diff --git a/lib/kernel.nix b/lib/kernel.nix
index 2ce19f8cb68..8045a228d05 100644
--- a/lib/kernel.nix
+++ b/lib/kernel.nix
@@ -14,7 +14,7 @@ with lib;
   freeform = x: { freeform = x; };
 
   /*
-    Common patterns/legacy used in common-config/hardened-config.nix
+    Common patterns/legacy used in common-config/hardened/config.nix
   */
   whenHelpers = version: {
     whenAtLeast = ver: mkIf (versionAtLeast version ver);
diff --git a/pkgs/os-specific/linux/kernel/anthraxx.asc b/pkgs/os-specific/linux/kernel/hardened/anthraxx.asc
similarity index 100%
rename from pkgs/os-specific/linux/kernel/anthraxx.asc
rename to pkgs/os-specific/linux/kernel/hardened/anthraxx.asc
diff --git a/pkgs/os-specific/linux/kernel/hardened-config.nix b/pkgs/os-specific/linux/kernel/hardened/config.nix
similarity index 100%
rename from pkgs/os-specific/linux/kernel/hardened-config.nix
rename to pkgs/os-specific/linux/kernel/hardened/config.nix
diff --git a/pkgs/os-specific/linux/kernel/hardened-patches.json b/pkgs/os-specific/linux/kernel/hardened/patches.json
similarity index 100%
rename from pkgs/os-specific/linux/kernel/hardened-patches.json
rename to pkgs/os-specific/linux/kernel/hardened/patches.json
diff --git a/pkgs/os-specific/linux/kernel/tag-hardened.patch b/pkgs/os-specific/linux/kernel/hardened/tag-hardened.patch
similarity index 100%
rename from pkgs/os-specific/linux/kernel/tag-hardened.patch
rename to pkgs/os-specific/linux/kernel/hardened/tag-hardened.patch
diff --git a/pkgs/os-specific/linux/kernel/update-hardened.py b/pkgs/os-specific/linux/kernel/hardened/update.py
similarity index 94%
rename from pkgs/os-specific/linux/kernel/update-hardened.py
rename to pkgs/os-specific/linux/kernel/hardened/update.py
index bc9110578d6..1ef5acd3eb0 100755
--- a/pkgs/os-specific/linux/kernel/update-hardened.py
+++ b/pkgs/os-specific/linux/kernel/hardened/update.py
@@ -1,7 +1,7 @@
 #! /usr/bin/env nix-shell
 #! nix-shell -i python -p "python3.withPackages (ps: [ps.PyGithub])" git gnupg
 
-# This is automatically called by ./update.sh.
+# This is automatically called by ../update.sh.
 
 import json
 import os
@@ -14,9 +14,11 @@ from tempfile import TemporaryDirectory
 from github import Github
 
 HERE = Path(__file__).resolve().parent
+NIXPKGS_KERNEL_PATH = HERE.parent
+NIXPKGS_PATH = HERE.parents[4]
 HARDENED_GITHUB_REPO = "anthraxx/linux-hardened"
 HARDENED_TRUSTED_KEY = HERE / "anthraxx.asc"
-HARDENED_PATCHES_PATH = HERE / "hardened-patches.json"
+HARDENED_PATCHES_PATH = HERE / "patches.json"
 
 MIN_KERNEL_VERSION = [4, 14]
 
@@ -128,16 +130,16 @@ def commit_patches(*, kernel_key, message):
         json.dump(patches, new_patches_file, indent=4, sort_keys=True)
         new_patches_file.write("\n")
     os.rename(new_patches_path, HARDENED_PATCHES_PATH)
-    message = f"linux/hardened-patches/{kernel_key}: {message}"
+    message = f"linux/hardened/patches/{kernel_key}: {message}"
     print(message)
     if os.environ.get("COMMIT"):
         run(
             "git",
             "-C",
-            HERE,
+            NIXPKGS_PATH,
             "commit",
             f"--message={message}",
-            "hardened-patches.json",
+            HARDENED_PATCHES_PATH,
         )
 
 
@@ -156,10 +158,10 @@ NIX_VERSION_RE = re.compile(
 
 # Get the set of currently packaged kernel versions.
 kernel_versions = {}
-for filename in os.listdir(HERE):
+for filename in os.listdir(NIXPKGS_KERNEL_PATH):
     filename_match = re.fullmatch(r"linux-(\d+)\.(\d+)\.nix", filename)
     if filename_match:
-        with open(HERE / filename) as nix_file:
+        with open(NIXPKGS_KERNEL_PATH / filename) as nix_file:
             for nix_line in nix_file:
                 match = NIX_VERSION_RE.fullmatch(nix_line)
                 if match:
diff --git a/pkgs/os-specific/linux/kernel/patches.nix b/pkgs/os-specific/linux/kernel/patches.nix
index 1c4af8c32a6..8ce1ac2b587 100644
--- a/pkgs/os-specific/linux/kernel/patches.nix
+++ b/pkgs/os-specific/linux/kernel/patches.nix
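Review bot: `NIXPKGS_PATH = HERE.parents[4]` in the second hunk pins the repository root by a bare depth index, so a later move of this script (the very kind of move this commit performs) would not fail but would redirect `git -C NIXPKGS_PATH commit` in the third hunk to whatever directory sits four levels up — if that happens to be another checkout, the commit lands in the wrong repository. Suggest recording the derivation and failing fast: `NIXPKGS_PATH = HERE.parents[4]  # <nixpkgs>/pkgs/os-specific/linux/kernel/hardened -> <nixpkgs>` followed by `if not (NIXPKGS_PATH / ".git").exists(): raise SystemExit(f"not a nixpkgs checkout: {NIXPKGS_PATH}")`. `exists()` rather than `is_dir()` because `.git` is a plain file in a git worktree. commit_patches begins outside the third hunk; only its def line is visible, in the hunk header.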
@@ -35,7 +35,7 @@
 
   tag_hardened = {
     name = "tag-hardened";
-    patch = ./tag-hardened.patch;
+    patch = ./hardened/tag-hardened.patch;
   };
 
   hardened = let
@@ -43,7 +43,7 @@
       name = lib.removeSuffix ".patch" src.name;
       patch = fetchurl src;
     };
-    patches = builtins.fromJSON (builtins.readFile ./hardened-patches.json);
+    patches = builtins.fromJSON (builtins.readFile ./hardened/patches.json);
   in lib.mapAttrs mkPatch patches;
 
   # https://bugzilla.kernel.org/show_bug.cgi?id=197591#c6
diff --git a/pkgs/os-specific/linux/kernel/update.sh b/pkgs/os-specific/linux/kernel/update.sh
index c483661b6f5..55fdce06c97 100755
--- a/pkgs/os-specific/linux/kernel/update.sh
+++ b/pkgs/os-specific/linux/kernel/update.sh
@@ -62,4 +62,4 @@ done
 COMMIT=1 $NIXPKGS/pkgs/os-specific/linux/kernel/update-libre.sh
 
 # Update linux-hardened
-COMMIT=1 $NIXPKGS/pkgs/os-specific/linux/kernel/update-hardened.py
+COMMIT=1 $NIXPKGS/pkgs/os-specific/linux/kernel/hardened/update.py
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 349bc242ee1..f6419394b2d 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -17014,7 +17014,7 @@ in
 
   # Hardened linux
   hardenedLinuxPackagesFor = kernel: linuxPackagesFor (kernel.override {
-    structuredExtraConfig = import ../os-specific/linux/kernel/hardened-config.nix {
+    structuredExtraConfig = import ../os-specific/linux/kernel/hardened/config.nix {
       inherit stdenv;
       inherit (kernel) version;
     };