diff --git a/ristretto.nix b/ristretto.nix
new file mode 100644
index 0000000000000000000000000000000000000000..ba86315f02ce9f5a14087561851947358a1d9376
--- /dev/null
+++ b/ristretto.nix
@@ -0,0 +1,10 @@
+{ fetchFromGitHub, callPackage }:
+let
+  src = fetchFromGitHub {
+    owner = "LeastAuthority";
+    repo = "privacypass";
+    rev = "f74b371cdf179454f3ad540a4d0deea879fbe5e1";
+    sha256 = "0a020ks8awlpil58zcaj5apk1ls0q2y492wsh62kl529jp518v4b";
+  };
+in
+  callPackage "${src}/ristretto.nix" { }
diff --git a/stack-shell.nix b/stack-shell.nix
new file mode 100644
index 0000000000000000000000000000000000000000..8800cbbd773f7386033d30036ff026a169420e5f
--- /dev/null
+++ b/stack-shell.nix
@@ -0,0 +1,17 @@
+# This is intended to be used as the shell-file for the stack configuration.
+# It sets up the non-Haskell parts of the stack build environment.
+{ ghc }:
+let
+  pkgs = import <nixpkgs> { };
+  # Get our Ristretto bindings.
+  ristretto = pkgs.callPackage ./ristretto.nix { };
+in
+  # This is what you're supposed to call in a stack shell-file.  I don't
+  # *really* know what it does but I know it works...
+  pkgs.haskell.lib.buildStackProject {
+    inherit ghc;
+    name = "PrivacyPass";
+    # zlib is a common dependency of many of our dependencies.  and we put our
+    # ristretto library in as well.
+    buildInputs = [ pkgs.zlib ristretto ];
+  }
diff --git a/stack.yaml b/stack.yaml
index 75399a2e58530adf91ef7986d22afc5aff66d297..737ed12ba46d390cce566494363d8cdd91b742f8 100644
--- a/stack.yaml
+++ b/stack.yaml
@@ -64,9 +64,6 @@ extra-deps:
 # Allow a newer minor version of GHC than the snapshot specifies
 # compiler-check: newer-minor
 
-
-# https://docs.haskellstack.org/en/stable/nix_integration/#additions-to-your-stackyaml
 nix:
   enable: true
-  packages:
-    - "zlib"
+  shell-file: "stack-shell.nix"