diff --git a/cluster/services/attic/server.nix b/cluster/services/attic/server.nix
index 39be7ce..2b9d790 100644
--- a/cluster/services/attic/server.nix
+++ b/cluster/services/attic/server.nix
@@ -65,6 +65,7 @@ in
     serviceConfig = {
       DynamicUser = lib.mkForce false;
       RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK" ];
+      SystemCallFilter = lib.mkAfter [ "@resources" ];
     };
     environment = {
       AWS_SHARED_CREDENTIALS_FILE = "/run/locksmith/garage-attic";