diff --git a/kubernetes/apps/observability/grafana/app/externalsecret.yaml b/kubernetes/apps/observability/grafana/app/externalsecret.yaml
index 14775f5a..44385b62 100644
--- a/kubernetes/apps/observability/grafana/app/externalsecret.yaml
+++ b/kubernetes/apps/observability/grafana/app/externalsecret.yaml
@@ -24,6 +24,27 @@ spec:
 GF_DATABASE_PASSWORD: "{{ .grafana_postgres_password }}"
 GF_DATABASE_SSL_MODE: "require"
 GF_DATABASE_TYPE: postgres
+ GF_ANALYTICS_CHECK_FOR_UPDATES: "false"
+ GF_ANALYTICS_CHECK_FOR_PLUGIN_UPDATES: "false"
+ GF_ANALYTICS_REPORTING_ENABLED: "false"
+ GF_AUTH_ANONYMOUS_ENABLED: "false"
+ GF_AUTH_BASIC_ENABLED: "false"
+ GF_AUTH_GENERIC_OAUTH_ENABLED: "true"
+ GF_AUTH_GENERIC_OAUTH_API_URL: https://auth.hsn.dev/application/o/userinfo/
+ GF_AUTH_GENERIC_OAUTH_AUTH_URL: https://auth.hsn.dev/application/o/authorize/
+ GF_AUTH_GENERIC_OAUTH_TOKEN_URL: https://auth.hsn.dev/application/o/token/
+ GF_AUTH_GENERIC_OAUTH_CLIENT_ID: CoV7ae1HxuNzwCbVPf3U7TfYMX2rVqC5T9RAUo5M
+ GF_AUTH_GENERIC_OAUTH_EMPTY_SCOPES: "false"
+ GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: "contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'"
+ GF_AUTH_GENERIC_OAUTH_SCOPES: openid profile email groups
+ GF_AUTH_OAUTH_AUTO_LOGIN: "true"
+ GF_EXPLORE_ENABLED: "true"
+ GF_FEATURE_TOGGLES_ENABLE: publicDashboards
+ GF_LOG_MODE: console
+ GF_NEWS_NEWS_FEED_ENABLED: "false"
+ GF_PLUGINS_ALLOW_LOADING_UNSIGNED_PLUGINS: natel-discrete-panel,pr0ps-trackmap-panel,panodata-map-panel
+ GF_SECURITY_COOKIE_SAMESITE: grafana
+
 dataFrom:
 - extract:
 key: Authentik
diff --git a/kubernetes/apps/observability/grafana/app/helmrelease.yaml b/kubernetes/apps/observability/grafana/app/helmrelease.yaml
index 76345560..e4c37b87 100644
--- a/kubernetes/apps/observability/grafana/app/helmrelease.yaml
+++ b/kubernetes/apps/observability/grafana/app/helmrelease.yaml
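Review bot: `GF_SECURITY_COOKIE_SAMESITE: grafana`, the last setting added in the externalsecret.yaml hunk, is not a SameSite mode; Grafana documents `lax`, `strict`, `none` and `disabled` for `cookie_samesite`, so the value looks like it was meant for a different key and the effective cookie policy is left to however Grafana treats an unrecognised value. I would set it explicitly, e.g. `GF_SECURITY_COOKIE_SAMESITE: lax`, which also works with the OAuth redirect flow. Separately, the commented-out grafana.ini block removed from helmrelease.yaml carried `use_pkce: true`, and no `GF_AUTH_GENERIC_OAUTH_USE_PKCE: "true"` is added here, so PKCE is presumably off unless it is set outside the hunk. `GF_PLUGINS_ALLOW_LOADING_UNSIGNED_PLUGINS` and `GF_FEATURE_TOGGLES_ENABLE: publicDashboards` each widen exposure (plugin code without signature verification, dashboards reachable without login) and deserve a one-line comment stating why they are needed. The template's enclosing mapping starts above the hunk, so the OAuth client secret may already be supplied there.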
@@ -30,37 +30,4 @@ spec:
 namespace: observability
 values:
 replicas: 2
- envFromSecret: grafana-secret
- grafana.ini:
- analytics:
- check_for_updates: false
- check_for_plugin_updates: false
- reporting_enabled: false
- # auth:
- # oauth_auto_login: true
- # oauth_allow_insecure_email_lookup: true
- # auth.generic_oauth:
- # enabled: true
- # name: Authentik
- # icon: signin
- # scopes: openid profile email
- # empty_scopes: false
- # login_attribute_path: preferred_username
- # groups_attribute_path: groups
- # name_attribute_path: name
- # use_pkce: true
- # client_id: CoV7ae1HxuNzwCbVPf3U7TfYMX2rVqC5T9RAUo5M
- # client_secret: # Set by env vars
- # auth_url: https://auth.hsn.dev/application/o/authorize/
- # token_url: https://auth.hsn.dev/application/o/token/
- # api_url: https://auth.hsn.dev/application/o/userinfo/
- # role_attribute_path: |
- # contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'
- # auth.basic:
- # enabled: false
- # auth.anonymous:
- # enabled: false
- # # org_id: 1
- # # org_role: Viewer
- # news:
- # news_feed_enabled: false
\ No newline at end of file
+ envFromSecret: grafana-secret
\ No newline at end of file