diff --git a/config/hosts/metrics-nekomesh/grafana.nix b/config/hosts/metrics-nekomesh/grafana.nix
index 5443fce..7697748 100644
--- a/config/hosts/metrics-nekomesh/grafana.nix
+++ b/config/hosts/metrics-nekomesh/grafana.nix
@@ -10,7 +10,7 @@
 security = {
 cookie_secure = true;
 cookie_samesite = "strict";
- admin_user = "fi";
+ admin_user = "admin";
 admin_password = "$__file{/secrets/metrics-nekomesh-grafana-admin-password.secret}";
 admin_email = "fi@nekover.se";
 };
@@ -23,6 +23,24 @@
 from_name = "Nekomesh";
 startTLS_policy = "NoStartTLS";
 };
+ "auth.generic_oauth" = {
+ enabled = true;
+ name = "Nekoverse ID";
+ allow_sign_up = true;
+ client_id = "nekomesh";
+ client_secret = "$__file{/secrets/metrics-nekomesh-grafana-keycloak-client-secret.secret}";
+ scopes = "openid email profile offline_access roles";
+ email_attribute_path = "email";
+ login_attribute_path = "preferred_username";
+ name_attribute_path = "preferred_username";
+ auth_url = "https://id.nekover.se/realms/nekoverse/protocol/openid-connect/auth";
+ token_url = "https://id.nekover.se/realms/nekoverse/protocol/openid-connect/token";
+ api_url = "https://id.nekover.se/realms/nekoverse/protocol/openid-connect/userinfo";
+ use_refresh_token = true;
+ allow_assign_grafana_admin = true;
+ role_attribute_strict = true;
+ role_attribute_path = "contains(resource_access.nekomesh.roles[*], 'grafanaadmin') && 'GrafanaAdmin' || contains(resource_access.nekomesh.roles[*], 'admin') && 'Admin' || contains(resource_access.nekomesh.roles[*], 'editor') && 'Editor' || 'Viewer'";
+ };
 };
 provision.datasources.settings.datasources = [
 {
diff --git a/config/hosts/metrics-nekomesh/secrets.nix b/config/hosts/metrics-nekomesh/secrets.nix
index 4b68fbb..ef6bcec 100644
--- a/config/hosts/metrics-nekomesh/secrets.nix
+++ b/config/hosts/metrics-nekomesh/secrets.nix
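Review bot: The trailing `|| 'Viewer'` on the `role_attribute_path` line makes `role_attribute_strict = true` a no-op, because the JMESPath expression always yields a valid role, so together with `allow_sign_up = true` every account in the nekoverse realm that can complete the login is admitted to Grafana as a Viewer whether or not it holds any nekomesh client role. If that is intended, record it with a comment on the `"auth.generic_oauth"` block such as `# any realm user may sign in as Viewer; elevated roles come from nekomesh client roles`; if not, drop the fallback so unmapped users are rejected: `role_attribute_path = "contains(resource_access.nekomesh.roles[*], 'grafanaadmin') && 'GrafanaAdmin' || contains(resource_access.nekomesh.roles[*], 'admin') && 'Admin' || contains(resource_access.nekomesh.roles[*], 'editor') && 'Editor'";`. Either way it is worth confirming that the `resource_access.nekomesh.roles` claim is present in the token or userinfo response Grafana evaluates, since the Keycloak mapper placement is not visible here and, once strict mode is effective, a missing claim locks everyone out rather than silently granting Viewer. Note also that the first hunk renames the local account to `admin` while `login_attribute_path = "preferred_username"` lets an identity-provider username land in the same login namespace, so it is worth checking that Grafana's user lookup cannot link a realm user named `admin` to that local account. The enclosing `settings` attribute set starts before the hunk.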
@@ -9,6 +9,14 @@
 permissions = "0640";
 uploadAt = "pre-activation";
 };
+ "metrics-nekomesh-grafana-keycloak-client-secret.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "metrics-nekomesh/grafana/keycloak-client-secret" ];
+ destDir = "/secrets";
+ user = "grafana";
+ group = "grafana";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
 "mail-nekomesh-nekover-se.secret" = {
 keyCommand = keyCommandEnv ++ [ "pass" "mail/nekomesh-nekover-se" ];
 destDir = "/secrets";