diff --git a/morph/grid/local/grid.nix b/morph/grid/local/grid.nix
index bca902f20440e60e7d71162f273dd65d67317545..b10bd83a94253aa64344571a473e093114f3a9a6 100644
--- a/morph/grid/local/grid.nix
+++ b/morph/grid/local/grid.nix
@@ -55,6 +55,8 @@ let
         stateVersion = "19.09";
       })
     ];
+    # Allow anonymous access to Grafana in local development environment:
+    services.private-storage.monitoring.grafana.googleOAuthClientID = "";
   };
 
   # TBD: derive these automatically:
diff --git a/nixos/modules/monitoring/server/grafana.nix b/nixos/modules/monitoring/server/grafana.nix
index d2214803db0be2d82a8c01030ee26d208e3dee47..3385164f47013dfa9e2bb6cea28bb916355826e9 100644
--- a/nixos/modules/monitoring/server/grafana.nix
+++ b/nixos/modules/monitoring/server/grafana.nix
@@ -7,6 +7,14 @@
 
 let
   cfg = config.services.private-storage.monitoring.grafana;
+  grafanaAuth = if (cfg.googleOAuthClientID == "") then {
+                  anonymous.enable = true;
+                } else {
+                  # Google OAuth2 SSO:
+                  google.enable = true;
+                  google.clientSecretFile = cfg.googleOAuthClientID;
+                  google.clientId = cfg.googleOAuthClientSecretFile;
+                };
 
 in {
   options.services.private-storage.monitoring.grafana = {
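Review bot: The two Google settings are crossed in the `else` branch of `grafanaAuth`: `google.clientSecretFile` is given `cfg.googleOAuthClientID` and `google.clientId` is given `cfg.googleOAuthClientSecretFile`. As written, the path of the secret file would be presented as the OAuth client ID (which is sent in the clear in the authorization request), and Grafana would be told to read the client secret from a file named after the client ID, so SSO login should not work. The assignments should read `google.clientId = cfg.googleOAuthClientID;` and `google.clientSecretFile = cfg.googleOAuthClientSecretFile;`.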
@@ -27,6 +35,18 @@ in {
       default = "http://localhost:3100/";
       description = "The URL of the Loki host to access";
     };
+    googleOAuthClientID = lib.mkOption
+    { type = lib.types.str;
+      example = lib.literalExample "grafana-staging-345678";
+      default = "replace-by-your-client-id-or-set-empty-string-for-anonymous-access";
+      description = "The GSuite OAuth2 SSO Client ID.  Empty string turns SSO auth off and anonymous (free for all) access on.";
+    };
+    googleOAuthClientSecretFile = lib.mkOption
+    { type = lib.types.path;
+      example = lib.literalExample "\${privKeyPath}/grafana-gsuite-client-secret";
+      default = null;
+      description = "The path to the GSuite SSO secret file.";
+    };
   };
 
   config = {
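Review bot: `googleOAuthClientSecretFile` is declared as `lib.types.path` with `default = null`, which is not a value of that type, so a deployment that sets a client ID but forgets the secret file will most likely fail with an opaque type error instead of a clear message. Declaring it as `type = lib.types.nullOr lib.types.path;` and adding an assertion in `config` that the file is set whenever `googleOAuthClientID != ""` would make the requirement explicit. The empty-string sentinel on `googleOAuthClientID` also fails open: a blank or mis-templated value silently switches a deployment from SSO to anonymous access, so an explicit boolean option for anonymous mode would be safer than overloading the ID. The description of the secret option could also say that the value should be a string path outside the Nix store, since a path literal would be copied into the world-readable store.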
@@ -38,13 +58,13 @@ in {
       domain = cfg.domain;
       port = 2342;
       addr = "127.0.0.1";
-
-      # All three are required to forego the user/pass prompt:
-      auth.anonymous.enable = true;
-      auth.anonymous.org_role = "Admin";
-      auth.anonymous.org_name = "Main Org.";
     };
 
+    services.grafana.auth = {
+      anonymous.org_role = "Admin";
+      anonymous.org_name = "Main Org.";
+    } // grafanaAuth;
+
     services.grafana.provision = {
       enable = true;
       # See https://grafana.com/docs/grafana/latest/administration/provisioning/#datasources
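Review bot: `//` is a shallow merge, so in the anonymous case the `anonymous` attribute of `grafanaAuth` (`{ enable = true; }`) replaces the whole `anonymous` set on the left, and `org_role` and `org_name` are dropped. The removed comment says all three settings are needed to skip the login prompt, so anonymous mode probably no longer behaves as it did before this change. Either merge deeply with `services.grafana.auth = lib.recursiveUpdate { anonymous.org_role = "Admin"; anonymous.org_name = "Main Org."; } grafanaAuth;` or move the two `anonymous.*` lines into the anonymous branch of `grafanaAuth`, which also keeps an Admin anonymous role out of the SSO configuration. Because anonymous visitors are given `Admin`, a comment stating that this relies on `addr = "127.0.0.1"` and on whatever fronts that listener would help the next reader judge the exposure.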