diff --git a/template/stacks/core/dex.yaml b/template/stacks/core/dex.yaml
new file mode 100644
index 0000000..d41c0bf
--- /dev/null
+++ b/template/stacks/core/dex.yaml
@@ -0,0 +1,29 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: dex
+ namespace: argocd
+ labels:
+ env: dev
+spec:
+ project: default
+ syncPolicy:
+ automated:
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ retry:
+ limit: -1
+ destination:
+ name: in-cluster
+ namespace: dex
+ sources:
+ - repoURL: https://charts.dexidp.io
+ chart: dex
+ targetRevision: 0.23.0
+ helm:
+ valueFiles:
+ - $values/{{{ .Env.CLIENT_REPO_ID }}}/{{{ .Env.DOMAIN }}}/stacks/core/dex/values.yaml
+ - repoURL: https://{{{ .Env.CLIENT_REPO_DOMAIN }}}/{{{ .Env.CLIENT_REPO_ORG_NAME }}}
+ targetRevision: HEAD
+ ref: values
diff --git a/template/stacks/core/dex/values.yaml b/template/stacks/core/dex/values.yaml
new file mode 100644
index 0000000..116cbdd
--- /dev/null
+++ b/template/stacks/core/dex/values.yaml
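Review bot: The second source that supplies the Dex values (`ref: values`) tracks `targetRevision: HEAD` while the chart itself is pinned to `0.23.0`, so with `automated.selfHeal: true` any commit to the client repository's default branch is rolled into the identity provider's configuration (connectors, static clients, redirect URIs) without a further gate. If a floating HEAD is intentional for this GitOps template, a comment such as `# values follow the client repo's default branch by design` above the second `- repoURL:` line would make that explicit; otherwise pin it to a tag or commit. `retry.limit: -1` retries the sync without bound, which keeps an Application whose values never render in a perpetual retry loop; a finite limit with backoff surfaces that state sooner.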
@@ -0,0 +1,76 @@
+ingress:
+ enabled: true
+ className: nginx
+ annotations:
+ cert-manager.io/cluster-issuer: main
+ hosts:
+ - host: {{{ .Env.DOMAIN_DEX }}}
+ paths:
+ - path: /
+ pathType: Prefix
+ tls:
+ - hosts:
+ - {{{ .Env.DOMAIN_DEX }}}
+ secretName: dex-cert
+
+envVars:
+ - name: FORGEJO_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: dex-forgejo-client
+ key: clientSecret
+ - name: FORGEJO_CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ name: dex-forgejo-client
+ key: clientID
+ - name: OIDC_DEX_GRAFANA_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: dex-grafana-client
+ key: clientSecret
+ - name: OIDC_DEX_ARGO_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: dex-argo-client
+ key: clientSecret
+ - name: LOG_LEVEL
+ value: debug
+
+config:
+ # Set it to a valid URL
+ issuer: https://{{{ .Env.DOMAIN_DEX }}}
+
+ # See https://dexidp.io/docs/storage/ for more options
+ storage:
+ type: memory
+
+ oauth2:
+ skipApprovalScreen: true
+ alwaysShowLoginScreen: false
+
+ connectors:
+ - type: gitea
+ id: gitea
+ name: Forgejo
+ config:
+ clientID: "$FORGEJO_CLIENT_ID"
+ clientSecret: "$FORGEJO_CLIENT_SECRET"
+ redirectURI: https://{{{ .Env.DOMAIN_DEX }}}/callback
+ baseURL: https://edp.buildth.ing
+ # loadAllGroups: true
+ orgs:
+ - name: DevFW
+ enablePasswordDB: false
+
+ staticClients:
+ - id: controller-argocd-dex
+ name: ArgoCD Client
+ redirectURIs:
+ - "http://{{{ .Env.DOMAIN_ARGOCD }}}/auth/callback"
+ secret: "{{`{{ .Env.OIDC_DEX_ARGO_CLIENT_SECRET }}`}}"
+ - id: grafana
+ redirectURIs:
+ - "https://{{{ .Env.DOMAIN_GRAFANA }}}/login/generic_oauth"
+ name: "Grafana"
+ secret: "thisisasecret"
diff --git a/template/stacks/observability/grafana-operator/manifests/grafana.yaml b/template/stacks/observability/grafana-operator/manifests/grafana.yaml
index 4b9abe2..5dd36e8 100644
--- a/template/stacks/observability/grafana-operator/manifests/grafana.yaml
+++ b/template/stacks/observability/grafana-operator/manifests/grafana.yaml
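Review bot: The `grafana` static client at the end of the hunk ships with a hard-coded `secret: "thisisasecret"`, while the `OIDC_DEX_GRAFANA_CLIENT_SECRET` variable wired from the `dex-grafana-client` Secret in `envVars` is never referenced; the value should come from that variable the same way the connector's credentials do, `secret: "$OIDC_DEX_GRAFANA_CLIENT_SECRET"`. The ArgoCD client's redirect URI is the only plain `http://` URL in the file, so the authorization code would travel in cleartext; unless the ArgoCD ingress is deliberately TLS-less it should read `- "https://{{{ .Env.DOMAIN_ARGOCD }}}/auth/callback"`. That same client's secret uses a Go-template escape (`{{`{{ .Env.OIDC_DEX_ARGO_CLIENT_SECRET }}`}}`) rather than the `$VAR` expansion the connector relies on; if nothing re-renders the values after Helm, Dex presumably receives the literal braces, so `secret: "$OIDC_DEX_ARGO_CLIENT_SECRET"` would match the env var already declared — worth confirming against the rendered config. `baseURL: https://edp.buildth.ing` is the one host not derived from `.Env`, and `LOG_LEVEL: debug` is verbose for an identity provider; both read as development leftovers and deserve either templating/downgrading or a comment stating they are intended.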
@@ -25,7 +25,7 @@ spec:
 spec:
 ingressClassName: nginx
 rules:
- - host: grafana.{{{ .Env.DOMAIN }}}
+ - host: {{{ .Env.DOMAIN_GRAFANA }}}
 http:
 paths:
 - backend:
@@ -37,5 +37,5 @@ spec:
 pathType: Prefix
 tls:
 - hosts:
- - grafana.{{{ .Env.DOMAIN }}}
+ - {{{ .Env.DOMAIN_GRAFANA }}}
 secretName: grafana-net-tls