diff --git a/flake.nix b/flake.nix
index 089d94b..095c125 100644
--- a/flake.nix
+++ b/flake.nix
@@ -84,16 +84,16 @@
             }
           ];
         };
-        template = nixpkgs.lib.nixosSystem {
-          inherit system;
-          modules = [
-            agenix.nixosModules.default
-            "${inputs.self}/systems/minimalVMConfig.nix"
-            {
-              networking.hostName = "nixos";
-            }
-          ];
-        };
+#        template = nixpkgs.lib.nixosSystem {
+#          inherit system;
+#          modules = [
+#            agenix.nixosModules.default
+#            "${inputs.self}/systems/minimalVMConfig.nix"
+#            {
+#              networking.hostName = "nixos";
+#            }
+#          ];
+#        };
         jellyfin = nixpkgs.lib.nixosSystem {
           inherit system;
           modules = [
diff --git a/secrets.nix b/secrets.nix
index 50c0927..26b78f3 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -11,6 +11,7 @@ in
 {
   "secrets/initialPassword.age".publicKeys = users ++ systems;
   "services/grafana/secrets/grafana-db.age".publicKeys = [ tbarnouin grafana ];
+  "services/grafana/secrets/grafana-oauth_secret.age".publicKeys = [ tbarnouin grafana ];
   "services/grafana/secrets/kuma-token.age".publicKeys = [ tbarnouin grafana ];
   "services/onlyoffice/secrets/office-dbpass.age".publicKeys  = [ tbarnouin onlyoffice ];
   "services/onlyoffice/secrets/office-jwtpass.age".publicKeys = [ tbarnouin onlyoffice ];
diff --git a/services/grafana/default.nix b/services/grafana/default.nix
index 20439a6..4afd0f1 100644
--- a/services/grafana/default.nix
+++ b/services/grafana/default.nix
@@ -19,11 +19,17 @@ in
     };
   };
   config = lib.mkIf cfg.enable {
-    age.secrets.grafana-db = {
-      file  = ./secrets/grafana-db.age;
-      owner = "grafana";
+    age.secrets ={
+      grafana-db = {
+        file  = ./secrets/grafana-db.age;
+        owner = "grafana";
+      };
+      grafana-oauth_secret = {
+        file  = ./secrets/grafana-oauth_secret.age;
+        owner = "grafana";
+      };
+      kuma-token.file  = ./secrets/kuma-token.age;
     };
-    age.secrets.kuma-token.file  = ./secrets/kuma-token.age;
     services.rsyslogd = {
       enable = true;
       extraConfig = ''
@@ -37,10 +43,10 @@ in
         module(load="imtcp")
         input(type="imtcp" port="514" ruleset="remote")
       '';
-    };  
+    };
     services.influxdb2 = {
       enable = true;
-    };  
+    };
     services.grafana = {
       enable = true;
       settings = {
@@ -59,6 +65,19 @@ in
           user     = "grafana";
           password = "\$__file{${config.age.secrets.grafana-db.path}}";
         };
+        "auth.generic_oauth" = {
+          enabled       = "true";
+          name          = "authentik";
+          allow_sign_up = "true";
+          client_id     = "9HV82G8F92Jcbw4nP8eppMcPpLcAw5uYpejfReLy";
+          client_secret = "\$__file{${config.age.secrets.grafana-oauth_secret.path}}";
+          scopes        = "openid email profile";
+          auth_url      = "https://authentik.le43.eu/application/o/authorize/";
+          token_url     = "https://authentik.le43.eu/application/o/token/";
+          api_url       = "https://authentik.le43.eu/application/o/userinfo/";
+          role_attribute_path = "contains(groups, 'admin') && 'Admin' || contains(groups, 'admin') && 'Editor' || 'Viewer';role_attribute_strict = false";
+          allow_assign_grafana_admin = "true";
+        };
       };
     };
     services.prometheus = {
diff --git a/services/grafana/secrets/grafana-oauth_secret.age b/services/grafana/secrets/grafana-oauth_secret.age
new file mode 100644
index 0000000..1d606ce
--- /dev/null
+++ b/services/grafana/secrets/grafana-oauth_secret.age
@@ -0,0 +1,13 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBtMm9n
+VGJyeEdFckZjWHNybm94b2crSE0wclE1QlRXZkVGMVk4U1hMdFJBCnhQL3FSdW9l
+cUdNNThIdDVwQkxZWEQ2ZXZuekpKcWxQNy9jZlVoTVArZEkKLT4gc3NoLWVkMjU1
+MTkgd25FVXB3IEtwTmV3ckQybkd3L3R0TFp0a2JMTzNiMmdyNkNyVkdHUkQyd0Fm
+cGkxamMKeGNCSmF6TCtkVXZ5WG5Cd1F6WmkxWjlRZ0FCZ0p1NklPcmw1bFJ6dFNv
+ZwotPiAoLWdyZWFzZSAzfUpGL0QgOEtFWXdwCnJCNTFoeTQzUVJlejRUakRqREVy
+WS8zTmh3aUptcE56RDBqMld3NXNKZwotLS0gRnlBdEc1cVZOeDFQblAwOVN1MDUx
+Yko2UEJ6UE14Z3haUW5XWjJzNFVodwrg7eJ6dnbIAjvsz/XoktAot7G1+u1UJsAE
+QkLEtM7DpcFEvESO3JOhuIO/l6qoWjDuksh7yNhdLv2uOKa7ZpM5Q0DGFnRke3Qk
+RU2E2UU4w30cmAXFm75NT2T9Po0R182Px25gV7fvfNHMHmONFJZRqNxS2IUDS20W
+hDqk+ea9mnYNG1icpmYPj56OpKt+mqrf6kSFuU+R6zwIcoKpMR2wCA==
+-----END AGE ENCRYPTED FILE-----
diff --git a/services/nginx/default.nix b/services/nginx/default.nix
index 9095fcf..f637385 100644
--- a/services/nginx/default.nix
+++ b/services/nginx/default.nix
@@ -61,7 +61,7 @@ in
 
           # Enable CSP for your services.
           #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
-          add_header Content-Security-Policy "frame-ancestors self cloud.le43.eu office.le43.eu; upgrade-insecure-requests; frame-src 'self' http://office.le43.eu;";
+          add_header Content-Security-Policy "frame-ancestors self *.le43.eu; upgrade-insecure-requests; frame-src 'self' http://office.le43.eu;";
 
 
           # Minimize information leaked to other domains