diff --git a/nixos/systems/blowhole/firewall.nix b/nixos/systems/blowhole/firewall.nix
index d4c72e1..2e7aa95 100644
--- a/nixos/systems/blowhole/firewall.nix
+++ b/nixos/systems/blowhole/firewall.nix
@@ -262,11 +262,13 @@ in
   };
 
   systemd.services.nftables = {
+    path = with pkgs; [
+      nftables iptables bash
+    ];
     serviceConfig =
       let
         rulesScript = pkgs.writeShellScript "nftables-rules" ''
           set -ex
-          export PATH=${pkgs.nftables}/bin:${pkgs.iptables}/bin:${pkgs.bash}/bin:$PATH
 
           tmpfile="$(mktemp)"
           iptables-save -t filter >> $tmpfile
@@ -289,7 +291,6 @@ in
         ExecReload = mkForce rulesScript;
         ExecStop = mkForce (pkgs.writeShellScript "nftables-flush" ''
           set -ex
-          export PATH=${pkgs.nftables}/bin:${pkgs.iptables}/bin:${pkgs.bash}/bin:$PATH
 
           tmpfile="$(mktemp)"
           iptables-save -t filter >> $tmpfile