diff --git a/ristretto.nix b/ristretto.nix
new file mode 100644
index 0000000000000000000000000000000000000000..ba86315f02ce9f5a14087561851947358a1d9376
--- /dev/null
+++ b/ristretto.nix
@@ -0,0 +1,10 @@
+{ fetchFromGitHub, callPackage }:
+let
+  src = fetchFromGitHub {
+    owner = "LeastAuthority";
+    repo = "privacypass";
+    rev = "f74b371cdf179454f3ad540a4d0deea879fbe5e1";
+    sha256 = "0a020ks8awlpil58zcaj5apk1ls0q2y492wsh62kl529jp518v4b";
+  };
+in
+  callPackage "${src}/ristretto.nix" { }
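Review bot: The final `callPackage "${src}/ristretto.nix" { }` evaluates a Nix expression taken from the fetched LeastAuthority/privacypass checkout, and nothing in the file says so or explains how the pin is maintained. The full-commit `rev` plus `sha256` fixes the content, which is the right shape for a pinned dependency, but the two values must be changed together. The upstream expression at that revision decides how the Ristretto library is built, and any further inputs it declares are not visible here. I would add a header comment such as `# Ristretto bindings, built from the ristretto.nix shipped in privacypass at the pinned rev; bump rev and sha256 together and re-read upstream's ristretto.nix when doing so.`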
diff --git a/stack-shell.nix b/stack-shell.nix
new file mode 100644
index 0000000000000000000000000000000000000000..8800cbbd773f7386033d30036ff026a169420e5f
--- /dev/null
+++ b/stack-shell.nix
@@ -0,0 +1,17 @@
+# This is intended to be used as the shell-file for the stack configuration.
+# It sets up the non-Haskell parts of the stack build environment.
+{ ghc }:
+let
+  pkgs = import <nixpkgs> { };
+  # Get our Ristretto bindings.
+  ristretto = pkgs.callPackage ./ristretto.nix { };
+in
+  # This is what you're supposed to call in a stack shell-file.  I don't
+  # *really* know what it does but I know it works...
+  pkgs.haskell.lib.buildStackProject {
+    inherit ghc;
+    name = "PrivacyPass";
+    # zlib is a common dependency of many of our dependencies.  and we put our
+    # ristretto library in as well.
+    buildInputs = [ pkgs.zlib ristretto ];
+  }
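Review bot: `pkgs = import <nixpkgs> { };` resolves nixpkgs from the caller's NIX_PATH, so zlib, `buildStackProject` and the toolchain that compiles ristretto come from whatever channel each machine has, even though ristretto.nix itself is pinned by rev and sha256. Pinning nixpkgs the same way would give every developer and CI run the same package set, for example `pkgs = import (builtins.fetchTarball { url = "https://github.com/NixOS/nixpkgs/archive/<NIXPKGS_REV>.tar.gz"; sha256 = "<NIXPKGS_SHA256>"; }) { };` with the placeholders filled in from a revision you have checked. The comment above `buildStackProject` admits not knowing what the call does. It could be replaced by something like `# buildStackProject produces the nix-shell environment stack enters, making the buildInputs' headers and libraries visible to GHC.`, after confirming that against the nixpkgs source.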
diff --git a/stack.yaml b/stack.yaml
index 68525a9d9ad1a4d55daeb55655e07428ed3bd143..82ee2a90ec939dc789b673ce10afaaab9c1753dd 100644
--- a/stack.yaml
+++ b/stack.yaml
@@ -64,3 +64,7 @@ extra-deps:
 #
 # Allow a newer minor version of GHC than the snapshot specifies
 # compiler-check: newer-minor
+
+nix:
+  enable: true
+  shell-file: "stack-shell.nix"
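Review bot: `enable: true` routes every `stack` invocation for this project through Nix, and the added block carries no comment stating that requirement or how to opt out. Contributors or CI hosts without Nix installed will presumably fail before the build starts. A comment above `nix:` would help, such as `# Builds run inside nix-shell (see stack-shell.nix) to provide the Ristretto library; pass --no-nix to build against system libraries instead.` If the intent is an environment isolated from the host, setting `pure:` explicitly would record that choice instead of relying on the installed stack version's default.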