diff --git a/TODO.md b/TODO.md index 1de6454..63ed648 100644 --- a/TODO.md +++ b/TODO.md @@ -1,5 +1,3 @@ # TODOs -* provide separate packages / modules for outposts -* configure github checks * add some more subtests to VM test diff --git a/components/0002-admin-file-dir-doesn-t-have-to-be-a-mountpoint.patch b/components/0002-admin-file-dir-doesn-t-have-to-be-a-mountpoint.patch new file mode 100644 index 0000000..b08bb3c --- /dev/null +++ b/components/0002-admin-file-dir-doesn-t-have-to-be-a-mountpoint.patch @@ -0,0 +1,24 @@ +From 2f51711b64204d090ad8cd6b2ef19fd11a1a6469 Mon Sep 17 00:00:00 2001 +From: Maximilian Bosch +Date: Fri, 16 Jan 2026 21:50:11 +0100 +Subject: [PATCH 2/2] admin: file dir doesn't have to be a mountpoint + +--- + authentik/admin/files/backends/file.py | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/authentik/admin/files/backends/file.py b/authentik/admin/files/backends/file.py +index 7858ed5e9b..8a6d55ce64 100644 +--- a/authentik/admin/files/backends/file.py ++++ b/authentik/admin/files/backends/file.py +@@ -47,7 +47,6 @@ class FileBackend(ManageableBackend): + def manageable(self) -> bool: + return ( + self.base_path.exists() +- and (self._base_dir.is_mount() or (self._base_dir / self.usage.value).is_mount()) + or (settings.DEBUG or settings.TEST) + ) + +-- +2.51.2 + diff --git a/components/authentik_media_tenant_files_migration.patch b/components/authentik_media_tenant_files_migration.patch deleted file mode 100644 index 4cc997f..0000000 --- a/components/authentik_media_tenant_files_migration.patch +++ /dev/null 
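Review bot: In the vendored `file.py` hunk, dropping the `is_mount()` clause leaves `manageable` as `self.base_path.exists() or (settings.DEBUG or settings.TEST)`, so any existing directory now counts as a usable upload target and the upstream check (presumably there to avoid writing to non-persistent storage) no longer applies. That can be fine for a service with a persistent state directory, but the patch has an empty body, and its header says `[PATCH 2/2]` while only this patch is added here; the first may live in the fork, which this diff does not show. I would add a body line under `Subject:`, e.g. `The NixOS module keeps files in a persistent state directory, so the container-oriented mountpoint check is not needed.`, so the reason survives the next rebase. The `manageable` method starts outside the hunk.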
@@ -1,15 +0,0 @@ -diff --git a/lifecycle/system_migrations/tenant_files.py b/lifecycle/system_migrations/tenant_files.py -index 40795d460..7ac1efb34 100644 ---- a/lifecycle/system_migrations/tenant_files.py -+++ b/lifecycle/system_migrations/tenant_files.py -@@ -2,8 +2,9 @@ - from pathlib import Path - - from lifecycle.migrate import BaseMigration -+from authentik.lib.config import CONFIG - --MEDIA_ROOT = Path(__file__).parent.parent.parent / "media" -+MEDIA_ROOT = Path(CONFIG.get("storage.media.file.path")) - TENANT_MEDIA_ROOT = MEDIA_ROOT / "public" - - diff --git a/components/authentik_media_upload.patch b/components/authentik_media_upload.patch deleted file mode 100644 index 74558c1..0000000 --- a/components/authentik_media_upload.patch +++ /dev/null @@ -1,11 +0,0 @@ -diff --git a/authentik/api/v3/config.py b/authentik/api/v3/config.py ---- a/authentik/api/v3/config.py -+++ b/authentik/api/v3/config.py -@@ -71,6 +71,7 @@ class ConfigView(APIView): - if ( - CONFIG.get("storage.media.backend", "file") == "s3" - or Path(settings.STORAGES["default"]["OPTIONS"]["location"]).is_mount() -+ or CONFIG.get_bool("media.enable_upload") - or deb_test - ): - caps.append(Capabilities.CAN_SAVE_MEDIA) diff --git a/components/docs-extra-package-locks/js-fetch-npm-shrinkwrap.json b/components/docs-extra-package-locks/js-fetch-npm-shrinkwrap.json index 25b7bf9..cf9011a 100644 --- a/components/docs-extra-package-locks/js-fetch-npm-shrinkwrap.json +++ b/components/docs-extra-package-locks/js-fetch-npm-shrinkwrap.json 
@@ -4,57 +4,58 @@ "lockfileVersion": 1, "requires": true, "dependencies": { - "asynckit": { - "version": "0.4.0", - "resolved": "https://registry.npmjs.org/asynckit/-/asynckit-0.4.0.tgz", - "integrity": "sha1-x57Zf380y48robyXkLzDZkdLS3k=", + "data-uri-to-buffer": { + "version": "4.0.1", + "resolved": "https://registry.npmjs.org/data-uri-to-buffer/-/data-uri-to-buffer-4.0.1.tgz", + "integrity": "sha512-0R9ikRb668HB7QDxT1vkpuUBtqc53YyAwMwGeUFKRojY/NWKvdZ+9UYtRfGmhqNbRkTSVpMbmyhXipFFv2cb/A==", "dev": true }, - "combined-stream": { - "version": "1.0.8", - "resolved": "https://registry.npmjs.org/combined-stream/-/combined-stream-1.0.8.tgz", - "integrity": "sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==", + "fetch-blob": { + "version": "3.2.0", + "resolved": "https://registry.npmjs.org/fetch-blob/-/fetch-blob-3.2.0.tgz", + "integrity": "sha512-7yAQpD2UMJzLi1Dqv7qFYnPbaPx7ZfFK6PiIxQ4PfkGPyNyl2Ugx+a/umUonmKqjhM4DnfbMvdX6otXq83soQQ==", "dev": true, "requires": { - "delayed-stream": "~1.0.0" + "node-domexception": "^1.0.0", + "web-streams-polyfill": "^3.0.3" } }, - "delayed-stream": { + "formdata-node": { + "version": "6.0.3", + "resolved": "https://registry.npmjs.org/formdata-node/-/formdata-node-6.0.3.tgz", + "integrity": "sha512-8e1++BCiTzUno9v5IZ2J6bv4RU+3UKDmqWUQD0MIMVCd9AdhWkO1gw57oo1mNEX1dMq2EGI+FbWz4B92pscSQg==", + "dev": true + }, + "formdata-polyfill": { + "version": "4.0.10", + "resolved": "https://registry.npmjs.org/formdata-polyfill/-/formdata-polyfill-4.0.10.tgz", + "integrity": "sha512-buewHzMvYL29jdeQTVILecSaZKnt/RJWjoZCF5OW60Z67/GmSLBkOFM7qh1PI3zFNtJbaZL5eQu1vLfazOwj4g==", + "dev": true, + "requires": { + "fetch-blob": "^3.1.2" + } + }, + "node-domexception": { "version": "1.0.0", - "resolved": "https://registry.npmjs.org/delayed-stream/-/delayed-stream-1.0.0.tgz", - "integrity": "sha1-3zrhmayt+31ECqrgsp4icrJOxhk=", + "resolved": "https://registry.npmjs.org/node-domexception/-/node-domexception-1.0.0.tgz", + 
"integrity": "sha512-/jKZoMpw0F8GRwl4/eLROPA3cfcXtLApP0QzLmUT/HuPCZWyB7IY9ZrMeKw2O/nFIqPQB3PVM9aYm0F312AXDQ==", "dev": true }, - "form-data": { - "version": "2.5.1", - "resolved": "https://registry.npmjs.org/form-data/-/form-data-2.5.1.tgz", - "integrity": "sha512-m21N3WOmEEURgk6B9GLOE4RuWOFf28Lhh9qGYeNlGq4VDXUlJy2th2slBNU8Gp8EzloYZOibZJ7t5ecIrFSjVA==", - "dev": true, - "requires": { - "asynckit": "^0.4.0", - "combined-stream": "^1.0.6", - "mime-types": "^2.1.12" - } - }, - "mime-db": { - "version": "1.44.0", - "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.44.0.tgz", - "integrity": "sha512-/NOTfLrsPBVeH7YtFPgsVWveuL+4SjjYxaQ1xtM1KMFj7HdxlBlxeyNLzhyJVx7r4rZGJAZ/6lkKCitSc/Nmpg==", - "dev": true - }, - "mime-types": { - "version": "2.1.27", - "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-2.1.27.tgz", - "integrity": "sha512-JIhqnCasI9yD+SsmkquHBxTSEuZdQX5BuQnS2Vc7puQQQ+8yiP5AY5uWhpdv4YL4VM5c6iliiYWPgJ/nJQLp7w==", - "dev": true, - "requires": { - "mime-db": "1.44.0" - } - }, "node-fetch": { - "version": "2.6.7", - "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.7.tgz", - "integrity": "sha512-ZjMPFEfVx5j+y2yF35Kzx5sF7kDzxuDj6ziH4FFbOp87zKDZNx8yExJIb05OGF4Nlt9IHFIMBkRl41VdvcNdbQ==", + "version": "3.3.2", + "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-3.3.2.tgz", + "integrity": "sha512-dRB78srN/l6gqWulah9SrxeYnxeddIG30+GOqK/9OlLVyLg3HPnr6SqOWTWOXKRwC2eGYCkZ59NNuSgvSrpgOA==", + "dev": true, + "requires": { + "data-uri-to-buffer": "^4.0.0", + "fetch-blob": "^3.1.4", + "formdata-polyfill": "^4.0.10" + } + }, + "node-fetch2": { + "version": "npm:node-fetch@2.7.0", + "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-2.7.0.tgz", + "integrity": "sha512-c4FRfUm/dbcWZ7U+1Wq0AwCyFL+3nt2bEw05wfxSz+DWpWsitgmSgYmy2dQdWyKC1694ELPqMs/YzUSNozLt8A==", "dev": true, "requires": { "whatwg-url": "^5.0.0" 
@@ -66,6 +67,12 @@ "integrity": "sha512-N3WMsuqV66lT30CrXNbEjx4GEwlow3v6rr4mCcv6prnfwhS01rkgyFdjPNBYd9br7LpXV1+Emh01fHnq2Gdgrw==", "dev": true }, + "web-streams-polyfill": { + "version": "3.3.3", + "resolved": "https://registry.npmjs.org/web-streams-polyfill/-/web-streams-polyfill-3.3.3.tgz", + "integrity": "sha512-d2JWLCivmZYTSIoge9MsgFCZrt571BikcWGYkjC1khllbTeDlGqZ2D8vD8E/lJa8WGWbb7Plm8/XJYV7IJHZZw==", + "dev": true + }, "webidl-conversions": { "version": "3.0.1", "resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-3.0.1.tgz", diff --git a/components/docs-extra-package-locks/nodejs-native-npm-shrinkwrap.json b/components/docs-extra-package-locks/nodejs-native-npm-shrinkwrap.json index 1bb10ce..ca70e49 100644 --- a/components/docs-extra-package-locks/nodejs-native-npm-shrinkwrap.json +++ b/components/docs-extra-package-locks/nodejs-native-npm-shrinkwrap.json 
@@ -48,23 +48,15 @@ "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz", "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==" }, - "lru-cache": { - "version": "6.0.0", - "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-6.0.0.tgz", - "integrity": "sha512-Jo6dJ04CmSjuznwJSS3pUeWmd/H0ffTlkXXgwZi+eq1UCmqQwCh+eLsYOYCwY991i2Fah4h1BEMCx4qThGbsiA==", - "requires": { - "yallist": "^4.0.0" - } - }, "mime-db": { "version": "1.52.0", "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.52.0.tgz", "integrity": "sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg==" }, "mime-format": { - "version": "2.0.1", - "resolved": "https://registry.npmjs.org/mime-format/-/mime-format-2.0.1.tgz", - "integrity": "sha512-XxU3ngPbEnrYnNbIX+lYSaYg0M01v6p2ntd2YaFksTu0vayaw5OJvbdRyWs07EYRlLED5qadUZ+xo+XhOvFhwg==", + "version": "2.0.2", + "resolved": "https://registry.npmjs.org/mime-format/-/mime-format-2.0.2.tgz", + "integrity": "sha512-Y5ERWVcyh3sby9Fx2U5F1yatiTFjNsqF5NltihTWI9QgNtr5o3dbCZdcKa1l2wyfhnwwoP9HGNxga7LqZLA6gw==", "requires": { "charset": "^1.0.0" } @@ -78,9 +70,9 @@ } }, "postman-collection": { - "version": "4.4.0", - "resolved": "https://registry.npmjs.org/postman-collection/-/postman-collection-4.4.0.tgz", - "integrity": "sha512-2BGDFcUwlK08CqZFUlIC8kwRJueVzPjZnnokWPtJCd9f2J06HBQpGL7t2P1Ud1NEsK9NHq9wdipUhWLOPj5s/Q==", + "version": "5.0.0", + "resolved": "https://registry.npmjs.org/postman-collection/-/postman-collection-5.0.0.tgz", + "integrity": "sha512-1LK795Atv/ZX3jK1MCTx9KCBz0rAiIJJhTLqnJ4AsXLiLSqJuAH1w5jI1CQzHVLpPFg6E8Rl4tQIhF0eBgKNQQ==", "requires": { "@faker-js/faker": "5.5.3", "file-type": "3.9.0", 
@@ -88,19 +80,19 @@ "iconv-lite": "0.6.3", "liquid-json": "0.3.1", "lodash": "4.17.21", - "mime-format": "2.0.1", + "mime-format": "2.0.2", "mime-types": "2.1.35", - "postman-url-encoder": "3.0.5", - "semver": "7.5.4", + "postman-url-encoder": "3.0.6", + "semver": "7.7.1", "uuid": "8.3.2" } }, "postman-url-encoder": { - "version": "3.0.5", - "resolved": "https://registry.npmjs.org/postman-url-encoder/-/postman-url-encoder-3.0.5.tgz", - "integrity": "sha512-jOrdVvzUXBC7C+9gkIkpDJ3HIxOHTIqjpQ4C1EMt1ZGeMvSEpbFCKq23DEfgsj46vMnDgyQf+1ZLp2Wm+bKSsA==", + "version": "3.0.6", + "resolved": "https://registry.npmjs.org/postman-url-encoder/-/postman-url-encoder-3.0.6.tgz", + "integrity": "sha512-uOlnZW+4Cmpbfbuq02hdj1hSpcIFmQxlAwsO6dflwUIVpt9+1duYVxXv3ikf+wHrAO8Wy98uVKnnuR8R0Qpdng==", "requires": { - "punycode": "^2.1.1" + "punycode": "^2.3.1" } }, "punycode": { @@ -114,22 +106,14 @@ "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==" }, "semver": { - "version": "7.5.4", - "resolved": "https://registry.npmjs.org/semver/-/semver-7.5.4.tgz", - "integrity": "sha512-1bCSESV6Pv+i21Hvpxp3Dx+pSD8lIPt8uVjRrxAUt/nbswYc+tK6Y2btiULjd4+fnq15PX+nqQDC7Oft7WkwcA==", - "requires": { - "lru-cache": "^6.0.0" - } + "version": "7.7.1", + "resolved": "https://registry.npmjs.org/semver/-/semver-7.7.1.tgz", + "integrity": "sha512-hlq8tAfn0m/61p4BVRcPzIGr6LKiMwo4VM6dGi6pt4qcRkmNzTcWq6eCEjEh+qXjkMDvPlOFFSGwQjoEa6gyMA==" }, "uuid": { "version": "8.3.2", "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz", "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==" - }, - "yallist": { - "version": "4.0.0", - "resolved": "https://registry.npmjs.org/yallist/-/yallist-4.0.0.tgz", - "integrity": "sha512-3wdGidZyq5PB084XLES5TpOSRA3wjXAlIWMhum2kRcv/41Sn2emQ0dycQW4uZXLejwKvg6EsvbdlVL+FYEct7A==" } } } 
diff --git a/components/docs-extra-package-locks/postman-cli-npm-shrinkwrap.json b/components/docs-extra-package-locks/postman-cli-npm-shrinkwrap.json new file mode 100644 index 0000000..d8e84ce --- /dev/null +++ b/components/docs-extra-package-locks/postman-cli-npm-shrinkwrap.json @@ -0,0 +1,5 @@ +{ + "name": "@postman/codegen-postman-cli", + "version": "0.0.1", + "lockfileVersion": 1 +} diff --git a/components/docs.nix b/components/docs.nix index 196e076..4bafe12 100644 --- a/components/docs.nix +++ b/components/docs.nix @@ -64,7 +64,7 @@ buildNapalmPackage "${authentik-src}/website" { # $ cd postman-code-generators # $ git checkout v[version-from-lockfile] # $ cd codegens/ - # $ for f in **/npm-shrinkfile.json; do cp "$f" "[this projects root]/comonents/docs-extra-package-locks/${f//\//-}" + # $ for f in **/npm-shrinkwrap.json; do cp "$f" "[this projects root]/components/docs-extra-package-locks/${f//\//-}"; done # # diff --git a/components/gopkgs.nix b/components/gopkgs.nix index 2bc894d..50ab417 100644 --- a/components/gopkgs.nix +++ b/components/gopkgs.nix @@ -2,19 +2,21 @@ authentik-src, authentik-version, authentikComponents, - buildGo124Module, + buildGo125Module, lib, makeWrapper, guacamole-server, stdenv, + patches, }: let guacamoleAvailable = lib.meta.availableOn stdenv.hostPlatform guacamole-server; in -buildGo124Module { +buildGo125Module { pname = "authentik-gopkgs"; version = authentik-version; + inherit patches; prePatch = '' sed -i"" -e 's,./web/dist/,${authentikComponents.frontend}/dist/,' web/static.go sed -i"" -e 's,./web/dist/,${authentikComponents.frontend}/dist/,' internal/web/static.go @@ -61,7 +63,7 @@ buildGo124Module { ] ++ lib.optionals guacamoleAvailable [ "cmd/rac" ]; - vendorHash = "sha256-m2shrCwoVdbtr8B83ZcAyG+J6dEys2xdjtlfFFF4CDo="; + vendorHash = "sha256-u/kAqDCeWHPaw/0+lQ9U6/pHSgdANOeflQLVgUV64Vs="; nativeBuildInputs = [ makeWrapper ]; doCheck = false; postInstall = '' 
diff --git a/components/staticWorkdirDeps.nix b/components/staticWorkdirDeps.nix index 2b85f96..41e6427 100644 --- a/components/staticWorkdirDeps.nix +++ b/components/staticWorkdirDeps.nix @@ -3,15 +3,13 @@ authentikComponents, linkFarm, applyPatches, + patches, }: let patched-src = applyPatches { src = authentik-src; name = "patched-authentik-source"; - patches = [ - ./authentik_media_upload.patch - ./authentik_media_tenant_files_migration.patch - ]; + inherit patches; }; in linkFarm "authentik-static-workdir-deps" [ diff --git a/flake.lock b/flake.lock index 11a8b63..1a7ad88 100644 --- a/flake.lock +++ b/flake.lock @@ -3,16 +3,16 @@ "authentik-src": { "flake": false, "locked": { - "lastModified": 1765907481, - "narHash": "sha256-d0pPNE2T30COdFse0T15Mx8XW4BGg8hgPQvmW2dAV9s=", - "owner": "goauthentik", + "lastModified": 1768596569, + "narHash": "sha256-HDTbQB/sMhYh2b95dQwzF8OgrwLWdl4hVmx6wtDcgE8=", + "owner": "ma27", "repo": "authentik", - "rev": "0d617e4ad1eb9e4540ba5381e6ce06e971affc63", + "rev": "72ad5fe320f2201fc2a37372d4c9cb46377a58e5", "type": "github" }, "original": { - "owner": "goauthentik", - "ref": "version/2025.10.3", + "owner": "ma27", + "ref": "2025.12.1-dependency-fix", "repo": "authentik", "type": "github" } @@ -97,11 +97,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1765779637, - "narHash": "sha256-KJ2wa/BLSrTqDjbfyNx70ov/HdgNBCBBSQP3BIzKnv4=", + "lastModified": 1768305791, + "narHash": "sha256-AIdl6WAn9aymeaH/NvBj0H9qM+XuAuYbGMZaP0zcXAQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "1306659b587dc277866c7b69eb97e5f07864d8c4", + "rev": "1412caf7bf9e660f2f962917c14b1ea1c3bc695e", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 2773218..7a991c3 100644 --- a/flake.nix +++ b/flake.nix 
@@ -42,7 +42,8 @@ }; authentik-src = { # change version string in outputs as well when updating - url = "github:goauthentik/authentik/version/2025.10.3"; + #url = "github:goauthentik/authentik/version/2025.12.1"; + url = "github:ma27/authentik/2025.12.1-dependency-fix"; flake = false; }; }; @@ -67,7 +68,7 @@ ... }: let - authentik-version = "2025.10.3"; # to pass to the drvs of some components + authentik-version = "2025.12.1"; # to pass to the drvs of some components in { systems = import inputs.systems; @@ -129,6 +130,10 @@ # for uv2nix pythonOverlay = final.callPackage ./components/python-overrides.nix { }; + patches = [ + ./components/0002-admin-file-dir-doesn-t-have-to-be-a-mountpoint.patch + ]; + inherit authentik-src authentik-version @@ -164,15 +169,15 @@ terraform-provider-authentik = inputs.nixpkgs.legacyPackages.${system}.buildGoModule rec { pname = "terraform-provider-authentik"; - version = "2025.10.0"; + version = "2025.12.0"; src = pkgs.fetchFromGitHub { owner = "goauthentik"; repo = pname; rev = "v${version}"; - sha256 = "sha256-w5XBAeUKGui4pnDikIWuN/dWLDqKXVsQ5glZX1o1934="; + sha256 = "sha256-1a8HaOqTckkbbHLM58L+LY1eCp8+sVkuOmAw7xljpTU="; }; doCheck = false; # tests are run against authentik -> vm test - vendorHash = "sha256-jy+SBlbXnr+k03fJM8eA0DLN8LFqGIBrYIq9fPmqSaw="; + vendorHash = "sha256-LvXWlmCBXnHElZyTKpKPwfXgT53HpR+Bc5XjkB7bM/A="; postInstall = '' path="$out/libexec/terraform-providers/registry.terraform.io/goauthentik/authentik/${version}/''${GOOS}_''${GOARCH}/" mkdir -p "$path" diff --git a/module.nix b/module.nix index 25e0391..e02a2b2 100644 --- a/module.nix +++ b/module.nix @@ -323,10 +323,9 @@ in storage.media = { backend = mkDefault "file"; file = mkDefault { - path = "/var/lib/authentik/media"; + path = "/var/lib/authentik"; }; }; - media.enable_upload = mkDefault true; }; postgresql = mkIf cfg.createDatabase { enable = true; 
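Review bot: The `authentik-src` input in this hunk now follows a branch on a personal fork (`github:ma27/authentik/2025.12.1-dependency-fix`) instead of an upstream release tag, and for an identity provider that change of trust needs more explanation than a commented-out URL. `flake.lock` pins the rev and narHash, so the current build is fixed, but a later `nix flake update` will take whatever the branch points to at that time. I would state above `url` what the fork changes and when to go back, e.g. `# TODO: return to goauthentik/authentik once the dependency fix is released; diff the fork against version/2025.12.1 before every lock update`. Alternatively, put the reviewed commit in the URL itself (`github:ma27/authentik/72ad5fe320f2201fc2a37372d4c9cb46377a58e5`) so an update cannot move it silently.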
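Review bot: Setting `storage.media.file.path` to `/var/lib/authentik` in the `module.nix` hunk makes the upload root the same directory into which `preStart` symlinks `staticWorkdirDeps/*`, so uploaded files and linked application files share one namespace. The vendored patch suggests the backend works in a per-usage subdirectory (`self._base_dir / self.usage.value`), which would keep them apart, but that is not visible here and should be confirmed. The same `manageable` check requires `base_path.exists()`, while the `mkdir -p` for the media path is removed from `preStart` in the following hunk, so on a fresh install uploads may be reported as unavailable unless something else creates the directory. I would add `# authentik appends a per-usage subdirectory to this path; confirm the names against the file backend` above `path` and keep a directory-creation step for the file backend. The enclosing `settings` block starts outside the hunk.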
@@ -428,9 +427,6 @@ in restartTriggers = [ config.environment.etc."authentik/config.yml".source ]; preStart = '' ln -svf ${cfg.authentikComponents.staticWorkdirDeps}/* /var/lib/authentik/ - ${optionalString (cfg.settings.storage.media.backend == "file") '' - mkdir -p ${cfg.settings.storage.media.file.path} - ''} ''; environment = mkMerge [ environment