diff --git a/config/releases.exs b/config/releases.exs
index 4d47dc31d..fe9e6ccb1 100644
--- a/config/releases.exs
+++ b/config/releases.exs
@@ -11,23 +11,21 @@ database_user = System.fetch_env!("DATABASE_USER")
 database_host = System.fetch_env!("DATABASE_HOST")
 database_port = System.fetch_env!("DATBASE_PORT")
 database_pool = System.fetch_env!("DATBASE_POOL")
-database_encryption_key = System.fetch_env!("DATABASE_ENCRYPTION_KEY")
-phoenix_port = System.fetch_env!("PHOENIX_PORT")
+port = System.fetch_env!("PHOENIX_PORT")
 url_host = System.fetch_env!("URL_HOST")
+admin_email = System.fetch_env!("ADMIN_EMAIL")
+wireguard_interface_name = System.fetch_env!("WIREGUARD_INTERFACE_NAME")
+wireguard_port = System.fetch_env!("WIREGUARD_PORT")
+
+# secrets
+encryption_key = System.fetch_env!("DATABASE_ENCRYPTION_KEY")
 secret_key_base = System.fetch_env!("SECRET_KEY_BASE")
 live_view_signing_salt = System.fetch_env!("LIVE_VIEW_SIGNING_SALT")
-wireguard_private_key = System.fetch_env!("WIREGUARD_SERVER_KEY")
-wireguard_interface_name = System.fetch_env!("WIREGUARD_INTERFACE_NAME")
-wireguard_listen_port = System.fetch_env!("WIREGUARD_LISTEN_PORT")
-admin_email = System.fetch_env!("ADMIN_EMAIL")
+private_key = System.fetch_env!("WIREGUARD_PRIVATE_KEY")
 # Password is not needed if using bundled PostgreSQL, so use nil if it's not set.
 database_password = System.get_env("DATABASE_PASSWORD")
-default_egress_address =
- CLI.exec!("ip route get 8.8.8.8 | grep -oP 'src \\K\\S+'")
- |> String.trim()
-
 config :fz_http, disable_signup: disable_signup
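Review bot: The untouched context lines `database_port = System.fetch_env!("DATBASE_PORT")` and `database_pool = System.fetch_env!("DATBASE_POOL")` no longer agree with the cookbook side of this commit, which exports `DATABASE_PORT` and `DATABASE_POOL` from `Firezone::Config.app_env`, so `fetch_env!` will raise at release boot even though the surrounding variables were renamed to match. Correcting both to `System.fetch_env!("DATABASE_PORT")` and `System.fetch_env!("DATABASE_POOL")` belongs in this change. Removing `default_egress_address` also drops a shell pipeline that was evaluated at config-load time, which is a welcome reduction of startup surface.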
@@ -57,12 +55,12 @@ config :fz_http, FzHttp.Vault,
 # https://github.com/danielberkompas/cloak/issues/93
 #
 # In Cloak 2.0, this will be the default iv length for AES.GCM.
- tag: "AES.GCM.V1", key: Base.decode64!(database_encryption_key), iv_length: 12
+ tag: "AES.GCM.V1", key: Base.decode64!(encryption_key), iv_length: 12
 }
 ]
 config :fz_http, FzHttpWeb.Endpoint,
- url: [host: url_host, port: phoenix_port],
+ url: [host: url_host, port: port],
 secret_key_base: secret_key_base,
 live_view: [
 signing_salt: live_view_signing_salt
@@ -71,8 +69,8 @@ config :fz_http, FzHttpWeb.Endpoint,
 config :fz_vpn,
 wireguard_interface_name: wireguard_interface_name,
- wireguard_listen_port: wireguard_listen_port,
- wireguard_private_key: wireguard_private_key
+ wireguard_port: wireguard_port,
+ wireguard_private_key: private_key
 config :fz_http, admin_email: admin_email
diff --git a/omnibus/config/software/wireguard-tools.rb b/omnibus/config/software/wireguard-tools.rb
index ea0dcb576..c660bb1a5 100644
--- a/omnibus/config/software/wireguard-tools.rb
+++ b/omnibus/config/software/wireguard-tools.rb
@@ -30,12 +30,9 @@ license "GPL-2.0"
 build do
 env = with_standard_compiler_flags(with_embedded_path).merge(
- "PREFIX" => "#{install_dir}/embedded",
- "RUNSTATEDIR" => "#{install_dir}/embedded/var/run",
- "SYSCONFDIR" => "#{install_dir}/embedded/etc",
- "DESTDIR" => "#{install_dir}/embedded"
+ "PREFIX" => "#{install_dir}/embedded"
 )
 make "-j #{workers}", env: env
- make "install", env: env
+ make "-j #{workers} install", env: env
 end
diff --git a/omnibus/cookbooks/firezone/attributes/default.rb b/omnibus/cookbooks/firezone/attributes/default.rb
index fa0b63c23..9fef8caf1 100644
--- a/omnibus/cookbooks/firezone/attributes/default.rb
+++ b/omnibus/cookbooks/firezone/attributes/default.rb
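Review bot: With `SYSCONFDIR`, `RUNSTATEDIR` and `DESTDIR` dropped from the make environment in the wireguard-tools hunk, only `PREFIX` is redirected into `#{install_dir}/embedded`; any path the wireguard-tools Makefile defaults independently of `PREFIX` (its `/etc`, `/var/run` and systemd unit-directory defaults, if the pinned version still uses them) would then be written to the build host's root filesystem by `make install`, and the packaged `wg-quick` would look for its configuration outside the embedded tree. Worth verifying the install layout of the resulting package, or keeping `"SYSCONFDIR" => "#{install_dir}/embedded/etc"` and `"RUNSTATEDIR" => "#{install_dir}/embedded/var/run"` next to `"PREFIX"`. The `build do` block is complete within the hunk.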
@@ -193,8 +193,8 @@ default['firezone']['phoenix']['admin_email'] =
 # ## WireGuard
 #
 # The WireGuard interface settings
-default['firezone']['wireguard']['listen_address'] = '0.0.0.0'
-default['firezone']['wireguard']['listen_port'] = 15820
+default['firezone']['wireguard']['interface_name'] = 'wg-firezone'
+default['firezone']['wireguard']['port'] = 11820
 # ## Runit
@@ -247,6 +247,9 @@ default['firezone']['database']['port'] = node['firezone']['postgresql']['port']
 default['firezone']['database']['pool'] = [10, Etc.nprocessors].max
 default['firezone']['database']['extensions'] = { 'plpgsql' => true, 'pg_trgm' => true }
+# Uncomment to specify a database password. Not usually needed if using the bundled Postgresql.
+# default['firezone']['database']['password'] = 'change_me'
+
 # ## App-specific top-level attributes
 #
 # These are used by Phoenix. Most will be exported directly to
diff --git a/omnibus/cookbooks/firezone/libraries/config.rb b/omnibus/cookbooks/firezone/libraries/config.rb
index bac4abdaa..03f59e5f2 100644
--- a/omnibus/cookbooks/firezone/libraries/config.rb
+++ b/omnibus/cookbooks/firezone/libraries/config.rb
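Review bot: The commented example `# default['firezone']['database']['password'] = 'change_me'` in the second hunk does not say where the value goes: `Firezone::Config.app_env` reads `attributes.dig('database', 'password')` and exports it to the app as `DATABASE_PASSWORD`, while the other credentials in this commit are moved out of firezone.json into secrets.json. Suggest extending the comment to `# Read by Firezone::Config.app_env and passed to the app as DATABASE_PASSWORD; only needed for an external PostgreSQL.`. Whether secrets.json could hold this value instead of the attributes file is not visible in the hunk.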
@@ -51,10 +51,37 @@ class Firezone
 node['firezone']['secret_key_base']
 else
 Chef::Log.warn 'No secret_key_base set! Generating and writing one to secrets.json. If this FireZone installation has multiple hosts, you must duplicate the secrets.json file exactly across all hosts.'
- SecureRandom.hex(50)
+ SecureRandom.base64(48)
+ end
+ live_view_signing_salt = if node['firezone'] && node['firezone']['live_view_signing_salt']
+ Chef::Log.warn 'Using live_view_signing_salt from firezone.json. This value should really be managed in secrets.json. Writing to secrets.json.'
+ node['firezone']['live_view_signing_salt']
+ else
+ Chef::Log.warn 'No live_view_signing_salt set! Generating and writing one to secrets.json. If this FireZone installation has multiple hosts, you must duplicate the secrets.json file exactly across all hosts.'
+ SecureRandom.base64(24)
+ end
+ wireguard_private_key = if node['firezone'] && node['firezone']['wireguard_private_key']
+ Chef::Log.warn 'Using wireguard_private_key from firezone.json. This value should really be managed in secrets.json. Writing to secrets.json.'
+ node['firezone']['wireguard_private_key']
+ else
+ Chef::Log.warn 'No wireguard_private_key set! Generating and writing one to secrets.json. If this FireZone installation has multiple hosts, you must duplicate the secrets.json file exactly across all hosts.'
+ `#{node['firezone']['install_dir']}/embedded/bin/wg genkey`.chomp
+ end
+ database_encryption_key = if node['firezone'] && node['firezone']['database_encryption_key']
+ Chef::Log.warn 'Using database_encryption_key from firezone.json. This value should really be managed in secrets.json. Writing to secrets.json.'
+ node['firezone']['database_encryption_key']
+ else
+ Chef::Log.warn 'No database_encryption_key set! Generating and writing one to secrets.json. If this FireZone installation has multiple hosts, you must duplicate the secrets.json file exactly across all hosts.'
+ SecureRandom.base64(32)
 end
- secrets = { 'secret_key_base' => secret_key_base }
+
+ secrets = {
+ 'secret_key_base' => secret_key_base,
+ 'live_view_signing_salt' => live_view_signing_salt,
+ 'wireguard_private_key' => wireguard_private_key,
+ 'database_encryption_key' => database_encryption_key
+ }
 open(filename, 'w') do |file|
 file.puts Chef::JSONCompat.to_json_pretty(secrets)
@@ -156,6 +183,33 @@ class Firezone
 end
 end
+ def self.app_env(attributes)
+ env = {
+ 'MIX_ENV' => 'prod',
+ 'DATABASE_NAME' => attributes['database']['name'],
+ 'DATABASE_USER' => attributes['database']['user'],
+ 'DATABASE_HOST' => attributes['database']['host'],
+ 'DATABASE_PORT' => attributes['database']['port'],
+ 'DATABASE_POOL' => attributes['database']['pool'],
+ 'PHOENIX_PORT' => attributes['phoenix']['port'],
+ 'URL_HOST' => attributes['url_host'],
+ 'ADMIN_EMAIL' => attributes['admin_email'],
+ 'WIREGUARD_INTERFACE_NAME' => node['firezone']['wireguard']['interface_name'],
+ 'WIREGUARD_PORT' => node['firezone']['wireguard']['port'],
+
+ # secrets
+ 'SECRET_KEY_BASE' => attributes['secret_key_base'],
+ 'LIVE_VIEW_SIGNING_SALT' => attributes['live_view_signing_salt'],
+ 'WIREGUARD_PRIVATE_KEY' => attributes['wireguard_private_key'],
+ 'DATABASE_ENCRYPTION_KEY' => attributes['database_encryption_key']
+ }
+
+ if attributes.dig('database', 'password')
+ env.merge!('DATABASE_PASSWORD' => attributes['database']['password'])
+ end
+
+ end
+
 def self.create_directory!(filename)
 dir = File.dirname(filename)
 FileUtils.mkdir(dir, mode: 0700) unless Dir.exist?(dir)
diff --git a/omnibus/cookbooks/firezone/recipes/app.rb b/omnibus/cookbooks/firezone/recipes/app.rb
index d9b9ac3ea..ff5a0c5de 100644
--- a/omnibus/cookbooks/firezone/recipes/app.rb
+++ b/omnibus/cookbooks/firezone/recipes/app.rb
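Review bot: The `wireguard_private_key` fallback uses the backtick output of `wg genkey` with `.chomp` and never checks `$?`, so if the embedded binary is missing or exits non-zero an empty string is written to secrets.json as the WireGuard private key and every later run reuses it. Capture the output into a local and add `raise 'wg genkey failed' unless $?.success? && !key.empty?` before using it, or use Chef's `shell_out!`, which raises on failure. The four `if`/`else` blocks differ only in the attribute name and generator, so a private helper taking the key name and a block would remove the repetition. Because the file now holds a private key and the database encryption key, the pre-existing `open(filename, 'w')` is worth changing to `File.open(filename, 'w', 0o600)` so the mode does not depend on the umask. The enclosing method starts before this hunk.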
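Review bot: `app_env` returns `nil` whenever no database password is configured, because its final expression is the `if attributes.dig('database', 'password') ... end` block, which evaluates to `nil` when the condition is false; `environment(Firezone::Config.app_env(node['firezone']))` in recipes/app.rb then passes no variables at all and every `System.fetch_env!` in config/releases.exs raises. The method needs `env` as its last expression. The two WireGuard entries also read `node['firezone']['wireguard'][...]` instead of `attributes['wireguard'][...]`, which, unless the class provides a `node` method not visible here, is a NameError, and the `attributes` argument already carries those keys. `attributes['database']['port']` and `['pool']` are Integers (see the `[10, Etc.nprocessors].max` default), so confirm the execute resource stringifies environment values or add `.to_s`.
```ruby
def self.app_env(attributes)
  env = {
    # … unchanged: MIX_ENV through ADMIN_EMAIL …
    'WIREGUARD_INTERFACE_NAME' => attributes['wireguard']['interface_name'],
    'WIREGUARD_PORT' => attributes['wireguard']['port'],
    # … unchanged: secrets …
  }

  password = attributes.dig('database', 'password')
  env['DATABASE_PASSWORD'] = password if password
  env
end
```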
@@ -45,9 +45,6 @@ end
 execute 'database schema' do
 command 'bin/firezone eval "FzHttp.Release.migrate"'
 cwd node['firezone']['app_directory']
- attributes = node['firezone'].merge(
- 'force_ssl' => node['firezone']['nginx']['force_ssl']
- )
- environment(attributes.transform_keys(&:upcase))
+ environment(Firezone::Config.app_env(node['firezone']))
 user node['firezone']['user']
 end
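Review bot: The migration task now receives only the allow-list built by `app_env`, which does not include the `FORCE_SSL` value the removed `attributes.transform_keys(&:upcase)` used to export from `node['firezone']['nginx']['force_ssl']`; confirm nothing evaluated by `bin/firezone eval "FzHttp.Release.migrate"` reads it, and add `'FORCE_SSL' => attributes['nginx']['force_ssl']` to `app_env` if it does. Passing an explicit allow-list instead of the whole upcased attribute tree is the right direction, since the old form exported every nested attribute to the process environment.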