diff --git a/roles/grafana/handlers/main.yml b/roles/grafana/handlers/main.yml
new file mode 100644
index 0000000..8608ad2
--- /dev/null
+++ b/roles/grafana/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: restart grafana
+ ansible.builtin.service:
+ name: grafana-container
+ state: restarted
diff --git a/roles/grafana/meta/main.yml b/roles/grafana/meta/main.yml
new file mode 100644
index 0000000..700494e
--- /dev/null
+++ b/roles/grafana/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+ - {role: podman}
diff --git a/roles/grafana/tasks/main.yml b/roles/grafana/tasks/main.yml
new file mode 100644
index 0000000..638f3d1
--- /dev/null
+++ b/roles/grafana/tasks/main.yml
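Review bot: The `restart grafana` handler never asks systemd to reload unit definitions, yet the `create service file` task in tasks/main.yml notifies it after rewriting `/etc/systemd/system/grafana-container.service`; as far as I can tell the service module does not reload on its own, so after a unit edit the restart keeps running the old `ExecStart` until someone runs `daemon-reload` by hand (a brand-new unit is picked up lazily, so this only bites on later changes). Use the systemd module and request the reload: `ansible.builtin.systemd:` in place of `ansible.builtin.service:`, plus `daemon_reload: true` next to `state: restarted`.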
@@ -0,0 +1,67 @@
+---
+- name: create group
+ ansible.builtin.group:
+ name: grafana
+
+- name: create user
+ ansible.builtin.user:
+ name: grafana
+ comment: Podman Grafana
+ group: grafana
+ shell: /sbin/nologin
+
+- name: copy host key
+ ansible.builtin.copy:
+ dest: "{{ tls_private }}/grafana.key"
+ src: "{{ tls_private }}/{{ inventory_hostname }}.key"
+ mode: 0640
+ owner: root
+ group: grafana
+ remote_src: true
+
+- name: create service config
+ ansible.builtin.template:
+ dest: /etc/sysconfig/grafana-container
+ src: grafana-container.sysconfig.j2
+ mode: 0600
+ owner: root
+ group: "{{ ansible_wheel }}"
+ notify: restart grafana
+
+- name: create service file
+ ansible.builtin.template:
+ dest: /etc/systemd/system/grafana-container.service
+ src: grafana-container.service.j2
+ mode: 0644
+ owner: root
+ group: "{{ ansible_wheel }}"
+ notify: restart grafana
+
+- name: create ldap config
+ ansible.builtin.template:
+ dest: /etc/grafana-ldap.toml
+ src: grafana-ldap.toml.j2
+ mode: 0640
+ owner: root
+ group: grafana
+ notify: restart grafana
+
+- name: enable service
+ ansible.builtin.service:
+ name: grafana-container
+ state: started
+ enabled: true
+
+- name: copy nginx config
+ ansible.builtin.copy:
+ dest: /etc/nginx/conf.d/{{ inventory_hostname }}/grafana-container.conf
+ content: |
+ location /grafana/ {
+ proxy_set_header Host noc.foo.sh;
+ proxy_pass http://localhost:8002/;
+ }
+ mode: 0644
+ owner: root
+ group: "{{ ansible_wheel }}"
+ notify: restart nginx
+
diff --git a/roles/grafana/templates/grafana-container.service.j2 b/roles/grafana/templates/grafana-container.service.j2
new file mode 100644
index 0000000..60158f9
--- /dev/null
+++ b/roles/grafana/templates/grafana-container.service.j2
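Review bot: The `copy nginx config` task notifies `restart nginx`, but this role's handlers file defines only `restart grafana` and meta/main.yml depends only on `podman`; unless another role in the same play provides that handler, the run aborts with a missing-handler error, so either add the nginx role to `dependencies` or define the handler here. Separately, `copy host key` hands the host's own TLS private key (`{{ tls_private }}/{{ inventory_hostname }}.key`) to the grafana group, and the service template mounts that copy into the container as the LDAP and database client key; a compromise of the container or of the grafana account then exposes the host's identity key, so a dedicated client key pair issued for Grafana would confine the blast radius to Grafana. The modes are plain scalars (`mode: 0640`) that work only because of the leading zero; quoting them (`mode: "0640"`) guards against a later edit dropping the zero, which Ansible would interpret as a different permission set without complaint.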
@@ -0,0 +1,17 @@
+[Unit]
+Description=Grafana Container
+
+[Service]
+User=grafana
+EnvironmentFile=/etc/sysconfig/grafana-container
+ExecStart=/usr/bin/podman run --rm -p 127.0.0.1:8002:3000 --name grafana \
+ --volume={{ tls_certs }}/ca.crt:/etc/ssl/certs/ca.crt:ro \
+ --volume={{ tls_certs }}/{{ inventory_hostname }}.crt:/etc/ssl/certs/{{ inventory_hostname }}.crt:ro \
+ --volume={{ tls_private }}/grafana.key:/etc/ssl/private/{{ inventory_hostname }}.key:ro \
+ --volume=/etc/grafana-ldap.toml:/etc/grafana/ldap.toml:ro \
+ --env=GF_* docker.io/grafana/grafana:9.0.2
+ExecStop=/usr/bin/podman stop grafana
+KillMode=none
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/grafana/templates/grafana-container.sysconfig.j2 b/roles/grafana/templates/grafana-container.sysconfig.j2
new file mode 100644
index 0000000..4bf4246
--- /dev/null
+++ b/roles/grafana/templates/grafana-container.sysconfig.j2
@@ -0,0 +1,13 @@
+GF_DATABASE_TYPE=mysql
+GF_DATABASE_HOST=sqldb02.home.foo.sh
+GF_DATABASE_NAME=grafana
+GF_DATABASE_USER=grafana
+GF_DATABASE_PASSWORD={{ grafana_mysql_pass }}
+GF_DATABASE_SSL_MODE=true
+GF_DATABASE_SERVER_CERT_NAME=sqldb02.home.foo.sh
+GF_DATABASE_CA_CERT_PATH=/etc/ssl/certs/ca.crt
+GF_DATABASE_CLIENT_KEY_PATH=/etc/ssl/private/{{ inventory_hostname }}.key
+GF_DATABASE_CLIENT_CERT_PATH=/etc/ssl/certs/{{ inventory_hostname }}.crt
+
+GF_AUTH_LDAP_ENABLED=true
+GF_AUTH_LDAP_ALLOW_SIGN_UP=true
diff --git a/roles/grafana/templates/grafana-ldap.toml.j2 b/roles/grafana/templates/grafana-ldap.toml.j2
new file mode 100644
index 0000000..4fb7d66
--- /dev/null
+++ b/roles/grafana/templates/grafana-ldap.toml.j2
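Review bot: `KillMode=none` in the `[Service]` section is deprecated by systemd and means that when `ExecStop` fails the podman and conmon processes are left running outside systemd's supervision; the `podman generate systemd` shape of unit (`Type=notify` with `--sdnotify=conmon`, a `--cidfile`, and `--cgroups=no-conmon`) lets systemd track the container without switching process killing off. The image reference `docker.io/grafana/grafana:9.0.2` is a mutable tag, so the bits that get pulled can change with no change to this repository; pinning `@sha256:<image-digest-placeholder>` next to the tag makes the deployment reproducible and leaves one line to review on upgrade, and a 9.0.x patch release this old should be checked against Grafana's published security advisories before it ships. There is also no `Restart=` line, so a crashed container stays down until the next Ansible run.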
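Review bot: The nginx snippet in tasks/main.yml serves Grafana under `/grafana/` and strips the prefix, but nothing in this file sets `GF_SERVER_ROOT_URL` or `GF_SERVER_SERVE_FROM_SUB_PATH`, so Grafana's own redirects and absolute asset links will point at the site root and break behind the proxy; add `GF_SERVER_ROOT_URL=https://noc.foo.sh/grafana/` (the host is taken from the `proxy_set_header Host` line) or the sub-path equivalent. `GF_DATABASE_PASSWORD={{ grafana_mysql_pass }}` reaches the container as a process environment variable through `--env=GF_*`, where it shows up in `podman inspect` output and in `/proc/<pid>/environ` for anything running as the grafana user; Grafana's `__FILE` variant (`GF_DATABASE_PASSWORD__FILE=<path-to-mounted-secret-placeholder>`) backed by a podman secret or a read-only mounted file keeps it out of the environment. `GF_AUTH_LDAP_ALLOW_SIGN_UP=true` auto-creates a Grafana account for any directory user who authenticates; I believe Grafana refuses users that match none of the `group_mappings` in ldap.toml, which would make the `sysadm`-only mapping the effective access list, but that should be confirmed and noted in a comment above this line.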
@@ -0,0 +1,24 @@
+[[servers]]
+host = "ldap.foo.sh"
+port = 636
+use_ssl = true
+ssl_skip_verify = false
+client_cert = "/etc/ssl/certs/{{ inventory_hostname }}.crt"
+client_key = "/etc/ssl/private/{{ inventory_hostname }}.key"
+search_filter = "(uid=%s)"
+search_base_dns = ["{{ ldap_basedn }}"]
+bind_dn = "uid=%s,ou=People,{{ ldap_basedn }}"
+
+group_search_filter = "(&(objectClass=groupOfUniqueNames)(uniqueMember=%s))"
+group_search_base_dns = ["ou=Groups,{{ ldap_basedn }}"]
+group_search_filter_user_attribute = "dn"
+
+[[servers.group_mappings]]
+group_dn = "cn=sysadm,ou=Groups,{{ ldap_basedn }}"
+org_role = "Admin"
+
+[servers.attributes]
+name = "givenName"
+surname = "sn"
+username = "uid"
+email = "mail"
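Review bot: `use_ssl = true` with `ssl_skip_verify = false` is the right setting, but no `root_ca_cert` is given, so Grafana verifies `ldap.foo.sh` against whatever trust bundle is baked into the container image; the unit mounts the internal CA at `/etc/ssl/certs/ca.crt` inside the container, which that bundle does not necessarily include, so if the LDAP server's certificate comes from the internal CA the connection fails verification and invites someone to flip `ssl_skip_verify`. Make the trust path explicit under `[[servers]]` with `root_ca_cert = "/etc/ssl/certs/ca.crt"`. `bind_dn` carries `%s` with no `bind_password`, which makes Grafana bind as the logging-in user rather than a service account; that is a valid pattern, but a one-line comment above `bind_dn` stating it would stop the next reader from hunting for a missing password variable.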