I have a similar toolchain, fully using native system packages, built around Holo [1] as a config management tool and holo-build [2] as a distro-independent package building tool. In the intended state, the root configuration package (e.g. [3] for my desktop PC) is the only explicitly installed package on the system.