nixos/yggdrasil: set proper SystemCallFilter

nixos/modules/services/networking/yggdrasil.nix

@@ -180,7 +180,7 @@ in {
         RestrictNamespaces = true;
         RestrictRealtime = true;
         SystemCallArchitectures = "native";
-        SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @resources";
+        SystemCallFilter = [ "@system-service" "~@privileged @keyring" ];
       } // (if (cfg.group != null) then {
         Group = cfg.group;
       } else {});