diff --git a/nixos/modules/security/grsecurity.nix b/nixos/modules/security/grsecurity.nix
index 3aabbc8fe1bc1c..236206026c3f45 100644
--- a/nixos/modules/security/grsecurity.nix
+++ b/nixos/modules/security/grsecurity.nix
@@ -28,8 +28,7 @@ in
 
       kernelPatch = mkOption {
         type = types.attrs;
-        default = pkgs.kernelPatches.grsecurity_latest;
-        example = pkgs.kernelPatches.grsecurity_4_1;
+        example = lib.literalExample "pkgs.kernelPatches.grsecurity_4_1";
         description = ''
           Grsecurity patch to use.
         '';
@@ -231,6 +230,8 @@ in
         }
       ];
 
+    security.grsecurity.kernelPatch = lib.mkDefault pkgs.kernelPatches.grsecurity_latest;
+
     systemd.services.grsec-lock = mkIf cfg.config.sysctl {
       description     = "grsecurity sysctl-lock Service";
       requires        = [ "systemd-sysctl.service" ];