diff --git a/.circleci/config.yml b/.circleci/config.yml
index ba3135c009aec9459a4f0623fab72eeced6f6ea2..c6d31b6c79c88bc51a6d80e1e9b0d55347c18b63 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -74,6 +74,42 @@ jobs:
             - paymentserver-v1-{{ checksum "stack.yaml" }}-{{ checksum "PaymentServer.cabal" }}
             - paymentserver-v1-{{ checksum "stack.yaml" }}
 
+      - run:
+          # Build just our dependencies.  It's nice to have this as a separate
+          # step so failures here are more easily identified as being
+          # unrelated to our code.
+          #
+          # See below for explanation of the various flags passed in.  If the
+          # flags here differ from those below in a way that makes ghc think a
+          # library needs to be rebuilt then we'll build everything twice and
+          # our cache will be useless!  Try not to make that happen.
+          name: "Build Dependencies"
+          command: |
+            BUILD="stack build \
+            --no-terminal \
+            --only-dependencies \
+            --fast \
+            --test \
+            --no-run-tests \
+            --jobs 1 \
+            --interleaved-output"
+            nix-shell shell.nix --run "$BUILD"
+
+          # Give it a good long while.  stripe-core, in particular, can take a
+          # while to build.
+          no_output_timeout: "20m"
+
+      - save_cache:
+          # We can save the stack cache right here.  It will have everything
+          # we want in it now that the dependencies have been built.  And this
+          # way we get to save the cache whether or not the test suite goes on
+          # to succeed.
+          name: "Cache Dependencies"
+          key: paymentserver-v1-{{ checksum "stack.yaml" }}-{{ checksum "PaymentServer.cabal" }}
+          paths:
+            - "/root/.stack"
+            - ".stack-work"
+
       - run:
           name: "Run Tests"
           command: |
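Review bot: The key on the new `save_cache` step ("Cache Dependencies") still hashes only `stack.yaml` and `PaymentServer.cabal`, although this commit moves the native build inputs into `stack-shell.nix` and `ristretto.nix`. A later change to the pinned `rev` in `ristretto.nix` would leave the key unchanged, and because CircleCI does not overwrite an existing key, `/root/.stack` and `.stack-work` from the earlier environment would keep being restored. Whether any cached artifact actually links against ristretto cannot be seen from this hunk, but the key should cover the files that define the environment. Consider appending `-{{ checksum "stack-shell.nix" }}-{{ checksum "ristretto.nix" }}` to this key and to the matching `restore_cache` keys, whose step begins above this hunk.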
@@ -107,13 +143,6 @@ jobs:
               --no-haddock-deps"
             nix-shell shell.nix --run "$BUILD"
 
-      - save_cache:
-          name: "Cache Dependencies"
-          key: paymentserver-v1-{{ checksum "stack.yaml" }}-{{ checksum "PaymentServer.cabal" }}
-          paths:
-            - "/root/.stack"
-            - ".stack-work"
-
       - save_cache:
           name: "Cache Nix Store Paths"
           key: paymentserver-nix-store-v1-{{ .Environment.NIXPKGS_REV }}
diff --git a/PaymentServer.cabal b/PaymentServer.cabal
index 5910ce73ba57d00482ba7095a36ddf70fd4cc5bf..df14a53f471c4a879bcac9ddcfd29f73a6efc8a8 100644
--- a/PaymentServer.cabal
+++ b/PaymentServer.cabal
@@ -35,6 +35,7 @@ library
                      , cryptonite
   default-language:    Haskell2010
   ghc-options:       -Wmissing-import-lists -Wunused-imports
+  pkgconfig-depends: ristretto
 
 executable PaymentServer-exe
   hs-source-dirs:      app
diff --git a/ristretto.nix b/ristretto.nix
new file mode 100644
index 0000000000000000000000000000000000000000..ba86315f02ce9f5a14087561851947358a1d9376
--- /dev/null
+++ b/ristretto.nix
@@ -0,0 +1,10 @@
+{ fetchFromGitHub, callPackage }:
+let
+  src = fetchFromGitHub {
+    owner = "LeastAuthority";
+    repo = "privacypass";
+    rev = "f74b371cdf179454f3ad540a4d0deea879fbe5e1";
+    sha256 = "0a020ks8awlpil58zcaj5apk1ls0q2y492wsh62kl529jp518v4b";
+  };
+in
+  callPackage "${src}/ristretto.nix" { }
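Review bot: `ristretto.nix` has no comment saying what it provides or how to update the pin, even though `rev` and `sha256` must always change together. I would add a header such as `# Ristretto library from the LeastAuthority/privacypass checkout pinned below; update rev and sha256 together.` The last line also evaluates `${src}/ristretto.nix` from the fetched tree, so the build recipe itself comes from that repository. The fixed `rev` plus `sha256` is what keeps that recipe reviewable, so any bump should include reading the upstream expression at the new revision.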
diff --git a/stack-shell.nix b/stack-shell.nix
new file mode 100644
index 0000000000000000000000000000000000000000..8800cbbd773f7386033d30036ff026a169420e5f
--- /dev/null
+++ b/stack-shell.nix
@@ -0,0 +1,17 @@
+# This is intended to be used as the shell-file for the stack configuration.
+# It sets up the non-Haskell parts of the stack build environment.
+{ ghc }:
+let
+  pkgs = import <nixpkgs> { };
+  # Get our Ristretto bindings.
+  ristretto = pkgs.callPackage ./ristretto.nix { };
+in
+  # This is what you're supposed to call in a stack shell-file.  I don't
+  # *really* know what it does but I know it works...
+  pkgs.haskell.lib.buildStackProject {
+    inherit ghc;
+    name = "PrivacyPass";
+    # zlib is a common dependency of many of our dependencies.  and we put our
+    # ristretto library in as well.
+    buildInputs = [ pkgs.zlib ristretto ];
+  }
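Review bot: `pkgs = import <nixpkgs> { };` resolves nixpkgs through whatever `NIX_PATH` holds where stack invokes this file. That leaves `zlib`, `buildStackProject` and the toolchain that builds `ristretto` unpinned here, even though the `ristretto` source is pinned by hash in `ristretto.nix`. The CI config keys a cache on `NIXPKGS_REV`, which suggests a nixpkgs pin exists elsewhere in the project. If so, import that same pinned package set here instead of `<nixpkgs>`, so local and CI builds evaluate identical inputs. A short comment on the `pkgs` binding stating which revision is expected would also help.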
diff --git a/stack.yaml b/stack.yaml
index 75399a2e58530adf91ef7986d22afc5aff66d297..c4bc68654c595b44ea24ca113b1b2973e7a3ade7 100644
--- a/stack.yaml
+++ b/stack.yaml
@@ -64,9 +64,7 @@ extra-deps:
 # Allow a newer minor version of GHC than the snapshot specifies
 # compiler-check: newer-minor
 
-
-# https://docs.haskellstack.org/en/stable/nix_integration/#additions-to-your-stackyaml
 nix:
   enable: true
-  packages:
-    - "zlib"
+  # https://docs.haskellstack.org/en/stable/nix_integration/#using-a-custom-shellnix-file
+  shell-file: "stack-shell.nix"