diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8d487fd6..62e42104 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,7 +1,20 @@
 # Change Log
 
 ## UNRELEASED [x.y.z](https://github.com/davidalger/warden/tree/x.y.z) (yyyy-mm-dd)
-[All Commits](https://github.com/davidalger/warden/compare/0.2.0..develop)
+[All Commits](https://github.com/davidalger/warden/compare/0.2.1..develop)
+
+## Version [0.2.1](https://github.com/davidalger/warden/tree/0.2.1) (2020-01-30)
+[All Commits](https://github.com/davidalger/warden/compare/0.2.0..0.2.1)
+
+**Upgrade Notes:**
+
+If you're upgrading from version 0.1.x to 0.2.x for the first time, please reference upgrade notes for [Warden 0.2.0](https://docs.warden.dev/changelog.html#version-0-2-0-2020-01-27) and plan accordingly.
+
+**Enhancements:**
+
+* Added support for using `~/.warden/.env` to configure aspects of Global Services ([see docs for details](https://docs.warden.dev/services.html)) (issue [#13](https://github.com/davidalger/warden/issues/13))
+* Updated `sync start` to no longer call `mutagen daemon start` as Mutagen now does this automatically.
+* Updated `warden install` to include short hostname in the common name used when signing the Root CA used by Warden allowing easier identification and interoperability when a single user is running Warden across multiple workstations.
 
 ## Version [0.2.0](https://github.com/davidalger/warden/tree/0.2.0) (2020-01-27)
 [All Commits](https://github.com/davidalger/warden/compare/0.1.12..0.2.0)
diff --git a/commands/down.cmd b/commands/down.cmd
index b7a3c746..5579d3f2 100755
--- a/commands/down.cmd
+++ b/commands/down.cmd
@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
 [[ ! ${WARDEN_COMMAND} ]] && >&2 echo -e "\033[31mThis script is not intended to be run directly!" && exit 1
 
-pushd "${WARDEN_DIR}" >/dev/null
-docker-compose -p warden -f docker/docker-compose.yml down "${WARDEN_PARAMS[@]}" "$@"
+pushd "${WARDEN_HOME_DIR}" >/dev/null
+docker-compose -p warden -f "${WARDEN_DIR}/docker/docker-compose.yml" down "${WARDEN_PARAMS[@]}" "$@"
diff --git a/commands/install.cmd b/commands/install.cmd
index da1de392..8e88f3a9 100755
--- a/commands/install.cmd
+++ b/commands/install.cmd
@@ -26,12 +26,12 @@ if [[ ! -f "${WARDEN_SSL_DIR}/rootca/private/ca.key.pem" ]]; then
 fi
 
 if [[ ! -f "${WARDEN_SSL_DIR}/rootca/certs/ca.cert.pem" ]]; then
- echo "==> Signing root certificate (Warden Proxy Local CA)"
+ echo "==> Signing root certificate 'Warden Proxy Local CA ($(hostname -s))'"
 openssl req -new -x509 -days 7300 -sha256 -extensions v3_ca \
 -config "${WARDEN_DIR}/config/openssl/rootca.conf" \
 -key "${WARDEN_SSL_DIR}/rootca/private/ca.key.pem" \
 -out "${WARDEN_SSL_DIR}/rootca/certs/ca.cert.pem" \
- -subj "/C=US/O=Warden Proxy Local CA"
+ -subj "/C=US/O=Warden Proxy Local CA ($(hostname -s))"
 fi
 
 ## trust root ca differently on Fedora, Ubuntu and macOS
@@ -49,7 +49,7 @@ elif [[ "$OSTYPE" == "linux-gnu" ]] \
 && [[ ! -f /usr/local/share/ca-certificates/warden-proxy-local-ca.crt ]] \
 ## Ubuntu/Debian
 then
- echo "==> Trusting root certificate (requires sudo privileges)"
+ echo "==> Trusting root certificate (requires sudo privileges)"
 sudo cp "${WARDEN_SSL_DIR}/rootca/certs/ca.cert.pem" /usr/local/share/ca-certificates/warden-proxy-local-ca.crt
 sudo update-ca-certificates
 elif [[ "$OSTYPE" == "darwin"* ]] \
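Review bot: `pushd "${WARDEN_HOME_DIR}" >/dev/null` ignores failure, so if `WARDEN_HOME_DIR` is unset or the directory does not exist the script continues in the caller's working directory and `docker-compose` reads whatever `.env` happens to be there instead of `~/.warden/.env`, which the docs/services.md hunk says is the reason the project directory moved. The previous target `WARDEN_DIR` is the install tree the script itself lives in, which is presumably why an unchecked `pushd` was tolerable before. Suggest `pushd "${WARDEN_HOME_DIR}" >/dev/null || exit 1` here and in the identical lines of the restart.cmd, start.cmd, stop.cmd and second up.cmd hunks.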
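Review bot: `$(hostname -s)` is evaluated twice and never checked; on a host where the short-name lookup fails it prints nothing, leaving `Warden Proxy Local CA ()` baked into a root certificate valid for `-days 7300`. Capture it once before the `if` with a fallback and reuse it in both the message and `-subj`, e.g. `WARDEN_HOST_NAME="$(hostname -s 2>/dev/null)"` and then `-subj "/C=US/O=Warden Proxy Local CA (${WARDEN_HOST_NAME:-unknown})"`. Note also that the hostname lands in the O RDN, while the CHANGELOG entry calls it the common name; either adjust that wording or add a `/CN=` component if rootca.conf does not supply one (not visible here). Because generation is guarded by the `! -f ca.cert.pem` test, existing installs keep the old CA subject, which the changelog could mention.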
@@ -61,11 +61,6 @@ then
 -k /Library/Keychains/System.keychain "${WARDEN_SSL_DIR}/rootca/certs/ca.cert.pem"
 fi
 
-## sign certificate used by services run on warden.test sub-domains
-if [[ ! -f "${WARDEN_SSL_DIR}/certs/warden.test.crt.pem" ]]; then
- "${WARDEN_DIR}/bin/warden" sign-certificate warden.test
-fi
-
 ## configure resolver for .test domains; allow linux machines to prevent warden
 ## from touching dns configuration if need be since unlike macOS there is not
 ## support for resolving only *.test domains via /etc/resolver/test settings
diff --git a/commands/restart.cmd b/commands/restart.cmd
index 80d2393e..e970c32f 100755
--- a/commands/restart.cmd
+++ b/commands/restart.cmd
@@ -4,5 +4,5 @@ source "${WARDEN_DIR}/utils/install.sh"
 
 assertWardenInstall
 
-pushd "${WARDEN_DIR}" >/dev/null
-docker-compose -p warden -f docker/docker-compose.yml restart "${WARDEN_PARAMS[@]}" "$@"
+pushd "${WARDEN_HOME_DIR}" >/dev/null
+docker-compose -p warden -f "${WARDEN_DIR}/docker/docker-compose.yml" restart "${WARDEN_PARAMS[@]}" "$@"
diff --git a/commands/sign-certificate.cmd b/commands/sign-certificate.cmd
index c1c6a928..725c84fc 100755
--- a/commands/sign-certificate.cmd
+++ b/commands/sign-certificate.cmd
@@ -50,7 +50,8 @@ openssl x509 -req -days 365 -sha256 -extensions v3_req \
 -in "${WARDEN_SSL_DIR}/certs/${CERTIFICATE_NAME}.csr.pem" \
 -out "${WARDEN_SSL_DIR}/certs/${CERTIFICATE_NAME}.crt.pem"
 
-if [[ "$(cd "${WARDEN_DIR}" && docker-compose -p warden -f docker/docker-compose.yml ps -q traefik)" ]]; then
+if [[ "$(cd "${WARDEN_HOME_DIR}" && docker-compose -p warden -f "${WARDEN_DIR}/docker/docker-compose.yml" ps -q traefik)" ]]
+then
 echo "==> Updating traefik"
 "${WARDEN_DIR}/bin/warden" up traefik
 "${WARDEN_DIR}/bin/warden" restart traefik
diff --git a/commands/start.cmd b/commands/start.cmd
index 9cad7795..dd842daf 100755
--- a/commands/start.cmd
+++ b/commands/start.cmd
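Review bot: Moving `then` onto its own line in the sign-certificate.cmd hunk departs from the `if [[ … ]]; then` form every other shell hunk in this commit uses (install.cmd, up.cmd); keeping `]]; then` on the `if` line would stay consistent. Separately, when `cd "${WARDEN_HOME_DIR}"` fails inside the command substitution the `&&` short-circuits to an empty string, which this test reads as "traefik not running", so an unset or missing `WARDEN_HOME_DIR` silently skips the traefik update instead of reporting it. A `[[ -d "${WARDEN_HOME_DIR}" ]]` check with an error message ahead of this `if` would surface that case. The surrounding function or script body continues outside the hunk.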
@@ -4,5 +4,5 @@ source "${WARDEN_DIR}/utils/install.sh"
 
 assertWardenInstall
 
-pushd "${WARDEN_DIR}" >/dev/null
-docker-compose -p warden -f docker/docker-compose.yml start "${WARDEN_PARAMS[@]}" "$@"
+pushd "${WARDEN_HOME_DIR}" >/dev/null
+docker-compose -p warden -f "${WARDEN_DIR}/docker/docker-compose.yml" start "${WARDEN_PARAMS[@]}" "$@"
diff --git a/commands/stop.cmd b/commands/stop.cmd
index 2ca14018..a1c74510 100755
--- a/commands/stop.cmd
+++ b/commands/stop.cmd
@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
 [[ ! ${WARDEN_COMMAND} ]] && >&2 echo -e "\033[31mThis script is not intended to be run directly!" && exit 1
 
-pushd "${WARDEN_DIR}" >/dev/null
-docker-compose -p warden -f docker/docker-compose.yml stop "${WARDEN_PARAMS[@]}" "$@"
+pushd "${WARDEN_HOME_DIR}" >/dev/null
+docker-compose -p warden -f "${WARDEN_DIR}/docker/docker-compose.yml" stop "${WARDEN_PARAMS[@]}" "$@"
diff --git a/commands/sync.cmd b/commands/sync.cmd
index 04cd2a3f..c20136a9 100644
--- a/commands/sync.cmd
+++ b/commands/sync.cmd
@@ -43,9 +43,6 @@ fi
 ## sub-command execution
 case "${WARDEN_PARAMS[0]}" in
 start)
- ## start mutagen daemon if not already running
- mutagen daemon start
-
 ## terminate any existing sessions with matching env label
 mutagen sync terminate --label-selector "warden-sync=${WARDEN_ENV_NAME}"
 
diff --git a/commands/up.cmd b/commands/up.cmd
index 7432422a..f7c546bb 100755
--- a/commands/up.cmd
+++ b/commands/up.cmd
@@ -4,13 +4,29 @@ source "${WARDEN_DIR}/utils/install.sh"
 
 assertWardenInstall
 
+## sign certificate used by global services (by default warden.test)
+if [[ -f "${WARDEN_HOME_DIR}/.env" ]]; then
+ eval "$(grep "^WARDEN_SERVICE_DOMAIN" "${WARDEN_HOME_DIR}/.env")"
+fi
+
+WARDEN_SERVICE_DOMAIN="${WARDEN_SERVICE_DOMAIN:-warden.test}"
+if [[ ! -f "${WARDEN_SSL_DIR}/certs/${WARDEN_SERVICE_DOMAIN}.crt.pem" ]]; then
+ "${WARDEN_DIR}/bin/warden" sign-certificate "${WARDEN_SERVICE_DOMAIN}"
+fi
+
+## copy configuration files into location where they'll be mounted into containers from
 mkdir -p "${WARDEN_HOME_DIR}/etc/traefik"
 cp "${WARDEN_DIR}/config/traefik/traefik.yml" "${WARDEN_HOME_DIR}/etc/traefik/traefik.yml"
-cp "${WARDEN_DIR}/config/traefik/dynamic.yml" "${WARDEN_HOME_DIR}/etc/traefik/dynamic.yml"
 cp "${WARDEN_DIR}/config/dnsmasq.conf" "${WARDEN_HOME_DIR}/etc/dnsmasq.conf"
 
-cat >> "${WARDEN_HOME_DIR}/etc/traefik/dynamic.yml" <<-EOF
+## generate dynamic traefik ssl termination configuration
+cat > "${WARDEN_HOME_DIR}/etc/traefik/dynamic.yml" <<-EOF
 tls:
+ stores:
+ default:
+ defaultCertificate:
+ certFile: /etc/ssl/certs/${WARDEN_SERVICE_DOMAIN}.crt.pem
+ keyFile: /etc/ssl/certs/${WARDEN_SERVICE_DOMAIN}.key.pem
 certificates:
 EOF
 
@@ -21,5 +37,5 @@ for cert in $(find "${WARDEN_SSL_DIR}/certs" -type f -name "*.crt.pem" | sed -E
 EOF
 done
 
-pushd "${WARDEN_DIR}" >/dev/null
-docker-compose -p warden -f docker/docker-compose.yml up -d "${WARDEN_PARAMS[@]}" "$@"
+pushd "${WARDEN_HOME_DIR}" >/dev/null
+docker-compose -p warden -f "${WARDEN_DIR}/docker/docker-compose.yml" up -d "${WARDEN_PARAMS[@]}" "$@"
diff --git a/config/traefik/dynamic.yml b/config/traefik/dynamic.yml
deleted file mode 100644
index ccbf663f..00000000
--- a/config/traefik/dynamic.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-tls:
- stores:
- default:
- defaultCertificate:
- certFile: /etc/ssl/certs/warden.test.crt.pem
- keyFile: /etc/ssl/certs/warden.test.key.pem
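Review bot: `eval "$(grep "^WARDEN_SERVICE_DOMAIN" "${WARDEN_HOME_DIR}/.env")"` executes the matching line of `~/.warden/.env` as shell code, so a value containing `$(…)`, `;` or quotes, or any key that merely begins with `WARDEN_SERVICE_DOMAIN` (the pattern is not anchored on `=`), is run rather than read as data, and docker-compose's own `.env` parser will not interpret the same line the same way. The value then flows unvalidated into a filesystem path, the `sign-certificate` argument and the generated dynamic.yml, where a `/` or whitespace would break all three. Read the assignment as plain text and validate it against a hostname pattern before use, as sketched below. Since the variable is not exported, `docker-compose` later depends on reading the same `.env` itself from `~/.warden`, which is why the `pushd` at the end of this file has to succeed.
```bash
## sign certificate used by global services (by default warden.test)
if [[ -f "${WARDEN_HOME_DIR}/.env" ]]; then
  while IFS= read -r line || [[ -n "${line}" ]]; do
    if [[ "${line}" == WARDEN_SERVICE_DOMAIN=* ]]; then
      WARDEN_SERVICE_DOMAIN="${line#WARDEN_SERVICE_DOMAIN=}"
    fi
  done < "${WARDEN_HOME_DIR}/.env"
fi

WARDEN_SERVICE_DOMAIN="${WARDEN_SERVICE_DOMAIN:-warden.test}"
if [[ ! "${WARDEN_SERVICE_DOMAIN}" =~ ^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$ ]]; then
  >&2 echo -e "\033[31mInvalid WARDEN_SERVICE_DOMAIN in ${WARDEN_HOME_DIR}/.env: ${WARDEN_SERVICE_DOMAIN}"
  exit 1
fi
# … unchanged: certificate signing, config copy and dynamic.yml generation …
```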
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
index 34c53d02..98c483c3 100644
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@@ -2,10 +2,10 @@ version: "3.5"
 services:
 traefik:
 container_name: traefik
- image: traefik:2.1
+ image: traefik:${TRAEFIK_VERSION:-2.1}
 ports:
- - "127.0.0.1:80:80" # The HTTP port
- - "127.0.0.1:443:443" # The HTTPS port
+ - "${TRAEFIK_LISTEN:-127.0.0.1}:80:80" # The HTTP port
+ - "${TRAEFIK_LISTEN:-127.0.0.1}:443:443" # The HTTPS port
 volumes:
 - ~/.warden/etc/traefik/traefik.yml:/etc/traefik/traefik.yml
 - ~/.warden/etc/traefik/dynamic.yml:/etc/traefik/dynamic.yml
@@ -18,9 +18,9 @@ services:
 - traefik.http.routers.http-redirect.priority=1
 - traefik.http.middlewares.http-redirect.redirectscheme.scheme=https
 - traefik.http.routers.traefik.tls=true
- - traefik.http.routers.traefik.rule=Host(`traefik.warden.test`)
+ - traefik.http.routers.traefik.rule=Host(`traefik.${WARDEN_SERVICE_DOMAIN:-warden.test}`)
 - traefik.http.routers.traefik.service=api@internal
- restart: always
+ restart: ${WARDEN_RESTART_POLICY:-always}
 
 portainer:
 container_name: portainer
@@ -31,9 +31,9 @@ services:
 labels:
 - traefik.enable=true
 - traefik.http.routers.portainer.tls=true
- - traefik.http.routers.portainer.rule=Host(`portainer.warden.test`)
+ - traefik.http.routers.portainer.rule=Host(`portainer.${WARDEN_SERVICE_DOMAIN:-warden.test}`)
 - traefik.http.services.portainer.loadbalancer.server.port=9000
- restart: always
+ restart: ${WARDEN_RESTART_POLICY:-always}
 
 dnsmasq:
 container_name: dnsmasq
@@ -45,9 +45,9 @@ services:
 labels:
 - traefik.enable=true
 - traefik.http.routers.dnsmasq.tls=true
- - traefik.http.routers.dnsmasq.rule=Host(`dnsmasq.warden.test`)
+ - traefik.http.routers.dnsmasq.rule=Host(`dnsmasq.${WARDEN_SERVICE_DOMAIN:-warden.test}`)
 - traefik.http.services.dnsmasq.loadbalancer.server.port=8080
- restart: always
+ restart: ${WARDEN_RESTART_POLICY:-always}
 
 tunnel:
 container_name: tunnel
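Review bot: `image: traefik:${TRAEFIK_VERSION:-2.1}` in the first hunk introduces a third override alongside `TRAEFIK_LISTEN` and `WARDEN_RESTART_POLICY`, but the new "Customizable Settings" list in docs/services.md documents only those two; add a bullet for `TRAEFIK_VERSION=2.1` stating that it selects the Traefik image tag. The docs warning about `TRAEFIK_LISTEN=0.0.0.0` would also be more useful if it said what becomes reachable: with the dashboard router bound to `api@internal` and the portainer router both keyed only on a Host rule in these hunks, those admin UIs are exposed on the chosen interface along with the proxied projects. The remaining hunks (Host rules and `restart:` for portainer, dnsmasq and tunnel) are straightforward parameterisations and need no change.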
@@ -67,7 +67,7 @@ services:
 - SSH_USERS=user:2000:2000
 - TCP_FORWARDING=true
 
- restart: always
+ restart: ${WARDEN_RESTART_POLICY:-always}
 
 volumes:
 portainer:
diff --git a/docs/netlify.toml b/docs/netlify.toml
new file mode 100644
index 00000000..604e90b1
--- /dev/null
+++ b/docs/netlify.toml
@@ -0,0 +1,4 @@
+## As docs reference files outside build root; disable Netlify attempting to determine need for build.
+## https://docs.netlify.com/configure-builds/file-based-configuration/#ignore-builds
+[build]
+ ignore = "false"
diff --git a/docs/services.md b/docs/services.md
index af3fa57d..42ead6b1 100644
--- a/docs/services.md
+++ b/docs/services.md
@@ -5,3 +5,19 @@ After running `warden up` for the first time following installation, the followi
 * [https://traefik.warden.test/](https://traefik.warden.test/)
 * [https://portainer.warden.test/](https://portainer.warden.test/)
 * [https://dnsmasq.warden.test/](https://dnsmasq.warden.test/)
+
+### Customizable Settings
+
+When spinning up global services via `docker-compose` Warden uses `~/.warden` as the project directory allowing a `.env` placed at `~/.warden/.env` to function for overriding variables in the `docker-compose` configuration used to deploy these services.
+
+The following options are available (with default values indicated):
+
+* `TRAEFIK_LISTEN=127.0.0.1` may be set to `0.0.0.0` for example to have Traefik accept connections from other devices on the local network.
+* `WARDEN_RESTART_POLICY=always` may be set to `no` to prevent Docker from restarting these service containers or any other valid [restart policy](https://docs.docker.com/config/containers/start-containers-automatically/#use-a-restart-policy) value.
+* `WARDEN_SERVICE_DOMAIN=warden.test` may be set to a domain of your choosing if so desired. Please note that this will not currently change network settings or alter `dnsmasq` configuration. Any TLD other than `test` will require DNS resolution be manually configured.
+
+``` warning::
+ Setting ``TRAEFIK_LISTEN=0.0.0.0`` can be quite useful in some cases, but be aware that causing Traefik to listen for requests publicly poses a security risk when on public WiFi or networks otherwise outside of your control.
+```
+
+After changing settings in `~/.warden/.env`, please run `warden up` to apply.