diff --git a/apps/templates/prometheus.yaml b/apps/templates/prometheus.yaml
index c9ed79c..f1bdd5f 100644
--- a/apps/templates/prometheus.yaml
+++ b/apps/templates/prometheus.yaml
@@ -33,6 +33,18 @@ spec:
           persistence:
             enabled: true
             storageClassName: longhorn
+          env:
+            GF_AUTH_GENERIC_OAUTH_ENABLED: "true"
+            GF_AUTH_GENERIC_OAUTH_NAME: authentik
+            GF_AUTH_GENERIC_OAUTH_SCOPES: openid profile email
+            GF_AUTH_GENERIC_OAUTH_AUTH_URL: https://authentik.roxedus.com/application/o/authorize/
+            GF_AUTH_GENERIC_OAUTH_TOKEN_URL: https://authentik.roxedus.com/application/o/token/
+            GF_AUTH_GENERIC_OAUTH_API_URL: https://authentik.roxedus.com/application/o/userinfo/
+            GF_AUTH_SIGNOUT_REDIRECT_URL: https://authentik.roxedus.com/application/o/grafana/
+            GF_AUTH_OAUTH_AUTO_LOGIN: "true"
+            GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: "contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'"
+          envFromSecrets:
+            - name: grafana-oauth
           ingress:
             enabled: true
             ingressClassName: traefik