diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix
index 71799175011c..757765ed08c4 100644
--- a/nixos/modules/security/wrappers/default.nix
+++ b/nixos/modules/security/wrappers/default.nix
@@ -8,21 +8,24 @@ let
 (n: v: (if v ? "program" then v else v // {program=n;})) wrappers);
- mkWrapper = { program, source ? null, ...}: ''
- parentWrapperDir=$(dirname ${wrapperDir})
- gcc -Wall -O2 -DSOURCE_PROG=\"${source}\" -DWRAPPER_DIR=\"$parentWrapperDir\" \ -lcap-ng -lcap ${./wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \ -I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include
- '';
-
- wrappedPrograms = pkgs.stdenv.mkDerivation {
- name = "permissions-wrapper";
- unpackPhase = "true";
- installPhase = ''
- mkdir -p $out/bin
- ${lib.concatMapStrings mkWrapper programs}
- '';
- };
+ mkWrapper = { program, source ? null, ...}:
+ let buildWrapper = ''
+ parentWrapperDir=$(dirname ${wrapperDir})
+ gcc -Wall -O2 -DSOURCE_PROG=\"${source}\" -DWRAPPER_DIR=\"$parentWrapperDir\" \ -Wformat -Wformat-security -Werror=format-security \ -fstack-protector-strong --param ssp-buffer-size=4 \ -D_FORTIFY_SOURCE=2 -fPIC \ -lcap-ng -lcap ${./wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \ -I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include
+ '';
+ in pkgs.stdenv.mkDerivation {
+ name = "${program}-wrapper";
+ unpackPhase = "true";
+ installPhase = ''
+ mkdir -p $out/bin
+ ${buildWrapper}
+ '';
+ };
 ###### Activation script for the setcap wrappers
 mkSetcapProgram = 
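Review bot: `-fPIC` on the new gcc line does not produce a position-independent executable — without `-fPIE -pie` the wrapper's text segment is still loaded at a fixed address, so ASLR does not cover the code of the very setuid/setcap binaries this module exists to build. The same flag group also omits the RELRO/BIND_NOW linker options that normally go with stack-protector and FORTIFY for privileged binaries, which leaves the GOT writable at runtime. I would replace the `-D_FORTIFY_SOURCE=2 -fPIC \` line with `-D_FORTIFY_SOURCE=2 -fPIE -pie \` and `-Wl,-z,relro -Wl,-z,now \`, keeping `-O2` since `_FORTIFY_SOURCE` is a no-op without optimisation. If the stdenv cc wrapper already injects its own hardening set into this derivation, most of these flags are redundant rather than harmful, but that is not visible from the hunk and is worth confirming. `mkWrapper` is complete within the hunk; the enclosing `let` continues past it.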
@@ -32,10 +35,11 @@ let
 , owner ? "nobody"
 , group ? "nogroup"
 , ...
- }:
+ }:
 assert (lib.versionAtLeast (lib.getVersion config.boot.kernelPackages.kernel) "4.3");
- ''
- cp ${wrappedPrograms}/bin/${program}.wrapper $wrapperDir/${program}
+ let wrapperDrv = mkWrapper { inherit program source; };
+ in ''
+ cp ${wrapperDrv}/bin/${program}.wrapper $wrapperDir/${program}
 # Prevent races
 chmod 0000 $wrapperDir/${program}
@@ -60,8 +64,10 @@ let
 , setgid ? false
 , permissions ? "u+rx,g+x,o+x"
 , ...
- }: ''
- cp ${wrappedPrograms}/bin/${program}.wrapper $wrapperDir/${program}
+ }:
+ let wrapperDrv = mkWrapper { inherit program source; };
+ in ''
+ cp ${wrapperDrv}/bin/${program}.wrapper $wrapperDir/${program}
 # Prevent races
 chmod 0000 $wrapperDir/${program}
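Review bot: The new `let wrapperDrv = mkWrapper { inherit program source; };` line forwards `source` into a function whose own default is `source ? null`, and the wrapper derivation then interpolates it as `-DSOURCE_PROG=\"${source}\"`; Nix cannot coerce `null` to a string, so a wrapper declared without a source fails deep inside the derivation with a coercion error that does not name the offending `program`. Whether `source` can actually be unset here depends on mkSetcapProgram's argument set, which starts outside the hunk, so this may be unreachable in practice — but a guard is cheap and gives a usable message: `let wrapperDrv = assert source != null; mkWrapper { inherit program source; };`. Since both activation builders now go through mkWrapper, the check would fit equally well at the top of mkWrapper itself so it is written once.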
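Review bot: The `let wrapperDrv = mkWrapper { inherit program source; };` / `in ''` / `cp ${wrapperDrv}/bin/${program}.wrapper $wrapperDir/${program}` prelude added here is byte-for-byte the one added to mkSetcapProgram in the previous hunk, followed by the same `chmod 0000` race-prevention step. Because that copy-then-lock sequence is the security-sensitive part of the activation script, it would be better expressed once — for example a helper `copyWrapper = { program, source }: ''cp ${mkWrapper { inherit program source; }}/bin/${program}.wrapper $wrapperDir/${program}''` (with the `chmod 0000` folded in) called from both builders — so the two cannot drift apart. mkSetuidProgram's argument set begins outside the hunk and its body continues past it.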