diff --git a/nix/nixos-module/collectd/default.nix b/nix/nixos-module/collectd/default.nix
index 0d0bc36..d7575ae 100644
--- a/nix/nixos-module/collectd/default.nix
+++ b/nix/nixos-module/collectd/default.nix
@@ -103,8 +103,8 @@ in
             else maxTimeout
         ) 180 (builtins.attrNames config.site.net);
       in ''
-          Exec "${execUser}" "${pkgs.ruby}/bin/ruby" "${./dhcpcount.rb}" "${toString maxTimeout}"
-        '';
+        Exec "${execUser}" "/run/wrappers/bin/dhcpcount" "${toString maxTimeout}"
+      '';
   }) (lib.optionalAttrs config.services.unbound.enable {
     plugins.exec = ''
         Exec "${execUser}" "${pkgs.ruby}/bin/ruby" "${./unbound.rb}"
@@ -118,6 +118,25 @@ in
 
   systemd.services.collectd = lib.mkIf config.services.dhcpd4.enable {
     after = [ "dhcpd4.service" ];
-    serviceConfig.StateDirectory = "dhcpd4";
+  };
+
+  security.wrappers = lib.mkIf config.services.dhcpd4.enable {
+    collectd-dhcpcount =
+      let
+        dhcpcount = pkgs.runCommand "dhcpcount" {
+          src = ./dhcpcount.rb;
+          buildInputs = [ pkgs.ruby ];
+        } ''
+          cp $src dhcpcount.rb
+          patchShebangs dhcpcount.rb
+          mkdir -p $out/bin
+          cp dhcpcount.rb $out/bin/dhcpcount
+        '';
+      in {
+        setuid = true;
+        owner = "root";
+        group = "root";
+        source = "${dhcpcount}/bin/dhcpcount";
+      };
   };
 }
diff --git a/nix/nixos-module/collectd/dhcpcount.rb b/nix/nixos-module/collectd/dhcpcount.rb
old mode 100644
new mode 100755