Deployment
Configuration

All configuration is done through environment variables in the .env file at the root of your deployment directory. Docker Compose reads this file automatically — no --env-file flag is needed.

Variables marked required must be set before starting the containers. All others have defaults and are optional.

Project

These variables define the identity and access point of your rtCloud instance.

VariableDefaultRequiredDescription
PROJECT_IDYesUnique identifier for this deployment. No spaces or special characters. Used as a prefix for internal naming.
PROJECT_URLYesDomain name or IP address where users access the app (e.g., rtcloud.example.com or 192.168.1.100).
PROJECT_TYPErtsurveyNoPlatform variant to activate. Options: rtwork, rtsurvey, rthome.
PROJECT_PORT80NoPort the application listens on inside the container. Do not change unless you know what you are doing.
HTTP_PROTOCOLhttpsNoProtocol used to construct internal URLs. Set to http if you are not using SSL.

Database

MySQL connection credentials. The database is managed automatically by the MySQL container — you only need to set strong passwords.

VariableDefaultRequiredDescription
MYSQL_DATABASEsmartsurveyNoName of the application database.
MYSQL_USERsmartsurveyNoMySQL user for the application.
MYSQL_PASSWORDYesPassword for MYSQL_USER. Use a strong, unique value.
MYSQL_ROOT_PASSWORDYesMySQL root password. Required for database initialization and admin operations.
MYSQL_HOSTmysqlNoMySQL hostname. Use the default unless you are connecting to an external database.
MYSQL_PORT3306NoMySQL port.

Admin Account

The admin account is created automatically on the first boot of a fresh database.

VariableDefaultRequiredDescription
ADMIN_PASSWORDadminYesPassword for the built-in admin user. Set this before first boot. Has no effect if the database already exists.

After first login, change the admin password from the Account Settings page in the web UI.

Ports

Control which host ports the application binds to.

VariableDefaultDescription
APP_PORT8080Host port for the main web UI. Change this if port 8080 is already in use on your server.
SHINY_PORT3838Host port for the Shiny analytics server.

Runtime

VariableDefaultDescription
RUN_ENVprodRuntime environment. Use prod for production deployments, dev for local development.
RUN_MODEadminContainer role. admin runs the full stack (web + queue + cron). worker runs background processing only (for horizontal scaling).
TZAsia/Ho_Chi_MinhServer timezone. Affects log timestamps, cron schedules, and date display. Use a TZ database name (opens in a new tab) (e.g., UTC, America/New_York, Europe/London).
LOG_LEVELinfoApplication log verbosity. Options: debug, info, warning, error.
COMPOSE_PROJECT_NAMErtcloudPrefix applied to all Docker container and volume names. Change this when running multiple rtCloud instances on the same host.
RESTART_POLICYunless-stoppedDocker container restart behavior. Options: no, always, on-failure, unless-stopped.
RTCLOUD_IMAGErtawebteam/rta-smartsurvey:survey-dockerizeDocker image to use. Change the tag to pin a specific version.
REQUIRE_LICENSEfalseEnable license key validation on startup. Contact RTA for license information.

Security

VariableDefaultDescription
CSRF_VALIDATION_ENABLEDtrueEnable CSRF token validation. Keep this true in production. Set to false only in local development if you encounter 400 CSRF token could not be verified errors.
GII_ENABLEDfalseEnable the Yii framework code generator tool. Never enable in production.

SSO — Embedded Keycloak

Enable the bundled Keycloak container for full-featured enterprise SSO. Requires a domain with HTTPS.

VariableDefaultDescription
EMBED_KEYCLOAKfalseSet to true to start the embedded Keycloak container. Activates the embed-keycloak Docker Compose profile.
KEYCLOAK_URLFull URL of the Keycloak server (e.g., https://rtcloud.example.com/auth).
KEYCLOAK_REALMKeycloak realm name (e.g., rtsurvey).
KEYCLOAK_CLIENT_IDKeycloak client ID for the rtCloud application.
KEYCLOAK_CLIENT_SECRETKeycloak client secret. Generate this from the Keycloak admin console.
KEYCLOAK_ADMIN_USERadminKeycloak administrator username.
KEYCLOAK_ADMIN_PASSWORDKeycloak administrator password.
KEYCLOAK_DBkeycloakDatabase name for Keycloak. Created automatically on first boot.
KEYCLOAK_DB_USERkeycloakDatabase user for Keycloak.
KEYCLOAK_DB_PASSWORDDatabase password for the Keycloak user.
KC_HOSTNAMEKeycloak frontend URL (e.g., https://rtcloud.example.com/auth).
KC_HOSTNAME_STRICTfalseEnforce strict hostname matching. Set to true in production with a fixed domain.

