diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index d45675d2a392..d89d294b0469 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -193,6 +193,7 @@
   ./programs/gnome-disks.nix
   ./programs/gnome-terminal.nix
   ./programs/gnupg.nix
+  ./programs/goldwarden.nix
   ./programs/gpaste.nix
   ./programs/gphoto2.nix
   ./programs/haguichi.nix
diff --git a/nixos/modules/programs/goldwarden.nix b/nixos/modules/programs/goldwarden.nix
new file mode 100644
index 000000000000..26f9a87c1986
--- /dev/null
+++ b/nixos/modules/programs/goldwarden.nix
@@ -0,0 +1,50 @@
+{ lib, config, pkgs, ... }:
+let
+  cfg = config.programs.goldwarden;
+in
+{
+  options.programs.goldwarden = {
+    enable = lib.mkEnableOption "Goldwarden";
+    package = lib.mkPackageOption pkgs "goldwarden" {};
+    useSshAgent = lib.mkEnableOption "Goldwarden's SSH Agent" // { default = true; };
+  };
+
+  config = lib.mkIf cfg.enable {
+    assertions = [{
+       assertion = cfg.useSshAgent -> !config.programs.ssh.startAgent;
+       message = "Only one ssh-agent can be used at a time.";
+    }];
+
+    environment = {
+      etc = lib.mkIf config.programs.chromium.enable {
+        "chromium/native-messaging-hosts/com.8bit.bitwarden.json".source = "${cfg.package}/etc/chromium/native-messaging-hosts/com.8bit.bitwarden.json";
+        "opt/chrome/native-messaging-hosts/com.8bit.bitwarden.json".source = "${cfg.package}/etc/chrome/native-messaging-hosts/com.8bit.bitwarden.json";
+      };
+
+      extraInit = lib.mkIf cfg.useSshAgent ''
+        if [ -z "$SSH_AUTH_SOCK" -a -n "$HOME" ]; then
+          export SSH_AUTH_SOCK="$HOME/.goldwarden-ssh-agent.sock"
+        fi
+      '';
+
+      systemPackages = [
+        # for cli and polkit action
+        cfg.package
+        # binary exec's into pinentry which should match the DE
+        config.programs.gnupg.agent.pinentryPackage
+      ];
+    };
+
+    programs.firefox.nativeMessagingHosts.packages = [ cfg.package ];
+
+    # see https://github.com/quexten/goldwarden/blob/main/cmd/goldwarden.service
+    systemd.user.services.goldwarden = {
+      description = "Goldwarden daemon";
+      wantedBy = [ "graphical-session.target" ];
+      after = [ "graphical-session.target" ];
+      serviceConfig.ExecStart = "${lib.getExe cfg.package} daemonize";
+      path = [ config.programs.gnupg.agent.pinentryPackage ];
+      unitConfig.ConditionUser = "!@system";
+    };
+  };
+}
diff --git a/pkgs/by-name/go/goldwarden/package.nix b/pkgs/by-name/go/goldwarden/package.nix
index 35b18ab1e51c..ad80debb3ee6 100644
--- a/pkgs/by-name/go/goldwarden/package.nix
+++ b/pkgs/by-name/go/goldwarden/package.nix
@@ -1,43 +1,102 @@
 { lib
 , buildGoModule
 , fetchFromGitHub
-, makeBinaryWrapper
+, fetchpatch
+, gobject-introspection
+, gtk4
+, libadwaita
 , libfido2
-, dbus
-, pinentry-gnome3
-, nix-update-script
+, libnotify
+, python3
+, wrapGAppsHook
 }:
 
 buildGoModule rec {
   pname = "goldwarden";
-  version = "0.2.13";
+  version = "0.2.13-unstable-2024-03-14";
 
   src = fetchFromGitHub {
     owner = "quexten";
     repo = "goldwarden";
-    rev = "v${version}";
-    hash = "sha256-4KxPtsIEW46p+cFx6yeSdNlsffy9U31k+ZSkE6V0AFc=";
+    rev = "d6e1cd263365611e520a2ef6c7847c9da19362f1";
+    hash = "sha256-IItKOmE0xHKO2u5jp7R20/T2eSvQ3QCxlzp6R4oiqf8=";
   };
 
