diff --git a/nixos/modules/security/grsecurity.xml b/nixos/modules/security/grsecurity.xml
index 97628b0fe329..5b3e4db03a13 100644
--- a/nixos/modules/security/grsecurity.xml
+++ b/nixos/modules/security/grsecurity.xml
@@ -153,10 +153,6 @@
Trusted path execution: a desirable feature, but
requires some more work to operate smoothly on NixOS.
-
- Module hardening: would break user initiated module
- loading. Might enable this at some point, depending on the potential
- breakage.
@@ -292,6 +288,10 @@
to override
this behavior.
+ User initiated autoloading of modules (e.g., when
+ using fuse or loop devices) is disallowed; either load requisite modules
+ as root or add them to.
+
Virtualization: KVM is the preferred virtualization
solution. Xen, Virtualbox, and VMWare are
unsupported and most likely require a custom kernel.
diff --git a/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix b/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix
index 96da936642d2..c426799f59dd 100644
--- a/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix
+++ b/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix
@@ -31,6 +31,8 @@ PAX_KERNEXEC_PLUGIN_METHOD_BTS y
GRKERNSEC_IO y
GRKERNSEC_SYSFS_RESTRICT y
+GRKERNSEC_MODHARDEN y
+
# Disable protections rendered useless by redistribution
GRKERNSEC_HIDESYM n
GRKERNSEC_RANDSTRUCT n
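Review bot: The added `GRKERNSEC_MODHARDEN y` has no comment, and the wishlist comment this commit removes further down was the only in-file record that the option breaks user-initiated module loading. A one-line comment above the setting would keep that trade-off visible to the next person editing this config, e.g. `# Restrict module autoloading to root; modules needed by unprivileged users (e.g. fuse, loop) must be loaded explicitly`. It may also be worth checking that NixOS modules which appear to rely on autoloading from a non-root context declare their kernel modules, since after this change they would fail at first use rather than at build time.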
@@ -51,9 +53,6 @@ GRKERNSEC_FORKFAIL y
# Wishlist: support trusted path execution
GRKERNSEC_TPE n
-# Wishlist: enable this, but breaks user initiated module loading
-GRKERNSEC_MODHARDEN n
-
GRKERNSEC_SYSCTL y
GRKERNSEC_SYSCTL_DISTRO y
# Assume that appropriate sysctls are toggled once the system is up