diff --git a/sys/srv/authelia.nix b/sys/srv/authelia.nix
index 914ff47..a4e5455 100644
--- a/sys/srv/authelia.nix
+++ b/sys/srv/authelia.nix
@@ -4,7 +4,36 @@
   ...
 }:
 with lib; {
-  systemd.services.authelia.serviceConfig.LoadCredential = ["storageEncryptionKeyFile.txt:/var/trust/authelia/storageEncryptionKeyFile.csv" "jwtSecretFile.txt:/var/trust/authelia/jwtSecretFile.csv"];
+  #TODO: no poner authelia-main en todo lado, usar config (o let o no sé)
+  systemd.services.authelia-main = {
+    preStart = ''
+      mkdir -p /var/trust/authelia-main/
+      chown authelia-main:authelia-main /var/trust/authelia-main/
+      chmod 700 /var/trust/authelia-main/
+    
+      [ -f /var/trust/authelia-main/jwt-secret ] || {
+        "${pkgs.openssl}/bin/openssl" rand -base64 32 > /var/trust/authelia-main/jwt-secret
+        chown authelia-main:authelia-main /var/trust/authelia-main/jwt-secret
+        chmod 600 /var/trust/authelia-main/jwt-secret
+      }
+      [ -f /var/trust/authelia-main/storage-encryption-file ] || {
+        "${pkgs.openssl}/bin/openssl" rand -base64 32 > /var/trust/authelia-main/storage-encryption-file
+        chown authelia-main:authelia-main /var/trust/authelia-main/storage-encryption-file
+        chmod 600 /var/trust/authelia-main/storage-encryption-file
+      }
+      [ -f /var/trust/authelia-main/session-secret-file ] || {
+        "${pkgs.openssl}/bin/openssl" rand -base64 32 > /var/trust/authelia-main/session-secret-file
+        chown authelia-main:authelia-main /var/trust/authelia-main/session-secret-file
+        chmod 600 /var/trust/authelia-main/session-secret-file
+      }
+    '';
+
+    serviceConfig.LoadCredential = [
+      "jwt-secret:/var/trust/authelia-main/jwt-secret"
+      "storage-encryption-file:/var/trust/authelia-main/storage-encryption-file"
+      "session-secret-file:/var/trust/authelia-main/session-secret-file"
+    ];
+  };
 
   services = {
     nginx = {
@@ -19,8 +48,9 @@ with lib; {
       # config based on https://github.com/authelia/authelia/blob/master/config.template.yml
       settings = {
         secrets = {
-          jwtSecretFile = "TODO:";
-          storageEncryptionKeyFile = "TODO:";
+          jwtSecretFile = "/var/trust/authelia-main/jwt-secret";
+          storageEncryptionKeyFile = "/var/trust/authelia-main/storage-encryption-file";
+          sessionSecretFile = "/var/trust/authelia-main/session-secret-file";
         };
 
         theme = "dark";
@@ -49,7 +79,7 @@ with lib; {
         duo_api.disable = true;
         # identity_validation default values assumed: https://github.com/authelia/authelia/blob/master/config.template.yml#L266
         authentication_backend.file = {
-          path = "/var/trust/authelia/users_database.yml"; #TODO:
+          path = "/var/trust/authelia-main/users_database.yml"; #TODO:
           password.algorithm = "argon2";
           password_policy.zxcvbn = {
             enable = true;
@@ -92,11 +122,11 @@ with lib; {
           ban_time = "5 minutes";
         };
 
-        storage.local.path = "/var/trust/authelia/db.sqlite3"; #TODO:
+        storage.local.path = "/var/trust/authelia-main/db.sqlite3"; #TODO:
 
         # TODO:
         #notifier.smtp = {
-        #  
+        #
         #};
 
         # TODO: voy por acá: https://github.com/authelia/authelia/blob/master/config.template.yml#L714