diff --git a/secrets/authentik.toml.age b/secrets/authentik.toml.age
index d3c91cc..e3b6a25 100644
Binary files a/secrets/authentik.toml.age and b/secrets/authentik.toml.age differ
diff --git a/services/authentik.nix b/services/authentik.nix
index b6caf43..0349b87 100644
--- a/services/authentik.nix
+++ b/services/authentik.nix
@@ -75,6 +75,15 @@ in {
 };
 users.groups."${user}" = { };
+ services.crowdsec = {
+ localConfig.acquisitions = [{
+ source = "journalctl";
+ journalctl_filter = [ "_SYSTEMD_USER_UNIT=${user}.service" ];
+ labels.type = "authentik";
+ }];
+ hub.collections = [ "firix/authentik" ];
+ };
+
 home-manager.users."${user}" = { config, osConfig, ... }: {
 imports = [ home-manager-quadlet-nix ];
@@ -138,11 +147,18 @@ in {
 AUTHENTIK_POSTGRESQL__HOST = "authentik-db";
 AUTHENTIK_POSTGRESQL__NAME = "${user}";
 AUTHENTIK_POSTGRESQL__USER = "${user}";
+ AUTHENTIK_STORAGE__BACKEND = "s3";
 };
 exec = "worker";
 secrets = [
 "AUTHENTIK_POSTGRESQL__PASSWORD,type=env"
 "AUTHENTIK_SECRET_KEY,type=env"
+ "AUTHENTIK_STORAGE__S3__ACCESS_KEY,type=env"
+ "AUTHENTIK_STORAGE__S3__SECRET_KEY,type=env"
+ "AUTHENTIK_STORAGE__S3__BUCKET_NAME,type=env"
+ "AUTHENTIK_STORAGE__S3__REGION,type=env"
+ "AUTHENTIK_STORAGE__S3__ENDPOINT,type=env"
+ "AUTHENTIK_STORAGE__S3__CUSTOM_DOMAIN,type=env"
 ];
 volumes = [
 # Remount media folder into new location based on
@@ -169,6 +185,7 @@ in {
 AUTHENTIK_POSTGRESQL__HOST = "authentik-db";
 AUTHENTIK_POSTGRESQL__NAME = "${user}";
 AUTHENTIK_POSTGRESQL__USER = "${user}";
+ AUTHENTIK_STORAGE__BACKEND = "s3";
 };
 exec = "server";
 secrets = [
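Review bot: The journald acquisition in the first hunk filters on `_SYSTEMD_USER_UNIT=${user}.service`, but the later hunks show two quadlet containers (`exec = "worker"` and `exec = "server"`) under home-manager, and quadlet-generated user units are usually named after the container rather than after the user, so this filter may match nothing and crowdsec would silently ingest zero lines. It is worth confirming the actual unit names with `journalctl --user-unit` on the host and checking `cscli metrics` for a non-zero line count on the `authentik` acquisition before relying on the detection. `hub.collections = [ "firix/authentik" ]` pulls third-party parsers and scenarios from the hub, so a comment noting what the collection detects and that it was reviewed would help the next maintainer, e.g. `# firix/authentik: hub collection parsing authentik auth-failure events; labels.type must match its parser`. The surrounding module continues outside this hunk.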
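Review bot: `AUTHENTIK_STORAGE__S3__ACCESS_KEY` and `AUTHENTIK_STORAGE__S3__SECRET_KEY` are injected with `type=env` in the worker secrets list here and again in the server container in the fourth hunk, which puts long-lived object-store credentials into the container's process environment where they are readable from `/proc/<pid>/environ` by the container user and inherited by every child process; podman's `type=mount` form delivers the secret as a file instead, and authentik can read a setting from a file by giving the variable a `file://` path value, which would keep the key material out of the environment (confirm this against the deployed authentik version). Only the two keys are actually secret; `BUCKET_NAME`, `REGION`, `ENDPOINT` and `CUSTOM_DOMAIN` are plain configuration that is now hidden inside the age-encrypted `secrets/authentik.toml.age` blob touched by this commit, so moving them next to `AUTHENTIK_STORAGE__BACKEND = "s3"` as ordinary environment entries would make the storage configuration reviewable in git. If I recall authentik's config tree, the media S3 settings live under `AUTHENTIK_STORAGE__MEDIA__BACKEND` and `AUTHENTIK_STORAGE__MEDIA__S3__...`; if the unprefixed names used here are not recognised by the running version, the setting is ignored and media stays on the local file backend, so a quick check of the worker startup log or the storage settings page is warranted. The same additions are repeated in the third and fourth hunks for the server container, and the enclosing container definitions start and end outside these hunks.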
@@ -180,6 +197,12 @@ in {
 "AUTHENTIK_EMAIL__PASSWORD,type=env"
 "AUTHENTIK_EMAIL__USE_SSL,type=env"
 "AUTHENTIK_EMAIL__FROM,type=env"
+ "AUTHENTIK_STORAGE__S3__ACCESS_KEY,type=env"
+ "AUTHENTIK_STORAGE__S3__SECRET_KEY,type=env"
+ "AUTHENTIK_STORAGE__S3__BUCKET_NAME,type=env"
+ "AUTHENTIK_STORAGE__S3__REGION,type=env"
+ "AUTHENTIK_STORAGE__S3__ENDPOINT,type=env"
+ "AUTHENTIK_STORAGE__S3__CUSTOM_DOMAIN,type=env"
 ];
 # Change from Traefik: publish ports to localhost only via 127.0.0.1