diff --git a/environments/production.json b/environments/production.json
index d7832ca..84cf15d 100644
--- a/environments/production.json
+++ b/environments/production.json
@@ -106,7 +106,7 @@
     "strfry": {
       "domain": "nostr.kosmos.org",
       "real_ip_header": "x-real-ip",
-      "policy_path": "/opt/strfry-policy.ts",
+      "policy_path": "/opt/strfry/strfry-policy.ts",
       "whitelist_pubkeys": [
         "b3e1b7c1660b7db0ecb93ec55c09e67961171a5c4e9e2602f1b47477ea61c50a"
       ],
diff --git a/site-cookbooks/kosmos_strfry/attributes/default.rb b/site-cookbooks/kosmos_strfry/attributes/default.rb
index e794f13..10b0eba 100644
--- a/site-cookbooks/kosmos_strfry/attributes/default.rb
+++ b/site-cookbooks/kosmos_strfry/attributes/default.rb
@@ -1 +1,2 @@
 node.default["strfry"]["ldap_search_dn"] = "ou=kosmos.org,cn=users,dc=kosmos,dc=org"
+node.default["strfry"]["extras_dir"] = "/opt/strfry"
diff --git a/site-cookbooks/kosmos_strfry/recipes/policies.rb b/site-cookbooks/kosmos_strfry/recipes/policies.rb
index 30bd144..43dfa3a 100644
--- a/site-cookbooks/kosmos_strfry/recipes/policies.rb
+++ b/site-cookbooks/kosmos_strfry/recipes/policies.rb
@@ -11,6 +11,14 @@ include_recipe "deno"
 
 ldap_credentials = Chef::EncryptedDataBagItem.load('credentials', 'dirsrv')
 
+extras_dir = node["strfry"]["extras_dir"]
+
+directory extras_dir do
+  owner node["strfry"]["user"]
+  group node["strfry"]["group"]
+  mode "0755"
+end
+
 env = {
   ldap_url: 'ldap://ldap.kosmos.local:389', # requires "ldap_client" role
   ldap_bind_dn: ldap_credentials["service_dn"],
@@ -19,7 +27,7 @@ env = {
   whitelist_pubkeys: node["strfry"]["whitelist_pubkeys"].join(",")
 }
 
-template "/opt/.env" do
+template "#{extras_dir}/.env" do
   source 'env.erb'
   owner node["strfry"]["user"]
   group node["strfry"]["group"]
@@ -35,7 +43,7 @@ end
 
 base_url = "https://gitea.kosmos.org/kosmos/akkounts/raw/branch/live/extras/strfry"
 
-remote_file "/opt/deno.json" do
+remote_file "#{extras_dir}/deno.json" do
   source "#{base_url}/deno.json"
   owner node["strfry"]["user"]
   group node["strfry"]["group"]
@@ -43,7 +51,7 @@ remote_file "/opt/deno.json" do
   notifies :restart, "service[strfry]", :delayed
 end
 
-remote_file "/opt/deno.lock" do
+remote_file "#{extras_dir}/deno.lock" do
   source "#{base_url}/deno.lock"
   owner node["strfry"]["user"]
   group node["strfry"]["group"]
@@ -51,7 +59,7 @@ remote_file "/opt/deno.lock" do
   notifies :restart, "service[strfry]", :delayed
 end
 
-remote_file "/opt/strfry-policy.ts" do
+remote_file "#{extras_dir}/strfry-policy.ts" do
   source "#{base_url}/strfry-policy.ts"
   owner node["strfry"]["user"]
   group node["strfry"]["group"]
@@ -59,7 +67,7 @@ remote_file "/opt/strfry-policy.ts" do
   notifies :restart, "service[strfry]", :delayed
 end
 
-remote_file "/opt/ldap-policy.ts" do
+remote_file "#{extras_dir}/ldap-policy.ts" do
   source "#{base_url}/ldap-policy.ts"
   owner node["strfry"]["user"]
   group node["strfry"]["group"]
@@ -67,7 +75,7 @@ remote_file "/opt/ldap-policy.ts" do
   notifies :restart, "service[strfry]", :delayed
 end
 
-remote_file "/opt/strfry-sync.ts" do
+remote_file "#{extras_dir}/strfry-sync.ts" do
   source "#{base_url}/strfry-sync.ts"
   owner node["strfry"]["user"]
   group node["strfry"]["group"]