diff --git a/config/default.nix b/config/default.nix
index c46a7343..54619c7e 100644
--- a/config/default.nix
+++ b/config/default.nix
@@ -220,6 +220,12 @@
 internalIp4 = hosts4.auth;
 internalIp6 = hosts6.up4.auth;
 ldapPreset = true;
+ seedSettings.groups = lib.singleton {
+ long_name = "Grafana Administrators";
+ name = "grafana-admins";
+ dont_manage_members = true;
+ permissions = {};
+ };
 };
 postgresql.upgrade = {
diff --git a/hosts/grafana/default.nix b/hosts/grafana/default.nix
index a1c2abd9..0c8ccf26 100644
--- a/hosts/grafana/default.nix
+++ b/hosts/grafana/default.nix
@@ -1,8 +1,5 @@
 { config, lib, pkgs, ... }:
-let
- ldapGroup = "grafana-admins";
-in
 {
 microvm.mem = 4096;
 c3d2.deployment.server = "server10";
@@ -61,7 +58,7 @@ in
 icon = "signin";
 name = "auth.c3d2.de";
 oauth_auto_login = true; # redirect automatically to the only oauth provider
- role_attribute_path = "contains(groups[*], '${ldapGroup}') && 'Admin'";
+ role_attribute_path = "contains(groups[*], 'grafana-admins') && 'Admin'";
 # https://dexidp.io/docs/custom-scopes-claims-clients/
 scopes = "openid email groups profile offline_access";
 token_url = "https://auth.c3d2.de/dex/token";
@@ -108,13 +105,6 @@ in
 };
 };
 };
-
- portunus.seedingSettings.groups = lib.singleton {
- long_name = "Grafana Administrators";
- name = ldapGroup;
- dont_manage_members = true;
- permissions = {};
- };
 };
 sops = {
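Review bot: In config/default.nix the seeded group name `"grafana-admins"` is now a bare literal that has to match the string inside `role_attribute_path` in hosts/grafana/default.nix, and neither file says so. With the shared `ldapGroup` binding removed, renaming one side would leave the Grafana Admin mapping pointing at a group that is never seeded, and evaluation would not complain. I would add a comment above `name`, for example `# must match role_attribute_path in hosts/grafana/default.nix; membership grants Grafana Admin`. Because `dont_manage_members = true`, membership is presumably maintained outside this repository, which makes that comment the only place a reader learns what joining the group confers. The enclosing attribute set starts outside the hunk.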
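Review bot: The `role_attribute_path` expression in hosts/grafana/default.nix yields a role only for members of `grafana-admins`; for every other user it evaluates to a non-role value. What those users receive then depends on settings that are not visible in this hunk, such as Grafana's `auto_assign_org_role` or `role_attribute_strict`. Spelling out the fallback keeps the least-privilege outcome readable where the decision is made: `role_attribute_path = "contains(groups[*], 'grafana-admins') && 'Admin' || 'Viewer'";`. The surrounding OAuth settings block starts and ends outside the hunk.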