Are values from SEQ_* environment variables persisted in Seq.json?

[mloskot]

I'm trying to understand the Seq configuration behaviour of overriding Seq.json properties with corresponding SEQ_* environment variables during initial run of Seq in container. (I build custom Windows container based on ServerCore with Seq 2025.2.x).

I found seemingly related discussion in #1923 where this part of #1923 (comment) seems to be exactly on the issue I'd like to understand:

Still no password data in Seq.json.

Issue

In my custom Dockerfile, I set the following environment variables:

ENV \
SEQ_DATA_PATH=C:\\ProgramData\\Seq \
SEQ_FIRSTRUN_ADMINUSERNAME=admin \
SEQ_FIRSTRUN_ADMINPASSWORD= \
SEQ_FIRSTRUN_NOAUTHENTICATION=true \
SEQ_FIRSTRUN_REQUIREAUTHENTICATIONFORHTTPINGESTION=true

In my PowerShell script of the entrypoint, before I run seq service install, I promote all the SEQ_* variables to the Machine scope to ensure they are available for the processes of the service:

Get-ChildItem -Path env: | Where-Object { $_.Name.StartsWith('SEQ_') } | ForEach-Object {
  [Environment]::SetEnvironmentVariable($_.Name, $_.Value, [EnvironmentVariableTarget]::Machine)
}

I run the container with the defaults

docker run -it --rm -p 5341:5341 `
  -e SEQ_DATA_PATH=C:\data\seq `
  -v ('{0}\data:{1}' -f $PSScriptRoot, 'C:\data') `
  seq/servercore:latest

The Seq startup logs seem to confirm my setup, in other words, my SEQ_FIRSTRUN_* environment variables are effective:

{"@t":"2025-07-15T08:31:27.3406605Z","@mt":"Using the supplied username {AdminUsername} for the default admin user","AdminUsername":"admin"}
{"@t":"2025-07-15T08:31:27.3413761Z","@mt":"Skipping authentication setup; `firstRun.noAuthentication` is specified","@l":"Warning"}
{"@t":"2025-07-15T08:31:27.3417859Z","@mt":"Requiring an API key for HTTP/S ingestion"}

and I can browse the Seq UI at http://localhost:5341 without the authentication, no password prompt for admin, as expected.

But, in the generated Seq.json file, I see this:

  "firstRun": {
    "adminPasswordHash": null,
    "adminPassword": null,
    "adminUsername": null,
    "requireAuthenticationForHttpIngestion": false,
    "noAuthentication": false
  },

Is this expected behaviour that, despite setting custom values via my SEQ_FIRSTRUN_* environment variables, these settings i.e. adminPassword, noAuthentication and requireAuthenticationForHttpIngestion are initialised/persisted with the Seq defaults in the Seq.json?

At first, I'd have expected the seq service install to generate Seq.json with values taken from my SEQ_* variables.

[liammclennan]

Hi @mloskot,

The behavior is described in https://datalust.co/docs/json-config.

Environment variables override Seq.json, and secret store settings override everything.

[mloskot]

Hi @liammclennan,
Thanks.
Yes, I have read that piece, but, to my simple mind, it misses explicit confirmation that the overriden settings are not persisted in the Seq.json, not even those overriden during the Seq initialisation.