How to make users explicitly agree to ToS

TL;DR I don’t agree with Angus where he argues that legitimate interest can be relied on for most of the processing in Discourse; I am convinced that most of the processing should rely on ‘performance of a contract’ and that only some additional processing, like collection of IP addresses and keeping statistics for spam prevention, belongs in the legitimate interest category.

While I totally agree that people are focusing way too much on consent as a lawful basis for processing, I do not agree with you that legitimate interest is to be preferred (over performance of a contract) as the lawful basis for processing the personal data relevant to running the forum.

Legitimate interest is clearly meant as all processing done “in the background” or “on top” of the performance of a contract (or on top of other lawful bases like legal obligations, vital interests) to protect the interests of the controller. The examples in pages 10-12 of this document give a very clear idea of what kind of processing this lawful basis is meant for.

The pizza delivery example in the document you referenced is, in my opinion, a bad example. It is contradicted here, where the second example describes the same situation, the address of the customer being processed, but this time as an example of ‘performance of a contract’.

Another objection to using legitimate interest as the lawful basis for processing the basic personal data is that if providing a forum to a user is not to be seen as a contract, then the user cannot have a reasonable expectation of processing either. The forum owner cannot just start collecting user data and signing people up for a forum; there has to be some kind of agreement in which the user indicates the wish to participate in the forum. Signing up for a forum can IMO be seen as a contract, and when that is the case, performance of a contract can be used as the lawful basis, eliminating the need to look further.

Last but not least, don’t forget that a user can object to processing under legitimate interest (GDPR art. 21.1), which complicates things a lot.