diff --git a/manifests/authentik-grafana-secret.sh b/manifests/authentik-grafana-secret.sh
new file mode 100755
index 0000000..116dcbd
--- /dev/null
+++ b/manifests/authentik-grafana-secret.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+set -euo pipefail
+source "$(dirname "$0")/../.env"
+
+kubectl create secret generic authentik-grafana-oauth \
+ --namespace monitoring \
+ --from-literal=client-id="${AUTHENTIK_GRAFANA_CLIENT_ID}" \
+ --from-literal=client-secret="${AUTHENTIK_GRAFANA_CLIENT_SECRET}" \
+ --dry-run=client -o yaml | kubectl apply -f -
\ No newline at end of file
diff --git a/manifests/jellyfin.yaml b/manifests/jellyfin.yaml
index aa11e0e..b6d65ae 100644
--- a/manifests/jellyfin.yaml
+++ b/manifests/jellyfin.yaml
@@ -93,12 +93,19 @@ spec:
 env:
 - name: JELLYFIN_PublishedServerUrl
 value: https://jellyfin.home.arpa
+ - name: LIBVA_DRIVER_NAME
+ value: radeonsi
 volumeMounts:
 - name: config
 mountPath: /config
 - name: media
 mountPath: /media
 readOnly: true
+ - name: dri
+ mountPath: /dev/dri
+ securityContext:
+ supplementalGroups:
+ - 992
 volumes:
 - name: config
 persistentVolumeClaim:
@@ -106,6 +113,9 @@ spec:
 - name: media
 persistentVolumeClaim:
 claimName: jellyfin-media
+ - name: dri
+ hostPath:
+ path: /dev/dri
 ---
 apiVersion: v1
 kind: Service
diff --git a/values/kube-prometheus-stack.yaml b/values/kube-prometheus-stack.yaml
index e17d4f0..236178a 100644
--- a/values/kube-prometheus-stack.yaml
+++ b/values/kube-prometheus-stack.yaml
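Review bot: The new script documents none of its inputs, and `source "$(dirname "$0")/../.env"` executes that file rather than parsing it, so a reader cannot tell from the file that `../.env` must define `AUTHENTIK_GRAFANA_CLIENT_ID` and `AUTHENTIK_GRAFANA_CLIENT_SECRET`, must stay untracked, and should be readable only by the operator; I would add `# Reads AUTHENTIK_GRAFANA_CLIENT_ID / AUTHENTIK_GRAFANA_CLIENT_SECRET from ../.env (untracked, mode 0600); set -u aborts if either is unset.` under the shebang. Separately, `kubectl apply` records the whole object in the `kubectl.kubernetes.io/last-applied-configuration` annotation, so the client secret is stored a second time on the Secret object; `kubectl apply --server-side -f -` avoids that annotation. The file also lacks a trailing newline.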
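Review bot: `supplementalGroups` is a field of the pod-level `spec.securityContext`, not of a container's `securityContext`; the flattened hunk hides the indentation, and the block sits between the container's `volumeMounts` and the pod's `volumes`, so please confirm it is at pod level, because at container level the API server rejects or prunes the field and the process never receives GID 992. The literal `992` is whatever GID the node happens to assign to its render (or video) group, which is not portable between hosts, so it should carry a comment such as `# GID owning /dev/dri/renderD* on the node (getent group render); adjust per host`. Note that a `hostPath` mount of `/dev/dri` hands the container the node's GPU device nodes and is forbidden by the baseline Pod Security Standard, so the namespace's admission level has to permit it.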
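Review bot: The `hostPath` volume has no `type`, so the kubelet does no check on `/dev/dri` before mounting and a node without the device fails in a less obvious way; `type: Directory` makes the pod fail with a clear mount event when the path is absent. Since the mount only works on nodes that actually have the GPU, a `nodeSelector` or node affinity pinning the pod to those nodes would avoid placement on others, though I cannot see from the hunk whether the cluster has more than one node. A one-line comment on the volume, `# node GPU device nodes for VA-API; requires the render GID in supplementalGroups`, would tie it to the securityContext added in the previous hunk.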
@@ -10,7 +10,20 @@ grafana: existingSecret: grafana-admin-secret userKey: admin-user passwordKey: admin-password - + "grafana.ini": + server: + root_url: https://grafana.nik4nao.com + auth.generic_oauth: + enabled: true + name: Authentik + allow_sign_up: true + client_id: $__file{/etc/secrets/authentik-grafana-oauth/client-id} + client_secret: $__file{/etc/secrets/authentik-grafana-oauth/client-secret} + scopes: openid email profile + auth_url: https://auth.nik4nao.com/application/o/authorize/ + token_url: https://auth.nik4nao.com/application/o/token/ + api_url: https://auth.nik4nao.com/application/o/userinfo/ + role_attribute_path: contains(groups, 'authentik Admins') && 'Admin' || 'Viewer' ingress: enabled: true ingressClassName: traefik @@ -24,16 +37,23 @@ grafana: - secretName: grafana-tls hosts: - grafana.nik4nao.com - + extraSecretMounts: + - name: authentik-grafana-oauth + secretName: authentik-grafana-oauth + mountPath: /etc/secrets/authentik-grafana-oauth + readOnly: true persistence: enabled: true size: 2Gi initChownData: true + securityContext: + runAsNonRoot: false + runAsUser: 0 + fsGroup: 472 prometheus: prometheusSpec: retention: 15d - storageSpec: volumeClaimTemplate: metadata:
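Review bot: `allow_sign_up: true` together with the `|| 'Viewer'` fallback in `role_attribute_path` means every identity Authentik lets reach the userinfo endpoint gets a Grafana account with Viewer rights, so access control rests entirely on the Authentik application's policy bindings; if that is intended, a comment next to `allow_sign_up` saying so would help, otherwise Grafana's `allowed_groups` (with `groups_attribute_path: groups`) and `role_attribute_strict: true` narrow it on the Grafana side. The `groups` claim the JMESPath expression reads has to be present in the userinfo response for the requested scopes; Authentik's default profile scope mapping includes it as far as I know, but that is worth verifying since a missing claim silently demotes every admin to Viewer. The Authentik provider must list `https://grafana.nik4nao.com/login/generic_oauth` as the redirect URI, which follows from the `root_url` set here; a comment recording that coupling would save the next person a round trip.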
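Review bot: `runAsNonRoot: false` with `runAsUser: 0` runs the long-lived Grafana container as root, overriding the chart's non-root default (UID 472) with no visible justification; `initChownData: true` a few lines above already provisions a separate root init container to fix data-volume ownership, and the `extraSecretMounts` files are readable without root at Kubernetes' default 0644 mode, so the only effect here is a larger blast radius if the Grafana process is compromised. If a volume-ownership problem prompted this, the fix belongs in that init container, not the main pod; otherwise drop the two `runAs*` lines, keep `fsGroup: 472`, and set `runAsNonRoot: true`. If root really is required, a comment stating why should accompany it. The hunk body also appears one context line short of its `@@ -24,16 +37,23 @@` header, probably a blank line lost when the diff was flattened.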