+  patches = [
+    (fetchpatch {
+      url = "https://github.com/quexten/goldwarden/pull/140/commits/c134a0e61d51079c44865f68ab65cfb3aea6f8f2.patch";
+      hash = "sha256-nClC/FYq3muXMeYXln+VVGUhanqElEgJRosWeSTNlmM=";
+    })
+    (fetchpatch {
+      url = "https://github.com/quexten/goldwarden/pull/140/commits/86d4f907fba241fd66d0fb3c109c0281a9766bb4.patch";
+      hash = "sha256-A8PBzfyd2blFIjCeO4xOVJMQjnEPwtK4wTcRcfsjyDk=";
+    })
+  ];
+
+  postPatch = ''
+    substituteInPlace browserbiometrics/chrome-com.8bit.bitwarden.json browserbiometrics/mozilla-com.8bit.bitwarden.json \
+      --replace-fail "@PATH@" "$out/bin/goldwarden"
+
+    substituteInPlace gui/com.quexten.Goldwarden.desktop \
+      --replace-fail "Exec=goldwarden_ui_main.py" "Exec=$out/bin/goldwarden-gui"
+    substituteInPlace gui/src/gui/browserbiometrics.py \
+      --replace-fail "flatpak run --filesystem=home --command=goldwarden com.quexten.Goldwarden" "goldwarden"
+    substituteInPlace gui/src/gui/ssh.py \
+      --replace-fail "flatpak run --command=goldwarden com.quexten.Goldwarden" "goldwarden" \
+      --replace-fail 'SSH_AUTH_SOCK=/home/$USER/.var/app/com.quexten.Goldwarden/data/ssh-auth-sock' 'SSH_AUTH_SOCK=/home/$USER/.goldwarden-ssh-agent.sock'
+    substituteInPlace gui/src/{linux/main.py,linux/monitors/dbus_monitor.py,gui/settings.py} \
+      --replace-fail "python3" "${(python3.buildEnv.override { extraLibs = pythonPath; }).interpreter}"
+  '';
+
   vendorHash = "sha256-IH0p7t1qInA9rNYv6ekxDN/BT5Kguhh4cZfmL+iqwVU=";
 
   ldflags = [ "-s" "-w" ];
 
-  nativeBuildInputs = [makeBinaryWrapper];
+  nativeBuildInputs = [
+    gobject-introspection
+    python3.pkgs.wrapPython
+    wrapGAppsHook
+  ];
 
-  buildInputs = [libfido2];
+  buildInputs = [
+    gtk4
+    libadwaita
+    libfido2
+    libnotify
+  ];
+
+  pythonPath = with python3.pkgs; [
+    dbus-python
+    pygobject3
+    tendo
+  ];
 
   postInstall = ''
-    wrapProgram $out/bin/goldwarden \
-      --suffix PATH : ${lib.makeBinPath [dbus pinentry-gnome3]}
+    chmod +x gui/goldwarden_ui_main.py
+    ln -s $out/share/goldwarden/goldwarden_ui_main.py $out/bin/goldwarden-gui
+    mkdir -p $out/share/goldwarden
+    cp -r gui/* $out/share/goldwarden/
+    rm $out/share/goldwarden/{com.quexten.Goldwarden.desktop,com.quexten.Goldwarden.metainfo.xml,goldwarden.svg,python3-requirements.json,requirements.txt}
 
