diff --git a/Dockerfile-test b/Dockerfile-test
index 8c099cecb06..b46a7be7cae 100644
--- a/Dockerfile-test
+++ b/Dockerfile-test
@@ -27,9 +27,9 @@ WORKDIR /go/src/github.com/square/ghostunnel
 ENV GHOSTUNNEL_TEST_PKCS11=true
 # Set params for PKCS11 module
-ENV PKCS11_MODULE=/usr/lib/softhsm/libsofthsm2.so
-ENV PKCS11_LABEL=ghostunnel-pkcs11-test
-ENV PKCS11_PIN=1234
+ENV GHOSTUNNEL_TEST_PKCS11_MODULE=/usr/lib/softhsm/libsofthsm2.so
+ENV GHOSTUNNEL_TEST_PKCS11_LABEL=ghostunnel-pkcs11-test
+ENV GHOSTUNNEL_TEST_PKCS11_PIN=1234
 # Set SoftHSM config file
 ENV SOFTHSM2_CONF=/etc/softhsm/softhsm2.conf
diff --git a/Makefile b/Makefile
index 6a3a250b594..3381f134b80 100644
--- a/Makefile
+++ b/Makefile
@@ -19,8 +19,8 @@ $(INTEGRATION_TESTS): ghostunnel.test
 @cd tests && ./runner.py $@
 softhsm-import:
- softhsm2-util --init-token --slot 0 --label ${PKCS11_LABEL} --so-pin ${PKCS11_PIN} --pin ${PKCS11_PIN}
- softhsm2-util --id 01 --token ${PKCS11_LABEL} --label ${PKCS11_LABEL} --import test-keys/server.pkcs8.key --so-pin ${PKCS11_PIN} --pin ${PKCS11_PIN}
+ softhsm2-util --init-token --slot 0 --label ${GHOSTUNNEL_TEST_PKCS11_LABEL} --so-pin ${GHOSTUNNEL_TEST_PKCS11_PIN} --pin ${GHOSTUNNEL_TEST_PKCS11_PIN}
+ softhsm2-util --id 01 --token ${GHOSTUNNEL_TEST_PKCS11_LABEL} --label ${GHOSTUNNEL_TEST_PKCS11_LABEL} --import test-keys/server.pkcs8.key --so-pin ${GHOSTUNNEL_TEST_PKCS11_PIN} --pin ${GHOSTUNNEL_TEST_PKCS11_PIN}
 docker-build:
 docker build -t squareup/ghostunnel .
@@ -29,7 +29,7 @@ docker-test-build:
 docker build --build-arg GO_VERSION=${GO_VERSION} -t squareup/ghostunnel-test -f Dockerfile-test .
 docker-test-run:
- docker run -v /dev/log:/dev/log -v ${PWD}:/go/src/github.com/square/ghostunnel squareup/ghostunnel-test
+ docker run -v ${PWD}:/go/src/github.com/square/ghostunnel squareup/ghostunnel-test
 docker-test: docker-test-build docker-test-run
diff --git a/main.go b/main.go
index 59f86f8d0a5..ec44d700a31 100644
--- a/main.go
+++ b/main.go
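Review bot: With `-v /dev/log:/dev/log` removed from `docker-test-run`, nothing in the Makefile records that the test container now runs without a syslog socket. `TestInitLoggerSyslog` in main_test.go appears to tolerate that failure (its comment mentions containers without syslog; the branch body is outside the visible hunk), so under `make docker-test` the syslog success path of `initLogger` is presumably never exercised. Not sharing the host's log socket with the container is the safer default, but it deserves a comment above the target, for example `# /dev/log is deliberately not mounted; the syslog success path is only tested on hosts that provide syslog.`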
@@ -92,7 +92,6 @@ var (
 // Status & logging
 statusAddress = app.Flag("status", "Enable serving /_status and /_metrics on given HOST:PORT (or unix:SOCKET).").PlaceHolder("ADDR").String()
 enableProf = app.Flag("enable-pprof", "Enable serving /debug/pprof endpoints alongside /_status (for profiling).").Bool()
- useSyslog = app.Flag("syslog", "Send logs to syslog instead of stderr (not supported on Windows).").Bool()
 )
 var exitFunc = os.Exit
@@ -115,11 +114,11 @@ type Dialer interface {
 // Global logger instance
 var logger = log.New(os.Stderr, "", log.LstdFlags|log.Lmicroseconds)
-func initLogger() (err error) {
+func initLogger(syslog bool) (err error) {
 // If user has indicated request for syslog, override default stderr
 // logger with a syslog one instead. This can fail, e.g. in containers
 // that don't have syslog available.
- if *useSyslog {
+ if syslog {
 var syslogWriter gsyslog.Syslogger
 syslogWriter, err = gsyslog.NewLogger(gsyslog.LOG_INFO, "DAEMON", "")
 if err == nil {
@@ -219,7 +218,7 @@ func run(args []string) error {
 command := kingpin.MustParse(app.Parse(args))
 // Logger
- err := initLogger()
+ err := initLogger(useSyslog())
 if err != nil {
 fmt.Fprintf(os.Stderr, "error initializing logger: %s\n", err)
 os.Exit(1)
diff --git a/main_test.go b/main_test.go
index 77d43edab8c..53197ae402d 100644
--- a/main_test.go
+++ b/main_test.go
@@ -81,10 +81,8 @@ func TestIntegrationMain(t *testing.T) {
 }
 func TestInitLoggerSyslog(t *testing.T) {
- *useSyslog = true
- defer func() { *useSyslog = false }()
 originalLogger := logger
- err := initLogger()
+ err := initLogger(true)
 updatedLogger := logger
 if err != nil {
 // Tests running in containers often don't have access to syslog,
diff --git a/tests/test-server-pkcs11-module.py b/tests/test-server-pkcs11-module.py
index bae6f3952e5..727eb827e13 100755
--- a/tests/test-server-pkcs11-module.py
+++ b/tests/test-server-pkcs11-module.py
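Review bot: `initLogger` now receives its decision as a parameter but still has no doc comment, and the comment inside it still talks about what the user requested although the caller now decides. A doc comment such as `// initLogger swaps the global stderr logger for a syslog one when syslog is true and returns the gsyslog error if that fails.` would state the contract; the function body continues past the end of the hunk, so the success branch should be checked against that wording. The parameter name `syslog` is also easy to confuse with the `gsyslog` package used two lines below, so a name like `toSyslog` would read more clearly.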
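Review bot: `TestInitLoggerSyslog` calls `initLogger(true)`, which can replace the package-level `logger`, and nothing in the visible lines restores it when the test ends. The removed `defer` only reset the flag, so unless the part of the test outside this hunk puts `originalLogger` back, later tests in the package would log to syslog instead of stderr. Adding `defer func() { logger = originalLogger }()` right after `originalLogger := logger` keeps the test self-contained.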
@@ -17,9 +17,9 @@
 # hack: point target to STATUS_PORT so that /_status doesn't 503.
 ghostunnel = run_ghostunnel(['server', '--listen={0}:13001'.format(LOCALHOST), '--target={0}:{1}'.format(LOCALHOST, STATUS_PORT), '--keystore=../test-keys/server.crt',
- '--pkcs11-module={0}'.format(os.environ['PKCS11_MODULE']),
- '--pkcs11-token-label={0}'.format(os.environ['PKCS11_LABEL']),
- '--pkcs11-pin={0}'.format(os.environ['PKCS11_PIN']),
+ '--pkcs11-module={0}'.format(os.environ['GHOSTUNNEL_TEST_PKCS11_MODULE']),
+ '--pkcs11-token-label={0}'.format(os.environ['GHOSTUNNEL_TEST_PKCS11_LABEL']),
+ '--pkcs11-pin={0}'.format(os.environ['GHOSTUNNEL_TEST_PKCS11_PIN']),
 '--cacert=../test-keys/root.crt', '--allow-ou=client', '--status={0}:{1}'.format(LOCALHOST, STATUS_PORT)])
diff --git a/tls_cgo.go b/tls_cgo.go
index 9e358473ad4..4fec979aa83 100644
--- a/tls_cgo.go
+++ b/tls_cgo.go
@@ -25,9 +25,9 @@ import (
 )
 var (
- pkcs11Module = app.Flag("pkcs11-module", "Path to PKCS11 module (SO) file (optional)").PlaceHolder("PATH").ExistingFile()
- pkcs11TokenLabel = app.Flag("pkcs11-token-label", "Token label for slot/key in PKCS11 module (optional)").PlaceHolder("LABEL").String()
- pkcs11PIN = app.Flag("pkcs11-pin", "PIN code for slot/key in PKCS11 module (optional)").PlaceHolder("PIN").String()
+ pkcs11Module = app.Flag("pkcs11-module", "Path to PKCS11 module (SO) file (optional).").Envar("PKCS11_MODULE").PlaceHolder("PATH").ExistingFile()
+ pkcs11TokenLabel = app.Flag("pkcs11-token-label", "Token label for slot/key in PKCS11 module (optional).").Envar("PKCS11_TOKEN_LABEL").PlaceHolder("LABEL").String()
+ pkcs11PIN = app.Flag("pkcs11-pin", "PIN code for slot/key in PKCS11 module (optional).").Envar("PKCS11_PIN").PlaceHolder("PIN").String()
 )
 func newPKCS11(pubkey crypto.PublicKey) (crypto.PrivateKey, error) {
diff --git a/signals_unix.go b/unix.go
similarity index 85%
rename from signals_unix.go
rename to unix.go
index b05f30e7aa8..172266560a0 100644
--- a/signals_unix.go
+++ b/unix.go
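Review bot: The new `.Envar("PKCS11_MODULE")`, `.Envar("PKCS11_TOKEN_LABEL")` and `.Envar("PKCS11_PIN")` bindings use unprefixed names, so ghostunnel will pick up whatever the surrounding environment exports under them, which is the same collision this commit sidesteps in the test harness by renaming its variables to `GHOSTUNNEL_TEST_PKCS11_*`. Since `--pkcs11-module` names a shared object that is presumably loaded into the process, a namespaced binding such as `.Envar("GHOSTUNNEL_PKCS11_MODULE")` (exact name for the maintainers to choose) would be the more careful default. The block also lacks a comment saying why the environment path exists; something like `// The PIN can be supplied through the environment so that it does not appear in the process argument list.` would help, if that is the intent. None of the visible tests cover the environment path: tests/test-server-pkcs11-module.py still passes all three values as flags.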
@@ -26,4 +26,9 @@ import (
 var (
 shutdownSignals = []os.Signal{syscall.SIGINT, syscall.SIGTERM}
 refreshSignals = []os.Signal{syscall.SIGUSR1}
+ syslogFlag = app.Flag("syslog", "Send logs to syslog instead of stderr.").Bool()
 )
+
+func useSyslog() bool {
+ return *syslogFlag
+}
diff --git a/signals_windows.go b/windows.go
similarity index 94%
rename from signals_windows.go
rename to windows.go
index 50f0ab4a494..d288e836512 100644
--- a/signals_windows.go
+++ b/windows.go
@@ -26,3 +26,7 @@ var (
 shutdownSignals = []os.Signal{os.Interrupt}
 refreshSignals = []os.Signal{ /* Not supported on Windows */ }
 )
+
+func useSyslog() bool {
+ return false
+}
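Review bot: `useSyslog` and `syslogFlag` are added without any comment explaining that the `--syslog` flag is now registered only in this file, so on Windows the flag no longer exists at all. A doc comment such as `// useSyslog reports whether --syslog was given; the Windows build has no such flag and always returns false.` would make the split visible from either file. A Windows invocation that passes `--syslog` would presumably now be rejected by the flag parser instead of reaching `initLogger`, which is worth a line in the user-facing documentation.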
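Review bot: Renaming signals_windows.go to windows.go drops the `_windows` filename suffix, which is what made the Go toolchain compile the file only for GOOS=windows; a file named just `windows.go` gets no implicit constraint. The top of the file is outside this hunk, so please confirm it carries an explicit `//go:build windows` (or `// +build windows`) line and that unix.go has the matching `!windows` constraint. Without them both definitions of `useSyslog`, `shutdownSignals` and `refreshSignals` would be compiled together and the build would fail with redeclaration errors.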