diff --git a/modules/system/services/crowdsec/default.nix b/modules/system/services/crowdsec/default.nix
index 9e45f7e..2b5c78d 100644
--- a/modules/system/services/crowdsec/default.nix
+++ b/modules/system/services/crowdsec/default.nix
@@ -63,9 +63,9 @@ in
 ];
 };
- systemd.services.crowdsec.preStart =
+ systemd.services.crowdsec.serviceConfig.ExecStartPre =
 let
- addCollection = collection: ''
+ installCollection = collection: ''
 if ! cscli collections list | grep -q "${collection}"; then
 cscli collections install ${collection}
 fi
@@ -78,7 +78,9 @@ in
 (lib.optional (lib.elem "iptables" cfg.sources) "crowdsecurity/iptables")
 ]
 |> lib.flatten
- |> lib.map addCollection
- |> lib.concatLines;
+ |> lib.map installCollection
+ |> lib.concatLines
+ |> (text: pkgs.writeShellScript "crowdsec-install-collections" "set -e\n${text}")
+ |> lib.mkAfter;
 };
 }
diff --git a/modules/system/services/crowdsec/firewall-bouncer.nix b/modules/system/services/crowdsec/firewall-bouncer.nix
index 4127214..05613ca 100644
--- a/modules/system/services/crowdsec/firewall-bouncer.nix
+++ b/modules/system/services/crowdsec/firewall-bouncer.nix
@@ -23,10 +23,13 @@ in
 };
 };
- systemd.services.crowdsec.preStart = ''
- if ! cscli bouncers list | grep -q "firewall"; then
- cscli bouncers add "firewall" --key "cs-firewall-bouncer"
- fi
- '';
+ systemd.services.crowdsec.serviceConfig.ExecStartPre = lib.mkAfter (
+ pkgs.writeShellScript "crowdsec-add-bouncer" ''
+ set -e
+ if ! cscli bouncers list | grep -q "firewall"; then
+ cscli bouncers add "firewall" --key "cs-firewall-bouncer"
+ fi
+ ''
+ );
 };
 }
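Review bot: The install guard in the first hunk of default.nix, `if ! cscli collections list | grep -q "${collection}"; then`, is an unanchored regex match over the whole listing, so a longer collection name that contains the requested one satisfies the check and the requested collection is silently never installed. Comparing the name field of machine-readable output for exact equality would make the guard reliable; the same loose match appears as `grep -q "firewall"` in firewall-bouncer.nix. `${collection}` is also spliced into the script unquoted: the values visible here are literals, but `lib.escapeShellArg collection` would keep the script safe if the list ever becomes configurable. The `let` block starts inside this hunk and continues outside it.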
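Review bot: The pipeline in the second hunk of default.nix ends in a bare store path under `lib.mkAfter`, and firewall-bouncer.nix assigns another bare path to the same `ExecStartPre`. As far as I know NixOS concatenates unit-option definitions only when at least one of them is a list, so these two merge cleanly only if some definition not visible here (presumably the upstream crowdsec module) supplies a list. Wrapping the value in a list removes that dependency, `|> (text: [ (pkgs.writeShellScript "crowdsec-install-collections" "set -e\n${text}") ])`, and likewise around the script in firewall-bouncer.nix. A one-line comment naming the step that `mkAfter` has to run after would make the ordering requirement explicit.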
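Review bot: The bouncer API key in firewall-bouncer.nix is still the fixed literal in `cscli bouncers add "firewall" --key "cs-firewall-bouncer"`, and it now sits in a `pkgs.writeShellScript` output in the world-readable Nix store. Any local user or process that can reach the CrowdSec local API could authenticate as this bouncer with a key that is both guessable and readable. Consider generating the key per host and reading it at run time from a file outside the store, for example a systemd credential: `--key "$(cat "$CREDENTIALS_DIRECTORY/<credential-name>")"`, with the bouncer's own configuration (not visible in this hunk) pointed at the same secret.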