diff --git a/services/terraform/self-host/.gitignore b/services/terraform/self-host/.gitignore
--- a/services/terraform/self-host/.gitignore
+++ b/services/terraform/self-host/.gitignore
@@ -1,3 +1,5 @@
+.env
+
 # Local .terraform directories
 **/.terraform/*
 
diff --git a/services/terraform/self-host/aws_db.tf b/services/terraform/self-host/aws_db.tf
--- a/services/terraform/self-host/aws_db.tf
+++ b/services/terraform/self-host/aws_db.tf
@@ -1,3 +1,10 @@
+locals {
+  mariadb_database_name = local.local_with_default_environment_vars.COMM_DATABASE_DATABASE
+  mariadb_username      = local.local_with_default_environment_vars.COMM_DATABASE_USER
+  mariadb_password      = local.local_with_default_environment_vars.COMM_DATABASE_PASSWORD
+  mariadb_port          = jsondecode(local.local_with_default_environment_vars.COMM_DATABASE_PORT)
+}
+
 # MariaDB Security Group
 resource "aws_security_group" "keyserver_mariadb_security_group" {
   name        = "keyserver-mariadb-sg"
@@ -6,15 +13,15 @@
 
   # Inbound rules
   ingress {
-    from_port       = 3307
-    to_port         = 3307
+    from_port       = local.mariadb_port
+    to_port         = local.mariadb_port
     protocol        = "tcp"
     security_groups = [aws_security_group.keyserver_service.id]
   }
 
   ingress {
-    from_port   = 3307
-    to_port     = 3307
+    from_port   = local.mariadb_port
+    to_port     = local.mariadb_port
     protocol    = "tcp"
     cidr_blocks = ["${var.allowed_ip}/32"]
   }
@@ -40,12 +47,12 @@
   instance_class         = "db.m6g.large"
   db_subnet_group_name   = aws_db_subnet_group.public_db_subnet_group.name
   vpc_security_group_ids = [aws_security_group.keyserver_mariadb_security_group.id]
-  username               = var.mariadb_username
-  password               = var.mariadb_password
+  username               = local.mariadb_username
+  password               = local.mariadb_password
   parameter_group_name   = aws_db_parameter_group.mariadb_parameter_group.name
   storage_encrypted      = true
   publicly_accessible    = true
-  port                   = 3307
+  port                   = local.mariadb_port
   skip_final_snapshot    = true
 }
 
@@ -103,11 +110,11 @@
 
   provisioner "local-exec" {
     command = <<EOT
-    mysql --user=${var.mariadb_username} \
-          --port=3307 \
+    mysql --user=${local.mariadb_username} \
+          --port=${local.mariadb_port} \
           --host=${aws_db_instance.mariadb.address} \
-          --execute="CREATE DATABASE IF NOT EXISTS comm;" \
-          --password=${var.mariadb_password}
+          --execute="CREATE DATABASE IF NOT EXISTS ${local.mariadb_database_name};" \
+          --password=${local.mariadb_password}
     EOT
   }
 }
diff --git a/services/terraform/self-host/env.tf b/services/terraform/self-host/env.tf
new file mode 100644
--- /dev/null
+++ b/services/terraform/self-host/env.tf
@@ -0,0 +1,23 @@
+data "dotenv" "local" {}
+
+locals {
+  default_environment_vars = {
+    "COMM_DATABASE_PORT" = "3307"
+  }
+
+  local_with_default_environment_vars = merge(
+    local.default_environment_vars,
+    data.dotenv.local.entries
+  )
+
+  aws_resource_environment_vars = {
+    "REDIS_URL"          = "rediss://${aws_elasticache_serverless_cache.redis.endpoint[0].address}:6379"
+    "COMM_DATABASE_HOST" = "${aws_db_instance.mariadb.address}"
+  }
+
+  shared_environment_vars = merge(
+    local.local_with_default_environment_vars,
+    local.aws_resource_environment_vars
+  )
+}
+
diff --git a/services/terraform/self-host/keyserver_primary.tf b/services/terraform/self-host/keyserver_primary.tf
--- a/services/terraform/self-host/keyserver_primary.tf
+++ b/services/terraform/self-host/keyserver_primary.tf
@@ -2,6 +2,18 @@
   keyserver_service_image_tag      = "1.0.100"
   keyserver_service_server_image   = "commapp/keyserver:${local.keyserver_service_image_tag}"
   keyserver_primary_container_name = "keyserver-primary"
+
+  primary_environment_vars = merge(local.shared_environment_vars,
+    {
+      "COMM_NODE_ROLE" = "primary"
+  })
+
+  primary_environment = [
+    for name, value in local.primary_environment_vars : {
+      name  = name
+      value = value
+    }
+  ]
 }
 