See SSO Authentication for the complete setup guide.

SSO — External OIDC Provider

Connect to an existing OIDC-compatible identity provider (Supabase, Auth0, Authentik, Okta, etc.).

VariableDefaultDescription
OIDC_ISSUER_URLOIDC issuer discovery URL (e.g., https://accounts.google.com).
OIDC_CLIENT_IDClient ID registered in your identity provider.
OIDC_CLIENT_SECRETClient secret from your identity provider.
OIDC_SCOPEopenid profile emailSpace-separated list of OIDC scopes to request.
OIDC_REDIRECT_URICallback URL for the web app (e.g., https://rtcloud.example.com/auth/callback).
OIDC_MOBILE_CLIENT_IDSeparate client ID for the rtSurvey mobile app.
OIDC_MOBILE_REDIRECT_URIMobile app callback URI (e.g., vn.rta.rtsurvey.auth://callback).
OPEN_REGISTRATIONfalseAutomatically create rtCloud accounts for users who authenticate via OIDC for the first time.
OIDC_AUTHORIZATION_ENDPOINTOverride the authorization endpoint URL (leave blank to use discovery).
OIDC_TOKEN_ENDPOINTOverride the token endpoint URL (leave blank to use discovery).
OIDC_USERINFO_ENDPOINTOverride the userinfo endpoint URL (leave blank to use discovery).

SSO — Azure Active Directory

VariableDescription
AZURE_CLIENT_IDAzure AD application (client) ID.
AZURE_TENANT_IDAzure AD directory (tenant) ID.

Optional Integrations

Stata

VariableDefaultDescription
STATA_ENABLEDfalseEnable Stata statistical software integration for data analysis.
STATA_BIN_PATH/usr/bin/stataAbsolute path to the Stata binary inside the container.

Elasticsearch

VariableDescription
ES_HOSTElasticsearch host (e.g., http://elasticsearch:9200).
ES_PORTElasticsearch port.

Matomo Analytics

VariableDescription
PIWIK_URLMatomo (Piwik) server URL.
PIWIK_IDMatomo site ID.
PIWIK_SECRETMatomo authentication token.

OpenCPU (R Computation)

VariableDescription
OCPU_HOSTOpenCPU server URL for R-based statistical computation.

RtBox Integration

VariableDescription
RTBOX_HOSTRtBox service host URL.
RTBOX_USER_APIRtBox user API key.
RTBOX_BASIC_AUTHBasic authentication credentials for RtBox.

Matrix Messaging

VariableDescription
MATRIX_HOMESERVER_HOSTMatrix homeserver host.
MATRIX_HOMESERVER_PORTMatrix homeserver port.

Data Volumes

All application data is stored in named Docker volumes. Volumes are automatically created on first startup and persist across container restarts and updates.

VolumeMount PointContents
rtcloud_mysql_data/var/lib/mysqlMySQL database files
rtcloud_uploads…/uploadsFiles uploaded by survey respondents
rtcloud_audios…/audiosAudio recordings
rtcloud_downloads…/downloadsGenerated export files
rtcloud_gallery…/galleryGallery images
rtcloud_voicemail…/voicemailVoicemail recordings
rtcloud_analytics…/analyticsAnalytics data
rtcloud_aggregate…/aggregateAggregated survey results
rtcloud_converter…/converterData conversion outputs
rtcloud_shiny_data/srv/shiny-server/smartsurveyShiny server R scripts
rtcloud_shiny_logs/var/log/shiny-serverShiny server logs
rtcloud_assets…/assetsWeb assets (CSS, JS)
rtcloud_runtime…/protected/runtimeApplication runtime cache
rtcloud_cache…/cacheApplication cache
rtcloud_tmp…/tmpTemporary files

Volume names are prefixed by the value of COMPOSE_PROJECT_NAME (default: rtcloud).

List all volumes for your deployment:

docker volume ls | grep rtcloud
SSL SetupMaintenance