diff --git a/runner/deploy-service-raw/playbook.yml b/runner/deploy-service-raw/playbook.yml
index 445c17b..c402981 100644
--- a/runner/deploy-service-raw/playbook.yml
+++ b/runner/deploy-service-raw/playbook.yml
@@ -7,33 +7,41 @@
   vars:
     remote_dir: /opt/sensusagent
     local_bin_dir: "{{ LOCAL_BIN_DIR | default('./bin/agent') }}"
+    tmp_dir: /tmp/sensusagent_upload
   tasks:
-    - name: Ensure remote dir exists
-      ansible.builtin.raw: "mkdir -p {{ remote_dir }} && chmod 0755 {{ remote_dir }}"
+    - name: Ensure temp and remote dirs exist
+      ansible.builtin.raw: |
+        mkdir -p {{ tmp_dir }} && chmod 0777 {{ tmp_dir }}
+        mkdir -p {{ remote_dir }} && chmod 0755 {{ remote_dir }}
 
-    - name: Copy agent binary via scp (from controller)
+    - name: Copy agent binary via scp to tmp (from controller)
       ansible.builtin.command: >
         scp -B -i {{ ansible_ssh_private_key_file | default('~/.ssh/id_rsa') }}
         -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null
-        {{ local_bin_dir }}/agent {{ ansible_user }}@{{ ansible_host }}:{{ remote_dir }}/agent
+        {{ local_bin_dir }}/agent {{ ansible_user }}@{{ ansible_host }}:{{ tmp_dir }}/agent
       delegate_to: localhost
 
-    - name: Copy config via scp (from controller)
+    - name: Copy config via scp to tmp (from controller)
       ansible.builtin.command: >
         scp -B -i {{ ansible_ssh_private_key_file | default('~/.ssh/id_rsa') }}
         -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null
-        {{ local_bin_dir }}/config.yaml {{ ansible_user }}@{{ ansible_host }}:{{ remote_dir }}/config.yaml
+        {{ local_bin_dir }}/config.yaml {{ ansible_user }}@{{ ansible_host }}:{{ tmp_dir }}/config.yaml
       delegate_to: localhost
 
-    - name: Copy collectors directory via scp -r (from controller)
+    - name: Copy collectors directory via scp -r to tmp (from controller)
       ansible.builtin.command: >
         scp -r -B -i {{ ansible_ssh_private_key_file | default('~/.ssh/id_rsa') }}
         -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null
-        {{ local_bin_dir }}/collectors {{ ansible_user }}@{{ ansible_host }}:{{ remote_dir }}/
+        {{ local_bin_dir }}/collectors {{ ansible_user }}@{{ ansible_host }}:{{ tmp_dir }}/
       delegate_to: localhost
 
-    - name: Ensure collectors are executable
-      ansible.builtin.raw: "chmod -R 0755 {{ remote_dir }}/collectors 2>/dev/null || true"
+    - name: Move files into {{ remote_dir }} with root and fix permissions
+      ansible.builtin.raw: |
+        cp -f {{ tmp_dir }}/agent {{ remote_dir }}/agent && chmod 0755 {{ remote_dir }}/agent
+        cp -f {{ tmp_dir }}/config.yaml {{ remote_dir }}/config.yaml && chmod 0644 {{ remote_dir }}/config.yaml
+        rm -rf {{ remote_dir }}/collectors && mkdir -p {{ remote_dir }}/collectors && cp -r {{ tmp_dir }}/collectors/* {{ remote_dir }}/collectors/ || true
+        chmod -R 0755 {{ remote_dir }}/collectors 2>/dev/null || true
+        rm -rf {{ tmp_dir }}
 
     - name: Install/refresh systemd unit
       ansible.builtin.raw: |