diff --git a/pkgs/development/python-modules/libagent/default.nix b/pkgs/development/python-modules/libagent/default.nix index 5334513e23c..6fdc286855a 100644 --- a/pkgs/development/python-modules/libagent/default.nix +++ b/pkgs/development/python-modules/libagent/default.nix @@ -2,6 +2,8 @@ unidecode, mock, pytest , backports-shutil-which, ConfigArgParse, python-daemon, pymsgbox }: +# XXX: when changing this package, please test the package onlykey-agent. + buildPythonPackage rec { pname = "libagent"; version = "0.14.1"; diff --git a/pkgs/development/tools/analysis/radare2/default.nix b/pkgs/development/tools/analysis/radare2/default.nix index a8e7c10ce44..7a297037dc0 100644 --- a/pkgs/development/tools/analysis/radare2/default.nix +++ b/pkgs/development/tools/analysis/radare2/default.nix @@ -1,6 +1,7 @@ { lib , stdenv , fetchFromGitHub +, fetchpatch , buildPackages , pkg-config , libusb-compat-0_1 @@ -37,6 +38,14 @@ stdenv.mkDerivation rec { sha256 = "sha256-VS8eG5RXwKtJSLmyaSifopJU7WYGMUcznn+burPqEYE="; }; + patches = [ + (fetchpatch { + name = "CVE-2021-3673.patch"; + url = "https://github.com/radareorg/radare2/commit/d7ea20fb2e1433ebece9f004d87ad8f2377af23d.patch"; + sha256 = "14vr2chcyx9xrb1krczppwy619fb3k5dnyc4mcg40mvfl70ndbwn"; + }) + ]; + postInstall = '' install -D -m755 $src/binr/r2pm/r2pm $out/bin/r2pm ''; diff --git a/pkgs/servers/sql/mysql/8.0.x.nix b/pkgs/servers/sql/mysql/8.0.x.nix index 8e7c5a0425d..e37789e7ee6 100644 --- a/pkgs/servers/sql/mysql/8.0.x.nix +++ b/pkgs/servers/sql/mysql/8.0.x.nix @@ -1,6 +1,6 @@ { lib, stdenv, fetchurl, bison, cmake, pkg-config , boost, icu, libedit, libevent, lz4, ncurses, openssl, protobuf, re2, readline, zlib, zstd -, numactl, perl, cctools, CoreServices, developer_cmds, libtirpc, rpcsvc-proto, curl +, numactl, perl, cctools, CoreServices, developer_cmds, libtirpc, rpcsvc-proto, curl, DarwinTools }: let 
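Review bot: The new `patches` entry in radare2's `default.nix` names CVE-2021-3673 but carries no comment saying when it can be dropped, so a later version bump that already contains upstream commit d7ea20fb2e14 would likely fail to apply it or leave a stale entry behind. A short comment above the `fetchpatch`, such as `# CVE-2021-3673; remove once the packaged release includes this upstream commit`, would make that explicit. The patch hash is written in base32 while `src` just above uses the SRI `sha256-…` form; using one form throughout the file would be more consistent. The `mkDerivation` body continues outside the hunk.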
@@ -32,7 +32,7 @@ self = stdenv.mkDerivation rec { ] ++ lib.optionals stdenv.isLinux [ numactl libtirpc ] ++ lib.optionals stdenv.isDarwin [ - cctools CoreServices developer_cmds + cctools CoreServices developer_cmds DarwinTools ]; outputs = [ "out" "static" ]; diff --git a/pkgs/tools/admin/nomachine-client/default.nix b/pkgs/tools/admin/nomachine-client/default.nix index 0daa65cc980..be4bef1e160 100644 --- a/pkgs/tools/admin/nomachine-client/default.nix +++ b/pkgs/tools/admin/nomachine-client/default.nix @@ -1,9 +1,9 @@ { lib, stdenv, file, fetchurl, makeWrapper, autoPatchelfHook, jsoncpp, libpulseaudio }: let - versionMajor = "7.4"; - versionMinor = "1"; - versionBuild_x86_64 = "1"; + versionMajor = "7.6"; + versionMinor = "2"; + versionBuild_x86_64 = "4"; versionBuild_i686 = "1"; in stdenv.mkDerivation rec { @@ -14,12 +14,12 @@ in if stdenv.hostPlatform.system == "x86_64-linux" then fetchurl { url = "https://download.nomachine.com/download/${versionMajor}/Linux/nomachine_${version}_${versionBuild_x86_64}_x86_64.tar.gz"; - sha256 = "1qir9ii0h5ali87mjzjl72dm1ky626d7y59jfpglakqxzqhjamdz"; + sha256 = "1kkdf9dlp4j453blnwp1sds4r3h3fy863pvhdh466mrq3f10qca8"; } else if stdenv.hostPlatform.system == "i686-linux" then fetchurl { url = "https://download.nomachine.com/download/${versionMajor}/Linux/nomachine_${version}_${versionBuild_i686}_i686.tar.gz"; - sha256 = "1gxiysc09k3jz1pkkyfqgw2fygcnmrnskk6b9vn4fjnvsab4py60"; + sha256 = "0h4c90hzhbg0qdb585bc9gry9cf9hd8r53m2jha4fdqhzd95ydln"; } else throw "NoMachine client is not supported on ${stdenv.hostPlatform.system}"; @@ -90,4 +90,3 @@ in platforms = [ "x86_64-linux" "i686-linux" ]; }; } - diff --git a/pkgs/tools/security/onlykey-agent/default.nix b/pkgs/tools/security/onlykey-agent/default.nix new file mode 100644 index 00000000000..84c65b91345 --- /dev/null +++ b/pkgs/tools/security/onlykey-agent/default.nix 
@@ -0,0 +1,61 @@
+{ lib
+, python3Packages
+, onlykey-cli
+}:
+
+let
+ # onlykey requires a patched version of libagent
+ lib-agent = with python3Packages; libagent.overridePythonAttrs (oa: rec{
+ version = "1.0.2";
+ src = fetchPypi {
+ inherit version;
+ pname = "lib-agent";
+ sha256 = "sha256-NAimivO3m4UUPM4JgLWGq2FbXOaXdQEL/DqZAcy+kEw=";
+ };
+ propagatedBuildInputs = oa.propagatedBuildInputs or [ ] ++ [
+ pynacl
+ docutils
+ pycryptodome
+ wheel
+ ];
+
+ # turn off testing because I can't get it to work
+ doCheck = false;
+ pythonImportsCheck = [ "libagent" ];
+
+ meta = oa.meta // {
+ description = "Using OnlyKey as hardware SSH and GPG agent";
+ homepage = "https://github.com/trustcrypto/onlykey-agent/tree/ledger";
+ maintainers = with maintainers; [ kalbasit ];
+ };
+ });
+in
+python3Packages.buildPythonApplication rec {
+ pname = "onlykey-agent";
+ version = "1.1.11";
+
+ src = python3Packages.fetchPypi {
+ inherit pname version;
+ sha256 = "sha256-YH/cqQOVy5s6dTp2JwxM3s4xRTXgwhOr00whtHAwZZI=";
+ };
+
+ propagatedBuildInputs = with python3Packages; [ lib-agent onlykey-cli ];
+
+ # move the python library into the sitePackages.
+ postInstall = ''
+ mkdir $out/${python3Packages.python.sitePackages}/onlykey_agent
+ mv $out/bin/onlykey_agent.py $out/${python3Packages.python.sitePackages}/onlykey_agent/__init__.py
+ chmod a-x $out/${python3Packages.python.sitePackages}/onlykey_agent/__init__.py
+ '';
+
+ # no tests
+ doCheck = false;
+ pythonImportsCheck = [ "onlykey_agent" ];
+
+ meta = with lib; {
+ description = " The OnlyKey agent is essentially middleware that lets you use OnlyKey as a hardware SSH/GPG device.";
+ homepage = "https://github.com/trustcrypto/onlykey-agent";
+ license = licenses.lgpl3Only;
+ maintainers = with maintainers; [ kalbasit ];
+ };
+}
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index f29a0f327e3..f0e1b3cacc2 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
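Review bot: The overridden `lib-agent` in the new onlykey-agent `default.nix` sets `doCheck = false` with the comment "turn off testing because I can't get it to work", which leaves a forked SSH/GPG agent library verified only by `pythonImportsCheck` and gives the next maintainer nothing to act on. Replace that comment with the concrete cause, for example `# tests disabled: <failing test or missing dependency>`, so the check can be re-enabled once it is resolved. `wheel` in `propagatedBuildInputs` looks like a build-time tool rather than a runtime dependency and may belong in `nativeBuildInputs`. Inside `with python3Packages;`, `maintainers = with maintainers; [ kalbasit ];` appears to rely on `maintainers` being resolvable from that scope; `with lib.maintainers;` would not depend on it.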
@@ -7347,6 +7347,8 @@ in onioncircuits = callPackage ../tools/security/onioncircuits { }; + onlykey-agent = callPackage ../tools/security/onlykey-agent { }; + onlykey-cli = callPackage ../tools/security/onlykey-cli { }; openapi-generator-cli = callPackage ../tools/networking/openapi-generator-cli { jre = pkgs.jre_headless; }; @@ -19474,7 +19476,7 @@ in }; mysql80 = callPackage ../servers/sql/mysql/8.0.x.nix { - inherit (darwin) cctools developer_cmds; + inherit (darwin) cctools developer_cmds DarwinTools; inherit (darwin.apple_sdk.frameworks) CoreServices; boost = boost173; # Configure checks for specific version. protobuf = protobuf3_7;