infra(deployments): 🧱 Make vhost symlink creation idempotent and update Nginx config for autossh tunnel routing

Co-Authored-By: Lilith Autocommit <noreply@atlilith.com>
autocommit 2026-06-08 05:23:12 -07:00
parent d3b8a827d2
commit e29a8aec13
2 changed files with 10 additions and 2 deletions


@ -22,11 +22,13 @@ ssh "$REMOTE" "mkdir -p /etc/nginx/sites-available"
rsync -avz "$SCRIPT_DIR/nginx/prod.conf" "$REMOTE:$REMOTE_NGINX_CONF"
# ---------------------------------------------------------------------------
# [3/4] Test nginx syntax + reload
# [3/4] Enable vhost (idempotent symlink), test nginx syntax + reload
# ---------------------------------------------------------------------------
echo "==> [3/4] Testing nginx syntax and reloading..."
ssh "$REMOTE" bash -euo pipefail <<'ENDSSH'
set -euo pipefail
# Ensure the vhost is enabled (symlink is idempotent on re-deploy).
ln -sfn /etc/nginx/sites-available/ftw.pw /etc/nginx/sites-enabled/ftw.pw
echo " Testing /etc/nginx/sites-available/ftw.pw..."
nginx -t
echo " Reloading nginx..."
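Review bot: The `ln -sfn` forces the link into sites-enabled before `nginx -t` has validated anything, and under `set -euo pipefail` a failed test aborts the heredoc with the link left in place. On a first deploy that leaves a newly enabled vhost pointing at a config nginx rejected, so a later unrelated restart or reload on that host would presumably fail for every site it serves. Consider recording whether the link already existed and removing it only when this run created it, as sketched below. The heredoc continues past the end of the hunk, so the reload step is not shown here.

```shell
# Remember whether the vhost was already enabled before this deploy.
if [ -L /etc/nginx/sites-enabled/ftw.pw ]; then was_enabled=1; else was_enabled=0; fi
ln -sfn /etc/nginx/sites-available/ftw.pw /etc/nginx/sites-enabled/ftw.pw
echo " Testing /etc/nginx/sites-available/ftw.pw..."
if ! nginx -t; then
  # Do not leave a newly enabled, unvalidated vhost behind.
  [ "$was_enabled" -eq 1 ] || rm -f /etc/nginx/sites-enabled/ftw.pw
  exit 1
fi
# … unchanged: reload …
```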


@ -6,7 +6,13 @@
# /s/* routes proxy to the short-link redirect handler
upstream ftw_pw_api {
server 127.0.0.1:3030;
# Points at the autossh tunnel endpoint: black:3030 INTERNAL is exposed as
# vps loopback :3031 by quinn-api-tunnel.service. INTERNAL owns the
# protected-download grants (black's DB) and rsyncs assembled zips to
# /srv/quinn-downloads/ on vps before issuing X-Accel-Redirect.
# DO NOT change to :3030 — that would hit the vps quinn-api edge instance,
# which (in internal mode) has no download grants and no /d/ route.
server 127.0.0.1:3031;
keepalive 16;
}
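Review bot: The new comment on `server 127.0.0.1:3031;` explains why :3030 is wrong, but not what happens when the tunnel is down or who else can reach the port. With a single upstream server and no fallback, every route through `ftw_pw_api` will return 502 while quinn-api-tunnel.service is disconnected. The loopback listener also carries the INTERNAL instance's authority over download grants, so any local process on the vps can talk to it. I would add something like `# Tunnel down => 502 by design; never fall back to :3030. The forward must stay bound to 127.0.0.1.` The location that serves /srv/quinn-downloads/ via X-Accel-Redirect is outside this hunk; it is worth confirming it is marked `internal;`.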