diff --git a/hosts/nachtigall/apps/matrix/irc.nix b/hosts/nachtigall/apps/matrix/irc.nix
index 8f65985..da20617 100644
--- a/hosts/nachtigall/apps/matrix/irc.nix
+++ b/hosts/nachtigall/apps/matrix/irc.nix
@@ -1,5 +1,10 @@
-{lib, ...}:
+{pkgs, lib, ...}:
 {
+  systemd.services.matrix-appservice-irc.serviceConfig.SystemCallFilter = lib.mkForce [
+    "@system-service @pkey"
+    "~@privileged @resources"
+    "@chown"
+  ];
   services.matrix-appservice-irc = {
     enable = true;
     localpart = "irc_bot";