TIL: systemd-modules-load.service, available e.g. on Debian trixie, which loads a set of kernel modules during (mid-)early boot, using text files in /etc/modules-load.d/.
Combined with:
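```
[Unit]
Description=Hardening: disable late loading of kernel modules
Wants=network-pre.target
# Lock module loading before any network interface is brought up
Before=network-pre.target
# ... but only after the modules listed in modules-load.d are in place
After=systemd-modules-load.service
Requires=systemd-modules-load.service

[Install]
WantedBy=multi-user.target

[Service]
Type=oneshot
RemainAfterExit=true
# One-way switch: once set to 1 it cannot be set back to 0 until reboot
ExecStart=/usr/sbin/sysctl kernel.modules_disabled=1
```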
I'm freezing the set of kernel modules loaded on my servers as defense-in-depth.
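
Before enabling a unit like this, it helps to know which currently loaded modules no modules-load.d file names, because a module that is normally loaded on demand after the lock will be refused. The script below is an added example, not part of the original post; its function names and the `--live` switch are made up for illustration, and the three directories it searches are assumed to be the modules-load.d locations in use.

```shell
#!/bin/sh
# Added example: list modules loaded now that no modules-load.d file names.

# Print module names from modules-load.d style directories, one per line.
# Blank lines and lines starting with '#' or ';' are skipped, as described
# in modules-load.d(5). Hyphens become underscores to match /proc/modules.
configured_modules() {
    for dir in "$@"; do
        for f in "$dir"/*.conf; do
            [ -f "$f" ] || continue
            sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
                -e '/^$/d' -e '/^[#;]/d' "$f"
        done
    done | tr '-' '_' | LC_ALL=C sort -u
}

# Print the names of loaded modules from a /proc/modules style file.
loaded_modules() {
    awk '{ print $1 }' "$1" | LC_ALL=C sort -u
}

# Print modules that are loaded but not named in any given config directory.
# Usage: unlisted_modules PROC_MODULES_FILE CONFIG_DIR...
unlisted_modules() {
    proc_file=$1; shift
    cfg=$(mktemp) && cur=$(mktemp) || return 1
    configured_modules "$@" > "$cfg"
    loaded_modules "$proc_file" > "$cur"
    LC_ALL=C comm -13 "$cfg" "$cur"
    rm -f "$cfg" "$cur"
}

# Check the running system only when asked to (hypothetical switch).
if [ "${1:-}" = "--live" ]; then
    unlisted_modules /proc/modules \
        /etc/modules-load.d /run/modules-load.d /usr/lib/modules-load.d
fi
```

The output is a review list, not a verdict: modules pulled in by the initramfs or by udev before the lock runs show up here too and will still be loaded on the next boot. Anything on the list that normally arrives later (filesystems, USB storage, firewall modules) needs an entry in /etc/modules-load.d/ first.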