diff --git a/compose.yml b/compose.yml
index dc8fc88..920692b 100644
--- a/compose.yml
+++ b/compose.yml
@@ -9,7 +9,6 @@ services:
     secrets:
       - grafana_admin_password
       - grafana_oauth_client_secret
-      - grafana_smtp_password
     configs:
       - source: grafana_custom_ini
         target: /etc/grafana/grafana.ini
@@ -21,7 +20,6 @@ services:
       - GF_SMTP_ENABLED
       - GF_SMTP_FROM_ADDRESS
       - GF_SMTP_SKIP_VERIFY
-      - GF_SECURITY_ALLOW_EMBEDDING
       - GF_INSTALL_PLUGINS=grafana-piechart-panel
       - GF_SERVER_ROOT_URL=https://${GRAFANA_DOMAIN}
       - GF_SECURITY_ADMIN_PASSWORD__FILE=/run/secrets/grafana_admin_password
@@ -190,9 +188,6 @@ secrets:
   grafana_oauth_client_secret:
     external: true
     name: ${STACK_NAME}_grafana_oauth_client_secret_${SECRET_GRAFANA_OAUTH_CLIENT_SECRET_VERSION}
-  grafana_smtp_password:
-    external: true
-    name: ${STACK_NAME}_grafana_smtp_password_${SECRET_GRAFANA_SMTP_PASSWORD_VERSION}
   prometheus_admin_password_hashed:
     external: true
     name: ${STACK_NAME}_prometheus_admin_password_hashed_${SECRET_PROMETHEUS_ADMIN_PASSWORD_HASHED_VERSION}
diff --git a/env b/env
index 387edd9..03f1c6a 100644
--- a/env
+++ b/env
@@ -1,48 +1,30 @@
 TYPE=monitoring
-
 STACK_NAME=gp_monitoring
-
-GRAFANA_DOMAIN=g.monitor.autonomic.zone
-PROMETHEUS_DOMAIN=p.monitor.autonomic.zone
-LOKI_DOMAIN=l.monitor.autonomic.zone
-
 LETS_ENCRYPT_ENV=production
 
-# Edit this in order to allow collection of traefik metrics
-#TRAEFIK_METRICS_ENABLED=1
-#TRAEFIK_SERVICE_NAME=traefik_app
-
-# grafana SMTP configuration (optional)
-#GF_SMTP_HOST=changeme
-#GF_SMTP_ENABLED=1
-#GF_SMTP_FROM_ADDRESS=grafana@example.com
-#GF_SMTP_SKIP_VERIFY=1
-
-# Additional grafana settings (unlikely to require editing)
-GF_SECURITY_ALLOW_EMBEDDING=1
-GF_INSTALL_PLUGINS=grafana-piechart-panel
+GRAFANA_DOMAIN=g.monitor.autonomic.zone
+GRAFANA_CUSTOM_INI_VERSION=v3
 GF_SERVER_ROOT_URL=https://${GRAFANA_DOMAIN}
+SECRET_GRAFANA_ADMIN_PASSWORD_VERSION=v1
+SECRET_GRAFANA_OAUTH_CLIENT_SECRET_VERSION=v1
 
