diff --git a/hosts/ward/microvms/grafana.nix b/hosts/ward/microvms/grafana.nix
index 2e1c606..1b47a4c 100644
--- a/hosts/ward/microvms/grafana.nix
+++ b/hosts/ward/microvms/grafana.nix
@@ -23,11 +23,23 @@ in {
   };
 
   age.secrets.grafana-influxdb-token = {
-    rekeyFile = config.node.secretsDir + "/grafana-influxdb-token.age";
+    generator.script = "alnum";
+    generator.tags = ["influxdb"];
     mode = "440";
     group = "grafana";
   };
 
+  nodes.ward-influxdb.services.influxdb2.provision.ensureApiTokens = [
+    {
+      name = "grafana servers:telegraf (${config.node.name})";
+      org = "servers";
+      user = "admin";
+      readBuckets = ["telegraf"];
+      writeBuckets = ["telegraf"];
+      tokenFile = config.age.secrets.grafana-influxdb-token.path;
+    }
+  ];
+
   nodes.sentinel = {
     age.secrets.loki-basic-auth-hashes.generator.dependencies = [
       config.age.secrets.grafana-loki-basic-auth-password
diff --git a/secrets/generated/ward-grafana/grafana-influxdb-token.age b/secrets/generated/ward-grafana/grafana-influxdb-token.age
new file mode 100644
index 0000000..c606003
Binary files /dev/null and b/secrets/generated/ward-grafana/grafana-influxdb-token.age differ