diff --git a/.gitignore b/.gitignore
index f65190b..01d5f48 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,4 +3,8 @@ vault-password
 
 # emacs temp/backup files
 *~
-*#
\ No newline at end of file
+*#
+
+# External resources
+/.ansible-src
+/.password-store
\ No newline at end of file
diff --git a/env-setup b/env-setup
new file mode 100755
index 0000000..6ec57ed
--- /dev/null
+++ b/env-setup
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+# This sets up the environment to use a local Ansible source checkout,
+# allowing a specific version to be used, or even a customised version.
+#
+# This is assumed to be symlinked from `.ansible-src/` to the
+# directory to the one containing this repository. Check it out like
+# this at a location of your choice:
+#
+#     cd $WHEREVER
+#     git clone $ANSIBLE_GIT_REPO ansible-src
+#
+# Then symlink it into this directory:
+#
+#     cd $HERE
+#     ln -sfnr $WHEREVER $HERE/.ansible-src
+#
+# It also sets the environment so that the untility `pass` will use a
+# local password-store directory, not ~/.password-store. Likewise,
+# this is assumed to be in a symlinked directory called
+# `.password-store/`. Ansible has support for `pass` and can use it to
+# retrieve sensitive information which needs to be committed to an
+# encrypted password store.
+#
+# See https://www.passwordstore.org/
+#
+# To use the environment, run this script, which will spawn a subshell
+# with the correct environment:
+#
+
+SCRIPT_DIR="${BASH_SOURCE[0]%/*}"
+ANSIBLE_SRC=$(readlink -f "$SCRIPT_DIR/.ansible-src")
+
+export PATH="$ANSIBLE_SRC/bin:$PATH"
+export PASSWORD_STORE_DIR=$(readlink -f "$SCRIPT_DIR/.password-store")
+
+exec '/bin/bash' '--rcfile' "$ANSIBLE_SRC/hacking/env-setup"