diff --git a/nixos/modules/installer/tools/nixos-generate-config.pl b/nixos/modules/installer/tools/nixos-generate-config.pl
index 2190cac53d9e..4da752e19050 100644
--- a/nixos/modules/installer/tools/nixos-generate-config.pl
+++ b/nixos/modules/installer/tools/nixos-generate-config.pl
@@ -328,8 +328,7 @@ foreach my $fs (read_file("/proc/self/mountinfo")) {
  # Skip special filesystems.
  next if in($mountPoint, "/proc") || in($mountPoint, "/dev") || in($mountPoint, "/sys") || in($mountPoint, "/run") || $mountPoint eq "/var/lib/nfs/rpc_pipefs";
- next if $mountPoint eq "/var/setuid-wrappers";
- next if $mountPoint eq "/var/setcap-wrappers";
+ next if $mountPoint eq "/var/permissions-wrappers";
  # Skip the optional fields.
  my $n = 6; $n++ while $fields[$n] ne "-"; $n++;
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index dde0be5c14c3..6e69cebf7636 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -103,8 +103,7 @@
  ./security/prey.nix
  ./security/rngd.nix
  ./security/rtkit.nix
- ./security/setuid-wrappers.nix
- ./security/setcap-wrappers.nix
+ ./security/permissions-wrappers
  ./security/sudo.nix
  ./services/amqp/activemq/default.nix
  ./services/amqp/rabbitmq.nix
diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix
index 12605c245160..1e0b874297a2 100644
--- a/nixos/modules/tasks/network-interfaces.nix
+++ b/nixos/modules/tasks/network-interfaces.nix
@@ -891,7 +891,7 @@ in
  # Capabilities won't work unless we have at-least a 4.3 Linux
  # kernel because we need the ambient capability
- security.setcapCapabilities = mkIf (versionAtLeast (getVersion config.boot.kernelPackages.kernel) "4.3") (
+ security.permissionsWrappers.setcap = mkIf (versionAtLeast (getVersion config.boot.kernelPackages.kernel) "4.3") (
  [ { program = "ping"; source = "${pkgs.iputils.out}/bin/ping";
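Review bot: Dropping the two old mount-point names means a host whose running generation still mounts `/var/setuid-wrappers` or `/var/setcap-wrappers` (for example a system in the middle of upgrading to this change) is no longer skipped here; if those tmpfs mounts are still present when the configuration is generated they would presumably be written out as ordinary filesystems. Consider keeping the old names next to the new one for a transition period, `next if $mountPoint eq "/var/permissions-wrappers" || $mountPoint eq "/var/setuid-wrappers" || $mountPoint eq "/var/setcap-wrappers";`, or folding all three into the `||` chain on the preceding line so every special-mount exclusion lives in one place. The enclosing `foreach my $fs` loop starts before and ends after this hunk.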
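Review bot: The new entry `./security/permissions-wrappers` is a directory while every other path in this list is an explicit `.nix` file, so the import now relies on Nix resolving the directory to its `default.nix`. For consistency with neighbours such as `./services/amqp/activemq/default.nix` in the same hunk, consider spelling it out: `./security/permissions-wrappers/default.nix`. That also keeps a later rename of the module file visible in this list instead of silently breaking the import.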
@@ -908,8 +908,22 @@ in
  );
  # If our linux kernel IS older than 4.3, let's setuid ping and ping6
- security.setuidPrograms = mkIf (versionOlder (getVersion config.boot.kernelPackages.kernel) "4.3") (
- [ "ping" "ping6" ]
+ security.permissionsWrappers.setuid = mkIf (versionOlder (getVersion config.boot.kernelPackages.kernel) "4.3") (
+ [
+ { program = "ping";
+ source = "${pkgs.iputils.out}/bin/ping";
+ owner = "root";
+ group = "root";
+ setuid = true;
+ }
+
+ { program = "ping6";
+ source = "${pkgs.iputils.out}/bin/ping6";
+ owner = "root";
+ group = "root";
+ setuid = true;
+ }
+ ]
  );
  # Set the host and domain names in the activation script. Don't
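Review bot: The two new entries for `ping` and `ping6` repeat the same `owner`/`group`/`setuid` boilerplate and differ only in the program name, which invites drift if one is later edited and the other is not. Since both entries define setuid-root wrappers on kernels older than 4.3, keeping the two definitions structurally identical matters; a `map` over the program names expresses that intent directly and derives both `source` paths from the same `pkgs.iputils.out`. The enclosing attribute set (the body after `in`) starts before and ends after this hunk.
```nix
    security.permissionsWrappers.setuid = mkIf (versionOlder (getVersion config.boot.kernelPackages.kernel) "4.3") (
      map (name: {
        program = name;
        source = "${pkgs.iputils.out}/bin/${name}";
        owner = "root";
        group = "root";
        setuid = true;
      }) [ "ping" "ping6" ]
    );
```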