diff --git a/services/terraform/self-host/.gitignore b/services/terraform/self-host/.gitignore
index d9fafa2dc..697b6f5c5 100644
--- a/services/terraform/self-host/.gitignore
+++ b/services/terraform/self-host/.gitignore
@@ -1,35 +1,37 @@
+.env
+
 # Local .terraform directories
 **/.terraform/*
 
 # .tfstate files
 *.tfstate
 *.tfstate.*
 .terraform.lock.hcl
 
 # Crash log files
 crash.log
 crash.*.log
 
 # Exclude all .tfvars files, which are likely to contain sensitive data, such as
 # password, private keys, and other secrets. These should not be part of version
 # control as they are data points which are potentially sensitive and subject
 # to change depending on the environment.
 *.tfvars
 *.tfvars.json
 
 # Ignore override files as they are usually used to override resources locally and so
 # are not checked in
 override.tf
 override.tf.json
 *_override.tf
 *_override.tf.json
 
 # Include override files you do wish to add to version control using negated pattern
 # !example_override.tf
 
 # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
 # example: *tfplan*
 
 # Ignore CLI configuration files
 .terraformrc
 terraform.rc
diff --git a/services/terraform/self-host/aws_db.tf b/services/terraform/self-host/aws_db.tf
index 1699fa7dc..d599073bf 100644
--- a/services/terraform/self-host/aws_db.tf
+++ b/services/terraform/self-host/aws_db.tf
@@ -1,113 +1,120 @@
+locals {
+  mariadb_database_name = local.local_with_default_environment_vars.COMM_DATABASE_DATABASE
+  mariadb_username      = local.local_with_default_environment_vars.COMM_DATABASE_USER
+  mariadb_password      = local.local_with_default_environment_vars.COMM_DATABASE_PASSWORD
+  mariadb_port          = jsondecode(local.local_with_default_environment_vars.COMM_DATABASE_PORT)
+}
+
 # MariaDB Security Group
 resource "aws_security_group" "keyserver_mariadb_security_group" {
   name        = "keyserver-mariadb-sg"
   description = "Allow inbound traffic on port 3307 and all outbound traffic"
   vpc_id      = local.vpc_id
 
   # Inbound rules
   ingress {
-    from_port       = 3307
-    to_port         = 3307
+    from_port       = local.mariadb_port
+    to_port         = local.mariadb_port
     protocol        = "tcp"
     security_groups = [aws_security_group.keyserver_service.id]
   }
 
   ingress {
-    from_port   = 3307
-    to_port     = 3307
+    from_port   = local.mariadb_port
+    to_port     = local.mariadb_port
     protocol    = "tcp"
     cidr_blocks = ["${var.allowed_ip}/32"]
   }
 
   # Outbound rules
   egress {
     from_port   = 0
     to_port     = 0
     protocol    = "-1"
     cidr_blocks = ["0.0.0.0/0"]
   }
 }
 
 # MariaDB RDS Instance
 resource "aws_db_instance" "mariadb" {
   allocated_storage      = 100
   max_allocated_storage  = 3000
   storage_type           = "gp3"
   db_name                = "mariadb"
   identifier             = "mariadb-instance"
   engine                 = "mariadb"
   engine_version         = "10.11"
   instance_class         = "db.m6g.large"
   db_subnet_group_name   = aws_db_subnet_group.public_db_subnet_group.name
   vpc_security_group_ids = [aws_security_group.keyserver_mariadb_security_group.id]
-  username               = var.mariadb_username
-  password               = var.mariadb_password
+  username               = local.mariadb_username
+  password               = local.mariadb_password
   parameter_group_name   = aws_db_parameter_group.mariadb_parameter_group.name
   storage_encrypted      = true
   publicly_accessible    = true
-  port                   = 3307
+  port                   = local.mariadb_port
   skip_final_snapshot    = true
 }
 
