diff --git a/attributes/default.rb b/attributes/default.rb
index aec2e83..a844acb 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -8,3 +8,4 @@ node.default["strfry"]["db_path"] = "/var/lib/strfry"
 node.default["strfry"]["bind_ip"] = "0.0.0.0"
 node.default["strfry"]["real_ip_header"] = ""
 node.default["strfry"]["info"] = {}
+node.default["strfry"]["policy_path"] = ""
diff --git a/recipes/default.rb b/recipes/default.rb
index 5ecdda7..dfba4a3 100644
--- a/recipes/default.rb
+++ b/recipes/default.rb
@@ -55,8 +55,8 @@ group node["strfry"]["group"]
 
 user node["strfry"]["user"] do
   gid node["strfry"]["group"]
-  manage_home false
-  shell "/usr/sbin/nologin"
+  manage_home true
+  shell "/bin/bash"
 end
 
 directory node["strfry"]["db_path"] do
@@ -76,7 +76,8 @@ template "/etc/strfry.conf" do
     real_ip_header: node["strfry"]["real_ip_header"],
     port: node["strfry"]["port"],
     nofiles: node["strfry"]["nofiles"],
-    info: node["strfry"]["info"]
+    info: node["strfry"]["info"],
+    policy_path: node["strfry"]["policy_path"]
   }
   notifies :restart, "service[strfry]", :delayed
 end
@@ -97,7 +98,7 @@ systemd_unit "strfry.service" do
       ExecStart: "/usr/local/bin/strfry relay",
       Restart: "on-failure",
       RestartSec: "5",
-      ProtectHome: "yes",
+      ProtectHome: "no",
       NoNewPrivileges: "yes",
       ProtectSystem: "full",
       LimitCORE: "1000000000"
diff --git a/templates/default/strfry.conf.erb b/templates/default/strfry.conf.erb
index 146caa8..f45a571 100644
--- a/templates/default/strfry.conf.erb
+++ b/templates/default/strfry.conf.erb
@@ -82,7 +82,7 @@ relay {
 
     writePolicy {
         # If non-empty, path to an executable script that implements the writePolicy plugin logic
-        plugin = ""
+        plugin = "<%= @config[:policy_path] %>"
     }
 
     compression {