diff --git a/Dockerfile b/Dockerfile
index 18db985..1d0f529 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -10,12 +10,14 @@ RUN \
 
 FROM scratch
 ENV \
+    APP_KEY="" \
     OAUTH2_CLIENT_ID="" \
     OAUTH2_CLIENT_SECRET="" \
-    APP_KEY="" \
     OAUTH2_AUTH_URL="https://gitlab.example.com/oauth/authorize" \
     OAUTH2_TOKEN_URL="https://gitlab.example.com/oauth/token" \
+    OAUTH2_REDIRECT_URL="https://certman.example.com/login/oauth2/redirect" \
     USER_ENDPOINT="https://gitlab.example.com/api/v4/user" \
-    OAUTH2_REDIRECT_URL="https://certman.example.com/login/oauth2/redirect"
+    APP_KEY=""
+COPY --from=0 /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 COPY --from=0 /go/src/git.klink.asia/paul/certman/certman /
 ENTRYPOINT ["/certman"]
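Review bot: `APP_KEY=""` is now declared twice in the same `ENV` instruction, once at the top of the list and again as the new last entry. Both values are empty, so the result is probably the same, but the duplicate reads as a merge leftover and invites someone to edit only one of them. I would drop the trailing `APP_KEY=""` and end the list on `USER_ENDPOINT=...`. The block also declares no `APP_LISTEN`, although main.go in this commit reads it, so the image has no listen address unless the runtime supplies one; adding `APP_LISTEN=":8000"` here would keep the previous port. The `RUN` stage above the hunk is not visible, so this assumes nothing else sets it.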
diff --git a/handlers/README.md b/README.md
similarity index 94%
rename from handlers/README.md
rename to README.md
index cef2157..0563ca0 100644
--- a/handlers/README.md
+++ b/README.md
@@ -34,4 +34,5 @@ variables:
  * `OAUTH2_TOKEN_URL` the URL to the "/token" endpoint of the identity provider
  * `OAUTH2_REDIRECT_URL` the redirect URL used by the app, usually the hostname suffixed by "/login/oauth2/redirect"
  * `USER_ENDPOINT` the URL to the Identity provider user endpoint, for gitlab this is "/api/v4/user". The "username" attribute of the returned JSON will used for authentication.
- * `APP_KEY` random ASCII string, 32 characters in length. Used for cookie generation.
\ No newline at end of file
+ * `APP_KEY` random ASCII string, 32 characters in length. Used for cookie generation.
+ * `APP_LISTEN` port and ip to listen on, e.g. `:8000` or `127.0.0.1:3000`
\ No newline at end of file
diff --git a/main.go b/main.go
index b357e61..eb74fc6 100644
--- a/main.go
+++ b/main.go
@@ -39,7 +39,7 @@ func main() {
 	mux := router.HandleRoutes(serviceProvider)
 
 	log.Println(".. server")
-	err := http.ListenAndServe(":8000", mux)
+	err := http.ListenAndServe(os.Getenv("APP_LISTEN"), mux)
 	log.Fatalf(err.Error())
 }
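Review bot: When `APP_LISTEN` is unset, `os.Getenv` returns an empty string and `http.ListenAndServe` then binds to `:http` (port 80 on every interface) instead of the previous `:8000`. That silently changes the service's exposure for any deployment that does not set the new variable. Keep the old default explicitly: `addr := os.Getenv("APP_LISTEN")`, then `if addr == "" { addr = ":8000" }`, and pass `addr` to `ListenAndServe`. Logging the chosen address next to `".. server"` would let operators confirm what is actually bound. The start of `main` and the import block are outside the hunk, so check that `os` is imported.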