 resource "aws_cloudwatch_log_group" "keyserver_primary_service" {
@@ -40,76 +52,7 @@
         },
 
       ]
-      environment = [
-        {
-          name  = "REDIS_URL"
-          value = "rediss://${aws_elasticache_serverless_cache.redis.endpoint[0].address}:6379"
-        },
-        {
-          name  = "COMM_NODE_ROLE"
-          value = "primary"
-        },
-        {
-          name  = "COMM_LISTEN_ADDR"
-          value = "0.0.0.0"
-        },
-        {
-          name  = "COMM_DATABASE_HOST"
-          value = "${aws_db_instance.mariadb.address}"
-        },
-        {
-          name  = "COMM_DATABASE_DATABASE"
-          value = "comm"
-        },
-        {
-          name  = "COMM_DATABASE_PORT"
-          value = "3307"
-        },
-        {
-          name  = "COMM_DATABASE_USER"
-          value = "${var.mariadb_username}"
-        },
-        {
-          name  = "COMM_DATABASE_PASSWORD"
-          value = "${var.mariadb_password}"
-        },
-        {
-          name  = "COMM_JSONCONFIG_secrets_user_credentials"
-          value = jsonencode(var.keyserver_user_credentials)
-        },
-        {
-          name = "COMM_JSONCONFIG_facts_webapp_cors"
-          value = jsonencode({
-            "domain" : "https://web.comm.app"
-          })
-        },
-        {
-          name = "COMM_JSONCONFIG_facts_keyserver_url"
-          value = jsonencode({
-            "baseDomain" : "https://${var.domain_name}",
-            "basePath" : "/",
-            "baseRoutePath" : "/",
-            "https" : true,
-            "proxy" : "aws"
-          })
-        },
-        {
-          name = "COMM_JSONCONFIG_secrets_identity_service_config",
-          value = jsonencode({
-            "identitySocketAddr" : "${var.identity_socket_address}"
-          })
-        },
-        {
-          name  = "COMM_JSONCONFIG_facts_authoritative_keyserver",
-          value = jsonencode(var.authoritative_keyserver_config),
-        },
-        {
-          name = "COMM_JSONCONFIG_facts_tunnelbroker",
-          value = jsonencode({
-            "url" : "${var.tunnelbroker_url}"
-          })
-        }
-      ]
+      environment = local.primary_environment
       logConfiguration = {
         "logDriver" = "awslogs"
         "options" = {
@@ -199,5 +142,3 @@
     create_before_destroy = true
   }
 }
-
-
diff --git a/services/terraform/self-host/keyserver_secondary.tf b/services/terraform/self-host/keyserver_secondary.tf
--- a/services/terraform/self-host/keyserver_secondary.tf
+++ b/services/terraform/self-host/keyserver_secondary.tf
@@ -1,5 +1,17 @@
 locals {
   keyserver_secondary_container_name = "keyserver-secondary"
+
+  secondary_environment_vars = merge(local.shared_environment_vars,
+    {
+      "COMM_NODE_ROLE" = "secondary"
+  })
+
+  secondary_environment = [
+    for name, value in local.secondary_environment_vars : {
+      name  = name
+      value = value
+    }
+  ]
 }
 
 resource "aws_cloudwatch_log_group" "keyserver_secondary_service" {
@@ -36,76 +48,7 @@
         },
 