-# Loki stores logs in object storage, fill these up with your
-# minio configuration (or any s3-compatible object store)
+PROMETHEUS_DOMAIN=p.monitor.autonomic.zone
+PROMETHEUS_YML_VERSION=v10
+PROMETHEUS_WEB_YML_VERSION=v2
+SECRET_PROMETHEUS_ADMIN_PASSWORD_VERSION=v1
+SECRET_PROMETHEUS_ADMIN_PASSWORD_HASHED_VERSION=v1
+
+LOKI_DOMAIN=l.monitor.autonomic.zone
 LOKI_AWS_ENDPOINT=https://minio.autonomic.zone
 LOKI_AWS_REGION=eu-west-1
 LOKI_ACCESS_KEY_ID=bush-debrief-approval-robust-scraggly-molecule
 LOKI_BUCKET_NAMES=loki
-
-# NOTE(d1): abra.sh env vars, while we deploy things manually
-PROMETHEUS_YML_VERSION=v10
-PROMTAIL_YML_VERSION=v1
 LOKI_YML_VERSION=v7
-NODE_EXPORTER_ENTRYPOINT_VERSION=v1
-GRAFANA_DATASOURCES_YML_VERSION=v1
-GRAFANA_DASHBOARDS_YML_VERSION=v1
-GRAFANA_SWARM_DASHBOARD_JSON_VERSION=v1
-GRAFANA_STACKS_DASHBOARD_JSON_VERSION=v1
-GRAFANA_TRAEFIK_DASHBOARD_JSON_VERSION=v1
-GRAFANA_CUSTOM_INI_VERSION=v3
-PROMETHEUS_WEB_YML_VERSION=v2
+SECRET_LOKI_AWS_SECRET_ACCESS_KEY_VERSION=v1
+SECRET_LOKI_ADMIN_PASSWORD_HASHED_VERSION=v1
+
 ALERTMANAGER_CONFIG_VERSION=v2
+
 NGINX_CONFIG_VERSION=v5
 HTPASSWD_CONFIG_VERSION=v1
 
@@ -50,20 +32,9 @@ KEYCLOAK_AUTH_URL="https://id.autonomic.zone/auth/realms/autonomic/protocol/open
 KEYCLOAK_API_URL="https://id.autonomic.zone/auth/realms/autonomic/protocol/openid-connect/userinfo"
 KEYCLOAK_TOKEN_URL="https://id.autonomic.zone/auth/realms/autonomic/protocol/openid-connect/token"
 
-SECRET_LOKI_AWS_SECRET_ACCESS_KEY_VERSION=v1
-SECRET_GRAFANA_ADMIN_PASSWORD_VERSION=v1
-SECRET_GRAFANA_OAUTH_CLIENT_SECRET_VERSION=v1
-SECRET_PROMETHEUS_ADMIN_PASSWORD_VERSION=v1
-SECRET_PROMETHEUS_ADMIN_PASSWORD_HASHED_VERSION=v1
-SECRET_ALERTMANAGER_SMTP_PASSWORD_VERSION=v1
-SECRET_LOKI_ADMIN_PASSWORD_HASHED_VERSION=v1
-SECRET_SWARM_DEMO_ADMIN_PASSWORD_VERSION=v1
-
 ALERTMANAGER_SMTP_FROM=noreply@autonomic.zone
 ALERTMANAGER_SMTP_HOST=mail.gandi.net:587
 ALERTMANAGER_SMTP_TO=kaboom@autonomic.zone
+SECRET_ALERTMANAGER_SMTP_PASSWORD_VERSION=v1
 
-GRAFANA_SMTP_HOST=mail.gandi.net:587
-GRAFANA_SMTP_USER=noreply@autonomic.zone
-GRAFANA_SMTP_FROM_ADDRESS=noreply@autonomic.zone
-SECRET_GRAFANA_SMTP_PASSWORD_VERSION=v1
+SECRET_SWARM_DEMO_ADMIN_PASSWORD_VERSION=v1
diff --git a/grafana_custom.ini b/grafana_custom.ini
index 234b33a..cd1c546 100644
--- a/grafana_custom.ini
+++ b/grafana_custom.ini
@@ -28,11 +28,3 @@ enabled = false
 
 [plugins]
 enable_alpha = true
-
-[smtp]
-enabled = true
-host = {{ env "GRAFANA_SMTP_HOST" }}
-user = {{ env "GRAFANA_SMTP_USER" }}
-password = {{ secret "grafana_smtp_password" }}
-from_address = {{ env "GRAFANA_FROM_ADDRESS" }}
-startTLS_policy = MandatoryStartTLS