 # MariaDB Parameter Group
 resource "aws_db_parameter_group" "mariadb_parameter_group" {
   name   = "mariadb-parameter-group"
   family = "mariadb10.11"
 
   parameter {
     apply_method = "pending-reboot"
     name         = "performance_schema"
     value        = "1"
   }
 
   parameter {
     apply_method = "immediate"
     name         = "max_allowed_packet"
     # 256 MiB: (1024 * 1024 * 256)
     value = "268435456"
   }
 
   parameter {
     apply_method = "immediate"
     name         = "local_infile"
     value        = "0"
   }
 
   parameter {
     apply_method = "immediate"
     name         = "sql_mode"
     value        = "STRICT_ALL_TABLES"
   }
 
   parameter {
     apply_method = "pending-reboot"
     name         = "innodb_buffer_pool_size"
     value        = "{DBInstanceClassMemory*3/4}"
   }
 
   parameter {
     apply_method = "pending-reboot"
     name         = "innodb_ft_min_token_size"
     value        = "1"
   }
 
   parameter {
     apply_method = "immediate"
     name         = "innodb_ft_enable_stopword"
     value        = "0"
   }
 }
 
 resource "null_resource" "create_comm_database" {
   depends_on = [aws_db_instance.mariadb, aws_security_group.keyserver_mariadb_security_group]
 
   provisioner "local-exec" {
     command = <<EOT
-    mysql --user=${var.mariadb_username} \
-          --port=3307 \
+    mysql --user=${local.mariadb_username} \
+          --port=${local.mariadb_port} \
           --host=${aws_db_instance.mariadb.address} \
-          --execute="CREATE DATABASE IF NOT EXISTS comm;" \
-          --password=${var.mariadb_password}
+          --execute="CREATE DATABASE IF NOT EXISTS ${local.mariadb_database_name};" \
+          --password=${local.mariadb_password}
     EOT
   }
 }
diff --git a/services/terraform/self-host/env.tf b/services/terraform/self-host/env.tf
new file mode 100644
index 000000000..d075d0ad4
--- /dev/null
+++ b/services/terraform/self-host/env.tf
@@ -0,0 +1,23 @@
+data "dotenv" "local" {}
+
+locals {
+  default_environment_vars = {
+    "COMM_DATABASE_PORT" = "3307"
+  }
+
+  local_with_default_environment_vars = merge(
+    local.default_environment_vars,
+    data.dotenv.local.entries
+  )
+
+  aws_resource_environment_vars = {
+    "REDIS_URL"          = "rediss://${aws_elasticache_serverless_cache.redis.endpoint[0].address}:6379"
+    "COMM_DATABASE_HOST" = "${aws_db_instance.mariadb.address}"
+  }
+
+  shared_environment_vars = merge(
+    local.local_with_default_environment_vars,
+    local.aws_resource_environment_vars
+  )
+}
+
diff --git a/services/terraform/self-host/keyserver_primary.tf b/services/terraform/self-host/keyserver_primary.tf
index ba98ba8d1..26b1c16c3 100644
--- a/services/terraform/self-host/keyserver_primary.tf
+++ b/services/terraform/self-host/keyserver_primary.tf
@@ -1,203 +1,144 @@
 locals {
   keyserver_service_image_tag      = "1.0.100"
   keyserver_service_server_image   = "commapp/keyserver:${local.keyserver_service_image_tag}"
   keyserver_primary_container_name = "keyserver-primary"
+
+  primary_environment_vars = merge(local.shared_environment_vars,
+    {
+      "COMM_NODE_ROLE" = "primary"
+  })
+
+  primary_environment = [
+    for name, value in local.primary_environment_vars : {
+      name  = name
+      value = value
+    }
+  ]
 }
 
 resource "aws_cloudwatch_log_group" "keyserver_primary_service" {
   name              = "/ecs/keyserver-primary-task-def"
   retention_in_days = 7
 }
 
 output "mariadb_address" {
   value = aws_db_instance.mariadb.address
 }
 
 resource "aws_ecs_task_definition" "keyserver_primary_service" {
   network_mode             = "awsvpc"
   family                   = "keyserver-primary-task-def"
   requires_compatibilities = ["FARGATE"]
   task_role_arn            = aws_iam_role.ecs_task_role.arn
   execution_role_arn       = aws_iam_role.ecs_task_execution.arn
   cpu                      = "2048"
   memory                   = "4096"
 
   ephemeral_storage {
     size_in_gib = 40
   }
 
   container_definitions = jsonencode([
     {
       name      = local.keyserver_primary_container_name
       image     = local.keyserver_service_server_image
       essential = true
       portMappings = [
         {
           name          = "keyserver-port"
           containerPort = 3000
           hostPort      = 3000,
           protocol      = "tcp"
         },
 
