diff --git a/main.go b/main.go
index b21497c..f70c23b 100644
--- a/main.go
+++ b/main.go
@@ -11,27 +11,13 @@ import (
 "git.xeserv.us/xena/route/lib/routecrypto"
 "git.xeserv.us/xena/route/server"
+ "github.com/Xe/ln"
+ "github.com/caarlos0/env"
 "github.com/facebookgo/flagenv"
 _ "github.com/joho/godotenv/autoload"
- "golang.org/x/crypto/acme/autocert"
 )
 var (
- rethinkDBHost = flag.String("rethink-host", "", "RethinkDB host")
- rethinkDBDatabase = flag.String("rethink-database", "", "RethinkDB database")
-
- torDataDir = flag.String("tor-data-dir", "./var", "Tor data directory")
- torHashedPassword = flag.String("tor-hashed-password", "", "Tor hashed password")
- torPassword = flag.String("tor-password", "hunter2", "Tor clear password")
-
- webPort = flag.String("web-port", "9234", "HTTP ingress port for backends and users")
- sslPort = flag.String("ssl-port", "", "if set use this port for SSL HTTP requests (certs via LE, you agree to follow their TOS)")
- backendPort = flag.String("backend-port", "36971", "Port for TCP/TLS backends")
- backendKCPPort = flag.String("backend-kcp-port", "23154", "Port for KCP/TLS backends")
-
- domainSuffix = flag.String("domain-suffix", ".apps.xeserv.us", "Domain name suffix associated with the load balancer")
- acmeEmail = flag.String("acme-email", "", "ACME email (must be set for SSL to work)")
- sslCertKey = flag.String("ssl-cert-key", "", "if set encrypt SSL certs with this key")
 )
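Review bot: Deleting `sslCertKey` from the var block leaves `routecrypto.ParseKey(*sslCertKey)` in main (unchanged context in the next hunk) referring to a name this file no longer declares, so the build breaks unless another file in the package still defines it. Since the rest of the configuration now comes from `env.Parse`, the certificate-encryption key should be read from the environment too, and the `_` on that call should become a checked error, for example `certKey, err := routecrypto.ParseKey(os.Getenv("SSL_CERT_KEY_PLACEHOLDER"))` followed by a fatal log when `err != nil` (the variable name is a placeholder). As written, a malformed key is swallowed and whatever ParseKey returns on failure is assigned to `scfg.CertKey`, so stored certificates may end up protected by an unintended key.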
@@ -42,28 +28,21 @@ func main() {
 certKey, _ := routecrypto.ParseKey(*sslCertKey)
- s, err := server.New(server.Config{
- RethinkDBHost: *rethinkDBHost,
- RethinkDBDatabase: *rethinkDBDatabase,
- TorDataDir: *torDataDir,
- TorHashedPassword: *torHashedPassword,
- TorPassword: *torPassword,
- WebPort: *webPort,
- SSLPort: *sslPort,
- DomainSuffix: *domainSuffix,
- CertKey: certKey,
- BackendPort: ":" + *backendPort,
- KCPPort: ":" + *backendKCPPort,
- })
+ scfg := server.Config{}
+ err := env.Parse(&scfg)
+ if err != nil {
+ ln.Fatal(ln.F{"err": err, "action": "env.Parse()"})
+ }
+ scfg.CertKey = certKey
+
+ s, err := server.New(scfg)
 if err != nil {
 log.Fatal(err)
 }
- if *sslPort != "" {
- go setupACME(s)
- }
+ go setupTLS(s, scfg)
- l, err := net.Listen("tcp", ":"+*webPort)
+ l, err := net.Listen("tcp", scfg.WebAddr)
 if err != nil {
 log.Fatal(err)
 }
@@ -71,25 +50,18 @@ func main() {
 hs := &http.Server{
 Handler: s,
- Addr: ":" + *webPort,
+ Addr: scfg.WebAddr,
 }
 hs.Serve(l)
 }
-func setupACME(s *server.Server) {
- m := autocert.Manager{
- Prompt: autocert.AcceptTOS,
- Cache: s.CertCache,
- HostPolicy: nil,
- Email: *acmeEmail,
- }
-
+func setupTLS(s *server.Server, scfg server.Config) {
 hs := &http.Server{
 Handler: s,
- Addr: ":" + *sslPort,
+ Addr: scfg.SSLAddr,
 TLSConfig: &tls.Config{
- GetCertificate: m.GetCertificate,
+ GetCertificate: s.GetCertificate,
 },
 }
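Review bot: The TLS listener is now started unconditionally by `go setupTLS(s, scfg)`, where the old code only started it when `*sslPort` was set. If `scfg.SSLAddr` is empty, net/http's TLS listen helpers fall back to `:https`, so a deployment that never configured TLS would try to bind port 443 and either expose an unplanned listener or fail in a goroutine whose error nobody checks; the serving call itself is in the part of setupTLS outside this diff, so that is inferred. Restoring the guard keeps the old opt-in behaviour: `if scfg.SSLAddr != "" { go setupTLS(s, scfg) }`. It would also help to report the `env.Parse` and `server.New` failures through the same logger rather than mixing `ln.Fatal` and `log.Fatal`.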
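Review bot: The `tls.Config` built in setupTLS sets only `GetCertificate`, so the minimum protocol version is whatever the toolchain defaults to, which on older Go releases still admits TLS 1.0 for servers. Adding `MinVersion: tls.VersionTLS12,` next to `GetCertificate: s.GetCertificate,` pins it, and a `ReadHeaderTimeout` on the `http.Server` would limit slow-header connections on the public port. The removed manager had `HostPolicy: nil`; whether `s.GetCertificate` restricts issuance to hostnames the server actually routes is not visible here and deserves a short doc comment on setupTLS saying where that policy lives. The function's body continues past the end of this hunk.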