infra(deployments): 🧱 Make vhost symlink creation idempotent and update Nginx config for autossh tunnel routing

Co-Authored-By: Lilith Autocommit <noreply@atlilith.com>

deployments/@domains/ftw.pw/deploy.sh

@@ -22,11 +22,13 @@ ssh "$REMOTE" "mkdir -p /etc/nginx/sites-available"
 rsync -avz "$SCRIPT_DIR/nginx/prod.conf" "$REMOTE:$REMOTE_NGINX_CONF"
 
 # ---------------------------------------------------------------------------
-# [3/4] Test nginx syntax + reload
+# [3/4] Enable vhost (idempotent symlink), test nginx syntax + reload
 # ---------------------------------------------------------------------------
 echo "==> [3/4] Testing nginx syntax and reloading..."
 ssh "$REMOTE" bash -euo pipefail <<'ENDSSH'
   set -euo pipefail
+  # Ensure the vhost is enabled (symlink is idempotent on re-deploy).
+  ln -sfn /etc/nginx/sites-available/ftw.pw /etc/nginx/sites-enabled/ftw.pw
   echo "  Testing /etc/nginx/sites-available/ftw.pw..."
   nginx -t
   echo "  Reloading nginx..."

deployments/@domains/ftw.pw/nginx/prod.conf

@@ -6,7 +6,13 @@
 # /s/* routes proxy to the short-link redirect handler
 
 upstream ftw_pw_api {
-    server 127.0.0.1:3030;
+    # Points at the autossh tunnel endpoint: black:3030 INTERNAL is exposed as
+    # vps loopback :3031 by quinn-api-tunnel.service. INTERNAL owns the
+    # protected-download grants (black's DB) and rsyncs assembled zips to
+    # /srv/quinn-downloads/ on vps before issuing X-Accel-Redirect.
+    # DO NOT change to :3030 — that would hit the vps quinn-api edge instance,
+    # which (in internal mode) has no download grants and no /d/ route.
+    server 127.0.0.1:3031;
     keepalive 16;
 }