fix: discourse sso env vars, nginx proxy config, and setup docs

DISCOURSE_SETUP.md

@@ -0,0 +1,47 @@
+# Discourse Setup & Configuration Log
+
+This document tracks the manual configuration changes made to the `nexus-vector` server to get Discourse running with SSO and email delivery.
+
+## Server Details
+- **Host**: `nexus-vector` (216.158.230.94)
+- **Domain**: `forum.mtd.runfoo.run`
+- **Container**: `app` (Discourse)
+
+## Manual Configuration Changes
+
+### 1. Discourse Configuration (`/var/discourse/containers/app.yml`)
+The following changes were made to the default `app.yml` to resolve port conflicts and fix email delivery:
+
+- **Port Mapping**: Removed `443:443` to avoid conflict with the host's Traefik/Nginx. Discourse listens on port 80 internally.
+- **SSL**: Commented out internal Let's Encrypt templates (`templates/web.ssl.template.yml`, `templates/web.letsencrypt.ssl.template.yml`). SSL is terminated by the host's reverse proxy.
+- **SMTP Settings**:
+    - `DISCOURSE_SMTP_ADDRESS`: `216.158.230.94` (Host IP)
+    - `DISCOURSE_SMTP_PORT`: `25` (Switched from 587 to bypass TLS handshake issues)
+    - `DISCOURSE_SMTP_DOMAIN`: `mtd.runfoo.run`
+    - `DISCOURSE_NOTIFICATION_EMAIL`: `noreply@mtd.runfoo.run`
+    - `DISCOURSE_SMTP_OPENSSL_VERIFY_MODE`: `none` (Initially tried, but port 25 switch was the effective fix)
+
+### 2. Host Postfix Configuration (`/etc/postfix/main.cf`)
+To allow the Docker container to send emails via the host's Postfix instance:
+
+- **Relay Access**: Added Docker subnets to `mynetworks` to allow relaying.
+    - Added: `192.168.0.0/16` and `172.16.0.0/12`
+    - Command used: `sudo sed -i '/^mynetworks =/ s/$/ 192.168.0.0\/16 172.16.0.0\/12/' /etc/postfix/main.cf`
+    - Service reloaded: `sudo systemctl reload postfix`
+
+### 3. Admin User
+- **User**: `tenwest` (`tenwest@pm.me`)
+- **Creation**: Manually created and activated via Rails console due to initial email issues.
+    ```ruby
+    u = User.new(email: 'tenwest@pm.me', username: 'tenwest', password: '...', active: true, admin: true)
+    u.save!
+    ```
+
+### 4. SSO Configuration
+- **Status**: SSO was temporarily disabled (`enable_sso = false`) to allow local admin login.
+- **Next Steps**: Re-enable SSO in Discourse Admin UI -> Settings -> Login, pointing to the main application's SSO endpoint.
+
+## Deployment Commands
+- **Rebuild**: `cd /var/discourse && ./launcher rebuild app`
+- **Restart**: `cd /var/discourse && ./launcher restart app`
+- **Logs**: `docker logs -f app`

backend/docker-compose.gemini.yml

@@ -53,8 +53,10 @@ services:
       DATABASE_URL: postgresql://admin:${DB_PASSWORD:-gemini-test-password}@postgres:5432/morethanadiagnosis
       REDIS_URL: redis://:${REDIS_PASSWORD:-gemini-test-password}@redis:6379/0
       SECRET_KEY: ${SECRET_KEY:-gemini-test-secret}
-      CORS_ORIGINS: '["http://localhost:3001", "http://localhost:8081", "http://216.158.230.94:8081"]'
+      CORS_ORIGINS: '["http://localhost:3001", "http://localhost:8081", "http://216.158.230.94:8081", "https://mtd.runfoo.run", "https://www.mtd.runfoo.run"]'
       LOG_LEVEL: DEBUG
+      DISCOURSE_URL: https://forum.mtd.runfoo.run
+      DISCOURSE_SSO_SECRET: gemini-test-sso-secret
     ports:
       - "8001:8000"
     depends_on:
@@ -78,7 +80,7 @@ services:
       context: ../web
       dockerfile: Dockerfile
       args:
-        NEXT_PUBLIC_API_BASE_URL: http://216.158.230.94:8001/api/v1
+        NEXT_PUBLIC_API_BASE_URL: https://mtd.runfoo.run/api/v1
     container_name: mtad-web-gemini
     restart: unless-stopped
     expose:
@@ -88,14 +90,14 @@ services:
     depends_on:
       - api
     environment:
-      NEXT_PUBLIC_API_BASE_URL: http://216.158.230.94:8001/api/v1
+      NEXT_PUBLIC_API_BASE_URL: https://mtd.runfoo.run/api/v1
 
   nginx:
     image: nginx:alpine
     container_name: mtad-nginx-gemini
     restart: unless-stopped
     ports:
-      - "8081:80"
+      - "80:80"
       # - "8443:443" # SSL disabled for gemini test to avoid cert conflicts
     volumes:
       - ./nginx.gemini.conf:/etc/nginx/nginx.conf:ro
@@ -106,7 +108,7 @@ services:
     depends_on:
       - api
     healthcheck:
-      test: [ "CMD", "wget", "--quiet", "--tries=1", "--spider", "http://localhost:8080/health" ]
+      test: [ "CMD", "wget", "--quiet", "--tries=1", "--spider", "http://localhost:80/health" ]
       interval: 30s
       timeout: 10s
       retries: 3

backend/nginx.gemini.conf

@@ -41,10 +41,14 @@ http {
         keepalive 32;
     }
 
-    # HTTP server - Gemini Test Deployment
     server {
         listen 80;
-        server_name _; # Catch all
+        server_name mtd.runfoo.run www.mtd.runfoo.run;
+
+        # Force HTTPS (Cloudflare passes X-Forwarded-Proto)
+        if ($http_x_forwarded_proto = "http") {
+            return 301 https://$host$request_uri;
+        }
 
         # Proxy frontend requests to Next.js service
         location / {
@@ -97,4 +101,18 @@ http {
             add_header Content-Type text/plain;
         }
     }
+
+    # Forum Gateway
+    server {
+        listen 80;
+        server_name forum.mtd.runfoo.run;
+
+        location / {
+            proxy_pass http://app:80; # Proxy to Discourse container on internal network
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+        }
+    }
 }