diff --git a/roles/grafana/README.md b/roles/grafana/README.md
new file mode 100644
index 0000000..d8b6106
--- /dev/null
+++ b/roles/grafana/README.md
@@ -0,0 +1 @@
+Installs and configures grafana
diff --git a/roles/grafana/defaults/main.yaml b/roles/grafana/defaults/main.yaml
new file mode 100644
index 0000000..b3b1519
--- /dev/null
+++ b/roles/grafana/defaults/main.yaml
@@ -0,0 +1,13 @@
+---
+grafana_oauth_name: ""
+grafana_oauth_client_id: ""
+grafana_oauth_auth_url: ""
+grafana_oauth_token_url: ""
+grafana_oauth_api_url: ""
+grafana_oauth_scopes:
+ - openid
+ - profile
+ - email
+grafana_oauth_role_attribute_path: ""
+grafana_oauth_allow_sign_up: true
+grafana_oauth_auto_login: true
diff --git a/roles/grafana/meta/argument_specs.yml b/roles/grafana/meta/argument_specs.yml
new file mode 100644
index 0000000..43bb0ca
--- /dev/null
+++ b/roles/grafana/meta/argument_specs.yml
@@ -0,0 +1,72 @@
+---
+argument_specs:
+ main:
+ description: Installs and configures grafana
+ options:
+ grafana_domain:
+ description: The domain grafana should be available on
+ type: str
+ required: true
+
+ grafana_oauth_name:
+ description: >-
+ Name that refers to the generic OAuth2 authentication from the Grafana
+ user interface. Required to enable OAuth authentication.
+ type: str
+ required: false
+ default: ""
+ grafana_oauth_client_id:
+ description: >-
+ Client ID provided by your OAuth2 app. Required if OAuth is enabled.
+ type: str
+ required: false
+ default: ""
+ grafana_oauth_auth_url:
+ description: Authorization endpoint of your OAuth2 provider. Required if OAuth is enabled.
+ type: str
+ required: false
+ default: ""
+ grafana_oauth_token_url:
+ description: Endpoint used to obtain the OAuth2 access token.
+ type: str
+ required: false
+ default: ""
+ grafana_oauth_api_url:
+ description: Endpoint used to obtain user information compatible with OpenID UserInfo.
+ type: str
+ required: false
+ default: ""
+ grafana_oauth_scopes:
+ description: List of OAuth2 scopes.
+ type: list
+ required: false
+ elements: str
+ default:
+ - openid
+ - profile
+ - email
+ grafana_oauth_role_attribute_path:
+ description: >-
+ JMESPath expression to use for Grafana role lookup. Grafana will first
+ evaluate the expression using the OAuth2 ID token. If no role is found,
+ the expression will be evaluated using the user information obtained
+ from the UserInfo endpoint. The result of the evaluation should be
+ a valid Grafana role (Viewer, Editor, Admin or GrafanaAdmin).
+ type: str
+ required: false
+ default: ""
+ grafana_oauth_allow_sign_up:
+ description: >-
+ Controls Grafana user creation through the generic OAuth2 login. Only
+ existing Grafana users can log in with generic OAuth if set to false.
+ type: bool
+ required: false
+ default: true
+ grafana_oauth_auto_login:
+ description: >-
+ Whether to enable users to bypass the login screen and automatically
+ log in. This setting is ignored if you configure multiple auth
+ providers to use auto-login.
+ type: bool
+ required: false
+ default: true
diff --git a/roles/grafana/tasks/main.yml b/roles/grafana/tasks/main.yml
new file mode 100644
index 0000000..bb0e3d2
--- /dev/null
+++ b/roles/grafana/tasks/main.yml
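Review bot: The spec for `grafana_oauth_role_attribute_path` marks it optional with an empty default, yet tasks/main.yml in this same commit sets `GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_STRICT: "true"` unconditionally; with strict role mapping an empty expression presumably yields no role and Grafana then rejects every generic-OAuth login, so the variable is effectively required whenever `grafana_oauth_name` is set. I would state that in the description, e.g. append `Effectively required once OAuth is enabled: the role turns on strict role mapping, so an empty expression rejects all OAuth logins.` The "Required if OAuth is enabled" caveat is given for `grafana_oauth_client_id` and `grafana_oauth_auth_url` but not for `grafana_oauth_token_url`, which the flow also cannot work without; worth aligning the three descriptions. Alternatively the task could derive the strict flag from the path being non-empty, in which case the spec is fine as written.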
@@ -0,0 +1,39 @@
+---
+- name: Grafana
+ ansible.builtin.import_role:
+ name: service
+ vars:
+ service_name: grafana
+ service_container_image: "docker.io/grafana/grafana:latest"
+ service_container_mounts:
+ - type: volume
+ source: data
+ destination: /var/lib/grafana
+ service_container_http_port: 3000
+ service_domains:
+ - "{{ grafana_domain }}"
+ service_database_type: postgres
+ service_postgres_tag: 17-alpine
+ service_container_env:
+ GF_DATABASE_TYPE: postgres
+ GF_DATABASE_HOST: grafana-postgres:5432
+ GF_DATABASE_NAME: grafana
+ GF_DATABASE_USER: grafana
+ GF_DATABASE_PASSWORD__FILE: /run/secrets/postgres
+ GF_SERVER_DOMAIN: "{{ grafana_domain }}"
+ GF_SERVER_ROOT_URL: "https://{{ grafana_domain }}"
+
+ GF_AUTH_GENERIC_OAUTH_ENABLED: "{{ 'true' if grafana_oauth_name | length > 0 else 'false' }}"
+ GF_AUTH_GENERIC_OAUTH_NAME: "{{ grafana_oauth_name }}"
+ GF_AUTH_GENERIC_OAUTH_CLIENT_ID: "{{ grafana_oauth_client_id }}"
+ GF_AUTH_GENERIC_OAUTH_AUTH_URL: "{{ grafana_oauth_auth_url }}"
+ GF_AUTH_GENERIC_OAUTH_TOKEN_URL: "{{ grafana_oauth_token_url }}"
+ GF_AUTH_GENERIC_OAUTH_API_URL: "{{ grafana_oauth_userinfo_url }}"
+ GF_AUTH_GENERIC_OAUTH_SCOPES: "{{ grafana_oauth_scopes | join(' ') }}"
+ GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP: "{{ 'true' if grafana_oauth_allow_sign_up else 'false' }}"
+ GF_AUTH_GENERIC_OAUTH_AUTO_LOGIN: "{{ 'true' if grafana_oauth_auto_login else 'false' }}"
+ GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: "{{ grafana_oauth_role_attribute_path }}"
+ GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_STRICT: "true"
+ GF_AUTH_GENERIC_OAUTH_ALLOW_ASSIGN_GRAFANA_ADMIN: "true"
+ GF_AUTH_GENERIC_OAUTH_USE_PKCE: "true"
+ GF_AUTH_GENERIC_OAUTH_LOGIN_ATTRIBUTE_PATH: preferred_username
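Review bot: `GF_AUTH_GENERIC_OAUTH_API_URL` is templated from `grafana_oauth_userinfo_url`, a variable nothing in this commit defines — defaults/main.yaml and meta/argument_specs.yml both declare `grafana_oauth_api_url` — so the import will fail on an undefined variable (or silently render an empty URL if undefined errors are disabled); change it to `GF_AUTH_GENERIC_OAUTH_API_URL: "{{ grafana_oauth_api_url }}"`. No client secret is wired into the env at all; PKCE is enabled, which may suffice for a public client, but if the IdP registration is confidential a `grafana_oauth_client_secret` input is needed, and it should reach the container the same way the database password does (`GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET__FILE` pointing at a secret file) rather than as an inline value that ends up in `podman inspect` output and logs. `GF_AUTH_GENERIC_OAUTH_ALLOW_ASSIGN_GRAFANA_ADMIN: "true"` combined with `ALLOW_SIGN_UP` defaulting to true means any IdP user whose role expression evaluates to GrafanaAdmin gets server-admin on first login, which is fine if intended but deserves a comment on that line. `docker.io/grafana/grafana:latest` is unpinned, so every run may pull a different image; pinning a tag (ideally with a digest) keeps deployments reproducible and reviewable.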