       ]
-      environment = [
-        {
-          name  = "REDIS_URL"
-          value = "rediss://${aws_elasticache_serverless_cache.redis.endpoint[0].address}:6379"
-        },
-        {
-          name  = "COMM_NODE_ROLE"
-          value = "secondary"
-        },
-        {
-          name  = "COMM_LISTEN_ADDR"
-          value = "0.0.0.0"
-        },
-        {
-          name  = "COMM_DATABASE_HOST"
-          value = "${aws_db_instance.mariadb.address}"
-        },
-        {
-          name  = "COMM_DATABASE_DATABASE"
-          value = "comm"
-        },
-        {
-          name  = "COMM_DATABASE_PORT"
-          value = "3307"
-        },
-        {
-          name  = "COMM_DATABASE_USER"
-          value = "${var.mariadb_username}"
-        },
-        {
-          name  = "COMM_DATABASE_PASSWORD"
-          value = "${var.mariadb_password}"
-        },
-        {
-          name  = "COMM_JSONCONFIG_secrets_user_credentials"
-          value = jsonencode(var.keyserver_user_credentials)
-        },
-        {
-          name = "COMM_JSONCONFIG_facts_keyserver_url"
-          value = jsonencode({
-            "baseDomain" : "https://${var.domain_name}",
-            "basePath" : "/",
-            "baseRoutePath" : "/",
-            "https" : true,
-            "proxy" : "aws"
-          })
-        },
-        {
-          name = "COMM_JSONCONFIG_facts_webapp_cors"
-          value = jsonencode({
-            "domain" : "https://web.comm.app"
-          })
-        },
-        {
-          name = "COMM_JSONCONFIG_facts_tunnelbroker",
-          value = jsonencode({
-            "url" : "${var.tunnelbroker_url}"
-          })
-        },
-        {
-          name = "COMM_JSONCONFIG_secrets_identity_service_config",
-          value = jsonencode({
-            "identitySocketAddr" : "${var.identity_socket_address}"
-          })
-        },
-        {
-          name  = "COMM_JSONCONFIG_facts_authoritative_keyserver",
-          value = jsonencode(var.authoritative_keyserver_config),
-        }
-      ]
+      environment = local.secondary_environment
       logConfiguration = {
         "logDriver" = "awslogs"
         "options" = {
diff --git a/services/terraform/self-host/providers.tf b/services/terraform/self-host/providers.tf
--- a/services/terraform/self-host/providers.tf
+++ b/services/terraform/self-host/providers.tf
@@ -4,5 +4,9 @@
       source  = "hashicorp/aws"
       version = "~> 5.32.0"
     }
+    dotenv = {
+      source  = "germanbrew/dotenv"
+      version = "1.1.2"
+    }
   }
 }
diff --git a/services/terraform/self-host/variables.tf b/services/terraform/self-host/variables.tf
--- a/services/terraform/self-host/variables.tf
+++ b/services/terraform/self-host/variables.tf
@@ -1,30 +1,8 @@
-variable "keyserver_user_credentials" {
-  description = "Credentials for user authentication"
-  type = object({
-    username                 = string
-    password                 = string
-    usingIdentityCredentials = optional(bool)
-    force                    = optional(bool)
-  })
-}
-
 variable "domain_name" {
   description = "Domain name for your keyserver"
   type        = string
 }
 
-variable "mariadb_username" {
-  description = "MariaDB username"
-  type        = string
-  sensitive   = true
-}
-
-variable "mariadb_password" {
-  description = "MariaDB password"
-  type        = string
-  sensitive   = true
-}
-
 variable "region" {
   description = "The AWS region to deploy your keyserver in"
   type        = string
@@ -40,14 +18,6 @@
   description = "Use non-default vpc and subnets"
 }
 
-variable "authoritative_keyserver_config" {
-  description = "Authoritative keyserver user id"
-  type = object({
-    authoritativeKeyserverID = optional(string)
-  })
-  default = {}
-}
-
 variable "availability_zone_1" {
   description = "First availability zone for vpc subnet if user created vpc"
   type        = string
@@ -60,18 +30,6 @@
   default     = "us-west-1c"
 }
 
-variable "identity_socket_address" {
-  description = "The socket address to access the identity service"
-  type        = string
-  default     = "https://identity.commtechnologies.org:50054"
-}
-
-variable "tunnelbroker_url" {
-  description = "The address to access the tunnelbroker service"
-  type        = string
-  default     = "wss://tunnelbroker.commtechnologies.org:51001"
-}
-
 variable "db_instance_class" {
   description = "The instance class for the MariaDB RDS instance"
   type        = string