diff --git a/components/authentik_media_upload.patch b/components/authentik_media_upload.patch
new file mode 100644
index 0000000..0a2aab4
--- /dev/null
+++ b/components/authentik_media_upload.patch
@@ -0,0 +1,12 @@
+diff --git a/authentik/api/v3/config.py b/authentik/api/v3/config.py
+--- a/authentik/api/v3/config.py
++++ b/authentik/api/v3/config.py
+@@ -66,7 +66,7 @@ class ConfigView(APIView):
+         """Get all capabilities this server instance supports"""
+         caps = []
+         deb_test = settings.DEBUG or settings.TEST
+-        if Path(settings.MEDIA_ROOT).is_mount() or deb_test:
++        if Path(settings.MEDIA_ROOT).is_mount() or CONFIG.get_bool("media.enable_upload") or deb_test:
+             caps.append(Capabilities.CAN_SAVE_MEDIA)
+         if GEOIP_READER.enabled:
+             caps.append(Capabilities.CAN_GEO_IP)
diff --git a/components/staticWorkdirDeps.nix b/components/staticWorkdirDeps.nix
index 6fd890a..e5d6122 100644
--- a/components/staticWorkdirDeps.nix
+++ b/components/staticWorkdirDeps.nix
@@ -1,10 +1,17 @@
 { authentik-src
 , authentikComponents
 , linkFarm
+, applyPatches
 }:
-
+let
+  patched-src = applyPatches { 
+    src = authentik-src;
+    name = "patched-authentik-source";
+    patches = [ ./authentik_media_upload.patch ];
+  };
+in
 linkFarm "authentik-static-workdir-deps" [
-  { name = "authentik"; path = "${authentik-src}/authentik"; }
+  { name = "authentik"; path = "${patched-src}/authentik"; }
   { name = "locale"; path = "${authentik-src}/locale"; }
   { name = "blueprints"; path = "${authentik-src}/blueprints"; }
   { name = "internal"; path = "${authentik-src}/internal"; }
diff --git a/module.nix b/module.nix
index 2c35ad6..bc3ef58 100644
--- a/module.nix
+++ b/module.nix
@@ -114,6 +114,8 @@ in
             host = mkDefault "";
           };
           cert_discovery_dir = mkIf (cfg.nginx.enable && cfg.nginx.enableACME) "env://CREDENTIALS_DIRECTORY";
+          paths.media = mkDefault "/var/lib/authentik/media";
+          media.enable_upload = mkDefault true;
         };
         redis.servers.authentik = {
           enable = true;
@@ -181,6 +183,7 @@ in
           restartTriggers = [ config.environment.etc."authentik/config.yml".source ];
           preStart = ''
             ln -svf ${cfg.authentikComponents.staticWorkdirDeps}/* /var/lib/authentik/
+            mkdir -p ${cfg.settings.paths.media}
           '';
           serviceConfig = {
             Environment = [