diff --git a/.gitignore b/.gitignore
index 11f1177228fc6c2a1b84e1772b7ee34d17014966..4248ee1807bd2afc59d4dc92be639bef0c972f62 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,4 +4,5 @@ __pycache__
 env/
 # ignore dummy_playbook
 debug.yml
-group_vars/all/vault.yml
+# ignore local variables that are used to load passwords
+vars_plugins/pass.ini
diff --git a/vars_plugins/pass.ini.example b/vars_plugins/pass.ini.example
new file mode 100644
index 0000000000000000000000000000000000000000..8878469f53e750e3252787bd94c870550a7ab5b2
--- /dev/null
+++ b/vars_plugins/pass.ini.example
@@ -0,0 +1,3 @@
+[pass]
+password_store_dir=/home/me/.password-store
+crans_password_store_submodule=crans
diff --git a/vars_plugins/pass.py b/vars_plugins/pass.py
index 228cebe704397540760026dd2870f654f4235516..0c53f614037984ea37220a0515f942d3785ab758 100644
--- a/vars_plugins/pass.py
+++ b/vars_plugins/pass.py
@@ -1,10 +1,12 @@
 #!/usr/bin/env python
+
 from functools import lru_cache
-from os import getenv
+import os
 from pathlib import Path
 import subprocess
 import sys
 
+from ansible.module_utils.six.moves import configparser
 from ansible.plugins.vars import BaseVarsPlugin
 
 
@@ -31,8 +33,15 @@ class VarsModule(BaseVarsPlugin):
         Passwords are decrypted from the local password store, then are cached.
         By that way, we don't decrypt these passwords everytime.
         """
-        password_store = Path(getenv('PASSWORD_STORE_DIR', Path.home() / '.password-store'))
-        full_command = ['gpg', '-d', password_store / getenv('CRANS_PASSWORD_STORE_SUBMODULE', 'crans') / 'ansible_vault.gpg']
+        # Load config
+        config = configparser.ConfigParser()
+        config.read(os.path.join(os.path.dirname(os.path.realpath(__file__)), 'pass.ini'))
+
+        password_store = Path(config.get('pass', 'password_store_dir',
+            fallback=os.getenv('PASSWORD_STORE_DIR', Path.home() / '.password-store')))
+        crans_submodule = config.get('pass', 'crans_password_store_submodule',
+                fallback=os.getenv('CRANS_PASSWORD_STORE_SUBMODULE', 'crans'))
+        full_command = ['gpg', '-d', password_store / crans_submodule / 'ansible_vault.gpg']
         proc = subprocess.run(full_command, capture_output=True, close_fds=True)
         clear_text = proc.stdout.decode('UTF-8')
         sys.stderr.write(proc.stderr.decode('UTF-8'))