diff --git a/flake.nix b/flake.nix
index 5f78f79..daf5c95 100644
--- a/flake.nix
+++ b/flake.nix
@@ -52,11 +52,7 @@
 
     in {
       
-      devShells."x86_64-linux".default = pkgs.mkShell {
-        name = "delta";
-        packages = with pkgs; [ gitleaks pre-commit ];
-        shellHook = "pre-commit install &> /dev/null && gitleaks detect -v";
-      };
+      devShells = { "x86_64-linux" = import ./shell.nix { inherit pkgs; }; };
 
       nixosConfigurations = {
         dlaptop = makeSystem "dlaptop" unstable [ ./hosts/dlaptop/system.nix ];
diff --git a/shell.nix b/shell.nix
new file mode 100644
index 0000000..3d293da
--- /dev/null
+++ b/shell.nix
@@ -0,0 +1,30 @@
+#################### DevShell ####################
+#
+# Custom shell for bootstrapping on new hosts, modifying nix-config, and secrets management
+
+{ pkgs ? # If pkgs is not defined, instantiate nixpkgs from locked commit
+  let
+    lock = (builtins.fromJSON (builtins.readFile ./flake.lock)).nodes.nixpkgs.locked;
+    nixpkgs = fetchTarball {
+      url = "https://github.com/nixos/nixpkgs/archive/${lock.rev}.tar.gz";
+      sha256 = lock.narHash;
+    };
+  in
+  import nixpkgs { overlays = [ ]; }
+, ...
+}: {
+  default = pkgs.mkShell {
+    NIX_CONFIG = "extra-experimental-features = nix-command flakes";
+    name = "delta";
+    shellHook = "pre-commit install &> /dev/null && gitleaks detect -v";
+    nativeBuildInputs = builtins.attrValues {
+      inherit (pkgs)
+        # nix
+        # git
+        # age
+        # ssh-to-age
+        # sops
+        gitleaks pre-commit;
+    };
+  };
+}
\ No newline at end of file