diff --git a/nixos/modules/services/hardware/udev.nix b/nixos/modules/services/hardware/udev.nix
index dc87c9215e65..74ec335c7509 100644
--- a/nixos/modules/services/hardware/udev.nix
+++ b/nixos/modules/services/hardware/udev.nix
@@ -116,6 +116,7 @@ let
           )"
           echo "$localFile ($remoteFile) contains references to $refs."
         done
+        ${optionalString (!cfg.allowImpurePaths) "exit 1"}
       fi
 
       ${optionalString config.networking.usePredictableInterfaceNames ''
@@ -231,6 +232,20 @@ in
         '';
       };
 
+      allowImpurePaths = mkOption {
+        default = true;
+        example = false;
+        type = types.bool;
+        description = ''
+          If this is disabled, the build will fail whenever one of the
+          <command>udev</command> rules contains a reference to
+          <filename>/usr/bin</filename>, <filename>/usr/sbin</filename>,
+          <filename>/bin</filename> or <filename>/sbin</filename>.
+
+          By default only a warning is printed during build.
+        '';
+      };
+
     };
 
     hardware.firmware = mkOption {