diff --git a/src/nix/modules/service/docker-compose-service.nix b/src/nix/modules/service/docker-compose-service.nix
index 0fc3f5c..9f336f9 100644
--- a/src/nix/modules/service/docker-compose-service.nix
+++ b/src/nix/modules/service/docker-compose-service.nix
@@ -10,6 +10,8 @@ let
inherit (lib) mkOption types;
inherit (types) listOf nullOr attrsOf str either int bool;
+ link = url: text:
+ ''${text}'';
dockerComposeRef = fragment:
''See Docker Compose#${fragment}'';
dockerComposeKitchenSink = ''
@@ -17,6 +19,10 @@ let
${dockerComposeRef "domainname-hostname-ipc-mac_address-privileged-read_only-shm_size-stdin_open-tty-user-working_dir"}
'';
+
+ cap_add = lib.attrNames (lib.filterAttrs (name: value: value == true) config.service.capabilities);
+ cap_drop = lib.attrNames (lib.filterAttrs (name: value: value == false) config.service.capabilities);
+
in
{
options = {
@@ -153,6 +159,24 @@ in
default = null;
description = dockerComposeRef "stop_signal";
};
+ service.capabilities = mkOption {
+ type = attrsOf (nullOr bool);
+ default = {};
+ example = { ALL = true; SYS_ADMIN = false; NET_ADMIN = false; };
+ description = ''
+ Enable/disable linux capabilities, or pick Docker's default.
+
+ Setting a capability to true means that it will be
+ "added". Setting it to false means that it will be "dropped".
+ ${dockerComposeRef "cap_add-cap_drop"}
+
+ Omitted and null capabilities will therefore be set
+ according to Docker's ${
+ link "https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities"
+ "default list of capabilities."
+ }
+ '';
+ };
};
config.build.service = {
@@ -163,6 +187,10 @@ in
;
} // lib.optionalAttrs (config.service.build.context != null) {
inherit (config.service) build;
+ } // lib.optionalAttrs (cap_add != []) {
+ inherit cap_add;
+ } // lib.optionalAttrs (cap_drop != []) {
+ inherit cap_drop;
} // lib.optionalAttrs (config.service.command != null) {
inherit (config.service) command;
} // lib.optionalAttrs (config.service.depends_on != []) {