diff --git a/pkgs/development/python-modules/libagent/default.nix b/pkgs/development/python-modules/libagent/default.nix
index 24d8ada5890..a485bf3a604 100644
--- a/pkgs/development/python-modules/libagent/default.nix
+++ b/pkgs/development/python-modules/libagent/default.nix
@@ -2,6 +2,8 @@
   unidecode, mock, pytest , backports-shutil-which, configargparse,
   python-daemon, pymsgbox }:
 
+# XXX: when changing this package, please test the package onlykey-agent.
+
 buildPythonPackage rec {
   pname = "libagent";
   version = "0.14.1";
diff --git a/pkgs/tools/security/onlykey-agent/default.nix b/pkgs/tools/security/onlykey-agent/default.nix
new file mode 100644
index 00000000000..84c65b91345
--- /dev/null
+++ b/pkgs/tools/security/onlykey-agent/default.nix
@@ -0,0 +1,61 @@
+{ lib
+, python3Packages
+, onlykey-cli
+}:
+
+let
+  # onlykey requires a patched version of libagent
+  lib-agent = with python3Packages; libagent.overridePythonAttrs (oa: rec{
+    version = "1.0.2";
+    src = fetchPypi {
+      inherit version;
+      pname = "lib-agent";
+      sha256 = "sha256-NAimivO3m4UUPM4JgLWGq2FbXOaXdQEL/DqZAcy+kEw=";
+    };
+    propagatedBuildInputs = oa.propagatedBuildInputs or [ ] ++ [
+      pynacl
+      docutils
+      pycryptodome
+      wheel
+    ];
+
+    # turn off testing because I can't get it to work
+    doCheck = false;
+    pythonImportsCheck = [ "libagent" ];
+
+    meta = oa.meta // {
+      description = "Using OnlyKey as hardware SSH and GPG agent";
+      homepage = "https://github.com/trustcrypto/onlykey-agent/tree/ledger";
+      maintainers = with maintainers; [ kalbasit ];
+    };
+  });
+in
+python3Packages.buildPythonApplication rec {
+  pname = "onlykey-agent";
+  version = "1.1.11";
+
+  src = python3Packages.fetchPypi {
+    inherit pname version;
+    sha256 = "sha256-YH/cqQOVy5s6dTp2JwxM3s4xRTXgwhOr00whtHAwZZI=";
+  };
+
+  propagatedBuildInputs = with python3Packages; [ lib-agent onlykey-cli ];
+
+  # move the python library into the sitePackages.
+  postInstall = ''
+    mkdir $out/${python3Packages.python.sitePackages}/onlykey_agent
+    mv $out/bin/onlykey_agent.py $out/${python3Packages.python.sitePackages}/onlykey_agent/__init__.py
+    chmod a-x $out/${python3Packages.python.sitePackages}/onlykey_agent/__init__.py
+  '';
+
+  # no tests
+  doCheck = false;
+  pythonImportsCheck = [ "onlykey_agent" ];
+
+  meta = with lib; {
+    description = " The OnlyKey agent is essentially middleware that lets you use OnlyKey as a hardware SSH/GPG device.";
+    homepage = "https://github.com/trustcrypto/onlykey-agent";
+    license = licenses.lgpl3Only;
+    maintainers = with maintainers; [ kalbasit ];
+  };
+}
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 099a151cd26..5a133a3aee5 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -7687,6 +7687,8 @@ with pkgs;
 
   onioncircuits = callPackage ../tools/security/onioncircuits { };
 
+  onlykey-agent = callPackage ../tools/security/onlykey-agent { };
+
   onlykey-cli = callPackage ../tools/security/onlykey-cli { };
 
   openapi-generator-cli = callPackage ../tools/networking/openapi-generator-cli { jre = pkgs.jre_headless; };