diff --git a/hosts/nachtigall/apps/matrix/irc.nix b/hosts/nachtigall/apps/matrix/irc.nix
index defe991..fb2c1e0 100644
--- a/hosts/nachtigall/apps/matrix/irc.nix
+++ b/hosts/nachtigall/apps/matrix/irc.nix
@@ -13,6 +13,11 @@ let
   synapseClientPort = "${toString listenerWithClient.port}";
 in
 {
+  systemd.services.matrix-appservice-irc.serviceConfig.SystemCallFilter = lib.mkForce [
+    "@system-service @pkey"
+    "~@privileged @resources"
+    "@chown"
+  ];
   services.matrix-appservice-irc = {
     enable = true;
     localpart = "irc_bot";