diff --git a/internal/cmd/server.go b/internal/cmd/server.go
index d6a6cd7..4bc902e 100644
--- a/internal/cmd/server.go
+++ b/internal/cmd/server.go
@@ -4,6 +4,7 @@ import (
 	"github.com/jsiebens/ionscale/internal/config"
 	"github.com/jsiebens/ionscale/internal/server"
 	"github.com/muesli/coral"
+	"time"
 )
 
 func serverCommand() *coral.Command {
@@ -13,13 +14,15 @@ func serverCommand() *coral.Command {
 		SilenceUsage: true,
 	}
 
+	var cbf = configByFlags{}
 	var configFile string
 
+	cbf.prepareCommand(command)
 	command.Flags().StringVarP(&configFile, "config", "c", "", "Path to the configuration file.")
 
 	command.RunE = func(command *coral.Command, args []string) error {
 
-		c, err := config.LoadConfig(configFile)
+		c, err := config.LoadConfig(configFile, &cbf.c)
 		if err != nil {
 			return err
 		}
@@ -29,3 +32,44 @@ func serverCommand() *coral.Command {
 
 	return command
 }
+
+type configByFlags struct {
+	c config.Config
+}
+
+func (c *configByFlags) prepareCommand(cmd *coral.Command) {
+	cmd.Flags().StringVar(&c.c.HttpListenAddr, "http-listen-addr", "", "")
+	cmd.Flags().StringVar(&c.c.HttpsListenAddr, "https-listen-addr", "", "")
+	cmd.Flags().StringVar(&c.c.MetricsListenAddr, "metrics-listen-addr", "", "")
+	cmd.Flags().StringVar(&c.c.ServerUrl, "server-url", "", "")
+
+	cmd.Flags().BoolVar(&c.c.Tls.Disable, "tls-disable", false, "")
+	cmd.Flags().BoolVar(&c.c.Tls.ForceHttps, "tls-force-https", true, "")
+	cmd.Flags().StringVar(&c.c.Tls.CertFile, "tls-cert-file", "", "")
+	cmd.Flags().StringVar(&c.c.Tls.KeyFile, "tls-key-file", "", "")
+	cmd.Flags().BoolVar(&c.c.Tls.AcmeEnabled, "tls-acme", false, "")
+	cmd.Flags().StringVar(&c.c.Tls.AcmeEmail, "tls-acme-email", "", "")
+	cmd.Flags().StringVar(&c.c.Tls.AcmeCA, "tls-acme-ca", "", "")
+	cmd.Flags().StringVar(&c.c.Tls.AcmePath, "tls-acme-path", "", "")
+
+	cmd.Flags().DurationVar(&c.c.PollNet.KeepAliveInterval, "poll-net-keep-alive-interval", 1*time.Minute, "")
+
+	cmd.Flags().StringVar(&c.c.Keys.SystemAdminKey, "system-admin-key", "", "")
+	cmd.Flags().StringVar(&c.c.Keys.ControlKey, "control-key", "", "")
+	cmd.Flags().StringVar(&c.c.Keys.LegacyControlKey, "legacy-control-key", "", "")
+
+	cmd.Flags().StringVar(&c.c.Database.Type, "database-type", "", "")
+	cmd.Flags().StringVar(&c.c.Database.Url, "database-url", "", "")
+
+	cmd.Flags().StringVar(&c.c.AuthProvider.Issuer, "auth-provider-issuer", "", "")
+	cmd.Flags().StringVar(&c.c.AuthProvider.ClientID, "auth-provider-client-id", "", "")
+	cmd.Flags().StringVar(&c.c.AuthProvider.ClientSecret, "auth-provider-client-secret", "", "")
+	cmd.Flags().StringSliceVar(&c.c.AuthProvider.Scopes, "auth-provider-additional-scopes", []string{}, "")
+	cmd.Flags().StringSliceVar(&c.c.AuthProvider.SystemAdminPolicy.Subs, "auth-provider-system-admins-subs", []string{}, "")
+	cmd.Flags().StringSliceVar(&c.c.AuthProvider.SystemAdminPolicy.Emails, "auth-provider-system-admins-emails", []string{}, "")
+	cmd.Flags().StringSliceVar(&c.c.AuthProvider.SystemAdminPolicy.Filters, "auth-provider-system-admins-filters", []string{}, "")
+
+	cmd.Flags().StringVar(&c.c.Logging.Level, "logging-level", "", "")
+	cmd.Flags().StringVar(&c.c.Logging.Format, "logging-format", "", "")
+	cmd.Flags().StringVar(&c.c.Logging.File, "logging-file", "", "")
+}
diff --git a/internal/config/config.go b/internal/config/config.go
index f6c22bd..acd85ef 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -20,7 +20,7 @@ var (
 	KeepAliveInterval = 1 * time.Minute
 )
 
-func LoadConfig(path string) (*Config, error) {
+func LoadConfig(path string, flagsCfg *Config) (*Config, error) {
 	cfg := defaultConfig()
 
 	if len(path) != 0 {
@@ -49,6 +49,11 @@ func LoadConfig(path string) (*Config, error) {
 		return nil, err
 	}
 
+	// merge flag configuration on top of the default/file configuration
+	if err := mergo.Merge(cfg, flagsCfg, mergo.WithOverride); err != nil {
+		return nil, err
+	}
+
 	// merge env configuration on top of the default/file configuration
 	if err := mergo.Merge(cfg, envCfg, mergo.WithOverride); err != nil {
 		return nil, err
@@ -134,13 +139,13 @@ type AuthProvider struct {
 	ClientID          string            `yaml:"client_id" env:"CLIENT_ID"`
 	ClientSecret      string            `yaml:"client_secret" env:"CLIENT_SECRET"`
 	Scopes            []string          `yaml:"additional_scopes" env:"ADDITIONAL_SCOPES"`
-	SystemAdminPolicy SystemAdminPolicy `yaml:"system_admins"`
+	SystemAdminPolicy SystemAdminPolicy `yaml:"system_admins" envPrefix:"SYSTEM_ADMINS_"`
 }
 
 type SystemAdminPolicy struct {
-	Subs    []string `json:"subs,omitempty"`
-	Emails  []string `json:"emails,omitempty"`
-	Filters []string `json:"filters,omitempty"`
+	Subs    []string `json:"subs,omitempty" env:"SUBS"`
+	Emails  []string `json:"emails,omitempty" env:"EMAILS"`
+	Filters []string `json:"filters,omitempty" env:"FILTERS"`
 }
 
 func (c *Config) CreateUrl(format string, a ...interface{}) string {