diff --git a/flake.lock b/flake.lock
index 90a6eea..d50d85c 100644
--- a/flake.lock
+++ b/flake.lock
@@ -717,11 +717,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1739047488,
-        "narHash": "sha256-XRidLinKPemmrWZbxFLJMV21Phc529Q6nfx/8HzwnRg=",
+        "lastModified": 1739053638,
+        "narHash": "sha256-pAJmNmRu2rwFOw6yNwLH1jZn7J1FQqKyfY7u63oi1io=",
         "owner": "~repomaa",
         "repo": "workout-sync",
-        "rev": "275adde9c83df8e6cd4eed091913faf0e6e05197",
+        "rev": "00a0f1ae718d0fdb5dea9c362658bb29f9eb3d78",
         "type": "sourcehut"
       },
       "original": {
diff --git a/modules/services/workout-sync.nix b/modules/services/workout-sync.nix
index 7337814..29e9ca7 100644
--- a/modules/services/workout-sync.nix
+++ b/modules/services/workout-sync.nix
@@ -31,7 +31,16 @@ in
         ExecStart = "${workout-sync}/bin/workout-sync";
         Restart = "always";
         DynamicUser = true;
-        EnvironmentFile = "/var/secrets/workout-sync.env";
+        BindReadOnlyPaths = [
+          /run/systemd/resolve/stub-resolv.conf
+          /etc/ssl
+          /etc/static/ssl
+          /etc/resolv.conf
+          /etc/static/resolv.conf
+          /etc/nsswitch.conf
+          /etc/static/nsswitch.conf
+          /etc/hosts
+        ];
       };
       wantedBy = [ "multi-user.target" ];
       confinement.enable = true;