diff --git a/flake.nix b/flake.nix
index 4234e3b..d01fe3d 100644
--- a/flake.nix
+++ b/flake.nix
@@ -90,6 +90,7 @@
 age.secrets.sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
 age.secrets.borgbackup-password.file = ./secrets/vno1-oh2/borgbackup/password.age;
+ age.secrets.grafana-oidc.file = ./secrets/grafana.jakstys.lt/oidc.age;
 age.secrets.letsencrypt-account-key.file = ./secrets/letsencrypt/account.key.age;
 }
 ];
diff --git a/hosts/vno1-oh2/configuration.nix b/hosts/vno1-oh2/configuration.nix
index 13890c8..584c11f 100644
--- a/hosts/vno1-oh2/configuration.nix
+++ b/hosts/vno1-oh2/configuration.nix
@@ -157,6 +157,16 @@
 http_addr = "0.0.0.0";
 http_port = myData.ports.grafana;
 };
+ auth.oauth_allow_insecure_email_lookup = true;
+ "auth.generic_oauth" = {
+ enabled = true;
+ client_id = "5349c113-467d-4b95-a61b-264f2d844da8";
+ client_secret = "$__file{/run/grafana/oidc-secret}";
+ auth_url = "https://git.jakstys.lt/login/oauth/authorize";
+ api_url = "https://git.jakstys.lt/login/oauth/userinfo";
+ token_url = "https://git.jakstys.lt/login/oauth/access_token";
+ };
+ feature_toggles.accessTokenExpirationCheck = true;
 };
 };
@@ -215,6 +225,14 @@
 wants = ["nsd-acme-grafana.jakstys.lt.service"];
 };
+ grafana = {
+ preStart = "ln -sf $CREDENTIALS_DIRECTORY/oidc /run/grafana/oidc-secret";
+ serviceConfig = {
+ RuntimeDirectory = "grafana";
+ LoadCredential = ["oidc:${config.age.secrets.grafana-oidc.path}"];
+ };
+ };
+
 cert-watcher = {
 description = "Restart caddy when tls keys/certs change";
 wantedBy = ["multi-user.target"];
diff --git a/secrets.nix b/secrets.nix
index 95e07bc..21ff044 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -29,6 +29,7 @@ in
 // mk ([vno1-oh2] ++ motiejus) [
 "secrets/hel1-a/zfs-passphrase.age"
 "secrets/vno1-oh2/borgbackup/password.age"
+ "secrets/grafana.jakstys.lt/oidc.age"
 "secrets/letsencrypt/account.key.age"
 ]
 // mk (systems ++ motiejus) [
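Review bot: `auth.oauth_allow_insecure_email_lookup = true;` at the top of the new Grafana OAuth settings lets Grafana attach an incoming OAuth login to any existing Grafana user whose email matches, so account linking here is only as strong as email verification on git.jakstys.lt, and Grafana's own documentation labels the lookup insecure for exactly that reason. If that git instance is invite-only or single-user this is probably acceptable, but the assumption belongs next to the setting, e.g. `# email-based account linking is acceptable only because git.jakstys.lt accounts are not self-registered`. The `"auth.generic_oauth"` block also leaves `allow_sign_up` at its default, so presumably every identity the IdP authenticates gets a Grafana account on first login; `allow_sign_up = false;` (or a `role_attribute_path`) would bound who lands in Grafana and with which role. The enclosing `settings` attribute set starts and ends outside this hunk.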
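Review bot: The `preStart` symlink and `RuntimeDirectory = "grafana"` in the new `grafana` service entry exist only to give the credential a fixed path, but systemd already provides one: a `LoadCredential` entry is exposed at `/run/credentials/grafana.service/oidc` for the life of the unit, so `client_secret = "$__file{/run/credentials/grafana.service/oidc}"` in the settings hunk above would presumably work without the `ln -sf` step or the extra runtime directory. As written the symlink is recreated on every start and left dangling under `/run/grafana` once the unit stops, which is harmless but surprising to the next reader; if the indirection is kept, a one-line comment such as `# expose the LoadCredential secret at a fixed path for $__file{} in settings` would explain it. The enclosing `systemd.services` set starts and ends outside this hunk.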
diff --git a/secrets/grafana.jakstys.lt/oidc.age b/secrets/grafana.jakstys.lt/oidc.age new file mode 100644 index 0000000..a28dba4 --- /dev/null +++ b/secrets/grafana.jakstys.lt/oidc.age @@ -0,0 +1,15 @@ +age-encryption.org/v1 +-> ssh-ed25519 gJrHQg ej79kBVT2fAw7UssjrWr2PzaHZTg/Kz4zszS2Otod0M +e6gkJMB9/ew3MVCtaeDqo71e/HGJCCGxqLw6PLCeHfE +-> X25519 B4CDnVnaOb9EZ5BT5Td8HSpO7doIqFxPaOyt2ySzFQs +U85oEdx/nw9Z4Ojrx78qmGFo4QMk6qSdLxPf6kj1NDE +-> piv-p256 +y2G/w AnlTfEux0XOjf37KUuizAWymOID0N6VlMAQbREYPFgv6 +l7aJCDjdDK6Nf5o7laLK8BfhQLt3UkQS8pX/OysaHZI +-> piv-p256 jNqd3A A2I3noVPaw/0g22jIM/VCIHo5vl9JbAMfbi3KHsgS+UE +xiANL8jrJqUor9n3WZhJSzJ6fH/FMg+PXJpM3y4U3Jc +-> Y%SI-grease +DSiy2TEGnnDeJaLuvKDGN8nJz7D57vgJSpmy269chWlCiYH3IGvI5HGdshPt30Ih +kDzqtPQU/cLrsBHyTRmuQ7Mn0jdp6l/lVKWwHHCArun/+Y+ormDXTEneLoTaUI3f +dkg +--- fn/9LJm/9+imjk782wITmMC1nTE76VR94qdvV1gpbZw +$J1?al6/CўJKx}L~6~c146MӪi2%F! ,ښR \ No newline at end of file