diff --git a/README.rst b/README.rst
index cd4dca3..f0ac833 100644
--- a/README.rst
+++ b/README.rst
@@ -136,6 +136,18 @@ ArgoCD bootstrap
         "dex.github.clientSecret": "REPLACE"
       }}'
 
+* Create new Oauth application https://github.com/settings/applications/new:
+
+  * Application name: grafana.ioot.xyz
+  * Homepage URL: https://grafana.ioot.xyz/
+  * Authorization callback URL: https://grafana.ioot.xyz/login/github
+  * Update client secret and admin password:
+
+    .. code-block:: bash
+
+      argocd app set argocd/grafana --parameter githubClientSecret=REPLACE
+      argocd app set argocd/grafana --parameter adminPassword=`pwgen -1 12`
+
 * Remove secret ``kubectl --context gullfaxi -n argocd delete secret argocd-initial-admin-secret``.
 
 Passing Sensitive Parameters in ArgoCD apps
diff --git a/state/gullfaxi/system/observability/grafana/application.yaml b/state/gullfaxi/system/observability/grafana/application.yaml
new file mode 100644
index 0000000..38d4b98
--- /dev/null
+++ b/state/gullfaxi/system/observability/grafana/application.yaml
@@ -0,0 +1,26 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: grafana
+  labels:
+    stack: observability
+spec:
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: grafana
+  project: system
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+  source:
+    repoURL: git@github.com:amkartashov/gf-k8s.git
+    targetRevision: main
+    path: state/gullfaxi/system/observability/grafana/manifests/
+    helm:
+      values: |
+        hostname: grafana.ioot.xyz
+        adminPassword: change_in_argocd
+        githubClientSecret: change_in_argocd
diff --git a/state/gullfaxi/system/observability/grafana/manifests/Chart.yaml b/state/gullfaxi/system/observability/grafana/manifests/Chart.yaml
new file mode 100644
index 0000000..fd23f63
--- /dev/null
+++ b/state/gullfaxi/system/observability/grafana/manifests/Chart.yaml
@@ -0,0 +1,2 @@
+name: grafana
+version: 0.1.0
diff --git a/state/gullfaxi/system/observability/grafana/manifests/templates/grafana.yaml b/state/gullfaxi/system/observability/grafana/manifests/templates/grafana.yaml
new file mode 100644
index 0000000..0ed3edc
--- /dev/null
+++ b/state/gullfaxi/system/observability/grafana/manifests/templates/grafana.yaml
@@ -0,0 +1,45 @@
+# https://github.com/grafana-operator/grafana-operator/blob/v5.0.0-rc1/docs/docs/api.md#grafana
+apiVersion: grafana.integreatly.org/v1beta1
+kind: Grafana
+metadata:
+  name: grafana
+  labels:
+    instance: grafana
+spec:
+  config:
+    server:
+      root_url: https://{{ .Values.hostname }}
+    security:
+      admin_user: admin
+      admin_password: {{ .Values.adminPassword }}
+    auth.github:
+      enabled: "true"
+      allow_sign_up: "true"
+      auto_login: "true"
+      allow_assign_grafana_admin: "true"
+      role_attribute_path: >-
+        [login=='amkartashov'][0] && 'GrafanaAdmin'
+      role_attribute_strict: "true"
+      client_id: 593511d4b21277d52242
+      client_secret: {{ .Values.githubClientSecret }}
+  ingress:
+    metadata:
+      annotations:
+        cert-manager.io/cluster-issuer: letsencrypt
+    spec:
+      ingressClassName: nginx
+      tls:
+        - hosts:
+            - {{ .Values.hostname }}
+          secretName: grafana-tls-secret
+      rules:
+        - host: {{ .Values.hostname }}
+          http:
+            paths:
+              - backend:
+                  service:
+                    name: grafana-service
+                    port:
+                      number: 3000
+                path: /
+                pathType: Prefix
diff --git a/state/gullfaxi/system/observability/grafana/manifests/values.yaml b/state/gullfaxi/system/observability/grafana/manifests/values.yaml
new file mode 100644
index 0000000..e69de29