diff --git a/docker/caddy/Caddyfile b/docker/caddy/Caddyfile
index 57fa6ef..716ea76 100644
--- a/docker/caddy/Caddyfile
+++ b/docker/caddy/Caddyfile
@@ -125,6 +125,11 @@ korhonen.cc, *.korhonen.cc {
 		reverse_proxy collabora:9980
 	}
 
+	@grafana host grafana.korhonen.cc
+	handle @grafana {
+		reverse_proxy grafana:3000
+	}
+
 	# Fallback for unhandled domains
 	handle {
 		redir https://korhonen.cc/404.html 301
diff --git a/docker/stats/docker-compose.toml b/docker/stats/docker-compose.toml
new file mode 100644
index 0000000..ff0e084
--- /dev/null
+++ b/docker/stats/docker-compose.toml
@@ -0,0 +1,27 @@
+[services.grafana]
+image = "grafana/grafana"
+container_name = "grafana"
+volumes = ["/docker/stats/grafana:/var/lib/grafana"]
+networks = ["stats", "proxy"]
+user = "1000:984"
+env_file = [".env"]
+environment = [
+  "GF_AUTH_GENERIC_OAUTH_CLIENT_ID",
+  "GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET",
+  "GF_AUTH_GENERIC_OAUTH_ENABLED=true",
+  "GF_AUTH_GENERIC_OAUTH_NAME=authentik",
+  "GF_AUTH_GENERIC_OAUTH_SCOPES=openid profile email",
+  "GF_AUTH_GENERIC_OAUTH_AUTH_URL=https://sso.korhonen.cc/application/o/authorize/",
+  "GF_AUTH_GENERIC_OAUTH_TOKEN_URL=https://sso.korhonen.cc/application/o/token/",
+  "GF_AUTH_GENERIC_OAUTH_API_URL=https://sso.korhonen.cc/application/o/userinfo/",
+  "GF_AUTH_SIGNOUT_REDIRECT_URL=https://sso.korhonen.cc/application/o/grafana/end-session/",
+  "GF_AUTH_OAUTH_AUTO_LOGIN=true",
+  "GF_SERVER_ROOT_URL=https://grafana.korhonen.cc",
+  "GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH=contains(groups[*], 'Administrators') && 'Admin' || 'Viewer'",
+]
+
+[networks.stats]
+external = false
+
+[networks.proxy]
+external = true