diff --git a/grafana.yml b/grafana.yml
index 88bdd3081..1da22c582 100644
--- a/grafana.yml
+++ b/grafana.yml
@@ -18,7 +18,11 @@
     - name: Install Dependencies
       become: true
       ansible.builtin.package:
-        name: ['python3-virtualenv', 'python3-docker']
+        name: ["python3-virtualenv", "python3-docker", "python3-pip"]
+    - name: Install docker compose python (no rpm available)
+      ansible.builtin.pip:
+        name: docker-compose
+        version: 1.29.2
     - name: Ensure git is installed. (hxr.monitor-ssl)
       become: true
       ansible.builtin.package:
@@ -47,19 +51,21 @@
     - grafana.grafana
   roles:
     ## Starting configuration of the operating system
+    - role: usegalaxy_eu.fw_glxeu_generic
+      become: true
+    - role: geerlingguy.repo-epel # Install EPEL repository
+      become: true
     - role: usegalaxy_eu.handy.os_setup
       become: true
       vars:
         hostname: "{{ grafana_domain }}"
         enable_hostname: true
-        enable_powertools: true # geerlingguy.repo-epel role doesn't enable PowerTools repository
-    - role: geerlingguy.repo-epel # Install EPEL repository
-      become: true
-    - role: usegalaxy-eu.autoupdates # keep all of our packages up to date
+        enable_powertools: true # geerlingguy.repo-epel role doesn't enable PowerTools repository
+    - role: usegalaxy-eu.autoupdates # keep all of our packages up to date
       become: true
       vars:
         hostname: "{{ grafana_domain }}"
-    - influxdata.chrony # Keep our time in sync.
+    - influxdata.chrony # Keep our time in sync.
     ## Monitoring
     - dj-wasabi.telegraf
@@ -114,9 +120,9 @@
         group: "{{ ansible_ssh_user }}"
         mode: "0600"
     - name: Create env
-      copy:
+      ansible.builtin.copy:
         content: |
-          DOMAIN=http://localhost:8080
+          DOMAIN=https://{{ grafana_on_call_domain }}
           SECRET_KEY={{ grafana_on_call_secret }}
           COMPOSE_PROFILES=''
         dest: "{{ grafana_on_call_path }}/.env"
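Review bot: The new `Install docker compose python` task has no `become: true`, unlike the package task directly above it, so the pip install either lands in the SSH user's site-packages or fails on a system-wide install. It also pins `docker-compose` 1.29.2, the end-of-life Python v1 implementation, while the later hunk in this file moves the OnCall task to `community.docker.docker_compose_v2`, which drives the Docker CLI `docker compose` plugin rather than the Python `docker-compose` binary, so this install most likely does not satisfy that module at all. Prefer installing the compose CLI plugin from a package repository; if the pip task must stay, add `become: true` and a comment such as `# v1 python docker-compose; not used by docker_compose_v2 -- TODO confirm it is still needed`.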
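Review bot: `usegalaxy_eu.fw_glxeu_generic` is inserted as the very first role with no vars and no comment, so which ports it opens comes entirely from the role defaults and cannot be reviewed here, even though this commit adds a second TLS vhost on 443 and relies on certbot webroot challenges. A one-line comment would document the dependency, e.g. `# firewall rules come from the role defaults -- 80/443 must stay open for nginx and certbot renewals`. The `enable_powertools` and `influxdata.chrony` lines change only comment spacing and add noise to the diff; consider dropping that realignment or doing it in a separate formatting commit.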
@@ -124,13 +130,7 @@
         group: "{{ ansible_ssh_user }}"
         mode: "0600"
         no_log: true
-    - name: Spin up OnCall
-      community.general.docker_compose:
-        project_src: "{{ grafana_on_call_path }}"
-    - name: Remove OnCall
-      when: not grafana_on_call
-      block:
-        - name: Stop all services
-          community.general.docker_compose:
+    - name: Start OnCall
+      community.docker.docker_compose_v2:
         project_src: "{{ grafana_on_call_path }}"
-          state: absent
+        project_name: oncall
diff --git a/group_vars/grafana/vars.yml b/group_vars/grafana/vars.yml
index 412ebcef3..5ff2aaf16 100644
--- a/group_vars/grafana/vars.yml
+++ b/group_vars/grafana/vars.yml
@@ -4,10 +4,12 @@ certbot_auth_method: --webroot
 certbot_well_known_root: /srv/nginx/_well-known_root
 certbot_share_key_users:
   - nginx
-certbot_virtualenv_command: virtualenv-3.6
 certbot_virtualenv_package_name: python3-virtualenv
 certbot_post_renewal: |
   systemctl restart nginx || true
+certbot_domains:
+  - "{{ grafana_domain }}"
+  - "{{ grafana_on_call_domain }}"
 #hostname: "{{ grafana_domain }}"
 # NGINX
 nginx_enable_default_server: false
@@ -35,7 +37,9 @@ nginx_conf_ssl_certificate: /etc/ssl/certs/fullchain.pem
 nginx_conf_ssl_certificate_key: /etc/ssl/user/privkey-nginx.pem
 #setting this to false will remove the on call compose services and it's compose directory
-grafana_on_call: false
+grafana_on_call: true
+grafana_on_call_domain: oncall.galaxyproject.eu
+grafana_on_call_path: /data/grafana-on-call
 # Grafana
 grafana_version: 11.0.0
@@ -76,6 +80,7 @@ grafana_auth:
     token_url: "https://github.com/login/oauth/access_token"
     api_url: "https://api.github.com/user"
     allowed_organisations: "usegalaxy.eu galaxyproject"
+    role_attribute_path: contains(groups[*], '@usegalaxy-eu/admingrafana') && 'GrafanaAdmin' || 'Viewer'
 grafana_auth_admin_password: "{{ vault_grafana_auth_admin_password }}"
 grafana_image_storage:
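Review bot: The `Remove OnCall` teardown (`when: not grafana_on_call` ... `state: absent`) is deleted and the new `Start OnCall` task carries no `when:` in this hunk, so `grafana_on_call` no longer controls anything here, while the comment in group_vars/grafana/vars.yml (`#setting this to false will remove the on call compose services and it's compose directory`, next hunk) still promises a removal. Either restore a conditional teardown using `community.docker.docker_compose_v2` with `state: absent`, or add `when: grafana_on_call` to the start task and rewrite that comment to say the flag only gates startup. The surrounding task list continues outside the hunk, so a play- or block-level `when` cannot be ruled out from here.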
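Review bot: Adding `grafana_on_call_domain` to `certbot_domains` with `certbot_auth_method: --webroot` turns the next issuance into a SAN certificate for both names, and that issuance now fails for both unless the HTTP-01 challenge for the new domain reaches `certbot_well_known_root`. The port-80 server that serves that webroot is not in this commit, so if it is bound to the Grafana name only, it needs the new domain too, and DNS for the new name must resolve before the play runs. A comment above the list would record that ordering, e.g. `# both names share one cert (nginx_conf_ssl_certificate); DNS + port-80 webroot must exist for each before renewal`.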
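Review bot: `role_attribute_path` is an unquoted plain scalar containing `[*]`, `,`, single quotes, `&&` and `||`; it parses as a string in block context today, but one ` #` or `: ` added to the JMESPath later would silently turn it into a comment or a mapping, so quote it: `role_attribute_path: "contains(groups[*], '@usegalaxy-eu/admingrafana') && 'GrafanaAdmin' || 'Viewer'"`. As I read the Grafana 11 auth docs, a mapping that returns `GrafanaAdmin` only grants server-admin rights when `allow_assign_grafana_admin` is enabled for the provider; that key is not in the hunk, so if it is not set elsewhere the team members end up as org Admins instead, which is worth confirming and noting in a comment either way.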
@@ -257,5 +262,3 @@ ggb_create_group: true
   bridge_token: "{{ vault_grafana_gitter_bridge_token }}"
   gitter_auth_token: "{{ vault_grafana_gitter_bridge_auth_token }}"
   gitter_room_id: "{{ vault_grafana_gitter_room_id }}"
-
-grafana_on_call_path: /data/grafana-on-call
diff --git a/requirements.yaml b/requirements.yaml
index 81083f615..254423833 100644
--- a/requirements.yaml
+++ b/requirements.yaml
@@ -8,7 +8,7 @@ collections:
     source: https://galaxy.ansible.com
     type: galaxy
   - name: community.docker
-    version: 1.9.0
+    version: 3.12.1
     source: https://galaxy.ansible.com
     type: galaxy
   - name: grafana.grafana
@@ -153,3 +153,6 @@ roles:
   - src: https://github.com/usegalaxy-eu/ansible-traefik
     name: usegalaxy_eu.traefik
     version: 2.0.0
+  - src: "git@github.com:usegalaxy-eu/ansible-fw-glxeu-generic.git"
+    name: usegalaxy_eu.fw_glxeu_generic
+    version: 1.0.0
diff --git a/templates/nginx/grafana-ssl.j2 b/templates/nginx/grafana-ssl.j2
index c709c39fa..4d4d4ea6c 100644
--- a/templates/nginx/grafana-ssl.j2
+++ b/templates/nginx/grafana-ssl.j2
@@ -47,3 +47,21 @@ server {
     }
 }
+server {
+
+    listen 443 ssl;
+    listen [::]:443 ssl;
+
+    server_name oncall.galaxyproject.eu;
+
+
+    location / {
+        proxy_set_header Host $host:$server_port;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_pass http://127.0.0.1:8080;
+        proxy_pass_request_headers on;
+    }
+}
+
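Review bot: The new role entry uses an SSH `src` (`git@github.com:usegalaxy-eu/ansible-fw-glxeu-generic.git`) while the sibling entry directly above uses `https://github.com/usegalaxy-eu/ansible-traefik`, so `ansible-galaxy install -r requirements.yaml` now needs an SSH key with GitHub access wherever it runs, CI included. Unless the repository is private, switch to `src: https://github.com/usegalaxy-eu/ansible-fw-glxeu-generic` for consistency with the rest of the file; if it is private, say so in a comment (`# private repo: install requires a deploy key`). Keeping the tag pin `version: 1.0.0` is good.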
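Review bot: The new vhost hardcodes `server_name oncall.galaxyproject.eu;` inside a Jinja template, while this same commit introduces `grafana_on_call_domain` for exactly that value (used in `certbot_domains` and in the `.env` `DOMAIN`), so the three copies can drift; use `server_name {{ grafana_on_call_domain }};`. `proxy_set_header Host $host:$server_port;` forwards `oncall.galaxyproject.eu:443`, which does not match the `DOMAIN=https://...` the application is given in `.env`; if OnCall validates or echoes the Host header, `proxy_set_header Host $host;` is the safer form, though that cannot be verified from the hunk. `proxy_pass_request_headers on;` is nginx's default and can go, as can the double blank line after `server_name`; the block also carries no `ssl_certificate` directives, which is fine only if they are inherited from the enclosing `http` context in the part of the template not shown here.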