diff --git a/bundles/telegraf/files/override.conf b/bundles/telegraf/files/override.conf
new file mode 100644
index 0000000..c455687
--- /dev/null
+++ b/bundles/telegraf/files/override.conf
@@ -0,0 +1,2 @@
+[Service]
+AmbientCapabilities=${' '.join(sorted(capabilities))}
diff --git a/bundles/telegraf/items.py b/bundles/telegraf/items.py
index c987088..a4b52da 100644
--- a/bundles/telegraf/items.py
+++ b/bundles/telegraf/items.py
@@ -79,11 +79,46 @@ files = {
     },
 }
 
+if node.metadata.get('telegraf/additional_capabilities', set()):
+    files['/etc/systemd/system/telegraf.service.d/bundlewrap.conf'] = {
+        'source': 'override.conf',
+        'content_type': 'mako',
+        'context': {
+            'capabilities': node.metadata['telegraf']['additional_capabilities'],
+        },
+        'triggers': {
+            'action:systemd-reload',
+            'svc_systemd:telegraf:restart',
+        },
+    }
+else:
+    files['/etc/systemd/system/telegraf.service.d/bundlewrap.conf'] = {
+        'delete': True,
+        'triggers': {
+            'action:systemd-reload',
+            'svc_systemd:telegraf:restart',
+        },
+    }
+
+users = {
+    'telegraf': {
+        'groups': node.metadata.get('telegraf/additional_groups', set()),
+        'needs': {
+            'pkg_apt:telegraf',
+        },
+        'triggers': {
+            'svc_systemd:telegraf:restart',
+        },
+    },
+}
+
 svc_systemd = {
     'telegraf': {
         'needs': {
             'file:/etc/telegraf/telegraf.conf',
+            'file:/etc/systemd/system/telegraf.service.d/bundlewrap.conf',
             'pkg_apt:telegraf',
+            'user:telegraf',
         },
     },
 }