diff --git a/ansible/host_vars/a-fsn-de.m.voidlinux.org.yml b/ansible/host_vars/a-fsn-de.m.voidlinux.org.yml
index a048e7ef..1dfc4224 100644
--- a/ansible/host_vars/a-fsn-de.m.voidlinux.org.yml
+++ b/ansible/host_vars/a-fsn-de.m.voidlinux.org.yml
@@ -39,3 +39,6 @@ nomad_host_volumes:
 - name: ccache
 path: /hostdir/ccache
 read_only: true
+
+nomad_extra_caps:
+ - sys_admin
diff --git a/ansible/host_vars/a-hel-fi.m.voidlinux.org.yml b/ansible/host_vars/a-hel-fi.m.voidlinux.org.yml
index fa0462bb..8e477bca 100644
--- a/ansible/host_vars/a-hel-fi.m.voidlinux.org.yml
+++ b/ansible/host_vars/a-hel-fi.m.voidlinux.org.yml
@@ -50,6 +50,9 @@ nomad_host_volumes:
 path: /hostdir/ccache
 read_only: true
 
+nomad_extra_caps:
+ - sys_admin
+
 nomad_reserved_ports:
 - 80 # Legacy nginx on this host
 - 443 # Legacy nginx on this host
diff --git a/ansible/host_vars/b-fsn-de.m.voidlinux.org.yml b/ansible/host_vars/b-fsn-de.m.voidlinux.org.yml
index dfb0489b..f9e4c429 100644
--- a/ansible/host_vars/b-fsn-de.m.voidlinux.org.yml
+++ b/ansible/host_vars/b-fsn-de.m.voidlinux.org.yml
@@ -12,3 +12,6 @@ nomad_host_volumes:
 - name: aarch64_hostdir
 path: /hostdir
 read_only: false
+
+nomad_extra_caps:
+ - sys_admin
diff --git a/ansible/roles/nomad-client/templates/40-client.hcl b/ansible/roles/nomad-client/templates/40-client.hcl
index 5cb56673..7818c5e7 100644
--- a/ansible/roles/nomad-client/templates/40-client.hcl
+++ b/ansible/roles/nomad-client/templates/40-client.hcl
@@ -56,5 +56,12 @@ vault {
 plugin "docker" {
 config {
 extra_labels = ["*"]
+ # default from https://developer.hashicorp.com/nomad/docs/drivers/docker#allow_caps
+ allow_caps = [
+ "audit_write", "chown", "dac_override", "fowner",
+ "fsetid", "kill", "mknod", "net_bind_service",
+ "setfcap", "setgid", "setpcap", "setuid", "sys_chroot",
+ {% for cap in nomad_extra_caps|default([]) %}"{{cap}}", {% endfor %}
+ ]
 }
 }
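Review bot: The new `nomad_extra_caps` entry puts `sys_admin` on this client's capability allow-list with no comment recording which job needs it or why; CAP_SYS_ADMIN is effectively root-equivalent inside the container's namespaces, so the justification belongs next to the value rather than only in commit history. A line such as `# CAP_SYS_ADMIN: needed by <job name> for <reason>; review before copying to other hosts` (placeholders to be filled in) above `nomad_extra_caps:` would do. The identical additions in a-hel-fi.m.voidlinux.org.yml and b-fsn-de.m.voidlinux.org.yml need the same note.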
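Review bot: `allow_caps` is a client-wide setting, so once `sys_admin` is appended through `nomad_extra_caps` every job scheduled on that client can obtain it by requesting it in its task's `cap_add`, as far as I recall from the linked driver docs; nothing in the template scopes the extra capabilities to a particular job, and the added comment should say so. I would extend it to `# default from https://developer.hashicorp.com/nomad/docs/drivers/docker#allow_caps, plus host-specific nomad_extra_caps; any job on this client may request these via cap_add`. Two points of style: the loop body writes `{{cap}}` where Jinja convention is `{{ cap }}`, and `nomad_extra_caps|default([])` could instead be declared as a role default (`nomad_extra_caps: []`) so the variable is discoverable from the role itself, though I cannot see the role's defaults from this diff. The enclosing `plugin "docker"` block is fully contained in the hunk.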