diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 41e369ac1c65..eabb22a446b0 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -193,6 +193,7 @@
   ./programs/gnome-disks.nix
   ./programs/gnome-terminal.nix
   ./programs/gnupg.nix
+  ./programs/goldwarden.nix
   ./programs/gpaste.nix
   ./programs/gphoto2.nix
   ./programs/haguichi.nix
diff --git a/nixos/modules/programs/goldwarden.nix b/nixos/modules/programs/goldwarden.nix
new file mode 100644
index 000000000000..26f9a87c1986
--- /dev/null
+++ b/nixos/modules/programs/goldwarden.nix
@@ -0,0 +1,50 @@
+{ lib, config, pkgs, ... }:
+let
+  cfg = config.programs.goldwarden;
+in
+{
+  options.programs.goldwarden = {
+    enable = lib.mkEnableOption "Goldwarden";
+    package = lib.mkPackageOption pkgs "goldwarden" {};
+    useSshAgent = lib.mkEnableOption "Goldwarden's SSH Agent" // { default = true; };
+  };
+
+  config = lib.mkIf cfg.enable {
+    assertions = [{
+      assertion = cfg.useSshAgent -> !config.programs.ssh.startAgent;
+      message = "Only one ssh-agent can be used at a time.";
+    }];
+
+    environment = {
+      etc = lib.mkIf config.programs.chromium.enable {
+        "chromium/native-messaging-hosts/com.8bit.bitwarden.json".source = "${cfg.package}/etc/chromium/native-messaging-hosts/com.8bit.bitwarden.json";
+        "opt/chrome/native-messaging-hosts/com.8bit.bitwarden.json".source = "${cfg.package}/etc/chrome/native-messaging-hosts/com.8bit.bitwarden.json";
+      };
+
+      extraInit = lib.mkIf cfg.useSshAgent ''
+        if [ -z "$SSH_AUTH_SOCK" -a -n "$HOME" ]; then
+          export SSH_AUTH_SOCK="$HOME/.goldwarden-ssh-agent.sock"
+        fi
+      '';
+
+      systemPackages = [
+        # for cli and polkit action
+        cfg.package
+        # binary exec's into pinentry which should match the DE
+        config.programs.gnupg.agent.pinentryPackage
+      ];
+    };
+
+    programs.firefox.nativeMessagingHosts.packages = [ cfg.package ];
+
+    # see https://github.com/quexten/goldwarden/blob/main/cmd/goldwarden.service
+    systemd.user.services.goldwarden = {
+      description = "Goldwarden daemon";
+      wantedBy = [ "graphical-session.target" ];
+      after = [ "graphical-session.target" ];
+      serviceConfig.ExecStart = "${lib.getExe cfg.package} daemonize";
+      path = [ config.programs.gnupg.agent.pinentryPackage ];
+      unitConfig.ConditionUser = "!@system";
+    };
+  };
+}
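Review bot: The assertion on `cfg.useSshAgent` only rules out `programs.ssh.startAgent`, but other modules can also claim `SSH_AUTH_SOCK` — `programs.gnupg.agent.enableSSHSupport` is the obvious one given this module already reads `programs.gnupg.agent.pinentryPackage` — and since `environment.extraInit` snippets are concatenated with no guaranteed order, the `-z "$SSH_AUTH_SOCK"` guard in `extraInit` may silently lose to whichever snippet runs first, leaving the user with an agent they did not configure. Extending the check to `assertion = cfg.useSshAgent -> !(config.programs.ssh.startAgent || config.programs.gnupg.agent.enableSSHSupport);` would surface the conflict at evaluation time, and the `message` could name the colliding options so the user knows which one to disable. A smaller point of style in the same snippet: the `-a` form of `test` is obsolescent in POSIX, so `if [ -z "$SSH_AUTH_SOCK" ] && [ -n "$HOME" ]; then` is the portable spelling.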