       ]
-      environment = [
-        {
-          name  = "REDIS_URL"
-          value = "rediss://${aws_elasticache_serverless_cache.redis.endpoint[0].address}:6379"
-        },
-        {
-          name  = "COMM_NODE_ROLE"
-          value = "primary"
-        },
-        {
-          name  = "COMM_LISTEN_ADDR"
-          value = "0.0.0.0"
-        },
-        {
-          name  = "COMM_DATABASE_HOST"
-          value = "${aws_db_instance.mariadb.address}"
-        },
-        {
-          name  = "COMM_DATABASE_DATABASE"
-          value = "comm"
-        },
-        {
-          name  = "COMM_DATABASE_PORT"
-          value = "3307"
-        },
-        {
-          name  = "COMM_DATABASE_USER"
-          value = "${var.mariadb_username}"
-        },
-        {
-          name  = "COMM_DATABASE_PASSWORD"
-          value = "${var.mariadb_password}"
-        },
-        {
-          name  = "COMM_JSONCONFIG_secrets_user_credentials"
-          value = jsonencode(var.keyserver_user_credentials)
-        },
-        {
-          name = "COMM_JSONCONFIG_facts_webapp_cors"
-          value = jsonencode({
-            "domain" : "https://web.comm.app"
-          })
-        },
-        {
-          name = "COMM_JSONCONFIG_facts_keyserver_url"
-          value = jsonencode({
-            "baseDomain" : "https://${var.domain_name}",
-            "basePath" : "/",
-            "baseRoutePath" : "/",
-            "https" : true,
-            "proxy" : "aws"
-          })
-        },
-        {
-          name = "COMM_JSONCONFIG_secrets_identity_service_config",
-          value = jsonencode({
-            "identitySocketAddr" : "${var.identity_socket_address}"
-          })
-        },
-        {
-          name  = "COMM_JSONCONFIG_facts_authoritative_keyserver",
-          value = jsonencode(var.authoritative_keyserver_config),
-        },
-        {
-          name = "COMM_JSONCONFIG_facts_tunnelbroker",
-          value = jsonencode({
-            "url" : "${var.tunnelbroker_url}"
-          })
-        }
-      ]
+      environment = local.primary_environment
       logConfiguration = {
         "logDriver" = "awslogs"
         "options" = {
           "awslogs-create-group"  = "true"
           "awslogs-group"         = aws_cloudwatch_log_group.keyserver_primary_service.name
           "awslogs-stream-prefix" = "ecs"
           "awslogs-region"        = "${var.region}"
         }
       }
       linuxParameters = {
         initProcessEnabled = true
       }
     }
   ])
 
   runtime_platform {
     cpu_architecture        = "ARM64"
     operating_system_family = "LINUX"
   }
 
   skip_destroy = false
 }
 
 resource "aws_ecs_service" "keyserver_primary_service" {
   depends_on = [null_resource.create_comm_database]
 
   # Do not change name without replacing primary_service_name in aws-deploy.sh
   name                               = "keyserver-primary-service"
   cluster                            = aws_ecs_cluster.keyserver_cluster.id
   task_definition                    = aws_ecs_task_definition.keyserver_primary_service.arn
   launch_type                        = "FARGATE"
   enable_execute_command             = true
   enable_ecs_managed_tags            = true
   force_new_deployment               = true
   desired_count                      = 1
   deployment_maximum_percent         = 100
   deployment_minimum_healthy_percent = 0
 
 
   network_configuration {
     subnets          = local.vpc_subnets
     security_groups  = [aws_security_group.keyserver_service.id]
     assign_public_ip = true
   }
 
   load_balancer {
     target_group_arn = aws_lb_target_group.keyserver_service.arn
     container_name   = local.keyserver_primary_container_name
     container_port   = 3000
   }
 
   deployment_circuit_breaker {
     enable   = true
     rollback = true
   }
 }
 
 resource "aws_security_group" "keyserver_service" {
   name   = "keyserver-service-ecs-sg"
   vpc_id = local.vpc_id
 
   # Allow all inbound traffic  on port 3000
   ingress {
     from_port   = 3000
     to_port     = 3000
     protocol    = "tcp"
     cidr_blocks = ["0.0.0.0/0"]
   }
 
   ingress {
     description      = "Allow inbound traffic from any IPv6 address"
     from_port        = 3000
     to_port          = 3000
     protocol         = "tcp"
     ipv6_cidr_blocks = ["::/0"]
   }
 
