diff --git a/conf/bookwyrm-server.service b/conf/bookwyrm-server.service
index 8aa2716..4a0f6ac 100644
--- a/conf/bookwyrm-server.service
+++ b/conf/bookwyrm-server.service
@@ -37,7 +37,7 @@ RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
 DevicePolicy=closed
 ProtectProc=invisible
 SystemCallArchitectures=native
-SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
+#SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
 [Install]
 WantedBy=multi-user.target
diff --git a/conf/bookwyrm-worker.service b/conf/bookwyrm-worker.service
index 623a00d..135c633 100644
--- a/conf/bookwyrm-worker.service
+++ b/conf/bookwyrm-worker.service
@@ -13,7 +13,7 @@ ExecStart=__INSTALL_DIR__/venv/bin/celery -A celerywyrm worker -l info -Q high_p
 ProtectSystem=strict
 ProtectHome=tmpfs
-#InaccessiblePaths=-/media -/mnt -/srv
+InaccessiblePaths=-/media -/mnt -/srv
 PrivateTmp=yes
 TemporaryFileSystem=/var /run
 #PrivateUsers=true
@@ -37,7 +37,7 @@ RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
 DevicePolicy=closed
 ProtectProc=invisible
 SystemCallArchitectures=native
-SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
+#SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
 # Denying access to capabilities that should not be relevant for webapps
 # Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
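Review bot: Commenting out `SystemCallFilter=` in the `@@ -37,7 +37,7 @@` hunk of bookwyrm-server.service drops the whole syscall deny-list, so the service may again use every call in @mount, @module, @privileged and the other listed groups. The last hunk of bookwyrm-worker.service makes the same change. If one group was breaking the service (the reason is not visible in the diff), it would be safer to keep the directive and remove only that group. Adding `SystemCallErrorNumber=EPERM` would make a blocked call return an error instead of killing the process. If the filter has to stay disabled for now, record why next to it, for example `# SystemCallFilter disabled: <reason or issue link>`, and compare `systemd-analyze security` output before and after.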
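Review bot: Enabling `InaccessiblePaths=-/media -/mnt -/srv` in the `@@ -13,7 +13,7 @@` hunk of bookwyrm-worker.service will hide the worker's own files if `__INSTALL_DIR__` or the app's data directory ever resolves under one of those three trees, for example on an install that keeps data on a mounted disk. Where those paths are set is not shown in the hunk, so this needs checking against the install script. The commit does not touch this directive in bookwyrm-server.service, so confirm that both units end up with the same setting. A comment above the line such as `# Hide foreign mounts; app data must not live under /media, /mnt or /srv` would record the assumption.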