diff --git a/.circleci/config.yml b/.circleci/config.yml
index 19647282b4687c9b5fddbcfce8c9194fa96b2e89..a51cbb601c07a94bb57b4561a89cb9df64a47795 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -82,9 +82,9 @@ jobs:
             # If nixpkgs changes then potentially a lot of cached packages for
             # the base system will be invalidated so we may as well drop them
             # and make a new cache with the new packages.
-            - paymentserver-nix-store-v1-{{ checksum "nixpkgs.rev" }}-{{ checksum "ristretto.nix" }}
-            - paymentserver-nix-store-v1-{{ checksum "nixpkgs.rev" }}-
-            - paymentserver-nix-store-v1-
+            - paymentserver-nix-store-v2-{{ checksum "nixpkgs.rev" }}-{{ checksum "ristretto.nix" }}
+            - paymentserver-nix-store-v2-{{ checksum "nixpkgs.rev" }}-
+            - paymentserver-nix-store-v2-
 
       - restore_cache:
           # Restore the cache of Stack's state.  This will have all of the
@@ -149,9 +149,14 @@ jobs:
               --no-haddock-deps"
             nix-shell shell.nix --run "$BUILD"
 
+      - run:
+          name: "Building with Nix"
+          command: |
+            nix-build ./nix/ -A PaymentServer.components.exes."PaymentServer-exe"
+
       - save_cache:
           name: "Cache Nix Store Paths"
-          key: paymentserver-nix-store-v1-{{ checksum "nixpkgs.rev" }}-{{ checksum "ristretto.nix" }}
+          key: paymentserver-nix-store-v2-{{ checksum "nixpkgs.rev" }}-{{ checksum "ristretto.nix" }}
           paths:
             - "/nix"
 
diff --git a/nix/PaymentServer.nix b/nix/PaymentServer.nix
index d8a18e8a3ac084d39dcb71ed1c2206c1be276871..22159bab9cb2dadd50423387e70bff877a56d15c 100644
--- a/nix/PaymentServer.nix
+++ b/nix/PaymentServer.nix
@@ -65,6 +65,7 @@ in { system, compiler, flags, pkgs, hsPkgs, pkgconfPkgs, ... }:
           (hsPkgs."wai-extra" or (buildDepError "wai-extra"))
           (hsPkgs."data-default" or (buildDepError "data-default"))
           (hsPkgs."warp" or (buildDepError "warp"))
+          (hsPkgs."warp-tls" or (buildDepError "warp-tls"))
           (hsPkgs."stripe-core" or (buildDepError "stripe-core"))
           (hsPkgs."text" or (buildDepError "text"))
           (hsPkgs."containers" or (buildDepError "containers"))
diff --git a/nix/default.nix b/nix/default.nix
index 9605b5b0c6e1a7ab470edbce26fa13aee556cd2b..349c8369f6a81b1934ad076982d3ef92dbc39a4d 100644
--- a/nix/default.nix
+++ b/nix/default.nix
@@ -1,4 +1,4 @@
-{ pkgs ? import <nixpkgs> {} }:
+{ pkgs ? import <nixpkgs> { overlays = [ (import ./overlay.nix) ]; } }:
 
 let
   # Pin a particular version of haskell.nix.  The particular version isn't
diff --git a/nix/overlay.nix b/nix/overlay.nix
new file mode 100644
index 0000000000000000000000000000000000000000..2673b39a9a30912c088deed29eeaa6a698e0f232
--- /dev/null
+++ b/nix/overlay.nix
@@ -0,0 +1,3 @@
+self: super: {
+  ristretto = super.callPackage ./ristretto.nix { };
+}
diff --git a/nix/privacypass-repo.nix b/nix/privacypass-repo.nix
new file mode 100644
index 0000000000000000000000000000000000000000..6b0c64cff07889c23400e15e1d2824d3ac8905cf
--- /dev/null
+++ b/nix/privacypass-repo.nix
@@ -0,0 +1,7 @@
+{ fetchFromGitHub }:
+fetchFromGitHub {
+  owner = "LeastAuthority";
+  repo = "privacypass";
+  rev = "45855401e163f8e622bd93a5c5bce13de8c8510a";
+  sha256 = "sha256:15wv8vas6x8cdicylp0m632c916p7qxq1k4lnchr8c92lldp0rv7";
+}
diff --git a/nix/ristretto.nix b/nix/ristretto.nix
new file mode 100644
index 0000000000000000000000000000000000000000..4e0912840d99a23263408dd86be620e23c92d7e3
--- /dev/null
+++ b/nix/ristretto.nix
@@ -0,0 +1,5 @@
+{ fetchFromGitHub, callPackage }:
+let
+  src = import ./privacypass-repo.nix { inherit fetchFromGitHub; };
+in
+  callPackage "${src}/ristretto.nix" { }