diff --git a/components/authentik_media_tenant_files_miration.patch b/components/authentik_media_tenant_files_miration.patch
index cc7a616..4cc997f 100644
--- a/components/authentik_media_tenant_files_miration.patch
+++ b/components/authentik_media_tenant_files_miration.patch
@@ -9,7 +9,7 @@ index 40795d460..7ac1efb34 100644
 +from authentik.lib.config import CONFIG
  
 -MEDIA_ROOT = Path(__file__).parent.parent.parent / "media"
-+MEDIA_ROOT = Path(CONFIG.get("paths.media"))
++MEDIA_ROOT = Path(CONFIG.get("storage.media.file.path"))
  TENANT_MEDIA_ROOT = MEDIA_ROOT / "public"
  
  
diff --git a/module.nix b/module.nix
index e2994ce..8a0fc7f 100644
--- a/module.nix
+++ b/module.nix
@@ -29,6 +29,7 @@ let
 
   inherit (lib.strings)
     concatStringsSep
+    optionalString
     versionOlder;
 
   inherit (lib.trivial)
@@ -177,7 +178,12 @@ in
             host = mkDefault "";
           };
           cert_discovery_dir = mkIf (cfg.nginx.enable && cfg.nginx.enableACME) "env://CREDENTIALS_DIRECTORY";
-          paths.media = mkDefault "/var/lib/authentik/media";
+          storage.media = {
+            backend = mkDefault "file";
+            file = mkDefault {
+              path = "/var/lib/authentik/media";
+            };
+          };
           media.enable_upload = mkDefault true;
         };
         redis.servers.authentik = {
@@ -258,7 +264,9 @@ in
           restartTriggers = [ config.environment.etc."authentik/config.yml".source ];
           preStart = ''
             ln -svf ${cfg.authentikComponents.staticWorkdirDeps}/* /var/lib/authentik/
-            mkdir -p ${cfg.settings.paths.media}
+            ${optionalString (cfg.settings.storage.media.backend == "file") ''
+              mkdir -p ${cfg.settings.storage.media.file.path}
+            ''}
           '';
           environment.TZ = tz;
           serviceConfig = mkMerge [ serviceDefaults {