitops/flux/clusterrolebinding.yaml` — flux-web RBAC
+
+## 迁移步骤
+
+### 1. 创建 Git 认证 Secret
+
+Flux 需要 HTTPS 凭据来访问 Gitea 仓库。在集群中创建 Secret:
+
+```bash
+kubectl -n infra-gitops create secret generic flux-git-auth \
+ --from-literal=username= \
+ --from-literal=password=
+```
+
+### 2. 确认仓库 URL
+
+检查 `k3s/apps/infra/gitops/flux/flux-instance.yaml` 中的 `sync.url` 字段,确保指向正确的 deploy 仓库地址。当前设置为:
+
+```yaml
+sync:
+ url: https://git.dev.cm/devcm/deploy.git
+```
+
+如果组织名或仓库名不同,请修改。
+
+### 3. 提交并推送 Flux 清单
+
+```bash
+git add flux/
+git add k3s/apps/infra/gitops/flux/flux-instance.yaml
+git commit -m "feat: 迁移到 Flux GitOps 管理"
+git push origin main
+```
+
+### 4. 应用更新后的 FluxInstance
+
+FluxInstance 的 sync 配置更新后,K3s 会自动检测变更并重新应用。也可以手动触发:
+
+```bash
+kubectl apply -f k3s/apps/infra/gitops/flux/flux-instance.yaml
+```
+
+这会让 flux-operator 创建:
+
+- `GitRepository/flux` — 监听 deploy 仓库
+- `Kustomization/flux` — 应用 `flux/clusters/dev-cm/` 路径下的所有资源
+
+### 5. 等待 Flux 完成同步
+
+```bash
+# 查看 GitRepository 状态
+kubectl -n infra-gitops get gitrepository flux
+
+# 查看所有 Kustomization 状态
+kubectl -n infra-gitops get kustomization
+
+# 查看所有 HelmRelease 状态
+kubectl get helmrelease -A
+
+# 实时查看 Flux 事件
+kubectl -n infra-gitops get events --sort-by='.lastTimestamp' --watch
+```
+
+等待所有 Kustomization 和 HelmRelease 状态变为 `Ready`。
+
+### 6. 验证资源被 Flux 接管
+
+对于每个已有的 Helm Release,Flux 会检测到已存在的资源并进行接管(adopt)。验证:
+
+```bash
+# 检查所有 HelmRelease 是否就绪
+kubectl get helmrelease -A -o wide
+
+# 检查某个具体的 release
+kubectl -n infra-devops describe helmrelease cert-manager
+```
+
+### 7. 清理旧的 K3s HelmChart 资源
+
+确认 Flux 已成功接管所有资源后,删除旧的 K3s HelmChart CR(不会影响已部署的应用):
+
+```bash
+# 列出所有 K3s HelmChart
+kubectl get helmchart -A
+
+# 逐个删除(保留 flux-operator)
+kubectl delete helmchart -n infra-devops cert-manager
+kubectl delete helmchart -n infra-devops cert-manager-webhook-dnspod
+kubectl delete helmchart -n infra-devops reflector
+kubectl delete helmchart -n infra-devops velero
+kubectl delete helmchart -n infra-data cloudnative-pg
+kubectl delete helmchart -n infra-data cloudnative-pg-plugin-barman
+kubectl delete helmchart -n infra-data valkey-cluster-sh
+kubectl delete helmchart -n infra-net ingress-nginx
+kubectl delete helmchart -n infra-net crowdsec
+kubectl delete helmchart -n infra-net tailscale-derp-hk
+kubectl delete helmchart -n infra-monitor loki
+kubectl delete helmchart -n infra-monitor loki-promtail
+kubectl delete helmchart -n infra-monitor prometheus
+kubectl delete helmchart -n infra-gitops gitea
+kubectl delete helmchart -n infra-gitops gitea-actions
+kubectl delete helmchart -n apps fillcode-whoami
+kubectl delete helmchart -n apps halo
+kubectl delete helmchart -n apps rustdesk
+```
+
+> **注意**: K3s HelmChart 使用 `helm.cattle.io/v1` API。删除 HelmChart CR 默认**不会**卸载已部署的 Helm release。Flux 的 HelmRelease 会接管这些 release 的后续管理。
+
+### 8. 清理旧的 K3s 清单文件
+
+确认一切正常后,可以移除 `k3s/apps/` 中已迁移到 Flux 的文件(保留 flux 相关的):
+
+```bash
+# 保留以下文件(K3s 继续管理):
+# k3s/apps/infra/gitops/namespaces.yaml
+# k3s/apps/infra/gitops/flux/
+
+# 其余文件可以删除或归档
+```
+
+## 资源映射表
+
+| 原 K3s HelmChart | Flux HelmRelease | 命名空间 |
+| ---------------------------- | ---------------------------- | ------------- |
+| cert-manager | cert-manager | infra-devops |
+| cert-manager-webhook-dnspod | cert-manager-webhook-dnspod | infra-devops |
+| reflector | reflector | infra-devops |
+| velero | velero | infra-devops |
+| cloudnative-pg | cloudnative-pg | infra-data |
+| cloudnative-pg-plugin-barman | cloudnative-pg-plugin-barman | infra-data |
+| valkey-cluster-sh | valkey-cluster-sh | infra-data |
+| ingress-nginx | ingress-nginx | infra-net |
+| crowdsec | crowdsec | infra-net |
+| tailscale-derp-hk | tailscale-derp-hk | infra-net |
+| loki | loki | infra-monitor |
+| loki-promtail | loki-promtail | infra-monitor |
+| prometheus | prometheus | infra-monitor |
+| gitea | gitea | infra-gitops |
+| gitea-actions | gitea-actions | infra-gitops |
+| fillcode-whoami | fillcode-whoami | apps |
+| halo | halo | apps |
+| rustdesk | rustdesk | apps |
+
+## HelmRelease 内依赖关系
+
+| HelmRelease | dependsOn |
+| ---------------------------- | ------------------------------ |
+| cert-manager-webhook-dnspod | cert-manager |
+| cloudnative-pg-plugin-barman | cloudnative-pg |
+| loki-promtail | loki |
+| crowdsec | ingress-nginx, loki (cross-ns) |
+| gitea-actions | gitea |
+
+## 注意事项
+
+1. **Helm Release 接管**: Flux 默认会检测与 HelmRelease 同名的已存在 Helm release。如果名称不匹配,需要在 `spec.releaseName` 中指定原始名称。
+
+2. **CRD 管理**: cert-manager 和 kube-prometheus-stack 的 HelmRelease 配置了 `install.crds: CreateReplace` 和 `upgrade.crds: CreateReplace` 以确保 CRD 被正确管理。
+
+3. **跨命名空间引用**: 所有 HelmRepository 位于 `infra-gitops` 命名空间。HelmRelease 通过 `sourceRef.namespace: infra-gitops` 跨命名空间引用。FluxInstance 配置为单租户模式 (`multitenant: false`),允许此行为。
+
+4. **kube-system 资源**: `prune: false` 用于 kube-system Kustomization,防止 Flux 意外删除系统资源。
+
+5. **Velero CRD**: Velero HelmRelease 保持 `upgradeCRDs: false`,与原始配置一致。
+
+6. **敏感信息**: 以下 Secret 需要手动维护(不在 Git 中管理):
+ - `flux-git-auth` (Gitea 访问令牌)
+ - `dnspod-secret` (DNSPod API 凭据)
+ - `s3-devcm-hw` (华为云 OBS 凭据)
+ - `cnpg17-cluster-*-app` (PostgreSQL 密码, 由 CNPG 自动管理)
+ - `valkey-cluster-sh` (Valkey 密码)
+ - `gitea-actions` (Gitea Actions runner token)
diff --git a/apps/apps/fillcode/certificate-fillcode-com.yaml b/flux/apps/certificate-fillcode-com.yaml
similarity index 100%
rename from apps/apps/fillcode/certificate-fillcode-com.yaml
rename to flux/apps/certificate-fillcode-com.yaml
diff --git a/apps/apps/sinceai/certificate-sinceai-com.yaml b/flux/apps/certificate-sinceai-com.yaml
similarity index 100%
rename from apps/apps/sinceai/certificate-sinceai-com.yaml
rename to flux/apps/certificate-sinceai-com.yaml
diff --git a/apps/apps/halo/helmchart.yaml b/flux/apps/helmrelease-halo.yaml
similarity index 70%
rename from apps/apps/halo/helmchart.yaml
rename to flux/apps/helmrelease-halo.yaml
index b1d1bd0..bef05fb 100644
--- a/apps/apps/halo/helmchart.yaml
+++ b/flux/apps/helmrelease-halo.yaml
@@ -1,25 +1,20 @@
-apiVersion: helm.cattle.io/v1
-kind: HelmChart
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
metadata:
name: halo
namespace: apps
spec:
- repo: https://halo-sigs.github.io/charts/
- chart: halo
- targetNamespace: apps
- version: 1.3.2
- valuesContent: |-
- affinity:
- podAffinity:
- preferredDuringSchedulingIgnoredDuringExecution:
- - weight: 100
- podAffinityTerm:
- labelSelector:
- matchLabels:
- cnpg.io/cluster: cnpg17-cluster-hk
- role: primary
- topologyKey: kubernetes.io/hostname
- namespaceSelector: {}
+ interval: 30m
+ chart:
+ spec:
+ chart: halo
+ version: 1.3.2
+ sourceRef:
+ kind: HelmRepository
+ name: halo
+ namespace: infra-gitops
+ interval: 12h
+ values:
image:
repository: halohub/halo-pro
tag: 2.23.1
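Review bot: The new HelmRelease carries no `spec.install.remediation` / `spec.upgrade.remediation`, so if adopting the pre-existing `halo` release fails part-way through the first reconcile, helm-controller leaves the release in a failed state with no rollback (its default is zero retries); adding `upgrade: {remediation: {retries: 3}}` and `install: {remediation: {retries: 3}}` next to `interval: 30m` gives the migration a safe failure path. The image at the end of the hunk is pinned only by the mutable tag `halohub/halo-pro:2.23.1`; for an internet-facing app consider a digest pin if the chart's image values accept one, or at least record the expected digest. The values block continues outside this hunk.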
@@ -60,6 +55,3 @@ spec:
existingSecret: cnpg17-cluster-hk-app
haloUsername: rohow
haloExternalUrl: https://dev.cm
-
-
-
diff --git a/apps/apps/rustdesk/helmchart.yaml b/flux/apps/helmrelease-rustdesk.yaml
similarity index 71%
rename from apps/apps/rustdesk/helmchart.yaml
rename to flux/apps/helmrelease-rustdesk.yaml
index ef3c784..b05ebb6 100644
--- a/apps/apps/rustdesk/helmchart.yaml
+++ b/flux/apps/helmrelease-rustdesk.yaml
@@ -1,17 +1,20 @@
-apiVersion: helm.cattle.io/v1
-kind: HelmChart
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
metadata:
name: rustdesk
namespace: apps
spec:
- repo: https://devcm-repo.github.io/helm-charts
- chart: rustdesk-server
- targetNamespace: apps
- version: 0.0.7
- valuesContent: |-
- nodeSelector:
- kubernetes.io/hostname: tcd
-
+ interval: 30m
+ chart:
+ spec:
+ chart: rustdesk-server
+ version: 0.0.7
+ sourceRef:
+ kind: HelmRepository
+ name: devcm-repo
+ namespace: infra-gitops
+ interval: 12h
+ values:
rustdeskServer:
encryptedOnly: true
mustLogin: true
@@ -23,7 +26,7 @@ spec:
value: "Asia/Shanghai"
- name: RUSTDESK_API_LANG
value: "zh-CN"
-
+
rustdeskApi:
server: desk.dev.cm
ingress:
diff --git a/apps/apps/fillcode/helmchart-whoami.yaml b/flux/apps/helmrelease-whoami.yaml
similarity index 53%
rename from apps/apps/fillcode/helmchart-whoami.yaml
rename to flux/apps/helmrelease-whoami.yaml
index 058daf9..b279fb0 100644
--- a/apps/apps/fillcode/helmchart-whoami.yaml
+++ b/flux/apps/helmrelease-whoami.yaml
@@ -1,14 +1,20 @@
-apiVersion: helm.cattle.io/v1
-kind: HelmChart
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
metadata:
name: fillcode-whoami
namespace: apps
spec:
- repo: https://cowboysysop.github.io/charts/
- chart: whoami
- targetNamespace: apps
- version: 5.1.2
- valuesContent: |-
+ interval: 30m
+ chart:
+ spec:
+ chart: whoami
+ version: 5.1.2
+ sourceRef:
+ kind: HelmRepository
+ name: cowboysysop
+ namespace: infra-gitops
+ interval: 12h
+ values:
ingress:
enabled: true
ingressClassName: nginx
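Review bot: The whoami release is published on a public host with no access restriction visible in the hunk; if this is the usual request-echo service it reflects the client IP, `X-Forwarded-*` and any other headers ingress-nginx forwards, which is information disclosure on an internet-facing endpoint. If it is only a connectivity check, gate it with something like `ingress.annotations: {nginx.ingress.kubernetes.io/whitelist-source-range: "<trusted CIDRs>"}` or drop the public host. The hosts list and the rest of the ingress values continue in the next hunk.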
@@ -20,5 +26,3 @@ spec:
- host: whoami.fillcode.com
paths:
- /
-
-
diff --git a/apps/apps/fillcode/ingress.yaml b/flux/apps/ingress-fillcode.yaml
similarity index 96%
rename from apps/apps/fillcode/ingress.yaml
rename to flux/apps/ingress-fillcode.yaml
index 9d528d5..cd1c630 100644
--- a/apps/apps/fillcode/ingress.yaml
+++ b/flux/apps/ingress-fillcode.yaml
@@ -3,7 +3,6 @@ kind: Ingress
metadata:
name: fillcode
namespace: apps
- annotations:
spec:
ingressClassName: nginx
rules:
@@ -21,4 +20,3 @@ spec:
- hosts:
- fillcode.com
secretName: fillcode-com-crt
-
diff --git a/apps/apps/halo/ingress-static.yaml b/flux/apps/ingress-halo-static.yaml
similarity index 100%
rename from apps/apps/halo/ingress-static.yaml
rename to flux/apps/ingress-halo-static.yaml
diff --git a/apps/apps/halo/ingress-www.yaml b/flux/apps/ingress-halo-www.yaml
similarity index 99%
rename from apps/apps/halo/ingress-www.yaml
rename to flux/apps/ingress-halo-www.yaml
index 1ed4173..ab64664 100644
--- a/apps/apps/halo/ingress-www.yaml
+++ b/flux/apps/ingress-halo-www.yaml
@@ -20,4 +20,3 @@ spec:
name: halo
port:
number: 80
-
diff --git a/apps/apps/sinceai/ingress-shop.yaml b/flux/apps/ingress-sinceai-shop.yaml
similarity index 99%
rename from apps/apps/sinceai/ingress-shop.yaml
rename to flux/apps/ingress-sinceai-shop.yaml
index bc79e7b..46f37bc 100644
--- a/apps/apps/sinceai/ingress-shop.yaml
+++ b/flux/apps/ingress-sinceai-shop.yaml
@@ -24,4 +24,3 @@ spec:
- hosts:
- shop.sinceai.com
secretName: sinceai-com-crt
-
diff --git a/flux/apps/kustomization.yaml b/flux/apps/kustomization.yaml
new file mode 100644
index 0000000..a7c442d
--- /dev/null
+++ b/flux/apps/kustomization.yaml
@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - namespace.yaml
+ - certificate-fillcode-com.yaml
+ - certificate-sinceai-com.yaml
+ - helmrelease-halo.yaml
+ - ingress-fillcode.yaml
+ - ingress-halo-www.yaml
+ - ingress-halo-static.yaml
+ - ingress-sinceai-shop.yaml
+ - helmrelease-whoami.yaml
+ - helmrelease-rustdesk.yaml
diff --git a/apps/apps/namespaces.yaml b/flux/apps/namespace.yaml
similarity index 100%
rename from apps/apps/namespaces.yaml
rename to flux/apps/namespace.yaml
diff --git a/flux/clusters/base/apps.yaml b/flux/clusters/base/apps.yaml
new file mode 100644
index 0000000..bbb9c19
--- /dev/null
+++ b/flux/clusters/base/apps.yaml
@@ -0,0 +1,17 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: apps
+ namespace: infra-gitops
+spec:
+ interval: 30m
+ retryInterval: 1m
+ sourceRef:
+ kind: GitRepository
+ name: flux
+ path: ./flux/apps
+ prune: true
+ dependsOn:
+ - name: infra-data
+ - name: infra-net
+ - name: infra-gitops
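Review bot: None of the Flux Kustomizations in this overlay set `spec.serviceAccountName`, so the `apps` path is applied with kustomize-controller's own cluster-admin identity, and anyone who can push to `main` of the deploy repo effectively holds cluster-admin; the README notes the FluxInstance runs with `multitenant: false`, so Flux will not enforce impersonation for you. At minimum give the least-trusted tier a namespace-scoped identity, e.g. `serviceAccountName: flux-apps` bound to a Role in `apps`, and protect the source with commit-signature verification on the GitRepository (`spec.verify`) or branch protection on Gitea. Consider the same for the other tiers once the migration settles.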
diff --git a/flux/clusters/base/infra-data.yaml b/flux/clusters/base/infra-data.yaml
new file mode 100644
index 0000000..31c8f10
--- /dev/null
+++ b/flux/clusters/base/infra-data.yaml
@@ -0,0 +1,17 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: infra-data
+ namespace: infra-gitops
+spec:
+ interval: 30m
+ retryInterval: 1m
+ sourceRef:
+ kind: GitRepository
+ name: flux
+ path: ./flux/infrastructure/infra-data
+ prune: true
+ force: true
+ wait: true
+ dependsOn:
+ - name: infra-devops
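Review bot: `force: true` on this Kustomization resolves any immutable-field change by deleting and recreating the object, and per the README and the dev-cm patch this path holds the CNPG `Cluster` objects and Valkey; a forced recreate of a `Cluster` would most likely delete its PVCs and data rather than update it. Prefer dropping `force` here and opting in per object with the `kustomize.toolkit.fluxcd.io/force: "true"` annotation on the one resource that actually needs it, or at least add a comment above the line naming that resource: `# force: needed for <resource> only – never rely on it for the CNPG Cluster objects`.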
diff --git a/flux/clusters/base/infra-devops.yaml b/flux/clusters/base/infra-devops.yaml
new file mode 100644
index 0000000..5c348b3
--- /dev/null
+++ b/flux/clusters/base/infra-devops.yaml
@@ -0,0 +1,35 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: infra-devops
+ namespace: infra-gitops
+spec:
+ interval: 30m
+ retryInterval: 1m
+ sourceRef:
+ kind: GitRepository
+ name: flux
+ path: ./flux/infrastructure/infra-devops
+ prune: true
+ wait: true
+ dependsOn:
+ - name: sources
+
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: infra-devops-post
+ namespace: infra-gitops
+spec:
+ interval: 30m
+ retryInterval: 1m
+ sourceRef:
+ kind: GitRepository
+ name: flux
+ path: ./flux/infrastructure/infra-devops/post
+ prune: true
+ force: true
+ wait: true
+ dependsOn:
+ - name: infra-monitor
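Review bot: The `infra-devops-post` Kustomization applies a sub-path of `infra-devops` with both `prune: true` and `force: true`, but nothing in the hunk or the README's dependency graph says what lives in `post/`, why it must wait for `infra-monitor`, or why it needs force. Add a comment above the second document, e.g. `# post: infra-devops objects that depend on infra-monitor (presumably ServiceMonitors – confirm); force required because <reason>`, and confirm the parent path's kustomization.yaml does not also include `post/`, otherwise two pruning Kustomizations would contend for the same objects.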
diff --git a/flux/clusters/base/infra-gitops.yaml b/flux/clusters/base/infra-gitops.yaml
new file mode 100644
index 0000000..7559fe2
--- /dev/null
+++ b/flux/clusters/base/infra-gitops.yaml
@@ -0,0 +1,17 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: infra-gitops
+ namespace: infra-gitops
+spec:
+ interval: 30m
+ retryInterval: 1m
+ sourceRef:
+ kind: GitRepository
+ name: flux
+ path: ./flux/infrastructure/infra-gitops
+ prune: true
+ wait: true
+ dependsOn:
+ - name: infra-data
+ - name: infra-monitor
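Review bot: This Kustomization prunes the tier that hosts Gitea, and per the README (`sync.url: https://git.dev.cm/devcm/deploy.git`) Gitea is the server Flux itself syncs from; a commit that accidentally drops `gitea` from this path would have Flux garbage-collect its own Git source, after which the corrective commit can no longer be pulled. Consider `prune: false` for this tier, or mark the Gitea HelmRelease and its storage with `kustomize.toolkit.fluxcd.io/prune: disabled`, and document the recovery path in a comment (the README says flux-operator stays under K3s, so a manual `kubectl apply` of the Gitea manifests is the fallback).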
diff --git a/flux/clusters/base/infra-monitor.yaml b/flux/clusters/base/infra-monitor.yaml
new file mode 100644
index 0000000..738ff43
--- /dev/null
+++ b/flux/clusters/base/infra-monitor.yaml
@@ -0,0 +1,17 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: infra-monitor
+ namespace: infra-gitops
+spec:
+ interval: 30m
+ retryInterval: 1m
+ sourceRef:
+ kind: GitRepository
+ name: flux
+ path: ./flux/infrastructure/infra-monitor
+ prune: true
+ force: true
+ wait: true
+ dependsOn:
+ - name: infra-data
diff --git a/flux/clusters/base/infra-net.yaml b/flux/clusters/base/infra-net.yaml
new file mode 100644
index 0000000..8524bda
--- /dev/null
+++ b/flux/clusters/base/infra-net.yaml
@@ -0,0 +1,18 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: infra-net
+ namespace: infra-gitops
+spec:
+ interval: 30m
+ retryInterval: 1m
+ sourceRef:
+ kind: GitRepository
+ name: flux
+ path: ./flux/infrastructure/infra-net
+ prune: true
+ wait: true
+ dependsOn:
+ - name: kube-system
+ - name: infra-devops
+ - name: infra-monitor
diff --git a/flux/clusters/base/kube-system.yaml b/flux/clusters/base/kube-system.yaml
new file mode 100644
index 0000000..036e261
--- /dev/null
+++ b/flux/clusters/base/kube-system.yaml
@@ -0,0 +1,14 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: kube-system
+ namespace: infra-gitops
+spec:
+ interval: 30m
+ retryInterval: 1m
+ sourceRef:
+ kind: GitRepository
+ name: flux
+ path: ./flux/infrastructure/kube-system
+ prune: false
+ wait: true
diff --git a/flux/clusters/base/kustomization.yaml b/flux/clusters/base/kustomization.yaml
new file mode 100644
index 0000000..f4ef994
--- /dev/null
+++ b/flux/clusters/base/kustomization.yaml
@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - sources.yaml
+ - kube-system.yaml
+ - infra-devops.yaml
+ - infra-data.yaml
+ - infra-net.yaml
+ - infra-monitor.yaml
+ - infra-gitops.yaml
+ - apps.yaml
diff --git a/flux/clusters/base/sources.yaml b/flux/clusters/base/sources.yaml
new file mode 100644
index 0000000..01f8d4d
--- /dev/null
+++ b/flux/clusters/base/sources.yaml
@@ -0,0 +1,14 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: sources
+ namespace: infra-gitops
+spec:
+ interval: 30m
+ retryInterval: 1m
+ sourceRef:
+ kind: GitRepository
+ name: flux
+ path: ./flux/infrastructure/sources
+ prune: true
+ wait: true
diff --git a/flux/clusters/dev-cm/kustomization.yaml b/flux/clusters/dev-cm/kustomization.yaml
new file mode 100644
index 0000000..228955a
--- /dev/null
+++ b/flux/clusters/dev-cm/kustomization.yaml
@@ -0,0 +1,29 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ../base
+patches:
+ - target:
+ kind: Kustomization
+ name: infra-devops
+ path: patches/infra-devops.yaml
+ - target:
+ kind: Kustomization
+ name: infra-data
+ path: patches/infra-data.yaml
+ - target:
+ kind: Kustomization
+ name: infra-net
+ path: patches/infra-net.yaml
+ - target:
+ kind: Kustomization
+ name: infra-monitor
+ path: patches/infra-monitor.yaml
+ - target:
+ kind: Kustomization
+ name: infra-gitops
+ path: patches/infra-gitops.yaml
+ - target:
+ kind: Kustomization
+ name: apps
+ path: patches/apps.yaml
diff --git a/flux/clusters/dev-cm/patches/apps.yaml b/flux/clusters/dev-cm/patches/apps.yaml
new file mode 100644
index 0000000..7504d05
--- /dev/null
+++ b/flux/clusters/dev-cm/patches/apps.yaml
@@ -0,0 +1,39 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: apps
+spec:
+ patches:
+ - target:
+ kind: HelmRelease
+ name: halo
+ patch: |
+ apiVersion: helm.toolkit.fluxcd.io/v2
+ kind: HelmRelease
+ metadata:
+ name: halo
+ spec:
+ values:
+ affinity:
+ podAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 100
+ podAffinityTerm:
+ labelSelector:
+ matchLabels:
+ cnpg.io/cluster: cnpg17-cluster-hk
+ role: primary
+ topologyKey: kubernetes.io/hostname
+ namespaceSelector: {}
+ - target:
+ kind: HelmRelease
+ name: rustdesk
+ patch: |
+ apiVersion: helm.toolkit.fluxcd.io/v2
+ kind: HelmRelease
+ metadata:
+ name: rustdesk
+ spec:
+ values:
+ nodeSelector:
+ kubernetes.io/hostname: tcd
diff --git a/flux/clusters/dev-cm/patches/infra-data.yaml b/flux/clusters/dev-cm/patches/infra-data.yaml
new file mode 100644
index 0000000..24047b9
--- /dev/null
+++ b/flux/clusters/dev-cm/patches/infra-data.yaml
@@ -0,0 +1,120 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: infra-data
+spec:
+ patches:
+ - target:
+ kind: HelmRelease
+ name: cloudnative-pg
+ patch: |
+ apiVersion: helm.toolkit.fluxcd.io/v2
+ kind: HelmRelease
+ metadata:
+ name: cloudnative-pg
+ spec:
+ values:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: topology.kubernetes.io/region
+ operator: In
+ values:
+ - "cn-sh"
+ tolerations:
+ - key: "node-role.kubernetes.io/control-plane"
+ operator: "Exists"
+ effect: "NoSchedule"
+ - target:
+ kind: HelmRelease
+ name: cloudnative-pg-plugin-barman
+ patch: |
+ apiVersion: helm.toolkit.fluxcd.io/v2
+ kind: HelmRelease
+ metadata:
+ name: cloudnative-pg-plugin-barman
+ spec:
+ values:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: topology.kubernetes.io/region
+ operator: In
+ values:
+ - "cn-sh"
+ tolerations:
+ - key: "node-role.kubernetes.io/control-plane"
+ operator: "Exists"
+ effect: "NoSchedule"
+ - target:
+ kind: Cluster
+ name: cnpg17-cluster-hk
+ patch: |
+ apiVersion: postgresql.cnpg.io/v1
+ kind: Cluster
+ metadata:
+ name: cnpg17-cluster-hk
+ spec:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: topology.kubernetes.io/region
+ operator: In
+ values:
+ - "cn-hk"
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 1
+ preference:
+ matchExpressions:
+ - key: kubernetes.io/hostname
+ operator: In
+ values:
+ - clawhk
+ - target:
+ kind: Cluster
+ name: cnpg17-cluster-sh
+ patch: |
+ apiVersion: postgresql.cnpg.io/v1
+ kind: Cluster
+ metadata:
+ name: cnpg17-cluster-sh
+ spec:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: topology.kubernetes.io/region
+ operator: In
+ values:
+ - "cn-sh"
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 1
+ preference:
+ matchExpressions:
+ - key: kubernetes.io/hostname
+ operator: In
+ values:
+ - homea
+ - target:
+ kind: HelmRelease
+ name: valkey-cluster-sh
+ patch: |
+ apiVersion: helm.toolkit.fluxcd.io/v2
+ kind: HelmRelease
+ metadata:
+ name: valkey-cluster-sh
+ spec:
+ values:
+ valkey:
+ nodeAffinityPreset:
+ type: hard
+ key: topology.kubernetes.io/region
+ values:
+ - cn-sh
diff --git a/flux/clusters/dev-cm/patches/infra-devops.yaml b/flux/clusters/dev-cm/patches/infra-devops.yaml
new file mode 100644
index 0000000..8c06287
--- /dev/null
+++ b/flux/clusters/dev-cm/patches/infra-devops.yaml
@@ -0,0 +1,124 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: infra-devops
+spec:
+ patches:
+ - target:
+ kind: HelmRelease
+ name: cert-manager
+ patch: |
+ apiVersion: helm.toolkit.fluxcd.io/v2
+ kind: HelmRelease
+ metadata:
+ name: cert-manager
+ spec:
+ values:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: topology.kubernetes.io/region
+ operator: In
+ values:
+ - "cn-sh"
+ webhook:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: topology.kubernetes.io/region
+ operator: In
+ values:
+ - "cn-sh"
+ cainjector:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: topology.kubernetes.io/region
+ operator: In
+ values:
+ - "cn-sh"
+ - target:
+ kind: HelmRelease
+ name: cert-manager-webhook-dnspod
+ patch: |
+ apiVersion: helm.toolkit.fluxcd.io/v2
+ kind: HelmRelease
+ metadata:
+ name: cert-manager-webhook-dnspod
+ spec:
+ values:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: topology.kubernetes.io/region
+ operator: In
+ values:
+ - "cn-sh"
+ - target:
+ kind: HelmRelease
+ name: reflector
+ patch: |
+ apiVersion: helm.toolkit.fluxcd.io/v2
+ kind: HelmRelease
+ metadata:
+ name: reflector
+ spec:
+ values:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: topology.kubernetes.io/region
+ operator: In
+ values:
+ - "cn-sh"
+ - target:
+ kind: HelmRelease
+ name: velero
+ patch: |
+ apiVersion: helm.toolkit.fluxcd.io/v2
+ kind: HelmRelease
+ metadata:
+ name: velero
+ spec:
+ values:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: topology.kubernetes.io/region
+ operator: In
+ values:
+ - "cn-sh"
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 1
+ preference:
+ matchExpressions:
+ - key: kubernetes.io/hostname
+ operator: In
+ values:
+ - homeb
+ nodeAgent:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: node-role.kubernetes.io/control-plane
+ operator: NotIn
+ values:
+ - "true"
+ - key: svccontroller.k3s.cattle.io/enablelb
+ operator: NotIn
+ values:
+ - "true"
diff --git a/flux/clusters/dev-cm/patches/infra-gitops.yaml b/flux/clusters/dev-cm/patches/infra-gitops.yaml
new file mode 100644
index 0000000..71f8b29
--- /dev/null
+++ b/flux/clusters/dev-cm/patches/infra-gitops.yaml
@@ -0,0 +1,51 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: infra-gitops
+spec:
+ patches:
+ - target:
+ kind: HelmRelease
+ name: gitea
+ patch: |
+ apiVersion: helm.toolkit.fluxcd.io/v2
+ kind: HelmRelease
+ metadata:
+ name: gitea
+ spec:
+ values:
+ affinity:
+ podAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 100
+ podAffinityTerm:
+ labelSelector:
+ matchLabels:
+ cnpg.io/cluster: cnpg17-cluster-sh
+ role: primary
+ app.kubernetes.io/name: redis
+ app.kubernetes.io/component: master
+ topologyKey: kubernetes.io/hostname
+ namespaceSelector: {}
+ nodeAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 1
+ preference:
+ matchExpressions:
+ - key: kubernetes.io/hostname
+ operator: In
+ values:
+ - homea
+ - target:
+ kind: HelmRelease
+ name: gitea-actions
+ patch: |
+ apiVersion: helm.toolkit.fluxcd.io/v2
+ kind: HelmRelease
+ metadata:
+ name: gitea-actions
+ spec:
+ values:
+ statefulset:
+ nodeSelector:
+ dev-cm-runner/enabled: "true"
diff --git a/flux/clusters/dev-cm/patches/infra-monitor.yaml b/flux/clusters/dev-cm/patches/infra-monitor.yaml
new file mode 100644
index 0000000..940eaf5
--- /dev/null
+++ b/flux/clusters/dev-cm/patches/infra-monitor.yaml
@@ -0,0 +1,86 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: infra-monitor
+spec:
+ patches:
+ - target:
+ kind: HelmRelease
+ name: loki
+ patch: |
+ apiVersion: helm.toolkit.fluxcd.io/v2
+ kind: HelmRelease
+ metadata:
+ name: loki
+ spec:
+ values:
+ lokiCanary:
+ nodeSelector:
+ svccontroller.k3s.cattle.io/enablelb: "true"
+ resultsCache:
+ nodeSelector:
+ kubernetes.io/hostname: tce
+ chunksCache:
+ nodeSelector:
+ kubernetes.io/hostname: tce
+ singleBinary:
+ nodeSelector:
+ kubernetes.io/hostname: tce
+ - target:
+ kind: HelmRelease
+ name: loki-promtail
+ patch: |
+ apiVersion: helm.toolkit.fluxcd.io/v2
+ kind: HelmRelease
+ metadata:
+ name: loki-promtail
+ spec:
+ values:
+ nodeSelector:
+ svccontroller.k3s.cattle.io/enablelb: "true"
+ - target:
+ kind: HelmRelease
+ name: prometheus
+ patch: |
+ apiVersion: helm.toolkit.fluxcd.io/v2
+ kind: HelmRelease
+ metadata:
+ name: prometheus
+ spec:
+ values:
+ prometheusOperator:
+ nodeSelector:
+ kubernetes.io/hostname: hwa
+ kube-state-metrics:
+ nodeSelector:
+ kubernetes.io/hostname: hwa
+ grafana:
+ affinity:
+ podAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 100
+ podAffinityTerm:
+ labelSelector:
+ matchLabels:
+ cnpg.io/cluster: cnpg17-cluster-sh
+ role: primary
+ topologyKey: kubernetes.io/hostname
+ namespaceSelector: {}
+ persistence:
+ storageClassName: local-path
+ prometheus:
+ prometheusSpec:
+ nodeSelector:
+ kubernetes.io/hostname: hwa
+ storageSpec:
+ volumeClaimTemplate:
+ spec:
+ storageClassName: local-path
+ alertmanager:
+ alertmanagerSpec:
+ nodeSelector:
+ kubernetes.io/hostname: hwa
+ storage:
+ volumeClaimTemplate:
+ spec:
+ storageClassName: local-path
diff --git a/flux/clusters/dev-cm/patches/infra-net.yaml b/flux/clusters/dev-cm/patches/infra-net.yaml
new file mode 100644
index 0000000..ad749f3
--- /dev/null
+++ b/flux/clusters/dev-cm/patches/infra-net.yaml
@@ -0,0 +1,95 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: infra-net
+spec:
+ patches:
+ - target:
+ kind: HelmRelease
+ name: ingress-nginx
+ patch: |
+ apiVersion: helm.toolkit.fluxcd.io/v2
+ kind: HelmRelease
+ metadata:
+ name: ingress-nginx
+ spec:
+ values:
+ controller:
+ nodeSelector:
+ svccontroller.k3s.cattle.io/enablelb: "true"
+ tolerations:
+ - key: "node-role.kubernetes.io/control-plane"
+ operator: "Exists"
+ effect: "NoSchedule"
+ dnsPolicy: "None"
+ dnsConfig:
+ nameservers:
+ - "169.254.20.10"
+ - "10.43.0.10"
+ maxmindLicenseKey: "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"
+ defaultBackend:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: topology.kubernetes.io/region
+ operator: In
+ values:
+ - "cn-sh"
+ - "cn-hk"
+ - target:
+ kind: HelmRelease
+ name: crowdsec
+ patch: |
+ apiVersion: helm.toolkit.fluxcd.io/v2
+ kind: HelmRelease
+ metadata:
+ name: crowdsec
+ spec:
+ values:
+ agent:
+ affinity:
+ podAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 100
+ podAffinityTerm:
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: loki
+ topologyKey: kubernetes.io/hostname
+ namespaceSelector: {}
+ appsec:
+ affinity:
+ nodeAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 1
+ preference:
+ matchExpressions:
+ - key: topology.kubernetes.io/region
+ operator: In
+ values:
+ - cn-hk
+ lapi:
+ affinity:
+ nodeAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 1
+ preference:
+ matchExpressions:
+ - key: topology.kubernetes.io/region
+ operator: In
+ values:
+ - cn-hk
+ - target:
+ kind: HelmRelease
+ name: tailscale-derp-hk
+ patch: |
+ apiVersion: helm.toolkit.fluxcd.io/v2
+ kind: HelmRelease
+ metadata:
+ name: tailscale-derp-hk
+ spec:
+ values:
+ nodeSelector:
+ kubernetes.io/hostname: tchk
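Review bot: The ingress-nginx patch commits a live credential in plaintext — `maxmindLicenseKey: "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"` sits in a Git-synced cluster overlay, so anyone with read access to the repo (and its history, even after removal) holds the key. That key should be treated as compromised and rotated at MaxMind now, and the replacement kept out of Git entirely: put it in a Secret in infra-net (created out of band like `dnspod-secret`, or SOPS-encrypted) and let the HelmRelease pull it in via `spec.valuesFrom` with a `targetPath`, which the patch can add alongside `spec.values`. The sketch below assumes the chart key stays `controller.maxmindLicenseKey`; the rest of the controller values are unchanged.
```yaml
spec:
  valuesFrom:
    - kind: Secret
      name: ingress-nginx-maxmind
      valuesKey: licenseKey
      targetPath: controller.maxmindLicenseKey
  values:
    controller:
      # … unchanged: nodeSelector, tolerations, dnsPolicy, dnsConfig …
```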
diff --git a/flux/clusters/local/kustomization.yaml b/flux/clusters/local/kustomization.yaml
new file mode 100644
index 0000000..27bb5cb
--- /dev/null
+++ b/flux/clusters/local/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ../base
diff --git a/apps/infra/gitops/flux/flux-instance.yaml b/flux/flux-instance.yaml
similarity index 78%
rename from apps/infra/gitops/flux/flux-instance.yaml
rename to flux/flux-instance.yaml
index 6333379..beaae9b 100644
--- a/apps/infra/gitops/flux/flux-instance.yaml
+++ b/flux/flux-instance.yaml
@@ -22,6 +22,13 @@ spec:
storage:
class: "local-path"
size: "10Gi"
+ # Git 仓库同步配置 - 请将 url 替换为实际的 deploy 仓库地址
+ sync:
+ kind: GitRepository
+ url: https://git.dev.cm/devcm/deploy.git
+ ref: refs/heads/main
+ path: flux/clusters/dev-cm
+ pullSecret: flux-git-auth
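Review bot: The added comment still says to replace the URL with the real deploy repository, but `url: https://git.dev.cm/devcm/deploy.git` is already a concrete address, so the note reads as a stale placeholder; either drop it or reword it to say what `flux-git-auth` must contain and who creates it (it is referenced here but not defined in this diff). Separately, if `git.dev.cm` is the Gitea that this same repository deploys under infra-gitops (the renamed `ingress-static-gitea.yaml` suggests so, but I cannot confirm from these hunks), Flux's source of truth lives inside the cluster it reconciles, so a cluster rebuild cannot bootstrap until Gitea is restored by hand; a comment stating that dependency, e.g. `# NOTE: source repo is the in-cluster Gitea; bootstrap requires it to be reachable first`, would save the next operator a surprise.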
kustomize:
patches:
- target:
@@ -38,4 +45,4 @@ spec:
- key: kubernetes.io/hostname
operator: In
values:
- - homea
\ No newline at end of file
+ - homea
diff --git a/apps/infra/data/cloudnative-pg/cnpg17-cluster-hk.yaml b/flux/infrastructure/infra-data/cnpg17-cluster-hk.yaml
similarity index 63%
rename from apps/infra/data/cloudnative-pg/cnpg17-cluster-hk.yaml
rename to flux/infrastructure/infra-data/cnpg17-cluster-hk.yaml
index 578f12a..ed56381 100644
--- a/apps/infra/data/cloudnative-pg/cnpg17-cluster-hk.yaml
+++ b/flux/infrastructure/infra-data/cnpg17-cluster-hk.yaml
@@ -4,23 +4,6 @@ metadata:
name: cnpg17-cluster-hk
namespace: infra-data
spec:
- affinity:
- nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- nodeSelectorTerms:
- - matchExpressions:
- - key: topology.kubernetes.io/region
- operator: In
- values:
- - "cn-hk"
- preferredDuringSchedulingIgnoredDuringExecution:
- - weight: 1
- preference:
- matchExpressions:
- - key: kubernetes.io/hostname
- operator: In
- values:
- - clawhk
imageName: ghcr.io/cloudnative-pg/postgresql:17.4
enableSuperuserAccess: true
enablePDB: false
@@ -56,4 +39,4 @@ spec:
pluginConfiguration:
name: barman-cloud.cloudnative-pg.io
cluster:
- name: cnpg17-cluster-hk
\ No newline at end of file
+ name: cnpg17-cluster-hk
diff --git a/apps/infra/data/cloudnative-pg/cnpg17-cluster-sh.yaml b/flux/infrastructure/infra-data/cnpg17-cluster-sh.yaml
similarity index 63%
rename from apps/infra/data/cloudnative-pg/cnpg17-cluster-sh.yaml
rename to flux/infrastructure/infra-data/cnpg17-cluster-sh.yaml
index 5d58483..a48af91 100644
--- a/apps/infra/data/cloudnative-pg/cnpg17-cluster-sh.yaml
+++ b/flux/infrastructure/infra-data/cnpg17-cluster-sh.yaml
@@ -4,23 +4,6 @@ metadata:
name: cnpg17-cluster-sh
namespace: infra-data
spec:
- affinity:
- nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- nodeSelectorTerms:
- - matchExpressions:
- - key: topology.kubernetes.io/region
- operator: In
- values:
- - "cn-sh"
- preferredDuringSchedulingIgnoredDuringExecution:
- - weight: 1
- preference:
- matchExpressions:
- - key: kubernetes.io/hostname
- operator: In
- values:
- - homea
imageName: ghcr.io/cloudnative-pg/postgresql:17.4
enableSuperuserAccess: true
enablePDB: false
@@ -56,4 +39,4 @@ spec:
pluginConfiguration:
name: barman-cloud.cloudnative-pg.io
cluster:
- name: cnpg17-cluster-sh
\ No newline at end of file
+ name: cnpg17-cluster-sh
diff --git a/apps/infra/data/cloudnative-pg/cnpg17-objectstore-hw.yaml b/flux/infrastructure/infra-data/cnpg17-objectstore-hw.yaml
similarity index 95%
rename from apps/infra/data/cloudnative-pg/cnpg17-objectstore-hw.yaml
rename to flux/infrastructure/infra-data/cnpg17-objectstore-hw.yaml
index 2842379..06a3f90 100644
--- a/apps/infra/data/cloudnative-pg/cnpg17-objectstore-hw.yaml
+++ b/flux/infrastructure/infra-data/cnpg17-objectstore-hw.yaml
@@ -17,4 +17,4 @@ spec:
key: ACCESS_SECRET_KEY
wal:
compression: gzip
- maxParallel: 8
\ No newline at end of file
+ maxParallel: 8
diff --git a/flux/infrastructure/infra-data/helmrelease-barman-plugin.yaml b/flux/infrastructure/infra-data/helmrelease-barman-plugin.yaml
new file mode 100644
index 0000000..836e31d
--- /dev/null
+++ b/flux/infrastructure/infra-data/helmrelease-barman-plugin.yaml
@@ -0,0 +1,18 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: cloudnative-pg-plugin-barman
+ namespace: infra-data
+spec:
+ interval: 30m
+ dependsOn:
+ - name: cloudnative-pg
+ chart:
+ spec:
+ chart: plugin-barman-cloud
+ version: 0.5.0
+ sourceRef:
+ kind: HelmRepository
+ name: cloudnative-pg
+ namespace: infra-gitops
+ interval: 12h
diff --git a/flux/infrastructure/infra-data/helmrelease-cloudnative-pg.yaml b/flux/infrastructure/infra-data/helmrelease-cloudnative-pg.yaml
new file mode 100644
index 0000000..0d1018a
--- /dev/null
+++ b/flux/infrastructure/infra-data/helmrelease-cloudnative-pg.yaml
@@ -0,0 +1,20 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: cloudnative-pg
+ namespace: infra-data
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: cloudnative-pg
+ version: 0.27.1
+ sourceRef:
+ kind: HelmRepository
+ name: cloudnative-pg
+ namespace: infra-gitops
+ interval: 12h
+ install:
+ crds: CreateReplace
+ upgrade:
+ crds: CreateReplace
diff --git a/flux/infrastructure/infra-data/helmrelease-valkey-cluster.yaml b/flux/infrastructure/infra-data/helmrelease-valkey-cluster.yaml
new file mode 100644
index 0000000..b089f24
--- /dev/null
+++ b/flux/infrastructure/infra-data/helmrelease-valkey-cluster.yaml
@@ -0,0 +1,22 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: valkey-cluster-sh
+ namespace: infra-data
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: valkey-cluster
+ version: 3.0.23
+ sourceRef:
+ kind: HelmRepository
+ name: bitnami
+ namespace: infra-gitops
+ interval: 12h
+ values:
+ image:
+ repository: bitnamilegacy/valkey-cluster
+ cluster:
+ nodes: 1
+ replicas: 0
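Review bot: `image.repository: bitnamilegacy/valkey-cluster` overrides the image source without pinning `image.tag` or a digest, so whatever the chart's default tag resolves to in that namespace is what runs; if `bitnamilegacy` is the frozen archive namespace I believe it to be, that image will not receive further security updates, and this is the cache/queue backend whose password is embedded in Gitea's connection URLs. Pin it explicitly (`tag: "<version>"` plus `digest: sha256:…` if the chart exposes one) and add a comment recording why the legacy namespace is used and when it should be migrated, e.g. `# legacy namespace: no upstream updates — pinned; revisit before next chart bump`.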
diff --git a/flux/infrastructure/infra-data/kustomization.yaml b/flux/infrastructure/infra-data/kustomization.yaml
new file mode 100644
index 0000000..406c8aa
--- /dev/null
+++ b/flux/infrastructure/infra-data/kustomization.yaml
@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - namespace.yaml
+ - helmrelease-cloudnative-pg.yaml
+ - helmrelease-barman-plugin.yaml
+ - cnpg17-objectstore-hw.yaml
+ - cnpg17-cluster-hk.yaml
+ - cnpg17-cluster-sh.yaml
+ - loadbalancer-hk.yaml
+ - loadbalancer-sh.yaml
+ - helmrelease-valkey-cluster.yaml
+ - reflector-secret-annotations.yaml
diff --git a/apps/infra/data/cloudnative-pg/loadbalancer-hk.yaml b/flux/infrastructure/infra-data/loadbalancer-hk.yaml
similarity index 100%
rename from apps/infra/data/cloudnative-pg/loadbalancer-hk.yaml
rename to flux/infrastructure/infra-data/loadbalancer-hk.yaml
diff --git a/apps/infra/data/cloudnative-pg/loadbalancer-sh.yaml b/flux/infrastructure/infra-data/loadbalancer-sh.yaml
similarity index 100%
rename from apps/infra/data/cloudnative-pg/loadbalancer-sh.yaml
rename to flux/infrastructure/infra-data/loadbalancer-sh.yaml
diff --git a/apps/infra/net/namespaces.yaml b/flux/infrastructure/infra-data/namespace.yaml
similarity index 68%
rename from apps/infra/net/namespaces.yaml
rename to flux/infrastructure/infra-data/namespace.yaml
index 2957f6b..9ea6604 100644
--- a/apps/infra/net/namespaces.yaml
+++ b/flux/infrastructure/infra-data/namespace.yaml
@@ -1,4 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
- name: infra-net
\ No newline at end of file
+ name: infra-data
diff --git a/flux/infrastructure/infra-data/reflector-secret-annotations.yaml b/flux/infrastructure/infra-data/reflector-secret-annotations.yaml
new file mode 100644
index 0000000..b1f60b0
--- /dev/null
+++ b/flux/infrastructure/infra-data/reflector-secret-annotations.yaml
@@ -0,0 +1,41 @@
+# 给CNPG和Valkey自动生成的secrets添加Reflector注解
+# 通过SSA force合并注解到已有secrets 使其自动复制到消费方命名空间
+#
+# cnpg17-cluster-hk-app → apps (halo), infra-net (crowdsec)
+# cnpg17-cluster-sh-app → infra-gitops (gitea), infra-monitor (grafana)
+# valkey-cluster-sh → infra-gitops (gitea)
+apiVersion: v1
+kind: Secret
+metadata:
+ name: cnpg17-cluster-hk-app
+ namespace: infra-data
+ annotations:
+ kustomize.toolkit.fluxcd.io/prune: disabled
+ reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
+ reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "apps,infra-net"
+ reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
+ reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "apps,infra-net"
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: cnpg17-cluster-sh-app
+ namespace: infra-data
+ annotations:
+ kustomize.toolkit.fluxcd.io/prune: disabled
+ reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
+ reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "infra-gitops,infra-monitor"
+ reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
+ reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "infra-gitops,infra-monitor"
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: valkey-cluster-sh
+ namespace: infra-data
+ annotations:
+ kustomize.toolkit.fluxcd.io/prune: disabled
+ reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
+ reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "infra-gitops"
+ reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
+ reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "infra-gitops"
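Review bot: These three Secret manifests carry only annotations and no `data`, and the header comment relies on server-side apply merging them into objects the CNPG and Valkey controllers create; nothing in this diff orders that, so on a fresh cluster Flux may apply them first and create empty Secrets, after which the controllers either refuse to overwrite them or consumers mount an empty credential (I cannot confirm the reconcile order from the visible Kustomizations). If the intent is a pure annotation patch, add `kustomize.toolkit.fluxcd.io/ssa: Merge` next to the prune annotation so Flux patches only the declared fields rather than applying a whole object, and consider letting this Kustomization depend on one that waits for the clusters to be Ready. The namespace lists are tightly scoped, which is the right call for credentials; note in the header that these are the app-user secrets (not the `-superuser` ones) so nobody later widens the list by analogy.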
diff --git a/apps/infra/devops/cert-manager/clusterissuer-dnspod.yaml b/flux/infrastructure/infra-devops/clusterissuer-dnspod.yaml
similarity index 95%
rename from apps/infra/devops/cert-manager/clusterissuer-dnspod.yaml
rename to flux/infrastructure/infra-devops/clusterissuer-dnspod.yaml
index 6adbb0b..2007415 100644
--- a/apps/infra/devops/cert-manager/clusterissuer-dnspod.yaml
+++ b/flux/infrastructure/infra-devops/clusterissuer-dnspod.yaml
@@ -23,4 +23,4 @@ spec:
key: secretId
secretKeyRef:
name: dnspod-secret
- key: secretKey
\ No newline at end of file
+ key: secretKey
diff --git a/flux/infrastructure/infra-devops/helmrelease-cert-manager-webhook-dnspod.yaml b/flux/infrastructure/infra-devops/helmrelease-cert-manager-webhook-dnspod.yaml
new file mode 100644
index 0000000..8df2dda
--- /dev/null
+++ b/flux/infrastructure/infra-devops/helmrelease-cert-manager-webhook-dnspod.yaml
@@ -0,0 +1,29 @@
+# 安装后需要将clusterIssuer的cnameStrategy策略设置为Follow
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: cert-manager-webhook-dnspod
+ namespace: infra-devops
+spec:
+ interval: 30m
+ dependsOn:
+ - name: cert-manager
+ chart:
+ spec:
+ chart: cert-manager-webhook-dnspod
+ version: 1.4.5
+ sourceRef:
+ kind: HelmRepository
+ name: imroc
+ namespace: infra-gitops
+ interval: 12h
+ values:
+ image:
+ tag: "1.5.2"
+ namespace: infra-devops
+ certManager:
+ namespace: infra-devops
+ groupName: cert.dev.cm
+ # 此处关闭 选择手动创建 以支持cnameStrategy
+ clusterIssuer:
+ enabled: false
diff --git a/flux/infrastructure/infra-devops/helmrelease-cert-manager.yaml b/flux/infrastructure/infra-devops/helmrelease-cert-manager.yaml
new file mode 100644
index 0000000..b543127
--- /dev/null
+++ b/flux/infrastructure/infra-devops/helmrelease-cert-manager.yaml
@@ -0,0 +1,31 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: cert-manager
+ namespace: infra-devops
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: cert-manager
+ version: v1.19.3
+ sourceRef:
+ kind: HelmRepository
+ name: jetstack
+ namespace: infra-gitops
+ interval: 12h
+ install:
+ crds: CreateReplace
+ upgrade:
+ crds: CreateReplace
+ # 首次install时servicemonitor=false(CRD尚不存在)
+ # infra-monitor层部署后通过SSA patch开启
+ values:
+ crds:
+ enabled: true
+ keep: true
+ enableCertificateOwnerRef: true
+ prometheus:
+ enabled: true
+ servicemonitor:
+ enabled: false
diff --git a/flux/infrastructure/infra-devops/helmrelease-reflector.yaml b/flux/infrastructure/infra-devops/helmrelease-reflector.yaml
new file mode 100644
index 0000000..ebf8fc6
--- /dev/null
+++ b/flux/infrastructure/infra-devops/helmrelease-reflector.yaml
@@ -0,0 +1,17 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: reflector
+ namespace: infra-devops
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: reflector
+ version: 9.1.45
+ sourceRef:
+ kind: HelmRepository
+ name: emberstack
+ namespace: infra-gitops
+ interval: 12h
+ values: {}
diff --git a/apps/infra/devops/velero/helmchart.yaml b/flux/infrastructure/infra-devops/helmrelease-velero.yaml
similarity index 50%
rename from apps/infra/devops/velero/helmchart.yaml
rename to flux/infrastructure/infra-devops/helmrelease-velero.yaml
index dd71f60..85f0fc5 100644
--- a/apps/infra/devops/velero/helmchart.yaml
+++ b/flux/infrastructure/infra-devops/helmrelease-velero.yaml
@@ -1,31 +1,20 @@
-apiVersion: helm.cattle.io/v1
-kind: HelmChart
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
metadata:
name: velero
namespace: infra-devops
spec:
- repo: https://vmware-tanzu.github.io/helm-charts
- chart: velero
- targetNamespace: infra-devops
- version: 11.3.2
- valuesContent: |-
- affinity:
- nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- nodeSelectorTerms:
- - matchExpressions:
- - key: topology.kubernetes.io/region
- operator: In
- values:
- - "cn-sh"
- preferredDuringSchedulingIgnoredDuringExecution:
- - weight: 1
- preference:
- matchExpressions:
- - key: kubernetes.io/hostname
- operator: In
- values:
- - homeb
+ interval: 30m
+ chart:
+ spec:
+ chart: velero
+ version: 11.3.2
+ sourceRef:
+ kind: HelmRepository
+ name: vmware-tanzu
+ namespace: infra-gitops
+ interval: 12h
+ values:
# 此处暂时切换关闭upgradeCRDs操作 待官方修复后再开启
upgradeCRDs: false
deployNodeAgent: true
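Review bot: With `upgradeCRDs: false` and no `install.crds`/`upgrade.crds` on the HelmRelease, a future velero chart bump will leave the CRDs at whatever version was first installed, because Flux's default for upgrades is to skip CRDs; the cloudnative-pg and cert-manager HelmReleases in this same change set `install: { crds: CreateReplace }` and `upgrade: { crds: CreateReplace }`, and velero should match so the operator and its CRDs move together. Also reword the comment to name the upstream issue being waited on, e.g. `# upgradeCRDs disabled pending <issue link>; CRDs are managed by Flux instead`, so it can be cleaned up when that fix lands. The values block continues past this hunk.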
@@ -34,7 +23,7 @@ spec:
backupSyncPeriod: 1h0m0s
defaultRepoMaintainFrequency: 3h0m0s
repositoryMaintenanceJob:
- repositoryConfigData:
+ repositoryConfigData:
global:
keepLatestMaintenanceJobs: 1
backupStorageLocation:
@@ -53,7 +42,7 @@ spec:
valueFrom:
secretKeyRef:
name: s3-devcm-hw
- key: ACCESS_KEY_ID
+ key: ACCESS_KEY_ID
- name: AWS_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
@@ -69,17 +58,3 @@ spec:
name: plugins
nodeAgent:
# 控制面板不启用 lb节点不启用
- affinity:
- nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- nodeSelectorTerms:
- - matchExpressions:
- - key: node-role.kubernetes.io/control-plane
- operator: NotIn
- values:
- - "true"
- - key: svccontroller.k3s.cattle.io/enablelb
- operator: NotIn
- values:
- - "true"
-
diff --git a/flux/infrastructure/infra-devops/kustomization.yaml b/flux/infrastructure/infra-devops/kustomization.yaml
new file mode 100644
index 0000000..d3bb77c
--- /dev/null
+++ b/flux/infrastructure/infra-devops/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - namespace.yaml
+ - helmrelease-cert-manager.yaml
+ - helmrelease-cert-manager-webhook-dnspod.yaml
+ - clusterissuer-dnspod.yaml
+ - helmrelease-reflector.yaml
+ - helmrelease-velero.yaml
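Review bot: `clusterissuer-dnspod.yaml` is applied in the same Kustomization as the cert-manager HelmRelease, so on first reconcile the ClusterIssuer kind does not yet exist and the apply fails until helm-controller has installed the CRDs; Flux retries and eventually converges, but the Kustomization reports failure in the meantime and health checks stall. The `post/` overlay added in this same change already establishes the pattern for ordering — moving the ClusterIssuer there (or into another Kustomization with `dependsOn` infra-devops) avoids the noise. The webhook HelmRelease header also says the ClusterIssuer must be created manually with `cnameStrategy: Follow`; a comment here, `# clusterissuer-dnspod: needs cert-manager CRDs — applied after the HelmRelease is healthy`, would make the intended order explicit.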
diff --git a/apps/infra/devops/namespaces.yaml b/flux/infrastructure/infra-devops/namespace.yaml
similarity index 66%
rename from apps/infra/devops/namespaces.yaml
rename to flux/infrastructure/infra-devops/namespace.yaml
index fbf95ad..6dc677a 100644
--- a/apps/infra/devops/namespaces.yaml
+++ b/flux/infrastructure/infra-devops/namespace.yaml
@@ -1,4 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
- name: infra-devops
\ No newline at end of file
+ name: infra-devops
diff --git a/flux/infrastructure/infra-devops/post/helmrelease-cert-manager-patch.yaml b/flux/infrastructure/infra-devops/post/helmrelease-cert-manager-patch.yaml
new file mode 100644
index 0000000..35fbcf5
--- /dev/null
+++ b/flux/infrastructure/infra-devops/post/helmrelease-cert-manager-patch.yaml
@@ -0,0 +1,17 @@
+# 在prometheus-stack部署后 通过SSA patch cert-manager开启ServiceMonitor
+# cert-manager初始安装时servicemonitor.enabled=false(CRD尚不存在)
+# infra-monitor层部署时CRD已就绪 此patch合并到已有HelmRelease
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: cert-manager
+ namespace: infra-devops
+ annotations:
+ kustomize.toolkit.fluxcd.io/prune: disabled
+spec:
+ values:
+ prometheus:
+ servicemonitor:
+ enabled: true
+ interval: 300s
+ prometheusInstance: kube-prometheus
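Review bot: This manifest is a whole HelmRelease object with only `spec.values.prometheus.servicemonitor` set, and as far as I know every Flux Kustomization applies under the same field manager, so a plain server-side apply of it would drop the fields that manager previously set but that are absent here (`spec.chart`, `interval`, `install`, the other values) rather than merge into them. If the Flux Kustomization that applies `post/` does not already set it, add `kustomize.toolkit.fluxcd.io/ssa: Merge` beside the prune annotation so only the declared fields are patched. Also translate the header so the intent survives: `# Applied after infra-monitor: enables the cert-manager ServiceMonitor once the CRD exists (initial install sets it false)`.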
diff --git a/flux/infrastructure/infra-devops/post/kustomization.yaml b/flux/infrastructure/infra-devops/post/kustomization.yaml
new file mode 100644
index 0000000..554ef78
--- /dev/null
+++ b/flux/infrastructure/infra-devops/post/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - helmrelease-cert-manager-patch.yaml
diff --git a/apps/infra/gitops/gitea/configmap-actions-dind.yaml b/flux/infrastructure/infra-gitops/configmap-actions-dind.yaml
similarity index 96%
rename from apps/infra/gitops/gitea/configmap-actions-dind.yaml
rename to flux/infrastructure/infra-gitops/configmap-actions-dind.yaml
index 64edd6a..906986a 100644
--- a/apps/infra/gitops/gitea/configmap-actions-dind.yaml
+++ b/flux/infrastructure/infra-gitops/configmap-actions-dind.yaml
@@ -7,4 +7,4 @@ data:
daemon.json: |-
{
"mtu": 1280
- }
\ No newline at end of file
+ }
diff --git a/apps/infra/gitops/gitea/configmap-templates.yaml b/flux/infrastructure/infra-gitops/configmap-templates.yaml
similarity index 98%
rename from apps/infra/gitops/gitea/configmap-templates.yaml
rename to flux/infrastructure/infra-gitops/configmap-templates.yaml
index 5b5b0ff..ba12338 100644
--- a/apps/infra/gitops/gitea/configmap-templates.yaml
+++ b/flux/infrastructure/infra-gitops/configmap-templates.yaml
@@ -28,4 +28,4 @@ data:
\ No newline at end of file
+
diff --git a/apps/infra/gitops/gitea/helmchart-actions.yaml b/flux/infrastructure/infra-gitops/helmrelease-gitea-actions.yaml
similarity index 71%
rename from apps/infra/gitops/gitea/helmchart-actions.yaml
rename to flux/infrastructure/infra-gitops/helmrelease-gitea-actions.yaml
index a9e96fb..94e8e89 100644
--- a/apps/infra/gitops/gitea/helmchart-actions.yaml
+++ b/flux/infrastructure/infra-gitops/helmrelease-gitea-actions.yaml
@@ -1,18 +1,24 @@
-apiVersion: helm.cattle.io/v1
-kind: HelmChart
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
metadata:
name: gitea-actions
namespace: infra-gitops
spec:
- repo: https://dl.gitea.com/charts
- chart: actions
- targetNamespace: infra-gitops
- version: 0.0.2
- valuesContent: |-
+ interval: 30m
+ dependsOn:
+ - name: gitea
+ chart:
+ spec:
+ chart: actions
+ version: 0.0.2
+ sourceRef:
+ kind: HelmRepository
+ name: gitea
+ namespace: infra-gitops
+ interval: 12h
+ values:
enabled: true
statefulset:
- nodeSelector:
- dev-cm-runner/enabled: "true"
actRunner:
config: |
log:
@@ -22,8 +28,8 @@ spec:
container:
require_docker: true
docker_timeout: 300s
- # 使用bridge网络模式,解决新建任务临时网络mtu与主机不一致的问题
- network: bridge
+ # 使用bridge网络模式,解决新建任务临时网络mtu与主机不一致的问题
+ network: bridge
dind:
# 挂载dind docker配置文件,解决mtu带来的网络问题
extraVolumeMounts:
@@ -39,8 +45,3 @@ spec:
giteaRootURL: http://gitea-http.infra-gitops.svc.cluster.local:3000
existingSecret: gitea-actions
existingSecretKey: token
-
-
-
-
-
diff --git a/apps/infra/gitops/gitea/helmchart.yaml b/flux/infrastructure/infra-gitops/helmrelease-gitea.yaml
similarity index 76%
rename from apps/infra/gitops/gitea/helmchart.yaml
rename to flux/infrastructure/infra-gitops/helmrelease-gitea.yaml
index d1b20f7..659c03b 100644
--- a/apps/infra/gitops/gitea/helmchart.yaml
+++ b/flux/infrastructure/infra-gitops/helmrelease-gitea.yaml
@@ -1,36 +1,20 @@
-apiVersion: helm.cattle.io/v1
-kind: HelmChart
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
metadata:
name: gitea
namespace: infra-gitops
spec:
- repo: https://dl.gitea.com/charts
- chart: gitea
- targetNamespace: infra-gitops
- version: 12.5.0
- valuesContent: |-
- affinity:
- podAffinity:
- preferredDuringSchedulingIgnoredDuringExecution:
- - weight: 100
- podAffinityTerm:
- labelSelector:
- matchLabels:
- cnpg.io/cluster: cnpg17-cluster-sh
- role: primary
- app.kubernetes.io/name: redis
- app.kubernetes.io/component: master
- topologyKey: kubernetes.io/hostname
- namespaceSelector: {}
- nodeAffinity:
- preferredDuringSchedulingIgnoredDuringExecution:
- - weight: 1
- preference:
- matchExpressions:
- - key: kubernetes.io/hostname
- operator: In
- values:
- - homea
+ interval: 30m
+ chart:
+ spec:
+ chart: gitea
+ version: 12.5.0
+ sourceRef:
+ kind: HelmRepository
+ name: gitea
+ namespace: infra-gitops
+ interval: 12h
+ values:
redis-cluster:
enabled: false
postgresql-ha:
@@ -111,7 +95,7 @@ spec:
- name: GITEA__CACHE__HOST
value: "redis://:$(REDIS_PASSWORD)@valkey-cluster-sh-headless.infra-data:6379/0?pool_size=100&idle_timeout=180s"
- name: GITEA__QUEUE__CONN_STR
- value: "redis://:$(REDIS_PASSWORD)@valkey-cluster-sh-headless.infra-data:6379/0?pool_size=100&idle_timeout=180s"
+ value: "redis://:$(REDIS_PASSWORD)@valkey-cluster-sh-headless.infra-data:6379/0?pool_size=100&idle_timeout=180s"
valkey-cluster:
enabled: false
extraVolumes:
@@ -125,6 +109,3 @@ spec:
- name: gitea-custom-templates-volume
subPath: extra_links.tmpl
mountPath: /data/gitea/templates/custom/extra_links.tmpl
-
-
-
diff --git a/apps/infra/gitops/gitea/ingress-static.yaml b/flux/infrastructure/infra-gitops/ingress-static-gitea.yaml
similarity index 100%
rename from apps/infra/gitops/gitea/ingress-static.yaml
rename to flux/infrastructure/infra-gitops/ingress-static-gitea.yaml
diff --git a/flux/infrastructure/infra-gitops/kustomization.yaml b/flux/infrastructure/infra-gitops/kustomization.yaml
new file mode 100644
index 0000000..b2d1d1b
--- /dev/null
+++ b/flux/infrastructure/infra-gitops/kustomization.yaml
@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - helmrelease-gitea.yaml
+ - helmrelease-gitea-actions.yaml
+ - configmap-templates.yaml
+ - configmap-actions-dind.yaml
+ - ingress-static-gitea.yaml
+ - loadbalancer-ssh.yaml
+ - networkpolicy-gitea.yaml
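Review bot: The new infra-gitops Kustomization lists no `namespace.yaml`, while the sibling infra-monitor and infra-net Kustomizations in this diff list theirs first, and the old `apps/infra/gitops/namespaces.yaml` is repurposed as the infra-monitor Namespace further down. Unless the infra-gitops Namespace is created elsewhere (e.g. by the Flux bootstrap), the HelmRepositories and the gitea HelmRelease that target it will fail to apply; add a `namespace.yaml` for infra-gitops as the first resource, or leave a comment above `resources:` stating where the namespace comes from.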
diff --git a/apps/infra/gitops/gitea/loadbalancer-ssh.yaml b/flux/infrastructure/infra-gitops/loadbalancer-ssh.yaml
similarity index 92%
rename from apps/infra/gitops/gitea/loadbalancer-ssh.yaml
rename to flux/infrastructure/infra-gitops/loadbalancer-ssh.yaml
index d24c78d..81f50e1 100644
--- a/apps/infra/gitops/gitea/loadbalancer-ssh.yaml
+++ b/flux/infrastructure/infra-gitops/loadbalancer-ssh.yaml
@@ -11,4 +11,4 @@ spec:
- protocol: TCP
port: 22
targetPort: 2222
- type: LoadBalancer
\ No newline at end of file
+ type: LoadBalancer
diff --git a/apps/infra/gitops/gitea/networkpolicy.yaml b/flux/infrastructure/infra-gitops/networkpolicy-gitea.yaml
similarity index 95%
rename from apps/infra/gitops/gitea/networkpolicy.yaml
rename to flux/infrastructure/infra-gitops/networkpolicy-gitea.yaml
index 1f4c175..63ed105 100644
--- a/apps/infra/gitops/gitea/networkpolicy.yaml
+++ b/flux/infrastructure/infra-gitops/networkpolicy-gitea.yaml
@@ -13,4 +13,4 @@ spec:
- {}
policyTypes:
- Ingress
- - Egress
\ No newline at end of file
+ - Egress
diff --git a/apps/infra/monitor/loki/helmchart-loki.yaml b/flux/infrastructure/infra-monitor/helmrelease-loki.yaml
similarity index 54%
rename from apps/infra/monitor/loki/helmchart-loki.yaml
rename to flux/infrastructure/infra-monitor/helmrelease-loki.yaml
index aba663a..980bf91 100644
--- a/apps/infra/monitor/loki/helmchart-loki.yaml
+++ b/flux/infrastructure/infra-monitor/helmrelease-loki.yaml
@@ -1,32 +1,32 @@
-apiVersion: helm.cattle.io/v1
-kind: HelmChart
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
metadata:
name: loki
namespace: infra-monitor
spec:
- repo: https://grafana.github.io/helm-charts
- chart: loki
- targetNamespace: infra-monitor
- version: 6.53.0
- valuesContent: |-
+ interval: 30m
+ chart:
+ spec:
+ chart: loki
+ version: 6.53.0
+ sourceRef:
+ kind: HelmRepository
+ name: grafana
+ namespace: infra-gitops
+ interval: 12h
+ values:
deploymentMode: SingleBinary
gateway:
enabled: false
lokiCanary:
- nodeSelector:
- svccontroller.k3s.cattle.io/enablelb: "true"
extraArgs:
# 降低测试日志生成条数
- -interval=30s
- -labelname=service_name
- -labelvalue=loki-canary
resultsCache:
- nodeSelector:
- kubernetes.io/hostname: tce
allocatedMemory: 1024
chunksCache:
- nodeSelector:
- kubernetes.io/hostname: tce
allocatedMemory: 1024
loki:
auth_enabled: false
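Review bot: The new `sourceRef` points at a HelmRepository in `infra-gitops` while the HelmRelease lives in `infra-monitor`; this cross-namespace reference only works while helm-controller runs with cross-namespace references enabled, and breaks as soon as the cluster is hardened with `--no-cross-namespace-refs=true`, which is the usual multi-tenancy setting. The same pattern is used by the prometheus, promtail, crowdsec, ingress-nginx, tailscale-derp and gitea HelmReleases in this diff (crowdsec additionally has a cross-namespace `dependsOn`). If the centralised sources are intentional, record the decision with a comment on this `sourceRef`, e.g. `# all HelmRepositories live in infra-gitops; requires cross-namespace refs to stay enabled on helm-controller`; otherwise place a HelmRepository in each consuming namespace.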
@@ -37,24 +37,21 @@ spec:
max_query_series: 10000
volume_enabled: true
storage:
- type: 'filesystem'
+ type: "filesystem"
schemaConfig:
configs:
- - from: "2024-01-01"
- store: tsdb
- index:
- prefix: loki_index_
- period: 24h
- object_store: filesystem
- schema: v13
+ - from: "2024-01-01"
+ store: tsdb
+ index:
+ prefix: loki_index_
+ period: 24h
+ object_store: filesystem
+ schema: v13
singleBinary:
replicas: 1
- nodeSelector:
- kubernetes.io/hostname: tce
read:
replicas: 0
backend:
replicas: 0
write:
replicas: 0
-
diff --git a/apps/infra/monitor/prometheus/helmchart.yaml b/flux/infrastructure/infra-monitor/helmrelease-prometheus.yaml
similarity index 71%
rename from apps/infra/monitor/prometheus/helmchart.yaml
rename to flux/infrastructure/infra-monitor/helmrelease-prometheus.yaml
index f4c48b5..649ecc2 100644
--- a/apps/infra/monitor/prometheus/helmchart.yaml
+++ b/flux/infrastructure/infra-monitor/helmrelease-prometheus.yaml
@@ -1,14 +1,24 @@
-apiVersion: helm.cattle.io/v1
-kind: HelmChart
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
metadata:
name: prometheus
namespace: infra-monitor
spec:
- repo: https://prometheus-community.github.io/helm-charts
- chart: kube-prometheus-stack
- targetNamespace: infra-monitor
- version: 81.6.5
- valuesContent: |-
+ interval: 30m
+ chart:
+ spec:
+ chart: kube-prometheus-stack
+ version: 81.6.5
+ sourceRef:
+ kind: HelmRepository
+ name: prometheus-community
+ namespace: infra-gitops
+ interval: 12h
+ install:
+ crds: CreateReplace
+ upgrade:
+ crds: CreateReplace
+ values:
kubeControllerManager:
enabled: false
kubeScheduler:
@@ -18,26 +28,11 @@ spec:
kubeEtcd:
enabled: false
- prometheusOperator:
- nodeSelector:
- kubernetes.io/hostname: hwa
-
- kube-state-metrics:
- nodeSelector:
- kubernetes.io/hostname: hwa
-
+ prometheusOperator: {}
+
+ kube-state-metrics: {}
+
grafana:
- affinity:
- podAffinity:
- preferredDuringSchedulingIgnoredDuringExecution:
- - weight: 100
- podAffinityTerm:
- labelSelector:
- matchLabels:
- cnpg.io/cluster: cnpg17-cluster-sh
- role: primary
- topologyKey: kubernetes.io/hostname
- namespaceSelector: {}
ingress:
enabled: true
ingressClassName: nginx
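Review bot: `prometheusOperator: {}` and `kube-state-metrics: {}` are left behind as empty mappings after their nodeSelectors were removed; an empty map overrides nothing and just suggests a value was forgotten. Either drop the two keys or keep one with a comment such as `# intentionally left to chart defaults`, so the next reader does not look for a missing override.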
@@ -77,19 +72,15 @@ spec:
persistence:
type: pvc
enabled: true
- storageClassName: local-path
accessModes:
- ReadWriteOnce
size: 10Gi
-
+
prometheus:
prometheusSpec:
- nodeSelector:
- kubernetes.io/hostname: hwa
storageSpec:
volumeClaimTemplate:
spec:
- storageClassName: local-path
accessModes:
- ReadWriteOnce
resources:
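Review bot: Dropping `storageClassName: local-path` here (and for alertmanager in the next hunk, and Grafana persistence above) makes the volumeClaimTemplates depend on the cluster having a default StorageClass; without one the PVCs stay Pending and the StatefulSets never start. Existing claims keep their `local-path` class since that field is immutable on a PVC, so the change only affects freshly created volumes. State the intent with a comment, e.g. `# no storageClassName: relies on the cluster default StorageClass`, or keep the class explicit.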
@@ -107,15 +98,12 @@ spec:
- monitor.dev.cm
paths:
- /prometheus
-
+
alertmanager:
alertmanagerSpec:
- nodeSelector:
- kubernetes.io/hostname: hwa
- storage:
+ storage:
volumeClaimTemplate:
spec:
- storageClassName: local-path
accessModes:
- ReadWriteOnce
resources:
diff --git a/apps/infra/monitor/loki/helmchart-promtail.yaml b/flux/infrastructure/infra-monitor/helmrelease-promtail.yaml
similarity index 52%
rename from apps/infra/monitor/loki/helmchart-promtail.yaml
rename to flux/infrastructure/infra-monitor/helmrelease-promtail.yaml
index fb5f5e3..437b53b 100644
--- a/apps/infra/monitor/loki/helmchart-promtail.yaml
+++ b/flux/infrastructure/infra-monitor/helmrelease-promtail.yaml
@@ -1,15 +1,21 @@
-apiVersion: helm.cattle.io/v1
-kind: HelmChart
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
metadata:
name: loki-promtail
namespace: infra-monitor
spec:
- repo: https://grafana.github.io/helm-charts
- chart: promtail
- targetNamespace: infra-monitor
- valuesContent: |-
- nodeSelector:
- svccontroller.k3s.cattle.io/enablelb: "true"
+ interval: 30m
+ dependsOn:
+ - name: loki
+ chart:
+ spec:
+ chart: promtail
+ sourceRef:
+ kind: HelmRepository
+ name: grafana
+ namespace: infra-gitops
+ interval: 12h
+ values:
configmap:
enabled: true
config:
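Review bot: `chart.spec` for promtail carries no `version`, unlike every other HelmRelease in this diff, so Flux will pull whatever the newest published promtail chart is at each 12h source interval; an unpinned chart is an unreviewed supply-chain change and makes rollbacks non-reproducible. Pin it next to `chart: promtail`, e.g. `version: "<promtail-chart-version>"` (placeholder), and bump it deliberately like the loki release does with `6.53.0`.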
@@ -19,10 +25,12 @@ spec:
snippets:
extraRelabelConfigs:
# 匹配 devcm-log-collecting/enabled 标签 只有为true时才收集日志
- - source_labels: [__meta_kubernetes_pod_label_devcm_log_collecting_enabled]
+ - source_labels:
+ [__meta_kubernetes_pod_label_devcm_log_collecting_enabled]
action: keep
regex: true
# 匹配 devcm-log-collecting/only-errors标签并只保留stderr流
- - source_labels: [__meta_kubernetes_pod_label_devcm_log_collecting_only_errors]
+ - source_labels:
+ [__meta_kubernetes_pod_label_devcm_log_collecting_only_errors]
action: drop
regex: stdout
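Review bot: `regex: true` in the first keep rule is an unquoted YAML boolean; Helm re-serialises it as `true` so the relabel config most likely still works, but the value is intended as the regex string "true" matching the label value. Quote it as `regex: "true"` so the intent is explicit and the rule does not depend on how the value round-trips through Helm. The reflow of `source_labels` onto a continuation line is valid YAML but harder to read than the one-line flow sequence it replaced.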
diff --git a/apps/infra/monitor/prometheus/ingress-static.yaml b/flux/infrastructure/infra-monitor/ingress-static-grafana.yaml
similarity index 100%
rename from apps/infra/monitor/prometheus/ingress-static.yaml
rename to flux/infrastructure/infra-monitor/ingress-static-grafana.yaml
diff --git a/flux/infrastructure/infra-monitor/kustomization.yaml b/flux/infrastructure/infra-monitor/kustomization.yaml
new file mode 100644
index 0000000..78fca96
--- /dev/null
+++ b/flux/infrastructure/infra-monitor/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - namespace.yaml
+ - helmrelease-loki.yaml
+ - helmrelease-promtail.yaml
+ - helmrelease-prometheus.yaml
+ - ingress-static-grafana.yaml
diff --git a/apps/infra/gitops/namespaces.yaml b/flux/infrastructure/infra-monitor/namespace.yaml
similarity index 65%
rename from apps/infra/gitops/namespaces.yaml
rename to flux/infrastructure/infra-monitor/namespace.yaml
index f46880b..b7f43f3 100644
--- a/apps/infra/gitops/namespaces.yaml
+++ b/flux/infrastructure/infra-monitor/namespace.yaml
@@ -1,4 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
- name: infra-gitops
\ No newline at end of file
+ name: infra-monitor
diff --git a/apps/infra/net/nginx/certificate-dev-cm.yaml b/flux/infrastructure/infra-net/certificate-dev-cm.yaml
similarity index 100%
rename from apps/infra/net/nginx/certificate-dev-cm.yaml
rename to flux/infrastructure/infra-net/certificate-dev-cm.yaml
diff --git a/apps/infra/net/nginx/configmap-static.yaml b/flux/infrastructure/infra-net/configmap-static.yaml
similarity index 100%
rename from apps/infra/net/nginx/configmap-static.yaml
rename to flux/infrastructure/infra-net/configmap-static.yaml
diff --git a/apps/infra/net/crowdsec/helmchart.yaml b/flux/infrastructure/infra-net/helmrelease-crowdsec.yaml
similarity index 85%
rename from apps/infra/net/crowdsec/helmchart.yaml
rename to flux/infrastructure/infra-net/helmrelease-crowdsec.yaml
index 2656fb6..31e68fa 100644
--- a/apps/infra/net/crowdsec/helmchart.yaml
+++ b/flux/infrastructure/infra-net/helmrelease-crowdsec.yaml
@@ -1,28 +1,28 @@
-apiVersion: helm.cattle.io/v1
-kind: HelmChart
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
metadata:
name: crowdsec
namespace: infra-net
spec:
- repo: https://crowdsecurity.github.io/helm-charts
- chart: crowdsec
- targetNamespace: infra-net
- version: 0.22.0
- valuesContent: |-
+ interval: 30m
+ dependsOn:
+ - name: ingress-nginx
+ - name: loki
+ namespace: infra-monitor
+ chart:
+ spec:
+ chart: crowdsec
+ version: 0.22.0
+ sourceRef:
+ kind: HelmRepository
+ name: crowdsec
+ namespace: infra-gitops
+ interval: 12h
+ values:
container_runtime: containerd
image:
tag: v1.7.6
agent:
- affinity:
- podAffinity:
- preferredDuringSchedulingIgnoredDuringExecution:
- - weight: 100
- podAffinityTerm:
- labelSelector:
- matchLabels:
- app.kubernetes.io/name: loki
- topologyKey: kubernetes.io/hostname
- namespaceSelector: {}
isDeployment: true
additionalAcquisition:
- source: loki
@@ -32,7 +32,7 @@ spec:
query: |
{job="infra-net/ingress-nginx"}
labels:
- type: nginx
+ type: nginx
env:
- name: COLLECTIONS
value: "crowdsecurity/base-http-scenarios crowdsecurity/http-dos"
@@ -42,16 +42,6 @@ spec:
config:
enabled: false
appsec:
- affinity:
- nodeAffinity:
- preferredDuringSchedulingIgnoredDuringExecution:
- - weight: 1
- preference:
- matchExpressions:
- - key: topology.kubernetes.io/region
- operator: In
- values:
- - cn-hk
enabled: false
acquisitions:
- source: appsec
@@ -74,16 +64,6 @@ spec:
- name: COLLECTIONS
value: "crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-crs"
lapi:
- affinity:
- nodeAffinity:
- preferredDuringSchedulingIgnoredDuringExecution:
- - weight: 1
- preference:
- matchExpressions:
- - key: topology.kubernetes.io/region
- operator: In
- values:
- - cn-hk
resources:
requests:
cpu: 150m
@@ -119,7 +99,7 @@ spec:
- "127.0.0.1/32"
- "192.168.0.0/16"
- "172.16.0.0/12"
- - "10.0.0.0/8"
+ - "10.0.0.0/8"
# api profiles.yaml配置
profiles.yaml: |
name: captcha_remediation
@@ -235,5 +215,3 @@ spec:
statics:
- meta: sub_type
value: "req_limit_exceeded"
-
-
diff --git a/apps/infra/net/nginx/helmchart.yaml b/flux/infrastructure/infra-net/helmrelease-ingress-nginx.yaml
similarity index 87%
rename from apps/infra/net/nginx/helmchart.yaml
rename to flux/infrastructure/infra-net/helmrelease-ingress-nginx.yaml
index 96e43ad..f9c8d0b 100644
--- a/apps/infra/net/nginx/helmchart.yaml
+++ b/flux/infrastructure/infra-net/helmrelease-ingress-nginx.yaml
@@ -1,14 +1,20 @@
-apiVersion: helm.cattle.io/v1
-kind: HelmChart
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
metadata:
name: ingress-nginx
namespace: infra-net
spec:
- repo: https://kubernetes.github.io/ingress-nginx
- chart: ingress-nginx
- version: 4.13.2
- targetNamespace: infra-net
- valuesContent: |-
+ interval: 30m
+ chart:
+ spec:
+ chart: ingress-nginx
+ version: 4.13.2
+ sourceRef:
+ kind: HelmRepository
+ name: ingress-nginx
+ namespace: infra-gitops
+ interval: 12h
+ values:
fullnameOverride: ingress-nginx
controller:
image:
@@ -16,24 +22,12 @@ spec:
image: crowdsecurity/controller
tag: v1.13.2
digest: sha256:4575be24781cad35f8e58437db6a3f492df2a3167fed2b6759a6ff0dc3488d56
- nodeSelector:
- svccontroller.k3s.cattle.io/enablelb: "true"
- tolerations:
- - key: "node-role.kubernetes.io/control-plane"
- operator: "Exists"
- effect: "NoSchedule"
labels:
devcm-log-collecting/enabled: "true"
kind: DaemonSet
hostNetwork: true
hostPort:
enabled: true
- # 添加 DNS 配置
- dnsPolicy: "None"
- dnsConfig:
- nameservers:
- - "169.254.20.10"
- - "10.43.0.10"
service:
enabled: false
publishService:
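Review bot: Removing `dnsPolicy: "None"` and `dnsConfig` while `hostNetwork: true` stays means the controller pods fall back to the chart's default policy, which for host-network pods resolves through the node's resolver rather than cluster DNS, so any cluster-internal name the controller needs (for example a crowdsec LAPI service address configured further down in this file) may stop resolving. If cluster DNS is required, set `dnsPolicy: ClusterFirstWithHostNet` explicitly with a comment saying why. Note also that the control-plane tolerations were removed from a DaemonSet, so tainted control-plane nodes will no longer run the ingress controller; confirm that matches where traffic is expected to arrive.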
@@ -44,7 +38,7 @@ spec:
use-forwarded-headers: "true"
enable-real-ip: "true"
forwarded-for-header: "X-Dev-Cm-Real-IP"
- proxy-real-ip-cidr: "0.0.0.0/0"
+ proxy-real-ip-cidr: "0.0.0.0/0"
allow-snippet-annotations: "true"
annotations-risk-level: Critical
# 启用http2
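Review bot: `proxy-real-ip-cidr: "0.0.0.0/0"` combined with `use-forwarded-headers: "true"` and `forwarded-for-header: "X-Dev-Cm-Real-IP"` means the client address is taken from a request header regardless of who sent the request; since the controller listens on hostPorts with hostNetwork, anything that can reach a node directly can present an arbitrary address to the crowdsec bouncer and to the access logs that crowdsec's scenarios are built on. Restrict `proxy-real-ip-cidr` to the CIDRs of the upstream proxy or CDN that actually sets that header, and document it with a comment such as `# only trust X-Dev-Cm-Real-IP from the CDN ranges below`. If direct node access is meant to be blocked at the network edge, say so next to the setting so the assumption is visible.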
@@ -131,7 +125,7 @@ spec:
plugins: "crowdsec"
lua-shared-dicts: "crowdsec_cache: 50m"
# 启用geoip2模块
- maxmindLicenseKey: "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"
+ maxmindLicenseKey: ""
extraArgs:
default-ssl-certificate: "infra-net/dev-cm-crt"
# crowdsec插件配置
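Review bot: Blanking `maxmindLicenseKey` removes the hard-coded key from the new file, but the old value remains in git history and should be treated as exposed and rotated on the MaxMind side. With an empty key the chart presumably no longer enables the geoip2 module, so the comment above it (`# 启用geoip2模块`) now describes something that is not happening; either update the comment or supply the rotated key from a Secret via the HelmRelease `valuesFrom` mechanism rather than inline values.
```yaml
spec:
  # … unchanged: interval, chart …
  valuesFrom:
    - kind: Secret
      name: <maxmind-license-secret>   # placeholder, create out of band
      valuesKey: license-key
      targetPath: controller.maxmindLicenseKey
  values:
    # … unchanged: fullnameOverride, controller … (drop the inline maxmindLicenseKey)
```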
@@ -199,13 +193,3 @@ spec:
extraVolumeMounts:
- name: static
mountPath: /app/static
- affinity:
- nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- nodeSelectorTerms:
- - matchExpressions:
- - key: topology.kubernetes.io/region
- operator: In
- values:
- - "cn-sh"
- - "cn-hk"
diff --git a/apps/infra/net/tailscale/helmchart.yaml b/flux/infrastructure/infra-net/helmrelease-tailscale-derp.yaml
similarity index 64%
rename from apps/infra/net/tailscale/helmchart.yaml
rename to flux/infrastructure/infra-net/helmrelease-tailscale-derp.yaml
index a179c1d..d4a1575 100644
--- a/apps/infra/net/tailscale/helmchart.yaml
+++ b/flux/infrastructure/infra-net/helmrelease-tailscale-derp.yaml
@@ -1,16 +1,20 @@
-apiVersion: helm.cattle.io/v1
-kind: HelmChart
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
metadata:
name: tailscale-derp-hk
namespace: infra-net
spec:
- repo: https://devcm-repo.github.io/helm-charts
- chart: tailscale-derp
- version: 0.0.9
- targetNamespace: infra-net
- valuesContent: |-
- nodeSelector:
- kubernetes.io/hostname: tchk
+ interval: 30m
+ chart:
+ spec:
+ chart: tailscale-derp
+ version: 0.0.9
+ sourceRef:
+ kind: HelmRepository
+ name: devcm-repo
+ namespace: infra-gitops
+ interval: 12h
+ values:
image:
tag: v1.94.1
hostNetwork: true
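Review bot: The `nodeSelector` pinning this release to `tchk` is dropped, yet `hostNetwork: true` remains and the DERP config later in the file still uses `hostname: "tchk.node.dev.cm"` with a mounted certificate volume, so the pod can now be scheduled on any node while its DNS name, certificate and exposed host ports all presume that one host. If the pod lands elsewhere, clients connecting to `tchk.node.dev.cm` will not reach it and the served certificate will not match. Restore a node constraint (a nodeSelector or required nodeAffinity on `kubernetes.io/hostname`) or add a comment explaining how the hostname is kept in sync with scheduling.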
@@ -27,7 +31,7 @@ spec:
- name: cert-volume
mountPath: /certs
derp:
- hostname: 'tchk.node.dev.cm'
+ hostname: "tchk.node.dev.cm"
verify_clients: true
http_port: -1
https_port: 30443
diff --git a/apps/infra/net/nginx/ingress-cdn.yaml b/flux/infrastructure/infra-net/ingress-cdn.yaml
similarity index 100%
rename from apps/infra/net/nginx/ingress-cdn.yaml
rename to flux/infrastructure/infra-net/ingress-cdn.yaml
diff --git a/flux/infrastructure/infra-net/kustomization.yaml b/flux/infrastructure/infra-net/kustomization.yaml
new file mode 100644
index 0000000..1c19fa2
--- /dev/null
+++ b/flux/infrastructure/infra-net/kustomization.yaml
@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - namespace.yaml
+ - helmrelease-ingress-nginx.yaml
+ - configmap-static.yaml
+ - certificate-dev-cm.yaml
+ - ingress-cdn.yaml
+ - helmrelease-crowdsec.yaml
+ - helmrelease-tailscale-derp.yaml
diff --git a/apps/infra/data/namespaces.yaml b/flux/infrastructure/infra-net/namespace.yaml
similarity index 69%
rename from apps/infra/data/namespaces.yaml
rename to flux/infrastructure/infra-net/namespace.yaml
index e6a787a..6e11a04 100644
--- a/apps/infra/data/namespaces.yaml
+++ b/flux/infrastructure/infra-net/namespace.yaml
@@ -1,4 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
- name: infra-data
\ No newline at end of file
+ name: infra-net
diff --git a/apps/kube/coredns/configmap.yaml b/flux/infrastructure/kube-system/configmap-coredns.yaml
similarity index 100%
rename from apps/kube/coredns/configmap.yaml
rename to flux/infrastructure/kube-system/configmap-coredns.yaml
diff --git a/flux/infrastructure/kube-system/kustomization.yaml b/flux/infrastructure/kube-system/kustomization.yaml
new file mode 100644
index 0000000..995f984
--- /dev/null
+++ b/flux/infrastructure/kube-system/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - configmap-coredns.yaml
+ - nodelocaldns.yaml
diff --git a/apps/kube/coredns/nodelocaldns.yaml b/flux/infrastructure/kube-system/nodelocaldns.yaml
similarity index 100%
rename from apps/kube/coredns/nodelocaldns.yaml
rename to flux/infrastructure/kube-system/nodelocaldns.yaml
diff --git a/flux/infrastructure/sources/helm-repositories.yaml b/flux/infrastructure/sources/helm-repositories.yaml
new file mode 100644
index 0000000..53699dd
--- /dev/null
+++ b/flux/infrastructure/sources/helm-repositories.yaml
@@ -0,0 +1,141 @@
+# cert-manager
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: jetstack
+ namespace: infra-gitops
+spec:
+ interval: 24h
+ url: https://charts.jetstack.io
+---
+# cert-manager-webhook-dnspod (OCI)
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: imroc
+ namespace: infra-gitops
+spec:
+ interval: 24h
+ type: oci
+ url: oci://registry-1.docker.io/imroc
+---
+# reflector
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: emberstack
+ namespace: infra-gitops
+spec:
+ interval: 24h
+ url: https://emberstack.github.io/helm-charts
+---
+# velero
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: vmware-tanzu
+ namespace: infra-gitops
+spec:
+ interval: 24h
+ url: https://vmware-tanzu.github.io/helm-charts
+---
+# cloudnative-pg, plugin-barman-cloud
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: cloudnative-pg
+ namespace: infra-gitops
+spec:
+ interval: 24h
+ url: https://cloudnative-pg.github.io/charts
+---
+# valkey-cluster (OCI)
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: bitnami
+ namespace: infra-gitops
+spec:
+ interval: 24h
+ type: oci
+ url: oci://registry-1.docker.io/bitnamicharts
+---
+# ingress-nginx
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: ingress-nginx
+ namespace: infra-gitops
+spec:
+ interval: 24h
+ url: https://kubernetes.github.io/ingress-nginx
+---
+# crowdsec
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: crowdsec
+ namespace: infra-gitops
+spec:
+ interval: 24h
+ url: https://crowdsecurity.github.io/helm-charts
+---
+# tailscale-derp, rustdesk-server
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: devcm-repo
+ namespace: infra-gitops
+spec:
+ interval: 24h
+ url: https://devcm-repo.github.io/helm-charts
+---
+# loki, promtail
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: grafana
+ namespace: infra-gitops
+spec:
+ interval: 24h
+ url: https://grafana.github.io/helm-charts
+---
+# kube-prometheus-stack
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: prometheus-community
+ namespace: infra-gitops
+spec:
+ interval: 24h
+ url: https://prometheus-community.github.io/helm-charts
+---
+# gitea, gitea-actions
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: gitea
+ namespace: infra-gitops
+spec:
+ interval: 24h
+ url: https://dl.gitea.com/charts
+---
+# whoami
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: cowboysysop
+ namespace: infra-gitops
+spec:
+ interval: 24h
+ url: https://cowboysysop.github.io/charts/
+---
+# halo
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: halo
+ namespace: infra-gitops
+spec:
+ interval: 24h
+ url: https://halo-sigs.github.io/charts/
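Review bot: None of the HelmReleases consuming these sources enable chart signature verification; for the two OCI repositories (`bitnami`, `imroc`) Flux supports `chart.spec.verify` (cosign or notation) on the HelmRelease, which would let the controller reject unsigned or tampered charts where the publisher signs them. Consider documenting the decision here with a comment on each OCI entry, e.g. `# OCI source: consider chart.spec.verify on consuming HelmReleases`. Minor style point: `cowboysysop` and `halo` URLs end with a trailing slash while the others do not; align them for consistency.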
diff --git a/flux/infrastructure/sources/kustomization.yaml b/flux/infrastructure/sources/kustomization.yaml
new file mode 100644
index 0000000..df39355
--- /dev/null
+++ b/flux/infrastructure/sources/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - helm-repositories.yaml
diff --git a/apps/infra/gitops/flux/clusterrolebinding.yaml b/helmcharts/clusterrolebinding-flux.yaml
similarity index 100%
rename from apps/infra/gitops/flux/clusterrolebinding.yaml
rename to helmcharts/clusterrolebinding-flux.yaml
diff --git a/apps/infra/gitops/flux/helmchart.yaml b/helmcharts/helmchart-flux.yaml
similarity index 100%
rename from apps/infra/gitops/flux/helmchart.yaml
rename to helmcharts/helmchart-flux.yaml
diff --git a/apps/infra/gitops/flux/networkpolicy.yaml b/helmcharts/networkpolicy-flux.yaml
similarity index 100%
rename from apps/infra/gitops/flux/networkpolicy.yaml
rename to helmcharts/networkpolicy-flux.yaml