diff --git a/nixos/doc/manual/release-notes/rl-2405.section.md b/nixos/doc/manual/release-notes/rl-2405.section.md
index e9d13cc3c265..09360366d7a0 100644
--- a/nixos/doc/manual/release-notes/rl-2405.section.md
+++ b/nixos/doc/manual/release-notes/rl-2405.section.md
@@ -211,6 +211,8 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
 
 - [private-gpt](https://github.com/zylon-ai/private-gpt), a service to interact with your documents using the power of LLMs, 100% privately, no data leaks. Available as [services.private-gpt](#opt-services.private-gpt.enable).
 
+- [keto](https://www.ory.sh/keto/), a permission & access control server, the first open source implementation of ["Zanzibar: Google's Consistent, Global Authorization System"](https://research.google/pubs/zanzibar-googles-consistent-global-authorization-system/).
+
 ## Backward Incompatibilities {#sec-release-24.05-incompatibilities}
 
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
diff --git a/pkgs/by-name/ke/keto/package.nix b/pkgs/by-name/ke/keto/package.nix
new file mode 100644
index 000000000000..8f50762bfeb2
--- /dev/null
+++ b/pkgs/by-name/ke/keto/package.nix
@@ -0,0 +1,45 @@
+{
+  fetchFromGitHub,
+  buildGoModule,
+  lib,
+}:
+let
+  pname = "keto";
+  version = "0.13.0-alpha.0";
+  commit = "c75695837f170334b526359f28967aa33d61bce6";
+in
+buildGoModule {
+  inherit pname version commit;
+
+  src = fetchFromGitHub {
+    owner = "ory";
+    repo = "keto";
+    rev = "v${version}";
+    sha256 = "sha256-0yylaaXogN2HWXY8Tb7ScN4jdyeHecJ0gBYlVvcwaNE=";
+  };
+
+  vendorHash = "sha256-lgwV4Ysjmd9e850Rf5c0wSZtMW3U34/piwwG7dQEUV4=";
+
+  tags = [
+    "sqlite"
+    "json1"
+    "hsm"
+  ];
+
+  subPackages = [ "." ];
+
+  # Pass versioning information via ldflags
+  ldflags = [
+    "-s"
+    "-w"
+    "-X github.com/ory/keto/internal/driver/config.Version=${version}"
+    "-X github.com/ory/keto/internal/driver/config.Commit=${commit}"
+  ];
+
+  meta = {
+    description = "ORY Keto, the open source access control server";
+    homepage = "https://www.ory.sh/keto/";
+    license = lib.licenses.asl20;
+    maintainers = with lib.maintainers; [ mrmebelman ];
+  };
+}