diff --git a/.taskfiles/cluster/Taskfile.dist.yaml b/.taskfiles/cluster/Taskfile.dist.yaml index 802d71d9..2bb0107d 100644 --- a/.taskfiles/cluster/Taskfile.dist.yaml +++ b/.taskfiles/cluster/Taskfile.dist.yaml @@ -1,6 +1,11 @@ --- version: "3" +includes: + flux: + internal: true + taskfile: ../flux + vars: C: '{{.C | default "biohazard"}}' APPLY: '{{.APPLY | default "0"}}' @@ -14,22 +19,18 @@ tasks: - | sed -i 's/current-context: admin@.*/current-context: admin@{{.C}}/g' ~/.kube/config || true - cluster-init-flux: - aliases: [initflux] - vars: - C: '{{ or .C (fail "Missing `C` environment variable for cluster!") }}' - cmds: - - task: cluster-switch - vars: - C: '{{.C}}' - - kubectl apply --server-side --kustomize ./kube/bootstrap/flux/ - cluster-init: aliases: [init] vars: C: '{{ or .C (fail "Missing C environment variable for cluster!") }}' APPLY: '1' cmds: + - task: cluster-switch + vars: + C: '{{ or .C (fail "Missing C environment variable for cluster!") }}' + - task: flux:install + vars: + C: '{{ or .C (fail "Missing C environment variable for cluster!") }}' - task: cluster-init-config vars: C: '{{ or .C (fail "Missing C environment variable for cluster!") }}' diff --git a/.taskfiles/flux/Taskfile.dist.yaml b/.taskfiles/flux/Taskfile.dist.yaml index 147ab972..ce4d0b78 100644 --- a/.taskfiles/flux/Taskfile.dist.yaml +++ b/.taskfiles/flux/Taskfile.dist.yaml @@ -2,6 +2,9 @@ version: "3" tasks: + install: + cmds: + - kubectl apply --server-side --kustomize /{{.ROOT_DIR}}/kube/bootstrap/flux/ get-all-watch: aliases: [ga, fga, getall] diff --git a/.taskfiles/k8s/Taskfile.dist.yaml b/.taskfiles/k8s/Taskfile.dist.yaml index fbeaf7ed..042e9c19 100644 --- a/.taskfiles/k8s/Taskfile.dist.yaml +++ b/.taskfiles/k8s/Taskfile.dist.yaml 
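Review bot: The new `flux:install` step in `cluster-init` applies the Flux bootstrap to whatever kubectl context is current, because the preceding `cluster-switch` only rewrites `current-context` with a sed that ends in `|| true` and nothing checks that the context actually became `admin@{{.C}}`; a server-side apply that lands on the wrong cluster is hard to undo. Insert one command between the `cluster-switch` and `flux:install` entries that fails closed: `- '[ "$(kubectl config current-context)" = "admin@{{.C}}" ] || { echo "kubectl context is not admin@{{.C}}" >&2; exit 1; }'`. The three `C: '{{ or .C (fail ...) }}'` re-validations on the forwarded vars duplicate the task-level `vars` entry that already fails on a missing `C`; the removed task's `C: '{{.C}}'` form is sufficient and easier to read.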
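Review bot: The new `install` task has no `desc:` and declares no vars, yet `cluster-init` forwards `C` to it; it applies `/{{.ROOT_DIR}}/kube/bootstrap/flux/` to whichever context kubectl currently has, and that dependency should be stated where the task is defined. Add `desc: Server-side apply the Flux bootstrap kustomization to the current kubectl context; run cluster:cluster-switch first.` above `cmds:`. If the task is meant to be callable outside `cluster-init`, declaring `C` here and checking `kubectl config current-context` against it would give the forwarded variable a purpose; otherwise the caller can stop passing it.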
@@ -7,6 +7,15 @@ vars: sh: date +%Y%m%d-%H%M%S tasks: + race-ns-pod-security: + aliases: [nsps] + desc: While true loop labelling a given namespace with Pod Security labels, if external source creates namespace (e.g. Azure Arc's Helm apply with `--create-namespace`) + vars: + NS: '{{ or .NS (fail "Missing `NS` environment variable!") }}' + PS: '{{ or .PS (fail "Missing `PS` environment variable!") }}' + cmds: + - while true; do kubectl label namespaces {{.NS}} "pod-security.kubernetes.io/enforce={{.PS}}" >/dev/null 2>/dev/null || true; kubectl label namespaces {{.NS}} "pod-security.kubernetes.io/enforce-version=latest" >/dev/null 2>/dev/null || true; done + wait-pod-pending: aliases: [waitp] internal: true @@ -67,11 +76,11 @@ tasks: vars: app: '{{ or .app (fail "Missing `app` variable!") }}' cmds: - - cp -r ./kube/templates/test ./kube/3-deploy/2-apps/{{.app}} + - cp -r ./kube/templates/test ./kube/deploy/apps/{{.app}} # lowercase, used for resource names etc - - grep -lR 'APPNAME' ./kube/3-deploy/2-apps/{{.app}}/ | xargs -I% sed -i 's/${APPNAME}/{{.app}}/g' % + - grep -lR 'APPNAME' ./kube/deploy/apps/{{.app}}/ | xargs -I% sed -i 's/${APPNAME}/{{.app}}/g' % # uppercase, for variable substitution references e.g. ${APP_DNS_AUTHENTIK} - - grep -lR 'APPNAME' ./kube/3-deploy/2-apps/{{.app}}/ | xargs -I% sed -i 's/_APPNAME}/_{{.app}}}/g;s/\(_{{.app}}}\)/\U\1/g' % + - grep -lR 'APPNAME' ./kube/deploy/apps/{{.app}}/ | xargs -I% sed -i 's/_APPNAME}/_{{.app}}}/g;s/\(_{{.app}}}\)/\U\1/g' % iperf2: desc: Start a iperf2 server on one node, and iperf2 client on another node, to benchmark network performance. diff --git a/.taskfiles/rook/Taskfile.dist.yaml b/.taskfiles/rook/Taskfile.dist.yaml index 0492068e..31f5a7e3 100644 --- a/.taskfiles/rook/Taskfile.dist.yaml +++ b/.taskfiles/rook/Taskfile.dist.yaml 
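Review bot: The `while true` loop in `race-ns-pod-security` has neither a `sleep` nor an exit condition, so it fires two `kubectl label` calls back-to-back as fast as the API server answers for as long as the task runs, with every error discarded by `2>/dev/null || true`; that is self-inflicted API load and audit-log noise, and because `--overwrite` is absent a namespace that already carries the label with a different level is never corrected (kubectl refuses to change it). The `desc` says the looping is intentional, so the smallest change is to pace it, stop once the namespace carries the requested `enforce` level, and set both labels in one `--overwrite` call, as below. The `desc` value is also long enough to be worth folding with `>-`.
```yaml
    # … unchanged: aliases, desc, vars …
    cmds:
      - |
        until kubectl get namespace {{.NS}} -o jsonpath='{.metadata.labels.pod-security\.kubernetes\.io/enforce}' 2>/dev/null | grep -qx '{{.PS}}'; do
          kubectl label namespaces {{.NS}} --overwrite \
            "pod-security.kubernetes.io/enforce={{.PS}}" \
            "pod-security.kubernetes.io/enforce-version=latest" >/dev/null 2>&1 || true
          sleep 1
        done
```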
@@ -75,7 +75,7 @@ tasks: kubectl -n kube-system logs job/{{.JOB_NAME}} -f || true; until kubectl -n kube-system wait job/{{.JOB_NAME}} --for condition=complete --timeout=2s; do echo "Job {{.JOB_NAME}} is still running, logs:" && - kubectl -n kube-system logs job/{{.JOB_NAME}} -f; + kubectl -n kube-system logs job/{{.JOB_NAME}} -f || true; done; # - kubectl -n kube-system logs job/{{.JOB_NAME}} - defer: kubectl -n kube-system delete job {{.JOB_NAME}} @@ -93,7 +93,7 @@ tasks: dir: '/{{.ROOT_DIR}}/.taskfiles/rook' cmds: - envsubst < <(cat {{.JOB_TEMPLATE}}) | kubectl apply -f - - - until kubectl -n kube-system wait job/{{.JOB_NAME}} --for condition=complete --timeout=2s; do echo "Job {{.JOB_NAME}} is still running, logs:" && kubectl -n kube-system logs job/{{.JOB_NAME}} -f; done + - until kubectl -n kube-system wait job/{{.JOB_NAME}} --for condition=complete --timeout=2s; do echo "Job {{.JOB_NAME}} is still running, logs:" && kubectl -n kube-system logs job/{{.JOB_NAME}} -f || true; done - defer: kubectl -n kube-system delete job {{.JOB_NAME}} vars: NODE: '{{ or .NODE (fail "`NODE` is required") }}' diff --git a/.taskfiles/talos/Taskfile.dist.yaml b/.taskfiles/talos/Taskfile.dist.yaml index 399e8f9a..93bd7ac4 100644 --- a/.taskfiles/talos/Taskfile.dist.yaml +++ b/.taskfiles/talos/Taskfile.dist.yaml @@ -15,7 +15,7 @@ vars: tasks: genconfig: desc: Decrypt cluster vars from .env to .yaml for talhelper to consume. - dir: '/{{.ROOT_DIR}}/kube/clusters/{{.C}}/talos' + dir: "/{{.ROOT_DIR}}/kube/clusters/{{.C}}/talos" vars: C: '{{ or .C (fail "Missing C environment variable for cluster!") }}' cmds: @@ -27,7 +27,7 @@ tasks: cilium-bootstrap-apply: aliases: [cilium] desc: Bootstrap Cilium onto new cluster, ready for Flux to take over managing Cilium. - dir: '/{{.ROOT_DIR}}/kube/clusters/{{.C}}/talos' + # dir: "/{{.ROOT_DIR}}/kube/clusters/{{.C}}/talos" vars: C: '{{ or .C (fail "Missing C environment variable for cluster!") }}' cmds: 
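Review bot: The `until kubectl ... wait job/{{.JOB_NAME}} --for condition=complete --timeout=2s` loop, in this hunk and in the one-line form in the second rook hunk, still spins forever when the job ends in `Failed`, since only the `complete` condition is polled; a failing `kubectl logs` never ended the loop before either, so the added `|| true` only quiets it. Check the failure condition once per iteration and bail out, at the top of the loop body in both places: `if kubectl -n kube-system wait job/{{.JOB_NAME}} --for condition=failed --timeout=0 2>/dev/null; then echo "Job {{.JOB_NAME}} failed" >&2; exit 1; fi`. The existing `defer:` still deletes the job on that exit. The block scalar holding the first loop starts above this hunk.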
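Review bot: Commenting out `dir:` on `cilium-bootstrap-apply` changes the working directory its `cmds` run in but leaves a dead line behind with nothing saying why; the `cmds:` block continues outside this hunk, so I cannot confirm from here that every command is path-independent. Either delete the line or replace it with a comment that records the intent, e.g. `# intentionally no dir: the commands below use absolute paths under ROOT_DIR` if that is the reason.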
@@ -37,13 +37,13 @@ tasks: - task: k8s:sops-apply vars: C: '{{.C | default "biohazard"}}' - F: '/{{.ROOT_DIR}}/kube/deploy/core/_networking/cilium/app/bootstrap-install' - FCMD: 'kustomize build --enable-helm' + F: "/{{.ROOT_DIR}}/kube/deploy/core/_networking/cilium/app/bootstrap-install" + FCMD: "kustomize build --enable-helm" bootstrap: aliases: [bs] desc: Runs all bootstrap related tasks. - dir: '/{{.ROOT_DIR}}/kube/clusters/{{.C}}/talos' + dir: "/{{.ROOT_DIR}}/kube/clusters/{{.C}}/talos" vars: C: '{{ or .C (fail "Missing C environment variable for cluster!") }}' IP: '{{ or .IP (fail "Missing IP environment variable!") }}' @@ -63,11 +63,11 @@ tasks: - task: cluster:cluster-init-config vars: C: '{{.C | default "biohazard"}}' - APPLY: '1' + APPLY: "1" reboot: desc: Reboot nodes based on Kubernetes InternalIP. Assumes only 1 IP in InternalIP, and the IP known to Kubernetes is the same used by `talosctl`. vars: NODE: '{{ or .NODE (fail "Missing `NODE` environment variable!") }}' cmds: - - talosctl reboot --nodes $(kubectl get nodes {{.NODE}} -o yaml | yq '.status.addresses | map(select(.type == "InternalIP")) | .[].address)' \ No newline at end of file + - talosctl reboot --nodes $(kubectl get nodes {{.NODE}} -o yaml | yq '.status.addresses | map(select(.type == "InternalIP")) | .[].address')
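Review bot: The repaired `reboot` command still expands `$(kubectl ... | yq ...)` unquoted, so when the node reports more than one InternalIP the extra addresses become stray positional arguments to `talosctl reboot` instead of part of `--nodes`, and a kubectl failure yields an empty expansion that reaches talosctl rather than stopping the task; the `desc` documents the single-IP assumption but nothing enforces it. Compute the address list first, have yq join it with commas (which `--nodes` accepts), and fail closed on an empty result, as below. The quote-only changes to `dir:`, `F:`, `FCMD:` and `APPLY:` in this file are harmless since none of the values contain a backslash.
```yaml
    cmds:
      - |
        set -euo pipefail
        NODES="$(kubectl get nodes {{.NODE}} -o yaml | yq '.status.addresses | map(select(.type == "InternalIP")) | map(.address) | join(",")')"
        if [ -z "$NODES" ] || [ "$NODES" = "null" ]; then echo "no InternalIP found for node {{.NODE}}" >&2; exit 1; fi
        talosctl reboot --nodes "$NODES"
```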