diff --git a/roles/promtail/defaults/main.yml b/roles/promtail/defaults/main.yml
index e5066e7..ba17f8f 100644
--- a/roles/promtail/defaults/main.yml
+++ b/roles/promtail/defaults/main.yml
@@ -1,3 +1,5 @@
+promtail_dac_read_search: false
+
 promtail_positions_file: /tmp/positions.yaml
 
 promtail_clients:
diff --git a/roles/promtail/handlers/main.yml b/roles/promtail/handlers/main.yml
index 4438971..d5371e9 100644
--- a/roles/promtail/handlers/main.yml
+++ b/roles/promtail/handlers/main.yml
@@ -1,4 +1,8 @@
-- name: reload promtail
+- name: reload systemd
+  systemd:
+    daemon_reload: true
+
+- name: restart promtail
   service:
     name: promtail
     state: restarted
diff --git a/roles/promtail/tasks/deploy.yml b/roles/promtail/tasks/deploy.yml
index dbdb7c5..b240864 100644
--- a/roles/promtail/tasks/deploy.yml
+++ b/roles/promtail/tasks/deploy.yml
@@ -18,7 +18,7 @@
     owner: root
     group: root
   notify:
-    - reload promtail
+    - restart promtail
   tags:
     - config
 
@@ -31,11 +31,33 @@
     group: root
     mode: u=rw,go=r
   notify:
-    - reload promtail
+    - restart promtail
   tags:
     - config
     - cert
 
+- name: ensure promtail systemd unit extension directory exists
+  file:
+    path: /etc/systemd/system/promtail.service.d
+    owner: root
+    group: root
+    mode: u=rwx,go=rx
+    state: directory
+  tags:
+    - systemd
+- name: ensure promtail service capabilities are configured
+  template:
+    src: capabilities.conf.j2
+    dest: /etc/systemd/system/promtail.service.d/capabilities.conf
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  notify:
+    - reload systemd
+    - restart promtail
+  tags:
+    - systemd
+
 - name: ensure promtail service starts at boot
   service:
     name: promtail
@@ -43,6 +65,8 @@
   tags:
     - service
 
+- meta: flush_handlers
+
 - name: ensure promtail is running
   service:
     name: promtail
diff --git a/roles/promtail/templates/capabilities.conf.j2 b/roles/promtail/templates/capabilities.conf.j2
new file mode 100644
index 0000000..17bf99b
--- /dev/null
+++ b/roles/promtail/templates/capabilities.conf.j2
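Review bot: The new default `promtail_dac_read_search` is a security-relevant toggle with no comment explaining what turning it on does, and a defaults file is where operators read that. Since the other hunks show it gating an `AmbientCapabilities=CAP_DAC_READ_SEARCH` line in a systemd drop-in, a comment above it should spell that out: `# When true, grants the promtail service CAP_DAC_READ_SEARCH via templates/capabilities.conf.j2 (bypasses file read permission checks on the whole host); leave false unless promtail must read logs its service user cannot open`. The "unless" clause is my reading of the intent and is worth confirming.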
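Review bot: The `reload systemd` handler only runs before `restart promtail` because it is defined first; Ansible executes notified handlers in the order they appear in the handlers file, not the order listed under `notify`, so reordering this file would restart promtail against the stale unit definition. That ordering dependency is invisible from the task side and deserves a comment above the new handler: `# Keep this above "restart promtail": handlers run in definition order, so the daemon-reload must precede the restart`. The rename of `reload promtail` to `restart promtail` matches what the handler already did (`state: restarted`) and is fine.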
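Review bot: The two new tasks in the second deploy.yml hunk are tagged only `systemd`, while the other tasks that render promtail's on-disk configuration are tagged `config`; if the playbook is run with `--tags config` (usage not visible here), a change to `promtail_dac_read_search` would not be applied and the previously rendered drop-in would keep granting or withholding the capability. Unless the split is intentional, add `- config` under `tags:` on both new tasks so the drop-in tracks the rest of the configuration. Separately, there is no blank line between the directory task and the template task, unlike every other task boundary in the file.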
@@ -0,0 +1,4 @@
+[Service]
+{% if promtail_dac_read_search %}
+AmbientCapabilities=CAP_DAC_READ_SEARCH
+{% endif %}
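Review bot: `AmbientCapabilities=CAP_DAC_READ_SEARCH` lets the promtail process bypass read and search permission checks on every file and directory on the host, which is a broad privilege for a log shipper, and the template neither documents that nor restricts what else the service may hold. Making it opt-in via the default is the right call; I would add a unit-file comment above the `{% if %}`, `# CAP_DAC_READ_SEARCH bypasses file read permission checks host-wide; only granted when promtail_dac_read_search is true`, and, if the unit runs promtail as an unprivileged user (not visible in this diff), pair the grant with `CapabilityBoundingSet=CAP_DAC_READ_SEARCH` inside the same block so this is the only capability the service can ever acquire. A second comment noting that the file intentionally renders as a bare `[Service]` section when the toggle is false, so that switching it off removes the capability on the next run, would save the next reader from "fixing" it.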