diff --git a/template/stacks/observability/grafana-operator/manifests/grafana.yaml b/template/stacks/observability/grafana-operator/manifests/grafana.yaml
index 5dd36e8..41f32db 100644
--- a/template/stacks/observability/grafana-operator/manifests/grafana.yaml
+++ b/template/stacks/observability/grafana-operator/manifests/grafana.yaml
@@ -17,6 +17,40 @@ spec:
 resources:
 requests:
 storage: 10Gi
+ deployment:
+ spec:
+ template:
+ spec:
+ containers:
+ - name: grafana
+ env:
+ - name: OAUTH_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ key: clientSecret
+ name: dex-grafana-client
+ config:
+ log.console:
+ level: debug
+ server:
+ root_url: "https://{{{ .Env.DOMAIN_GRAFANA }}}"
+ auth:
+ disable_login: "true"
+ disable_login_form: "true"
+ auth.generic_oauth:
+ enabled: "true"
+ name: Forgejo
+ allow_sign_up: "true"
+ use_refresh_token: "true"
+ client_id: grafana
+ client_secret: $__env{OAUTH_CLIENT_SECRET}
+ scopes: openid email profile offline_access groups
+ auth_url: https://{{{ .Env.DOMAIN_DEX }}}/auth
+ token_url: https://{{{ .Env.DOMAIN_DEX }}}/token
+ api_url: https://{{{ .Env.DOMAIN_DEX }}}/userinfo
+ redirect_uri: https://{{{ .Env.DOMAIN_GRAFANA }}}/login/generic_oauth
+ role_attribute_path: "contains(groups[*], 'DevFW') && 'GrafanaAdmin' || 'None'"
+ allow_assign_grafana_admin: "true"
 ingress:
 metadata:
 annotations:
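Review bot: The `role_attribute_path` under `auth.generic_oauth` maps every member of the `DevFW` group to `GrafanaAdmin`, and `allow_assign_grafana_admin: "true"` makes that a server-wide admin grant, so the Dex `groups` claim alone decides who administers the instance. Consider returning an org role such as `'Admin'` from the expression unless server admin is really required. The expression also assumes the `groups` claim is always present; if it is missing, the JMESPath evaluation may fail and Grafana may fall back to its default auto-assigned org role instead of `None`, so I would add `role_attribute_strict: "true"` to refuse the login in that case. Separately, `log.console` is set to `level: debug`, which is verbose for a deployment that handles OAuth tokens; `level: info` is a safer default. The enclosing `spec` mapping starts and continues outside the hunk.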