fix: filebot

hosts/fw/modules/pyload/pyload.nix

@@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ pkgs, lib, ... }:
 {
   environment.systemPackages = with pkgs; [
     unrar    # Required for RAR archive extraction
@@ -52,6 +52,18 @@
       ];
       # Bind mount multimedia directory as writable for FileBot hook scripts
       BindPaths = [ "/multimedia" ];
+
+      # Override SystemCallFilter to allow @resources syscalls
+      # FileBot (Java) needs resource management syscalls like setpriority
+      # during cleanup operations. Still block privileged syscalls for security.
+      # Use mkForce to completely replace the NixOS module's default filter.
+      SystemCallFilter = lib.mkForce [
+        "@system-service"
+        "@resources"       # Explicitly allow resource management syscalls
+        "~@privileged"     # Still block privileged operations
+        "fchown"           # Re-allow fchown for FileBot file operations
+        "fchown32"         # 32-bit compatibility
+      ];
     };
   };
 }