diff --git a/otc/observability.t09.de/stacks/core/dex/values.yaml b/otc/observability.t09.de/stacks/core/dex/values.yaml
index 435a7d6..d552b8a 100644
--- a/otc/observability.t09.de/stacks/core/dex/values.yaml
+++ b/otc/observability.t09.de/stacks/core/dex/values.yaml
@@ -68,4 +68,4 @@ config:
 redirectURIs:
 - "https://grafana.observability.t09.de/login/generic_oauth"
 name: "Grafana"
- secret: "{{`{{ .Env.OIDC_DEX_GRAFANA_CLIENT_SECRET }}`}}"
+ secret: "thisisasecret"
diff --git a/otc/observability.t09.de/stacks/observability/grafana-operator/manifests/grafana.yaml b/otc/observability.t09.de/stacks/observability/grafana-operator/manifests/grafana.yaml
index 0de9c4f..3815699 100644
--- a/otc/observability.t09.de/stacks/observability/grafana-operator/manifests/grafana.yaml
+++ b/otc/observability.t09.de/stacks/observability/grafana-operator/manifests/grafana.yaml
@@ -39,3 +39,21 @@ spec:
 - hosts:
 - grafana.observability.t09.de
 secretName: grafana-net-tls
+ config:
+ auth:
+ disable_login: true
+ disable_login_form: true
+ auth.generic_oauth:
+ enabled: true
+ name: Forgejo
+ allow_sign_up: false
+ use_refresh_token: true
+ client_id: grafana
+ client_secret: "thisisasecret" # $__file{/etc/secrets/auth_generic_oauth/client_secret}
+ scopes: openid email profile offline_access roles
+ auth_url: https://dex.observability.t09.de/auth
+ token_url: https://dex.observability.t09.de/token
+ api_url: https://dex.observability.t09.de/userinfo
+ redirect_uri: https://grafana.observability.t09.de/login/generic_oauth
+ role_attribute_path: "contains(groups[*], 'admin') && 'Admin' || contains(groups[*], 'editor') && 'Editor' || 'Viewer'"
+
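Review bot: The added `secret: "thisisasecret"` in dex/values.yaml commits the Grafana OIDC client secret as a plain-text literal in place of the removed `.Env.OIDC_DEX_GRAFANA_CLIENT_SECRET` template reference, and the grafana.yaml hunk repeats the same literal in `client_secret`. Once merged, the value is readable by everyone with access to the repository or its history, so it should be treated as exposed and rotated rather than merely reverted. I would keep the environment-templated line in dex/values.yaml. In grafana.yaml, use the form the trailing comment already names, `client_secret: $__file{/etc/secrets/auth_generic_oauth/client_secret}`, with the secret mounted at that path. If the literal is only a temporary debugging aid, it should not land on a branch that gets deployed.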
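Review bot: In the grafana.yaml hunk, `role_attribute_path` evaluates `groups[*]`, but `scopes` requests `roles` and never `groups`. As far as I know Dex only emits the `groups` claim when the `groups` scope is asked for and does not define a `roles` scope, so this should be confirmed against the Dex version in use. If that holds, the expression always falls through to `'Viewer'`, or the authorization request is rejected for the unknown scope, and the Admin/Editor mapping never takes effect. I would change the line to `scopes: openid email profile offline_access groups`. A short comment above `role_attribute_path` saying which Dex groups map to which Grafana role would also help the next reader.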