   # Allow all outbound traffic
   egress {
     from_port   = 0
     to_port     = 0
     protocol    = "-1"
     cidr_blocks = ["0.0.0.0/0"]
   }
 
   lifecycle {
     create_before_destroy = true
   }
 }
-
-
diff --git a/services/terraform/self-host/keyserver_secondary.tf b/services/terraform/self-host/keyserver_secondary.tf
index a36371a57..839e5ca52 100644
--- a/services/terraform/self-host/keyserver_secondary.tf
+++ b/services/terraform/self-host/keyserver_secondary.tf
@@ -1,176 +1,119 @@
 locals {
   keyserver_secondary_container_name = "keyserver-secondary"
+
+  secondary_environment_vars = merge(local.shared_environment_vars,
+    {
+      "COMM_NODE_ROLE" = "secondary"
+  })
+
+  secondary_environment = [
+    for name, value in local.secondary_environment_vars : {
+      name  = name
+      value = value
+    }
+  ]
 }
 
 resource "aws_cloudwatch_log_group" "keyserver_secondary_service" {
   name              = "/ecs/keyserver-secondary-task-def"
   retention_in_days = 7
 }
 
 resource "aws_ecs_task_definition" "keyserver_secondary_service" {
   depends_on = [aws_ecs_service.keyserver_primary_service]
 
   network_mode             = "awsvpc"
   family                   = "keyserver-secondary-task-def"
   requires_compatibilities = ["FARGATE"]
   task_role_arn            = aws_iam_role.ecs_task_role.arn
   execution_role_arn       = aws_iam_role.ecs_task_execution.arn
   cpu                      = "2048"
   memory                   = "4096"
 
   ephemeral_storage {
     size_in_gib = 40
   }
 
   container_definitions = jsonencode([
     {
       name      = local.keyserver_secondary_container_name
       image     = local.keyserver_service_server_image
       essential = true
       portMappings = [
         {
           name          = "keyserver-port"
           containerPort = 3000
           hostPort      = 3000,
           protocol      = "tcp"
         },
 
       ]
-      environment = [
-        {
-          name  = "REDIS_URL"
-          value = "rediss://${aws_elasticache_serverless_cache.redis.endpoint[0].address}:6379"
-        },
-        {
-          name  = "COMM_NODE_ROLE"
-          value = "secondary"
-        },
-        {
-          name  = "COMM_LISTEN_ADDR"
-          value = "0.0.0.0"
-        },
-        {
-          name  = "COMM_DATABASE_HOST"
-          value = "${aws_db_instance.mariadb.address}"
-        },
-        {
-          name  = "COMM_DATABASE_DATABASE"
-          value = "comm"
-        },
-        {
-          name  = "COMM_DATABASE_PORT"
-          value = "3307"
-        },
-        {
-          name  = "COMM_DATABASE_USER"
-          value = "${var.mariadb_username}"
-        },
-        {
-          name  = "COMM_DATABASE_PASSWORD"
-          value = "${var.mariadb_password}"
-        },
-        {
-          name  = "COMM_JSONCONFIG_secrets_user_credentials"
-          value = jsonencode(var.keyserver_user_credentials)
-        },
-        {
-          name = "COMM_JSONCONFIG_facts_keyserver_url"
-          value = jsonencode({
-            "baseDomain" : "https://${var.domain_name}",
-            "basePath" : "/",
-            "baseRoutePath" : "/",
-            "https" : true,
-            "proxy" : "aws"
-          })
-        },
-        {
-          name = "COMM_JSONCONFIG_facts_webapp_cors"
-          value = jsonencode({
-            "domain" : "https://web.comm.app"
-          })
-        },
-        {
-          name = "COMM_JSONCONFIG_facts_tunnelbroker",
-          value = jsonencode({
-            "url" : "${var.tunnelbroker_url}"
-          })
-        },
-        {
-          name = "COMM_JSONCONFIG_secrets_identity_service_config",
-          value = jsonencode({
-            "identitySocketAddr" : "${var.identity_socket_address}"
-          })
-        },
-        {
-          name  = "COMM_JSONCONFIG_facts_authoritative_keyserver",
-          value = jsonencode(var.authoritative_keyserver_config),
-        }
-      ]
+      environment = local.secondary_environment
       logConfiguration = {
         "logDriver" = "awslogs"
         "options" = {
           "awslogs-create-group"  = "true"
           "awslogs-group"         = aws_cloudwatch_log_group.keyserver_secondary_service.name
           "awslogs-stream-prefix" = "ecs"
           "awslogs-region"        = "${var.region}"
         }
       }
       linuxParameters = {
         initProcessEnabled = true
       }
     }
   ])
 
   runtime_platform {
     cpu_architecture        = "ARM64"
     operating_system_family = "LINUX"
   }
 
