diff --git a/modules/networking/firewall.nix b/modules/networking/firewall.nix
index e0c177f..e28edef 100644
--- a/modules/networking/firewall.nix
+++ b/modules/networking/firewall.nix
@@ -1,24 +1,8 @@
 { config, pkgs, lib, ... }:
-let
- trustedSubnets = [ "192.168.27.0/24" "10.89.0.0/16" ]
- ++ lib.optional (config.numbus.networking.networkSubnet != "") config.numbus.networking.networkSubnet;
- trustedSubnetsStr = lib.concatStringsSep ", " trustedSubnets;
-in
-
 {
 config = {
 networking.nftables.enable = true;
- networking.nftables.tables."numbus-filter" = {
- family = "inet";
- content = ''
- chain input {
- type filter hook input priority -10; policy accept;
- tcp dport { 53, 80, 443 } ip saddr != { ${trustedSubnetsStr} } drop
- udp dport { 53, 443 } ip saddr != { ${trustedSubnetsStr} } drop
- }
- '';
- };
 networking.firewall = {
 enable = true;
 allowPing = true;
diff --git a/modules/services/lib.nix b/modules/services/lib.nix
index 4383562..b41ba45 100644
--- a/modules/services/lib.nix
+++ b/modules/services/lib.nix
@@ -106,16 +106,18 @@ with lib;
 onFailure = [ "service-failure-notify@%n.service" ];
 startLimitBurst = 5;
 startLimitIntervalSec = 600;
- path = [ pkgs.podman pkgs.podman-compose pkgs.coreutils pkgs.sudo ];
+ path = [ pkgs.podman pkgs.podman-compose pkgs.newuidmap pkgs.coreutils ];
 serviceConfig = {
 Type = "exec";
+ User = "numbus-admin";
+ Group = "users";
 TimeoutStartSec = "1000";
 ExecStartPre = [
 "${pkgs.bash}/bin/bash -c 'sleep $((RANDOM % ${toString startDelay}))'"
- "${pkgs.sudo}/bin/sudo -u numbus-admin podman-compose -f /etc/podman/${name}/compose.yaml pull"
+ "${pkgs.podman-compose}/bin/podman-compose -f /etc/podman/${name}/compose.yaml pull"
 ];
- ExecStart = "${pkgs.sudo}/bin/sudo -u numbus-admin podman-compose ${envFileArg} --in-pod ${toString pod} -f /etc/podman/${name}/compose.yaml up --remove-orphans";
- ExecStop = "${pkgs.sudo}/bin/sudo -u numbus-admin podman-compose ${envFileArg} --in-pod ${toString pod} -f /etc/podman/${name}/compose.yaml down";
+ ExecStart = "${pkgs.podman-compose}/bin/podman-compose ${envFileArg} --in-pod ${toString pod} -f /etc/podman/${name}/compose.yaml up --remove-orphans";
+ ExecStop = "${pkgs.podman-compose}/bin/podman-compose ${envFileArg} --in-pod ${toString pod} -f /etc/podman/${name}/compose.yaml down";
 Restart = "on-failure";
 RestartSec = "3m";
 };
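Review bot: `Group = "users"` in the new serviceConfig gives the now-rootless container manager a primary group that every interactive account on a typical NixOS host shares, so podman storage, compose-managed volumes and anything the containers write may end up group-accessible to all of them; use the account's own group (`Group = "numbus-admin";`, assuming that group exists) or drop `Group=` so systemd takes the user's primary group. Rootless podman also relies on the setuid `newuidmap`/`newgidmap` wrappers under `/run/wrappers/bin` and on subuid/subgid ranges for numbus-admin, and a Nix-store copy such as the `pkgs.newuidmap` added to `path` cannot carry setuid, so confirm the wrapper is the binary podman actually resolves. With `User=` set on a system service there is no `XDG_RUNTIME_DIR`, so podman may fall back to a temporary directory unless linger or `RuntimeDirectory` provides one; a `# NOTE: rootless podman — needs subuid/subgid for numbus-admin and a runtime dir` comment above `User =` would record these requirements. The enclosing service definition starts and ends outside the hunk.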