diff --git a/docker/bosh-lite.yml b/docker/bosh-lite.yml
new file mode 100644
index 000000000..bb02e9a41
--- /dev/null
+++ b/docker/bosh-lite.yml
@@ -0,0 +1,6 @@
+- type: replace
+ path: /instance_groups/name=bosh/jobs/name=garden/properties/garden/apparmor_profile?
+ value: "" # overwrites garden-default which is the default
+- path: /instance_groups/name=bosh/properties/agent/env/bosh/blobstores/provider=dav/options/endpoint
+ type: replace
+ value: https://10.254.50.4:25250
diff --git a/docker/create-env.sh b/docker/create-env.sh
new file mode 100755
index 000000000..de9c538a0
--- /dev/null
+++ b/docker/create-env.sh
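Review bot: The `apparmor_profile` override on the garden job is set to an empty string, which by the inline comment replaces `garden-default`; that switches off the AppArmor confinement Garden would otherwise apply to every container the director creates, and the hunk gives no reason for it. A comment should state why the profile has to be cleared for the Docker-hosted bosh-lite (presumably the Docker host lacks the profile or the nested-container setup cannot load it) and that this ops file is for local use only, e.g. `# Clearing the profile disables AppArmor confinement for garden containers; required here because <reason>. Do not reuse outside a local bosh-lite.`. The hard-coded blobstore endpoint `https://10.254.50.4:25250` is likewise unexplained in relation to the 10.245.0.0/16 docker network the accompanying script sets up; a one-line comment naming what that address is would save the next reader a trace.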
@@ -0,0 +1,144 @@
+#!/bin/bash
+
+set -eu -o pipefail
+
+STEP() { echo ; echo ; echo "==\\" ; echo "===>" "$@" ; echo "==/" ; echo ; }
+
+bosh_deployment="$(cd "$(dirname "${BASH_SOURCE[0]}")"; cd ..; pwd)"
+bosh_deployment_sha="$(cd "${bosh_deployment}"; git rev-parse --short HEAD)"
+
+if [ "${PWD##${bosh_deployment}}" != "${PWD}" ] || [ -e docker/create-env.sh ] || [ -e ../docker/create-env.sh ]; then
+ echo "It looks like you are running this within the ${bosh_deployment} repository."
+ echo "To avoid secrets ending up in this repo, run this from another directory."
+ echo
+
+ exit 1
+fi
+
+####
+STEP "Creating Docker Network"
+####
+
+docker_network=bosh
+docker_network_ip=10.245.0.10
+docker_network_gw=10.245.0.1
+docker_network_cidr=10.245.0.0/16
+
+if ! docker network ls | grep -q "${docker_network}"; then
+ echo "Creating docker network: ${docker_network} with range: ${docker_network_cidr}"
+ docker network create -d bridge --subnet=${docker_network_cidr} ${docker_network} --attachable 1>/dev/null
+else
+ echo "Using existing docker network: ${docker_network}"
+fi
+
+
+####
+STEP "Creating BOSH Director"
+####
+
+docker_host=$(docker context inspect | jq -r '.[0].Endpoints.docker.Host')
+docker_tls=$(docker context inspect | jq -r '.[0].Endpoints.docker.SkipTLSVerify')
+
+#time bosh create-env "${bosh_deployment}/bosh.yml" \
+bosh create-env "${bosh_deployment}/bosh.yml" \
+ --state "${PWD}/state.json" \
+ --ops-file "${bosh_deployment}/docker/cpi.yml" \
+ --ops-file "${bosh_deployment}/docker/localhost.yml" \
+ --ops-file "${bosh_deployment}/bosh-lite.yml" \
+ --ops-file "${bosh_deployment}/docker/bosh-lite.yml" \
+ --ops-file "${bosh_deployment}/uaa.yml" \
+ --ops-file "${bosh_deployment}/credhub.yml" \
+ --ops-file "${bosh_deployment}/jumpbox-user.yml" \
+ --vars-store "${PWD}/creds.yml" \
+ --var director_name=bosh-lite \
+ --var docker_host="${docker_host}" \
+ --var docker_tls="${docker_tls}" \
+ --var network="${docker_network}" \
+ --var static_ip="${docker_network_ip}" \
+ --var internal_ip="localhost" \
+ --var internal_gw="${docker_network_gw}" \
+ --var internal_cidr="${docker_network_cidr}" "$@"
+
+
+####
+STEP "Adding Network Routes (sudo is required)"
+####
+
+if [ "$(uname)" = "Darwin" ]; then
+ sudo route add -net 10.244.0.0/16 ${docker_network_ip}
+elif [ "$(uname)" = "Linux" ]; then
+ if type ip > /dev/null 2>&1; then
+ sudo ip route add 10.244.0.0/16 via ${docker_network_ip}
+ elif type route > /dev/null 2>&1; then
+ sudo route add -net 10.244.0.0/16 gw ${docker_network_ip}
+ else
+ echo "ERROR adding route"
+ exit 1
+ fi
+fi
+
+####
+STEP "Generating .envrc"
+####
+
+cat > .envrc <> .envrc
+
+
+source .envrc
+
+echo Succeeded
+
+
+####
+STEP "Configuring Environment Alias"
+####
+
+bosh \
+ --environment localhost \
+ --ca-cert <( bosh interpolate "${PWD}/creds.yml" --path /director_ssl/ca ) \
+ alias-env docker
+
+
+####
+STEP "Updating Cloud Config"
+####
+
+bosh -n update-cloud-config "${bosh_deployment}/warden/cloud-config.yml" \
+ > /dev/null
+
+echo Succeeded
+
+####
+STEP "Updating Runtime Config"
+####
+
+bosh -n update-runtime-config "${bosh_deployment}/runtime-configs/dns.yml" \
+ > /dev/null
+
+echo Succeeded
+
+####
+STEP "Completed"
+####
+
+echo "Credentials for your environment have been generated and stored in creds.yml."
+echo "Details about the state of your VM have been stored in state.json."
+echo "You should keep these files for future updates and to destroy your environment."
+echo
+echo "BOSH Director is now running. You may need to run the following before using bosh commands:"
+echo
+echo " source .envrc"
+echo
diff --git a/docker/localhost.yml b/docker/localhost.yml
new file mode 100644
index 000000000..10e3420c7
--- /dev/null
+++ b/docker/localhost.yml
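Review bot: `docker_tls` is filled from the context's `SkipTLSVerify` field, so its value is the opposite of what the name suggests: a context with verification disabled yields `docker_tls=true`. Whether that is what `docker/cpi.yml` expects cannot be told from this diff, so either rename the variable (`docker_skip_tls_verify`) or pin the meaning with a comment such as `# SkipTLSVerify of the active docker context; cpi.yml consumes this as docker_tls`. Separately, the route step is not idempotent: `ip route add` and `route add` return non-zero when the route already exists, so under `set -e` a second run of the script (for example with `--recreate` passed through `"$@"`) aborts before the alias, cloud-config and runtime-config steps; check for an existing route first or tolerate that specific failure explicitly. The `docker network ls | grep -q "${docker_network}"` test is a substring match, so any network whose name contains `bosh` suppresses creation; `docker network inspect "${docker_network}" >/dev/null 2>&1` is exact. The `.envrc` heredoc is not legible in this rendering, so whatever secrets it writes into the working directory could not be reviewed here.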
@@ -0,0 +1,19 @@
+- type: replace
+ path: /resource_pools/name=vms/cloud_properties/PortBindings?
+ value:
+ 6868/tcp: [{ HostPort: "6868", HostIp: "0.0.0.0" }] # bosh agent
+ 8844/tcp: [{ HostPort: "8844", HostIp: "0.0.0.0" }] # credhub
+ 8443/tcp: [{ HostPort: "8443", HostIp: "0.0.0.0" }] # uaa
+ 25555/tcp: [{ HostPort: "25555", HostIp: "0.0.0.0" }] # director
+ 22/tcp: [{ HostPort: "2222", HostIp: "0.0.0.0" }] # ssh
+
+# disable ipv6 so agent port forwarding works
+# when enabled curl -k -I https://localhost:6868/agent results in
+# empty response
+- type: replace
+ path: /resource_pools/name=vms/env/bosh/ipv6?/enable
+ value: false
+
+- type: replace
+ path: /instance_groups/name=bosh/networks/name=default/static_ips
+ value: [((static_ip))]
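Review bot: Every PortBindings entry uses `HostIp: "0.0.0.0"`, so the director API (25555), UAA (8443), CredHub (8844), the agent endpoint (6868) and SSH (2222) are published on all host interfaces rather than loopback, even though the ops file is named `localhost.yml` and the script in this same diff sets `internal_ip="localhost"`. Anyone on the same network as the host can then reach the UAA and CredHub login endpoints and the agent port of what is meant to be a local development director. Unless remote access is intended, bind to loopback, e.g. `6868/tcp: [{ HostPort: "6868", HostIp: "127.0.0.1" }] # bosh agent`, and the same for the other four entries; if publishing on 0.0.0.0 is deliberate, a comment above the block saying so and why belongs here.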