diff --git a/nixos/modules/system/etc/etc-activation.nix b/nixos/modules/system/etc/etc-activation.nix
index 733166a9175e..f623e6dddc1e 100644
--- a/nixos/modules/system/etc/etc-activation.nix
+++ b/nixos/modules/system/etc/etc-activation.nix
@@ -36,7 +36,7 @@
             where = "/run/etc-metadata";
             what = "/etc-metadata-image";
             type = "erofs";
-            options = "loop";
+            options = "loop,ro";
             unitConfig = {
               # Since this unit depends on the nix store being mounted, it cannot
               # be a dependency of local-fs.target, because if it did, we'd have
diff --git a/nixos/modules/system/etc/etc.nix b/nixos/modules/system/etc/etc.nix
index e8eeae03a360..0b5e65255a51 100644
--- a/nixos/modules/system/etc/etc.nix
+++ b/nixos/modules/system/etc/etc.nix
@@ -232,7 +232,7 @@ in
         echo "remounting /etc..."
 
         tmpMetadataMount=$(mktemp --directory -t nixos-etc-metadata.XXXXXXXXXX)
-        mount --type erofs ${config.system.build.etcMetadataImage} $tmpMetadataMount
+        mount --type erofs -o ro ${config.system.build.etcMetadataImage} $tmpMetadataMount
 
         # Mount the new /etc overlay to a temporary private mount.
         # This needs the indirection via a private bind mount because you