diff --git a/Dockerfile b/Dockerfile
index 69cb32fdc..46d4b073e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -35,11 +35,6 @@ RUN addgroup -g 1001 -S app && \
 # Copy the binary from builder
 COPY --from=builder /app/tsidp-server /tsidp-server
 
-# Copy the entrypoint script
-COPY scripts/docker/run.sh /run.sh
-RUN chmod +x /run.sh
-
 USER app:app
 
-# Run the binary through the entrypoint script
-ENTRYPOINT ["/run.sh"]
\ No newline at end of file
+ENTRYPOINT ["/tsidp-server"]
diff --git a/scripts/docker/run.sh b/scripts/docker/run.sh
deleted file mode 100755
index bb861eedf..000000000
--- a/scripts/docker/run.sh
+++ /dev/null
@@ -1,53 +0,0 @@
-#!/bin/sh
-
-# Build command arguments based on environment variables
-ARGS=""
-
-if [ -n "$TS_STATE_DIR" ]; then
-  ARGS="$ARGS -dir=$TS_STATE_DIR"
-fi
-
-if [ -n "$TS_HOSTNAME" ]; then
-  ARGS="$ARGS -hostname=$TS_HOSTNAME"
-fi
-
-if [ -n "$TSIDP_USE_FUNNEL" ]; then
-  ARGS="$ARGS -funnel"
-fi
-
-if [ -n "$TSIDP_ENABLE_STS" ]; then
-  ARGS="$ARGS -enable-sts"
-fi
-
-if [ -n "$TSIDP_PORT" ]; then
-  ARGS="$ARGS -port=$TSIDP_PORT"
-fi
-
-if [ -n "$TSIDP_LOCAL_PORT" ]; then
-  ARGS="$ARGS -local-port=$TSIDP_LOCAL_PORT"
-fi
-
-# logging control
-if [ -n "$TSIDP_LOG" ]; then
-  case "$TSIDP_LOG" in
-    debug|info|warn|error)
-      ARGS="$ARGS -log=$TSIDP_LOG"
-      ;;
-    *)
-      echo "Error: TSIDP_LOG_LEVEL must be one of: debug, info, warn, error"
-      echo "Current value: $TSIDP_LOG"
-      exit 1
-      ;;
-  esac
-fi
-
-if [ -n "$TSIDP_DEBUG_ALL_REQUESTS" ]; then
-  ARGS="$ARGS -debug-all-requests"
-fi
-
-if [ -n "$TSIDP_DEBUG_TSNET" ]; then
-  ARGS="$ARGS -debug-tsnet"
-fi
-
-# Execute tsidp-server with the built arguments
-exec /tsidp-server $ARGS "$@"
\ No newline at end of file
diff --git a/tsidp-server.go b/tsidp-server.go
index 26ec132c2..0246e654c 100644
--- a/tsidp-server.go
+++ b/tsidp-server.go
@@ -19,6 +19,7 @@ import (
 	"net/http"
 	"os"
 	"os/signal"
+	"strconv"
 	"strings"
 	"time"
 
@@ -37,20 +38,20 @@ import (
 // Command line flags
 // Migrated from legacy/tsidp.go:64-73
 var (
-	flagPort = flag.Int("port", 443, "port to listen on")
-	flagLocalPort = flag.Int("local-port", -1, "allow requests from localhost")
-	flagUseLocalTailscaled = flag.Bool("use-local-tailscaled", false, "use local tailscaled instead of tsnet")
-	flagFunnel = flag.Bool("funnel", false, "use Tailscale Funnel to make tsidp available on the public internet")
-	flagHostname = flag.String("hostname", "idp", "tsnet hostname to use instead of idp")
-	flagDir = flag.String("dir", "", "tsnet state directory; a default one will be created if not provided")
-	flagEnableSTS = flag.Bool("enable-sts", false, "enable OIDC STS token exchange support")
+	flagPort = flag.Int("port", envInt("TSIDP_PORT", 443), "port to listen on")
+	flagLocalPort = flag.Int("local-port", envInt("TSIDP_LOCAL_PORT", -1), "allow requests from localhost")
+	flagUseLocalTailscaled = flag.Bool("use-local-tailscaled", envBool("TSIDP_USE_LOCAL_TAILSCALED", false), "use local tailscaled instead of tsnet")
+	flagFunnel = flag.Bool("funnel", envBool("TSIDP_USE_FUNNEL", false), "use Tailscale Funnel to make tsidp available on the public internet")
+	flagHostname = flag.String("hostname", envString("TS_HOSTNAME", "idp"), "tsnet hostname to use instead of idp")
+	flagDir = flag.String("dir", envString("TS_STATE_DIR", ""), "tsnet state directory; a default one will be created if not provided")
+	flagEnableSTS = flag.Bool("enable-sts", envBool("TSIDP_ENABLE_STS", false), "enable OIDC STS token exchange support")
 
 	// application logging levels
-	flagLogLevel = flag.String("log", "info", "log levels: debug, info, warn, error")
+	flagLogLevel = flag.String("log", envString("TSIDP_LOG", "info"), "log levels: debug, info, warn, error")
 
 	// extended debugging information
-	flagDebugAllRequests = flag.Bool("debug-all-requests", false, "capture and print all HTTP requests and responses")
-	flagDebugTSNet = flag.Bool("debug-tsnet", false, "enable tsnet.Server logging")
+	flagDebugAllRequests = flag.Bool("debug-all-requests", envBool("TSIDP_DEBUG_ALL_REQUESTS", false), "capture and print all HTTP requests and responses")
+	flagDebugTSNet = flag.Bool("debug-tsnet", envBool("TSIDP_DEBUG_TSNET", false), "enable tsnet.Server logging")
 )
 
 // main initializes and starts the tsidp server
@@ -345,3 +346,39 @@ func (rw *responseWrapper) Write(b []byte) (int, error) {
 	// Write to the original response writer
 	return rw.ResponseWriter.Write(b)
 }
+
+func envString(key, defaultVal string) string {
+	str := os.Getenv(key)
+	if str == "" {
+		return defaultVal
+	}
+	return str
+}
+
+func envBool(key string, defaultVal bool) bool {
+	str := os.Getenv(key)
+	if str == "" {
+		return defaultVal
+	}
+
+	v, err := strconv.ParseBool(str)
+	if err != nil {
+		slog.Error("invalid value for bool env", "key", key)
+		os.Exit(1)
+	}
+	return v
+}
+
+func envInt(key string, defaultVal int) int {
+	str := os.Getenv(key)
+	if str == "" {
+		return defaultVal
+	}
+
+	v, err := strconv.Atoi(str)
+	if err != nil {
+		slog.Error("invalid value for int env", "key", key)
+		os.Exit(1)
+	}
+	return v
+}
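Review bot: The usage strings in the var block do not name the environment variable that now seeds each default, so `-h` output gives an operator no hint that, for example, `TSIDP_USE_FUNNEL` alone is enough to publish the IdP via Funnel; append the variable to each usage string, e.g. `flag.Bool("funnel", envBool("TSIDP_USE_FUNNEL", false), "use Tailscale Funnel to make tsidp available on the public internet (env TSIDP_USE_FUNNEL)")`. The semantics of the boolean variables also change relative to the deleted run.sh, which enabled `-funnel`, `-enable-sts` and the debug flags for any non-empty value, whereas envBool now parses the value, so `TSIDP_USE_FUNNEL=false` flips from enabled to disabled; that is the safer reading but deserves a line in the commit message and the container docs. The `-log` default is taken from envString without the debug/info/warn/error allow-list the script enforced, so unless main (outside this hunk) validates flagLogLevel, an unknown level now reaches the logger setup instead of failing at startup.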
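Review bot: The error paths in envBool and envInt log only the key, so a misconfigured container exits 1 without saying what was rejected or why; include the parse error and, since these are ports and booleans rather than secrets, the value: `slog.Error("invalid value for bool env", "key", key, "value", str, "err", err)` and `slog.Error("invalid value for int env", "key", key, "value", str, "err", err)`. These helpers are evaluated during package-level var initialization, before main runs, so the os.Exit is acceptable but the three functions have no doc comments; something like `// envInt returns the integer value of the environment variable key, or defaultVal when it is unset; an unparsable value is fatal. Called at init, before flags are parsed.` on each would make that contract explicit. Neither helper trims whitespace, so a trailing space in a value such as TSIDP_PORT fails strconv.Atoi and aborts startup — probably fine, but consider `strings.TrimSpace` (strings is already imported) if compose files are a likely source.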