-    install -Dm644 $src/resources/com.quexten.goldwarden.policy -t $out/share/polkit-1/actions
+    install -D gui/com.quexten.Goldwarden.desktop -t $out/share/applications
+    install -D gui/goldwarden.svg -t $out/share/icons/hicolor/scalable/apps
+    install -Dm644 gui/com.quexten.Goldwarden.metainfo.xml -t $out/share/metainfo
+    install -Dm644 resources/com.quexten.goldwarden.policy -t $out/share/polkit-1/actions
+
+    install -D browserbiometrics/chrome-com.8bit.bitwarden.json $out/etc/chrome/native-messaging-hosts/com.8bit.bitwarden.json
+    install -D browserbiometrics/chrome-com.8bit.bitwarden.json $out/etc/chromium/native-messaging-hosts/com.8bit.bitwarden.json
+    install -D browserbiometrics/chrome-com.8bit.bitwarden.json $out/etc/edge/native-messaging-hosts/com.8bit.bitwarden.json
+    install -D browserbiometrics/mozilla-com.8bit.bitwarden.json $out/lib/mozilla/native-messaging-hosts/com.8bit.bitwarden.json
   '';
 
-  passthru.updateScript = nix-update-script {};
+  dontWrapGApps = true;
+  postFixup = ''
+    makeWrapperArgs+=("''${gappsWrapperArgs[@]}")
+    wrapPythonProgramsIn $out/share/goldwarden "$out/share/goldwarden $pythonPath"
+  '';
 
   meta = with lib; {
-    description = "A feature-packed Bitwarden compatible desktop integration";
+    description = "Feature-packed Bitwarden compatible desktop integration";
     homepage = "https://github.com/quexten/goldwarden";
     license = licenses.mit;
     maintainers = with maintainers; [ arthsmn ];
diff --git a/pkgs/development/python-modules/tendo/default.nix b/pkgs/development/python-modules/tendo/default.nix
new file mode 100644
index 000000000000..fe02bc0aed29
--- /dev/null
+++ b/pkgs/development/python-modules/tendo/default.nix
@@ -0,0 +1,49 @@
+{ lib
+, buildPythonPackage
+, fetchFromGitHub
+, pytestCheckHook
+, setuptools
+, setuptools-scm
+}:
+
+buildPythonPackage rec {
+  pname = "tendo";
+  version = "0.4.0";
+  pyproject = true;
+
+  src = fetchFromGitHub {
+    owner = "pycontribs";
+    repo = "tendo";
+    rev = "refs/tags/v${version}";
+    hash = "sha256-ZOozMGxAKcEtmUEzHCFSojKc+9Ha+T2MOTmMvdMqNuQ=";
+  };
+
+  postPatch = ''
+    # marken broken and not required
+    sed -i '/setuptools_scm_git_archive/d' pyproject.toml
+    # unused
+    substituteInPlace setup.cfg \
+      --replace-fail "six" ""
+  '';
+
+  nativeBuildInputs = [
+    setuptools
+    setuptools-scm
+  ];
+
+  nativeCheckInputs = [
+    pytestCheckHook
+  ];
+
+  pythonImportsCheck = [
+    "tendo"
+  ];
+
+  meta = with lib; {
+    description = "Adds basic functionality that is not provided by Python";
+    homepage = "https://github.com/pycontribs/tendo";
+    changelog = "https://github.com/pycontribs/tendo/releases/tag/v${version}";
+    license = licenses.psfl;
+    maintainers = with maintainers; [ SuperSandro2000 ];
+  };
+}
diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix
index 920fa8ce3eb3..7acda5b7144e 100644
--- a/pkgs/top-level/python-packages.nix
+++ b/pkgs/top-level/python-packages.nix
@@ -14557,6 +14557,8 @@ self: super: with self; {
 
   tencentcloud-sdk-python = callPackage ../development/python-modules/tencentcloud-sdk-python { };
 
+  tendo = callPackage ../development/python-modules/tendo { };
+
   tensorboard-data-server = callPackage ../development/python-modules/tensorboard-data-server { };
 
   tensorboard-plugin-profile = callPackage ../development/python-modules/tensorboard-plugin-profile { };