diff --git a/.credentials/SECRET_KEY b/.credentials/SECRET_KEY
new file mode 100644
index 0000000..765ddd2
--- /dev/null
+++ b/.credentials/SECRET_KEY
@@ -0,0 +1 @@
+insecure-secret_key
diff --git a/.envrc b/.envrc
new file mode 100644
index 0000000..1d953f4
--- /dev/null
+++ b/.envrc
@@ -0,0 +1 @@
+use nix
diff --git a/.gitignore b/.gitignore
index 516a35b..c6cedea 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,3 +3,4 @@ venv
 .*.swp
 *.pyc
 *.sqlite3
+.direnv
diff --git a/default.nix b/default.nix
new file mode 100644
index 0000000..152a324
--- /dev/null
+++ b/default.nix
@@ -0,0 +1,44 @@
+{
+  sources ? import ./npins,
+  pkgs ? import sources.nixpkgs { },
+}:
+
+let
+  nix-pkgs = import sources.nix-pkgs { inherit pkgs; };
+
+  python3 = pkgs.python3.override {
+    packageOverrides = _: _: {
+      inherit (nix-pkgs) django-allauth-ens django-wiki loadcredential;
+    };
+  };
+in
+
+{
+  devShell = pkgs.mkShell {
+    name = "annuaire.dev";
+
+    packages = [
+      (python3.withPackages (ps: [
+        ps.django
+        ps.django-allauth-ens
+        ps.django-wiki
+        ps.loadcredential
+      ]))
+    ];
+
+    env = {
+      DJANGO_SETTINGS_MODULE = "app.settings";
+
+      CREDENTIALS_DIRECTORY = builtins.toString ./.credentials;
+
+      WIKIENS_DEBUG = builtins.toJSON true;
+      WIKIENS_STATIC_ROOT = builtins.toString ./.static;
+    };
+
+    shellHook = ''
+      if [ ! -d .static ]; then
+        mkdir .static
+      fi
+    '';
+  };
+}
diff --git a/npins/default.nix b/npins/default.nix
new file mode 100644
index 0000000..5e7d086
--- /dev/null
+++ b/npins/default.nix
@@ -0,0 +1,80 @@
+# Generated by npins. Do not modify; will be overwritten regularly
+let
+  data = builtins.fromJSON (builtins.readFile ./sources.json);
+  version = data.version;
+
+  mkSource =
+    spec:
+    assert spec ? type;
+    let
+      path =
+        if spec.type == "Git" then
+          mkGitSource spec
+        else if spec.type == "GitRelease" then
+          mkGitSource spec
+        else if spec.type == "PyPi" then
+          mkPyPiSource spec
+        else if spec.type == "Channel" then
+          mkChannelSource spec
+        else
+          builtins.throw "Unknown source type ${spec.type}";
+    in
+    spec // { outPath = path; };
+
+  mkGitSource =
+    {
+      repository,
+      revision,
+      url ? null,
+      hash,
+      branch ? null,
+      ...
+    }:
+    assert repository ? type;
+    # At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository
+    # In the latter case, there we will always be an url to the tarball
+    if url != null then
+      (builtins.fetchTarball {
+        inherit url;
+        sha256 = hash; # FIXME: check nix version & use SRI hashes
+      })
+    else
+      assert repository.type == "Git";
+      let
+        urlToName =
+          url: rev:
+          let
+            matched = builtins.match "^.*/([^/]*)(\\.git)?$" repository.url;
+
+            short = builtins.substring 0 7 rev;
+
+            appendShort = if (builtins.match "[a-f0-9]*" rev) != null then "-${short}" else "";
+          in
+          "${if matched == null then "source" else builtins.head matched}${appendShort}";
+        name = urlToName repository.url revision;
+      in
+      builtins.fetchGit {
+        url = repository.url;
+        rev = revision;
+        inherit name;
+        # hash = hash;
+      };
+
+  mkPyPiSource =
+    { url, hash, ... }:
+    builtins.fetchurl {
+      inherit url;
+      sha256 = hash;
+    };
+
+  mkChannelSource =
+    { url, hash, ... }:
+    builtins.fetchTarball {
+      inherit url;
+      sha256 = hash;
+    };
+in
+if version == 3 then
+  builtins.mapAttrs (_: mkSource) data.pins
+else
+  throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`"
diff --git a/npins/sources.json b/npins/sources.json
new file mode 100644
index 0000000..0722367
--- /dev/null
+++ b/npins/sources.json
@@ -0,0 +1,22 @@
+{
+  "pins": {
+    "nix-pkgs": {
+      "type": "Git",
+      "repository": {
+        "type": "Git",
+        "url": "https://git.hubrecht.ovh/hubrecht/nix-pkgs"
+      },
+      "branch": "main",
+      "revision": "1a410e36ff817a19b3254af179c89dbf299d98b7",
+      "url": null,
+      "hash": "1yjpy3zicrav2fq4klj7g3waphxcngkcyvm9ndd1xk6pc8977yw4"
+    },
+    "nixpkgs": {
+      "type": "Channel",
+      "name": "nixpkgs-unstable",
+      "url": "https://releases.nixos.org/nixpkgs/nixpkgs-24.11pre694416.ccc0c2126893/nixexprs.tar.xz",
+      "hash": "0cn1z4wzps8nfqxzr6l5mbn81adcqy2cy2ic70z13fhzicmxfsbx"
+    }
+  },
+  "version": 3
+}
\ No newline at end of file
diff --git a/requirements.txt b/requirements.txt
deleted file mode 100644
index a09907a..0000000
--- a/requirements.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Django==3.2.*
-git+https://git.eleves.ens.fr/klub-dev-ens/django-allauth-ens.git@1.1.3
-wiki==0.7.*
diff --git a/requirements_prod.txt b/requirements_prod.txt
deleted file mode 100644
index eb1e7cd..0000000
--- a/requirements_prod.txt
+++ /dev/null
@@ -1,3 +0,0 @@
--r requirements.txt
-psycopg2
-gunicorn
diff --git a/shell.nix b/shell.nix
new file mode 100644
index 0000000..d6d21cf
--- /dev/null
+++ b/shell.nix
@@ -0,0 +1 @@
+(import ./. { }).devShell