From 46d51ac70c7211d4a5caa0800b247c5c9717f13f Mon Sep 17 00:00:00 2001
From: vincent
Date: Sun, 27 Nov 2022 08:41:53 +0100
Subject: [PATCH] feat: manage custom docker caps

---
 defaults/main.yml | 1 +
 templates/config.hcl.j2 | 3 +++
 vars/main.yml | 14 ++++++++++++++
 3 files changed, 18 insertions(+)

diff --git a/defaults/main.yml b/defaults/main.yml
index ca596cb..7849243 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -23,3 +23,4 @@ nomad_host_networks:
 # reserved_ports:
 nomad_allow_privileged: False
 nomad_plugins_podman: False
+nomad_docker_allow_caps: []
diff --git a/templates/config.hcl.j2 b/templates/config.hcl.j2
index a95c0d9..8f27c83 100644
--- a/templates/config.hcl.j2
+++ b/templates/config.hcl.j2
@@ -41,6 +41,9 @@ plugin "docker"{
 enabled = true
 selinuxlabel = "z"
 }
+ {%if 'nomad_docker_allow_caps' %}
+ allow_caps = [ "{{nomad_docker_default_caps|join('","')}}","{{nomad_docker_allow_caps|join('","')}}"]
+ {% endif %}
 allow_privileged = {{ nomad_allow_privileged|lower }}
 }
 }
diff --git a/vars/main.yml b/vars/main.yml
index e69de29..59acd99 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -0,0 +1,14 @@
+nomad_docker_default_caps:
+ - audit_write
+ - chown
+ - dac_override
+ - fowner
+ - fsetid
+ - kill
+ - mknod
+ - net_bind_service
+ - setfcap
+ - setgid
+ - setpcap
+ - setuid
+ - sys_chroot
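Review bot: The added `nomad_docker_allow_caps: []` line in defaults/main.yml is undocumented, and because the template appends it to nomad_docker_default_caps, every entry an operator puts here widens the capability set that any docker task on that client may request. A comment above the line would make that trade-off visible where it is configured: `# Extra Linux capabilities docker tasks may request, appended to nomad_docker_default_caps (vars/main.yml).` followed by `# Each entry broadens what containers on this client can do; leave empty unless a workload requires it.`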
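Review bot: The guard `{%if 'nomad_docker_allow_caps' %}` in the templates/config.hcl.j2 hunk tests a non-empty string literal rather than the variable, so it is always true and the block is emitted unconditionally. With the shipped default `[]`, the second `join` then yields an empty string and the rendered line becomes `allow_caps = [ "audit_write", …, "sys_chroot", "" ]`, i.e. a spurious empty capability entry that Nomad will at best ignore and at worst reject at config load. Since the default list should always apply, the three added lines can collapse into one that also handles quoting correctly: `allow_caps = {{ (nomad_docker_default_caps + nomad_docker_allow_caps) | to_json }}`, which renders a valid HCL list and emits exactly the defaults when the extra list is empty. The enclosing `plugin "docker"` stanza starts before this hunk.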
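Review bot: nomad_docker_default_caps is placed in vars/main.yml, which has higher precedence than inventory and group_vars, so an operator cannot trim this baseline without extra-vars; if a fixed baseline is the intent, that is worth stating at the top of the file, since a reader would otherwise expect such a list in defaults/. The list appears to mirror the Nomad docker driver's documented default allow_caps, and the template references the variable unconditionally, so it must remain defined on every run. A header such as `# Baseline capabilities granted to docker tasks; deliberately a role var so inventory cannot lower it. Extend per host via nomad_docker_allow_caps.` records both decisions.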