grsecrurity have stopped releasing their unstable kernel patches, leaving a bit of a void if you want to add those layers of protection to your kernel.

To fill this obvious need the Kernel Self Protection has started folding some of the grsecurity patches into the mainline kernel.

NixOS ships with the recommended kernel config out of the box, and you can enable it like this:

boot = {
kernelPackages = pkgs.linuxPackages_hardened;
};