diff --git a/configuration.nix b/configuration.nix
index cb10954..6da6ed0 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -2,7 +2,7 @@
 # nix-channel --add https://nixos.org/channels/nixos-unstable unstable
 # nix-channel --update
 #
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 let
   unstable = import <unstable> {};
   secrets = import ./secrets.nix;
@@ -50,6 +50,9 @@ in {
     '';
   };
 
+  systemd.services.gitea.serviceConfig.SystemCallFilter =
+    lib.mkForce "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @resources @setuid @swap";
+
   services.nginx = {
     enable = true;
     virtualHosts."${hostname}" = {