   # Wait indefinitely for primary service to become healthy before deploying secondary service
   provisioner "local-exec" {
     command = <<EOT
       while true; do
       if curl --silent --output /dev/null --fail "https://${var.domain_name}/health"; then
           echo "Primary service is healthy. Proceeding with deployment of secondary service."
           exit 0
         else
           echo "Primary service is not healthy yet. Waiting 10 seconds before checking again..."
           sleep 10
         fi
       done
     EOT
   }
 
   skip_destroy = false
 }
 
 resource "aws_ecs_service" "keyserver_secondary_service" {
   depends_on = [aws_ecs_service.keyserver_primary_service]
 
   # Do not change name without replacing secondary_service_name in aws-deploy.sh
   name                    = "keyserver-secondary-service"
   cluster                 = aws_ecs_cluster.keyserver_cluster.id
   task_definition         = aws_ecs_task_definition.keyserver_secondary_service.arn
   launch_type             = "FARGATE"
   enable_execute_command  = true
   enable_ecs_managed_tags = true
   force_new_deployment    = true
   desired_count           = var.desired_secondary_nodes
 
   network_configuration {
     subnets          = local.vpc_subnets
     security_groups  = [aws_security_group.keyserver_service.id]
     assign_public_ip = true
   }
 
   load_balancer {
     target_group_arn = aws_lb_target_group.keyserver_service.arn
     container_name   = local.keyserver_secondary_container_name
     container_port   = 3000
   }
 
   deployment_circuit_breaker {
     enable   = true
     rollback = true
   }
 }
diff --git a/services/terraform/self-host/providers.tf b/services/terraform/self-host/providers.tf
index 5b9f2781e..b5a52c03e 100644
--- a/services/terraform/self-host/providers.tf
+++ b/services/terraform/self-host/providers.tf
@@ -1,8 +1,12 @@
 terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
       version = "~> 5.32.0"
     }
+    dotenv = {
+      source  = "germanbrew/dotenv"
+      version = "1.1.2"
+    }
   }
 }
diff --git a/services/terraform/self-host/variables.tf b/services/terraform/self-host/variables.tf
index 3bf3a385f..c182e832d 100644
--- a/services/terraform/self-host/variables.tf
+++ b/services/terraform/self-host/variables.tf
@@ -1,85 +1,43 @@
-variable "keyserver_user_credentials" {
-  description = "Credentials for user authentication"
-  type = object({
-    username                 = string
-    password                 = string
-    usingIdentityCredentials = optional(bool)
-    force                    = optional(bool)
-  })
-}
-
 variable "domain_name" {
   description = "Domain name for your keyserver"
   type        = string
 }
 
-variable "mariadb_username" {
-  description = "MariaDB username"
-  type        = string
-  sensitive   = true
-}
-
-variable "mariadb_password" {
-  description = "MariaDB password"
-  type        = string
-  sensitive   = true
-}
-
 variable "region" {
   description = "The AWS region to deploy your keyserver in"
   type        = string
   default     = "us-west-1"
 }
 
 variable "allowed_ip" {
   description = "IP address"
   type        = string
 }
 
 variable "user_created_vpc" {
   description = "Use non-default vpc and subnets"
 }
 
-variable "authoritative_keyserver_config" {
-  description = "Authoritative keyserver user id"
-  type = object({
-    authoritativeKeyserverID = optional(string)
-  })
-  default = {}
-}
-
 variable "availability_zone_1" {
   description = "First availability zone for vpc subnet if user created vpc"
   type        = string
   default     = "us-west-1b"
 }
 
 variable "availability_zone_2" {
   description = "Second availability zone for vpc subnet if user created vpc"
   type        = string
   default     = "us-west-1c"
 }
 
-variable "identity_socket_address" {
-  description = "The socket address to access the identity service"
-  type        = string
-  default     = "https://identity.commtechnologies.org:50054"
-}
-
-variable "tunnelbroker_url" {
-  description = "The address to access the tunnelbroker service"
-  type        = string
-  default     = "wss://tunnelbroker.commtechnologies.org:51001"
-}
-
 variable "db_instance_class" {
   description = "The instance class for the MariaDB RDS instance"
   type        = string
   default     = "db.t4g.medium"
 }
 
 variable "desired_secondary_nodes" {
   description = "Desired number of secondary nodes"
   type        = number
   default     = 1
 }