diff --git a/nixos/modules/security/lock-kernel-modules.nix b/nixos/modules/security/lock-kernel-modules.nix
index 30fdb1e2babc..c81521ed9b08 100644
--- a/nixos/modules/security/lock-kernel-modules.nix
+++ b/nixos/modules/security/lock-kernel-modules.nix
@@ -17,6 +17,14 @@ with lib;
   };
 
   config = mkIf config.security.lockKernelModules {
+    boot.kernelModules = concatMap (x:
+      if x.device != null
+        then
+          if x.fsType == "vfat"
+            then [ "vfat" "nls-cp437" "nls-iso8859-1" ]
+            else [ x.fsType ]
+        else []) config.system.build.fileSystems;
+
     systemd.services.disable-kernel-module-loading = rec {
       description = "Disable kernel module loading";