diff --git a/contracts/migrations/0006_alter_contract_filing_area_and_more.py b/contracts/migrations/0006_alter_contract_filing_area_and_more.py
new file mode 100644
index 0000000000000000000000000000000000000000..7aa861f6bd058d823cdb1bd42b1bb39655ef0a60
--- /dev/null
+++ b/contracts/migrations/0006_alter_contract_filing_area_and_more.py
@@ -0,0 +1,54 @@
+# Generated by Django 4.1.4 on 2023-03-22 09:14
+
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('contracts', '0005_alter_contract_notes_and_more'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='contract',
+            name='filing_area',
+            field=models.ForeignKey(blank=True, help_text='Obsah není veřejně přístupný.', null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='contracts', to='contracts.contractfilingarea', verbose_name='Spisovna'),
+        ),
+        migrations.AlterField(
+            model_name='contract',
+            name='is_approved',
+            field=models.BooleanField(help_text='Mohou měnit jen schvalovatelé. Pokud je smlouva veřejná, schválením se vypustí ven.', verbose_name='Je schválená'),
+        ),
+        migrations.AlterField(
+            model_name='contract',
+            name='is_public',
+            field=models.BooleanField(help_text='Neveřejné smlouvy nejsou vidět bez přihlášení jako min. tajný čtenář.', verbose_name='Je veřejná'),
+        ),
+        migrations.AlterField(
+            model_name='contract',
+            name='issues',
+            field=models.ManyToManyField(blank=True, help_text='Veřejně nazváno "Poznámky".', related_name='contracts', to='contracts.contractissue', verbose_name='Problémy'),
+        ),
+        migrations.AlterField(
+            model_name='contract',
+            name='types',
+            field=models.ManyToManyField(related_name='contracts', to='contracts.contracttype', verbose_name='Typ'),
+        ),
+        migrations.AlterField(
+            model_name='contractee',
+            name='address_country',
+            field=models.CharField(default='CZ', max_length=256, verbose_name='Země'),
+        ),
+        migrations.AlterField(
+            model_name='contractfile',
+            name='file',
+            field=models.FileField(upload_to='private/', verbose_name='Soubor'),
+        ),
+        migrations.AlterField(
+            model_name='signee',
+            name='address_country',
+            field=models.CharField(default='CZ', max_length=256, verbose_name='Země'),
+        ),
+    ]
diff --git a/contracts/models.py b/contracts/models.py
index 10f50361d2e861e670c557a10fe1b51ccd0a398c..65e305376c490463ff327df1bba39080d74916ca 100644
--- a/contracts/models.py
+++ b/contracts/models.py
@@ -621,6 +621,7 @@ class ContractFile(NameStrMixin, models.Model):
 
     file = models.FileField(
         verbose_name="Soubor",
+        upload_to="private/",
     )
 
     contract = models.ForeignKey(
diff --git a/nginx.conf b/nginx.conf
index 4725c76f1dab2ac47717af04a9e227b6af423a30..dd8e8f0911cdca04480f2e18a05deeef7ec191c7 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -20,4 +20,13 @@ server {
         proxy_set_header X-Forwarded-Proto https;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     }
+
+    location /media/ {
+        alias /var/opt/contract_registry/media/
+    }
+
+    location ~ /media/private/ {
+        deny all;
+        return 404;
+    }
 }