diff --git a/modules/services/woodpecker/agent-exec/default.nix b/modules/services/woodpecker/agent-exec/default.nix
index 743dfbb..0fa8f0a 100644
--- a/modules/services/woodpecker/agent-exec/default.nix
+++ b/modules/services/woodpecker/agent-exec/default.nix
@@ -45,6 +45,9 @@ in
 ];
 serviceConfig = {
+ # Same option as upstream, without @setuid
+ SystemCallFilter = lib.mkForce "~@clock @privileged @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap";
+
 BindPaths = [
 "/nix/var/nix/daemon-socket/socket"
 "/run/nscd/socket"
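Review bot: Dropping `@setuid` from the deny-list in the new `SystemCallFilter` line may not have the intended effect, because `@privileged` is still listed and, as far as I know, systemd's `@privileged` group itself contains `setuid`, `setreuid`, `setresuid` and `setgroups`; `systemd-analyze syscall-filter @privileged` on the target host shows which calls stay blocked. Because `lib.mkForce` replaces the upstream value with a hand-copied list, any later upstream tightening is silently lost, so the comment should record the reason and the sync point, e.g. `# Upstream filter minus @setuid, needed by <component>; re-sync when the upstream module changes`. The path suggests this is the exec agent, which presumably runs pipeline steps directly on the host with the Nix daemon socket bound in, so it is worth confirming that `NoNewPrivileges` and `CapabilityBoundingSet` in the rest of `serviceConfig` (which continues outside this hunk) still limit what the newly allowed calls can do.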