diff --git a/modules/10-services-generic/docker-service/main.tf b/modules/10-services-generic/docker-service/main.tf index 14d09f3..4e00528 100644 --- a/modules/10-services-generic/docker-service/main.tf +++ b/modules/10-services-generic/docker-service/main.tf @@ -144,12 +144,32 @@ resource "docker_container" "service_container" { hostname = var.hostname domainname = var.domainname user = var.user + group_add = var.group_add working_dir = var.working_dir command = var.command entrypoint = var.entrypoint privileged = var.privileged destroy_grace_seconds = var.destroy_grace_seconds + # Linux capabilities controls + dynamic "capabilities" { + for_each = length(var.capabilities_add) > 0 || length(var.capabilities_drop) > 0 ? [1] : [] + content { + add = var.capabilities_add + drop = var.capabilities_drop + } + } + + # Device mappings + dynamic "devices" { + for_each = var.devices + content { + host_path = devices.value.host_path + container_path = devices.value.container_path + permissions = devices.value.permissions + } + } + # Set log options log_driver = var.log_driver log_opts = var.log_opts diff --git a/modules/10-services-generic/docker-service/variables.tf b/modules/10-services-generic/docker-service/variables.tf index fd1cb3a..b9b02c6 100644 --- a/modules/10-services-generic/docker-service/variables.tf +++ b/modules/10-services-generic/docker-service/variables.tf 
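Review bot: The `devices` block forwards `devices.value.host_path` and `devices.value.permissions` into the container spec with no restriction, so a caller can map any host device with `rwm` and, together with `capabilities_add`, reach near-privileged access while `privileged` stays false; the block comment should say so, e.g. `# Device mappings — host_path/permissions are passed through unvalidated; review like a privileged flag`. The `capabilities` block is only emitted when one of the two lists is non-empty, so with both left at their defaults the container keeps Docker's default capability set rather than a reduced one; a comment on the `for_each` line such as `# omitted entirely when both lists are empty -> provider/Docker defaults apply` would stop readers from assuming an empty add/drop means "no capabilities". The `docker_container.service_container` resource begins before this hunk and continues after it.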
@@ -179,12 +179,42 @@ variable "entrypoint" { default = null } +variable "group_add" { + description = "Additional groups to add to the container" + type = list(string) + default = [] +} + variable "privileged" { description = "Run container in privileged mode" type = bool default = false } +// Linux capabilities controls +variable "capabilities_add" { + description = "Linux capabilities to add to the container" + type = list(string) + default = [] +} + +variable "capabilities_drop" { + description = "Linux capabilities to drop from the container" + type = list(string) + default = [] +} + +// Devices to pass through to container +variable "devices" { + description = "List of device mappings for the container" + type = list(object({ + host_path = string + container_path = string + permissions = string + })) + default = [] +} + variable "destroy_grace_seconds" { description = "Grace period in seconds before the container is destroyed" type = number
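Review bot: The new `devices` variable accepts any `host_path` and `permissions` string with no `validation` block, so a relative path or a typo like `rwx` is only rejected by the provider at apply time, and nothing in the descriptions of `capabilities_add` or `devices` signals that these widen the container's host access in the same way `privileged` does. A validation that requires an absolute `host_path` and limits `permissions` to combinations of `r`, `w` and `m` fails fast at plan time; the descriptions should also read along the lines of `"Linux capabilities to add to the container (widens host access; prefer an explicit drop list)"` and `"Host device mappings (grants direct host device access; review like privileged)"`. `container_path` and `permissions` are declared as required `string` attributes, whereas the provider's `devices` block treats them as optional as far as I recall; if the module's Terraform version constraint (not visible here) allows `optional(string)`, matching the provider would avoid forcing callers to invent values.
```hcl
variable "devices" {
  # … unchanged: description, type, default …

  validation {
    # Docker device permissions are a subset of "rwm"; host paths must be absolute.
    condition = alltrue([
      for d in var.devices :
      can(regex("^/", d.host_path)) && can(regex("^[rwm]{1,3}$", d.permissions))
    ])
    error_message = "Each device needs an absolute host_path and permissions made only of r, w and m."
  }
}
```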