diff --git a/nixos/modules/services/desktops/espanso.nix b/nixos/modules/services/desktops/espanso.nix
index a2c4b77b90464..9ca026a8ecd27 100644
--- a/nixos/modules/services/desktops/espanso.nix
+++ b/nixos/modules/services/desktops/espanso.nix
@@ -15,16 +15,36 @@ in {
       };
     };
 
-  config = mkIf cfg.enable {
-    systemd.user.services.espanso = {
-      description = "Espanso daemon";
-      serviceConfig = {
-        ExecStart = "${lib.getExe cfg.package} daemon";
-        Restart = "on-failure";
-      };
-      wantedBy = [ "default.target" ];
-    };
+  config =
+    let
+      wayland = cfg.package == pkgs.espanso-wayland;
+    in
+    mkMerge [
+      (mkIf cfg.enable {
+        systemd.user.services.espanso = {
+          description = "Espanso daemon";
+          serviceConfig = {
+            ExecStart =
+              # Espanso responsibly tries to drop capabilities as soon as possible
+              # but forks *after* dropping, leaving the `worker` process without the
+              # capabilities required for the EVDEV backend for wayland. Running
+              # `worker` directly from the wrapper works around this issue.
+              # https://github.com/NixOS/nixpkgs/issues/249364#issuecomment-2322837290
+              if wayland then "/run/wrappers/bin/espanso worker" else "${lib.getExe cfg.package} daemon";
+            Restart = "on-failure";
+          };
+          wantedBy = [ "default.target" ];
+        };
 
-    environment.systemPackages = [ cfg.package ];
-  };
+        environment.systemPackages = [ cfg.package ];
+      })
+      (mkIf wayland {
+        security.wrappers.espanso = {
+          source = "${lib.getExe cfg.package}";
+          capabilities = "cap_dac_override+p";
+          owner = "root";
+          group = "root";
+        };
+      })
+    ];
 }
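Review bot: The `security.wrappers.espanso` entry is guarded only by `mkIf wayland`, so a system that sets `services.espanso.package = pkgs.espanso-wayland` but leaves `enable = false` still installs a setcap wrapper carrying `cap_dac_override+p` for a service that never runs; the guard should be `(mkIf (cfg.enable && wayland) {` so the capability-bearing binary exists only while the service is enabled. The `wayland` test also relies on derivation equality with `pkgs.espanso-wayland`, so an overridden or patched package (`.override`, `overrideAttrs`) evaluates to `wayland = false`, the wrapper is skipped, and the daemon silently runs without the capability the comment says the worker needs; a short comment on the `let` binding stating that limitation, or an explicit boolean option, would make the behaviour visible to users. Since `cap_dac_override` bypasses all discretionary file-permission checks rather than only granting the `/dev/input` access described in the ExecStart comment, a one-line comment on the `capabilities` attribute explaining why a narrower grant was not used would help the next reviewer of this wrapper. The hard-coded `/run/wrappers/bin` in ExecStart could use the `security.wrapperDir` option instead, if `config` is available in the module's argument set, which is outside this hunk.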