diff --git a/cluster/base/manifests.yaml b/cluster/base/manifests.yaml
new file mode 100644
index 000000000..a4b1437e4
--- /dev/null
+++ b/cluster/base/manifests.yaml
@@ -0,0 +1,50 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: manifests
+  namespace: flux-system
+spec:
+  interval: 5m
+  dependsOn:
+    - name: infrastructure
+    - name: crds
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  path: ./cluster/manifests
+  prune: true
+  wait: true
+  timeout: 5m0s
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
+  postBuild:
+    substitute: {}
+    substituteFrom:
+      - kind: ConfigMap
+        name: cluster-settings
+      - kind: Secret
+        name: cluster-secrets
+  patches:
+    # Used to keep kustomizations DRY that require decryption and substitution variables
+    # TODO: Consider if there are use cases where decryption is used but not substitution and vice versa, if so split this into two separate optional patches
+    - patch: |-
+        apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+        kind: Kustomization
+        metadata:
+          name: not-used
+        spec:
+          decryption:
+            provider: sops
+            secretRef:
+              name: sops-age
+          postBuild:
+            substituteFrom:
+              - kind: Secret
+                name: cluster-secrets
+              - kind: ConfigMap
+                name: cluster-settings
+      target:
+        labelSelector: substitution.flux.home.arpa/enabled=true