diff --git a/hosts/common/nomad.nix b/hosts/common/nomad.nix
index 1c40e75..2b437ac 100644
--- a/hosts/common/nomad.nix
+++ b/hosts/common/nomad.nix
@@ -7,6 +7,7 @@ in
 {
 services.nomad = {
 enable = true;
+ package = pkgs.unstable.nomad;
 # true breaks at least CSI volumes
 dropPrivileges = false;
@@ -30,7 +31,11 @@ in
 };
 environment.etc."nomad-alo.json".text = builtins.toJSON {
- plugin.docker.config.allow_privileged = true;
+ plugin.docker.config = {
+ allow_privileged = true;
+ # for keepalived, though only really needing "NET_ADMIN","NET_BROADCAST","NET_RAW" on top of default
+ allow_caps = ["all"];
+ };
 };
 environment.persistence."/persist".directories = [
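Review bot: The added `package = pkgs.unstable.nomad;` in the first hunk has no comment saying why the unstable package set is needed or when to return to the stable one. With `dropPrivileges = false` two lines below, the agent built from that package presumably runs as root. A comment such as `# unstable needed for <reason>; switch back to pkgs.nomad once it reaches stable` would record the intent. Whether `pkgs.unstable` is pinned is not visible here; if it is not, the Nomad version changes whenever that input moves. The `services.nomad` block continues outside the hunk.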
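Review bot: `allow_caps = ["all"]` in the second hunk lets any job placed on these clients request any Linux capability, although the comment directly above it says keepalived needs only NET_ADMIN, NET_BROADCAST and NET_RAW on top of the defaults. The file lives under hosts/common, so the setting presumably reaches every host that imports it. Spelling out the docker driver's default capability list plus those three keeps the allow-list at what the comment says is required; the defaults below are the ones documented for current Nomad and should be checked against the packaged version. `allow_privileged = true` was already present and is broader still, so it is worth confirming whether keepalived can run with `cap_add` alone instead of a privileged container.

```nix
  plugin.docker.config = {
    allow_privileged = true;
    # keepalived needs NET_ADMIN, NET_BROADCAST and NET_RAW on top of the driver defaults
    allow_caps = [
      # docker driver defaults (confirm against the packaged Nomad version)
      "audit_write" "chown" "dac_override" "fowner" "fsetid" "kill" "mknod"
      "net_bind_service" "setfcap" "setgid" "setpcap" "setuid" "sys_chroot"
      # added for keepalived
      "net_admin" "net_broadcast" "net_raw"
    ];
  };
```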