I want to run the Distrust server so I can turn Discourse into an OIDC provider for Forgejo. I’m following this guide.

I changed the container definition:

 templates:
   - "templates/postgres.template.yml"
   - "templates/redis.template.yml"
   - "templates/web.template.yml"
   ## Uncomment the next line to enable the IPv6 listener
   #- "templates/web.ipv6.template.yml"
   - "templates/web.ratelimited.template.yml"
   ## Uncomment these two lines if you wish to add Lets Encrypt (https)
-  - "templates/web.ssl.template.yml"
-  - "templates/web.letsencrypt.ssl.template.yml"
+  # - "templates/web.ssl.template.yml"
+  # - "templates/web.letsencrypt.ssl.template.yml"
+  ## NGINX sock
+  - "templates/web.socketed.template.yml"
 ## which TCP/IP ports should this container expose?
 ## If you want Discourse to share a port with another webserver like Apache or nginx,
 ## see https://meta.discourse.org/t/17247 for details
-expose:
-  - "80:80"   # http
-  - "443:443" # https
+#expose:
+#  - "80:80"   # http
+#  - "443:443" # https
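Review bot: with `expose:` commented out and both `templates/web.ssl.template.yml` and `templates/web.letsencrypt.ssl.template.yml` disabled, the container publishes no ports and terminates no TLS, so the only way in is the unix socket that `templates/web.socketed.template.yml` creates. The host nginx worker user therefore needs read and write access to that socket (and traverse access to `/var/discourse/shared/standalone`), and Discourse will only build https links if the host proxy keeps sending `X-Forwarded-Proto` in the `location /` block that fronts it.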

I rebuilt the service:

cd /var/discourse
./launcher rebuild app

I stopped the container:

cd /var/discourse
./launcher stop app

I installed nginx and certbot:

sudo apt-get update && sudo apt-get install nginx certbot python3-certbot-nginx

I created /etc/nginx/sites-available/forum.tsuki.games:

server {
    root /var/www/html;
 
    index index.html index.htm index.nginx-debian.html;
    server_name forum.tsuki.games;
 
    location / {
        proxy_pass http://unix:/var/discourse/shared/standalone/nginx.http.sock:;
        proxy_set_header Host $http_host;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

I enabled the site file for Discourse (and disabled the default one):

cd /etc/nginx/sites-enabled
unlink default
ln -s ../sites-available/forum.tsuki.games   # the site file created above (the guide's example name is discourse.example.com)

I enabled certbot:

certbot --nginx

Then I restarted Discourse:

cd /var/discourse
./launcher run app

That didn’t seem to work (I get a 502 error code), so I try reloading nginx:

service nginx reload

I’m still getting a 502, so I check /var/log/nginx/error.log:

2025/04/07 03:39:54 [crit] 11572#11572: *110 connect() to unix:/var/discourse/shared/standalone/nginx.http.sock failed (2: No such file or directory) while connecting to upstream, client: 73.162.167.54, server: forum.tsuki.games, request: "GET / HTTP/1.1", upstream: "http://unix:/var/discourse/shared/standalone/nginx.http.sock:/", host: "forum.tsuki.games"

Reading /var/discourse/templates/web.socketed.template.yml, I see:

run:
  - file:
     path: /etc/runit/1.d/remove-old-socket
     chmod: "+x"
     contents: |
        #!/bin/bash
        rm -f /shared/nginx.http*.sock
  - file:
     path: /etc/runit/3.d/remove-old-socket
     chmod: "+x"
     contents: |
        #!/bin/bash
        rm -rf /shared/nginx.http*.sock
  - replace:
     filename: "/etc/nginx/conf.d/discourse.conf"
     from: /listen 80;/
     to: |
       listen unix:/shared/nginx.http.sock;
       set_real_ip_from unix:;
  - replace:
     filename: "/etc/nginx/conf.d/discourse.conf"
     from: /listen 443 ssl;/
     to: |
       listen unix:/shared/nginx.https.sock ssl;
       set_real_ip_from unix:;

I notice that unix:/shared/nginx.http.sock ssl is not similar to the proxy_pass value in the nginx configuration, so I update that (which I notice now has a bunch of certbot stuff in it):

 server {
     root /var/www/html;
 
     index index.html index.htm index.nginx-debian.html;
     server_name forum.tsuki.games;
 
     location / {
-        proxy_pass http://unix:/var/discourse/shared/standalone/nginx.http.sock:;
+        proxy_pass http://unix:/var/discourse/shared/nginx.http.sock:;
         proxy_set_header Host $http_host;
         proxy_http_version 1.1;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto $scheme;
         proxy_set_header X-Real-IP $remote_addr;
     }
 
     listen 443 ssl; # managed by Certbot
     ssl_certificate /etc/letsencrypt/live/forum.tsuki.games/fullchain.pem; # managed by Certbot
     ssl_certificate_key /etc/letsencrypt/live/forum.tsuki.games/privkey.pem; # managed by Certbot
     include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
     ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
 }
 
 server {
     if ($host = forum.tsuki.games) {
         return 301 https://$host$request_uri;
     } # managed by Certbot
 
     server_name forum.tsuki.games;
     listen 80;
     return 404; # managed by Certbot
 }
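Review bot: the `+` line replaces a correct path with one that does not exist on the host: `/shared/nginx.http.sock` in web.socketed.template.yml is the path inside the container, and the launcher mounts the host's `/var/discourse/shared/standalone` at `/shared`, so `proxy_pass http://unix:/var/discourse/shared/standalone/nginx.http.sock:;` was already right. The `No such file or directory` in error.log means the socket had not been created yet (the container was stopped when nginx tried to connect), not that the path was wrong. The `ssl` on the template's second `listen` line belongs to `nginx.https.sock`, which is unused here because the host nginx terminates TLS.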

But that didn’t work either, so I revert the change. I try a rebuild for sanity:

cd /var/discourse
./launcher rebuild app
./launcher run app

And I reload nginx:

service nginx restart

But I accidentally typed in restart instead of reload, so I run reload:

service nginx reload

Now t/suki is working again!
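A small diagnostic for the 502 chased above, added here as an example and not taken from the post or from Discourse: it maps the in-container socket path from the template to the host path nginx must proxy to, then checks the socket exists, is a socket, and is usable by the nginx worker. It assumes the standard launcher volume (host /var/discourse/shared/standalone mounted as /shared in the container) and Debian/Ubuntu's www-data worker user.

```shell
#!/bin/sh
# Diagnostic for "connect() to unix:... failed (2: No such file or directory)" 502s.
# Assumptions (not from the post): launcher mounts HOST_SHARED at /shared inside the
# container; the host nginx workers run as NGINX_USER (www-data on Debian/Ubuntu).
HOST_SHARED="${HOST_SHARED:-/var/discourse/shared/standalone}"
NGINX_USER="${NGINX_USER:-www-data}"

# container_to_host_path /shared/nginx.http.sock
#   -> /var/discourse/shared/standalone/nginx.http.sock (host paths pass through)
container_to_host_path() {
    case "$1" in
        /shared/*) printf '%s/%s\n' "$HOST_SHARED" "${1#/shared/}" ;;
        *)         printf '%s\n' "$1" ;;
    esac
}

# check_socket PATH: 0 = usable, 2 = missing, 3 = exists but is not a socket,
# 4 = nginx worker user cannot open it (only tested when running as root)
check_socket() {
    p="$1"
    if [ ! -e "$p" ]; then
        echo "missing: $p (container not running, or socketed template not applied)" >&2
        return 2
    fi
    if [ ! -S "$p" ]; then
        echo "not a socket: $p" >&2
        return 3
    fi
    if [ "$(id -u)" -eq 0 ] && id "$NGINX_USER" >/dev/null 2>&1; then
        if ! su -s /bin/sh "$NGINX_USER" -c "test -r '$p' && test -w '$p'"; then
            echo "$NGINX_USER cannot open $p; fix mode/ownership of the socket and parent dirs" >&2
            return 4
        fi
    fi
    return 0
}

# probe_upstream PATH: fetch / through the socket and print the HTTP status (needs curl)
probe_upstream() {
    curl -sS -o /dev/null -w '%{http_code}' --unix-socket "$1" http://localhost/
}

if [ "${1:-}" = "--run" ]; then
    sock=$(container_to_host_path /shared/nginx.http.sock)
    check_socket "$sock" && echo "upstream status: $(probe_upstream "$sock")"
fi
```

Run it as root with `--run` after `./launcher start app`; a 2 means the container has not created the socket yet, a 4 means nginx can see it but cannot open it.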

Now I need to run distrust as a service. Beforehand, I had already copied a compiled version of distrust and its config to /var/distrust from my machine.

I know that in Arch Linux, this would involve writing a unit file for systemd. However, I have no idea how it works for Ubuntu. A cursory internet search indicates that Ubuntu does the same. So, I follow the official tutorial for creating a systemd unit file:

I create /etc/systemd/system/distrust.service:

[Unit]
Description=distrust

[Service]
Type=simple
WorkingDirectory=/var/distrust
ExecStart=/var/distrust/distrust
Restart=on-failure

[Install]
WantedBy=multi-user.target

And I start it:

sudo systemctl enable distrust
sudo systemctl start distrust

Then I update /etc/nginx/sites-available/forum.tsuki.games:

 server {
     root /var/www/html;
 
     index index.html index.htm index.nginx-debian.html;
     server_name forum.tsuki.games;
 
+    location /oauth2/ {
+        proxy_pass http://localhost:3000;
+        proxy_set_header Host $http_host;
+        proxy_http_version 1.1;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Real-IP $remote_addr;
+    }
    
     location / {
         proxy_pass http://unix:/var/discourse/shared/standalone/nginx.http.sock:;
         proxy_set_header Host $http_host;
         proxy_http_version 1.1;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto $scheme;
         proxy_set_header X-Real-IP $remote_addr;
     }
 
     listen 443 ssl; # managed by Certbot
     ssl_certificate /etc/letsencrypt/live/forum.tsuki.games/fullchain.pem; # managed by Certbot
     ssl_certificate_key /etc/letsencrypt/live/forum.tsuki.games/privkey.pem; # managed by Certbot
     include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
     ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
 }
 
 server {
     if ($host = forum.tsuki.games) {
         return 301 https://$host$request_uri;
     } # managed by Certbot
 
     server_name forum.tsuki.games;
     listen 80;
     return 404; # managed by Certbot
 }
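Review bot: `location /oauth2/` forwards everything under that prefix to `http://localhost:3000` in clear text on the loopback interface, so make sure distrust binds only to 127.0.0.1 (or ::1) and that port 3000 is not reachable from outside; otherwise the provider is accessible directly over plain HTTP, bypassing the TLS and the `X-Forwarded-Proto` header that the `https://forum.tsuki.games/oauth2/` issuer URL depends on. Also, `proxy_pass http://localhost:3000;` may resolve `localhost` to ::1 as well as 127.0.0.1; if distrust listens on IPv4 only, nginx can log failed connects to ::1 before succeeding, and `proxy_pass http://127.0.0.1:3000;` avoids that.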

Navigating to https://forum.tsuki.games/oauth2/.well-known/openid-configuration, it appears distrust is working now on HTTPS!

Following the distrust instructions and then the forgejo instructions results in a working login! Yaaaay!