
ECS/Fargate deployment: privileged ports, no way to disable optional services, NGINX_PORT undocumented #315

@mdwt

Description


When deploying Plunk to AWS ECS Fargate, several issues arise because the container runs as non-root user plunk (uid 1001):

  1. Wiki (port 1000) and SMTP (ports 465/587) crash-loop on privileged ports

Fargate containers run as non-root by default. Ports below 1024 require root or CAP_NET_BIND_SERVICE. The wiki hardcodes port 1000 and SMTP hardcodes 465/587 in the PM2 ecosystem config (docker-entrypoint-nginx.sh), causing immediate EACCES: permission denied crash-loops.

These ports are not configurable via environment variables.

  2. No way to disable optional services

The SERVICE env var only supports api, worker, web, and all. When running SERVICE=all (required for the nginx reverse proxy setup), all 7 services start unconditionally — including wiki and SMTP which may not be needed.

There's no DISABLE_SMTP or DISABLE_WIKI env var to skip them. The crash-loops are cosmetic (PM2 keeps restarting them without killing healthy services), but they waste resources and pollute logs.

  3. Nginx port 80 also fails as non-root

NGINX_PORT env var exists in setup-nginx.sh and works, but it's not documented anywhere. Users deploying to non-root environments have no way to discover it. Also, NGINX_PORT can't be set to 8080 because the API upstream already uses that port — this conflict isn't obvious.

  4. NEXT_PUBLIC_* env vars not inlined by Turbopack

The Dockerfile passes NEXT_PUBLIC_API_URI etc. at build time, but Turbopack (Next.js 15) doesn't inline them into client-side JS bundles. The built output contains:

let uf = process.env.NEXT_PUBLIC_API_URI || "http://localhost:8080"

Instead of the expected inlined value. The process.env reference works server-side but falls back to localhost:8080 in the browser. The sed replacement in replace-urls-optimized.sh expects the placeholder URL to be baked in, so it finds nothing to replace in client chunks.

Suggested fixes

  1. Make wiki and SMTP ports configurable via WIKI_PORT and SMTP_PORT env vars (default to current values for backwards compat)
  2. Add DISABLE_SMTP and DISABLE_WIKI env vars to conditionally exclude them from the PM2 ecosystem
  3. Document NGINX_PORT in self-hosting docs and note the port 8080 conflict with the API upstream
  4. Add env block to next.config.js for all Next.js apps to force Turbopack to inline NEXT_PUBLIC_* vars at build time:
     env: {
       NEXT_PUBLIC_API_URI: process.env.NEXT_PUBLIC_API_URI,
       NEXT_PUBLIC_DASHBOARD_URI: process.env.NEXT_PUBLIC_DASHBOARD_URI,
       NEXT_PUBLIC_LANDING_URI: process.env.NEXT_PUBLIC_LANDING_URI,
       NEXT_PUBLIC_WIKI_URI: process.env.NEXT_PUBLIC_WIKI_URI,
     }

Environment

  • AWS ECS Fargate (linux/amd64)
  • Plunk Docker image built from next branch
  • Container runs as non-root user plunk (uid 1001)
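An added example (not Plunk's own code) showing how suggested fixes 1 and 2 could look in a PM2 ecosystem builder: WIKI_PORT and SMTP_PORT become configurable with the current values as defaults, DISABLE_WIKI and DISABLE_SMTP drop those apps from the process list, and the builder fails fast with a clear message instead of crash-looping when a privileged port or the NGINX_PORT/8080 upstream conflict would break a non-root container. The app names and script paths are hypothetical placeholders.

```javascript
// Hypothetical PM2 ecosystem builder for a non-root (uid 1001) container.
// App names and script paths are placeholders, not Plunk's real layout.
const API_PORT = 8080;              // API upstream port named in the issue
const PRIVILEGED_PORT_LIMIT = 1024; // below this needs root or CAP_NET_BIND_SERVICE

function isTruthy(value) {
  return ['1', 'true', 'yes'].includes(String(value ?? '').toLowerCase());
}

// Resolve a port from the environment, falling back to the historical default,
// and reject privileged ports up front when the process is not root.
function parsePort(name, value, fallback, { nonRoot }) {
  const port = value === undefined || value === '' ? fallback : Number(value);
  if (!Number.isInteger(port) || port < 1 || port > 65535) {
    throw new Error(`${name}=${value} is not a valid TCP port`);
  }
  if (nonRoot && port < PRIVILEGED_PORT_LIMIT) {
    throw new Error(`${name}=${port} is privileged; running as non-root, set ${name} >= ${PRIVILEGED_PORT_LIMIT}`);
  }
  return port;
}

function buildEcosystem(env, { nonRoot = typeof process.getuid === 'function' ? process.getuid() !== 0 : true } = {}) {
  const apps = [
    { name: 'api', script: 'apps/api/dist/main.js', env: { PORT: API_PORT } },
    { name: 'worker', script: 'apps/worker/dist/main.js' },
  ];
  // NGINX_PORT defaults to 80 (fails as non-root) and must not collide with the API upstream.
  const nginxPort = parsePort('NGINX_PORT', env.NGINX_PORT, 80, { nonRoot });
  if (nginxPort === API_PORT) {
    throw new Error(`NGINX_PORT=${nginxPort} collides with the API upstream on ${API_PORT}`);
  }
  // Optional services: skipped entirely when disabled, so PM2 never restarts a doomed process.
  if (!isTruthy(env.DISABLE_WIKI)) {
    const wikiPort = parsePort('WIKI_PORT', env.WIKI_PORT, 1000, { nonRoot });
    apps.push({ name: 'wiki', script: 'apps/wiki/dist/main.js', env: { PORT: wikiPort } });
  }
  if (!isTruthy(env.DISABLE_SMTP)) {
    const smtpPort = parsePort('SMTP_PORT', env.SMTP_PORT, 465, { nonRoot });
    apps.push({ name: 'smtp', script: 'apps/smtp/dist/main.js', env: { PORT: smtpPort } });
  }
  return { nginxPort, apps };
}

// Usable as ecosystem.config.js: PM2 reads the exported `apps` array.
if (typeof module !== 'undefined') {
  module.exports = { buildEcosystem, parsePort, isTruthy, apps: [] };
}
```

Running `buildEcosystem(process.env)` with the issue's defaults on Fargate raises the privileged-port error for WIKI_PORT immediately, which is the behaviour the crash-loops currently hide.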
