From e29a8aec13cd05a662ed82b03e68be5e13bdc8cd Mon Sep 17 00:00:00 2001
From: autocommit
Date: Mon, 8 Jun 2026 05:23:12 -0700
Subject: [PATCH] =?UTF-8?q?infra(deployments):=20=F0=9F=A7=B1=20Make=20vho?=
 =?UTF-8?q?st=20symlink=20creation=20idempotent=20and=20update=20Nginx=20c?=
 =?UTF-8?q?onfig=20for=20autossh=20tunnel=20routing?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-Authored-By: Lilith Autocommit
---
 deployments/@domains/ftw.pw/deploy.sh | 4 +++-
 deployments/@domains/ftw.pw/nginx/prod.conf | 8 +++++++-
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/deployments/@domains/ftw.pw/deploy.sh b/deployments/@domains/ftw.pw/deploy.sh
index 5006b199..46424330 100755
--- a/deployments/@domains/ftw.pw/deploy.sh
+++ b/deployments/@domains/ftw.pw/deploy.sh
@@ -22,11 +22,13 @@ ssh "$REMOTE" "mkdir -p /etc/nginx/sites-available"
 rsync -avz "$SCRIPT_DIR/nginx/prod.conf" "$REMOTE:$REMOTE_NGINX_CONF"

 # ---------------------------------------------------------------------------
-# [3/4] Test nginx syntax + reload
+# [3/4] Enable vhost (idempotent symlink), test nginx syntax + reload
 # ---------------------------------------------------------------------------
 echo "==> [3/4] Testing nginx syntax and reloading..."
 ssh "$REMOTE" bash -euo pipefail <<'ENDSSH'
 set -euo pipefail
+ # Ensure the vhost is enabled (symlink is idempotent on re-deploy).
+ ln -sfn /etc/nginx/sites-available/ftw.pw /etc/nginx/sites-enabled/ftw.pw
 echo " Testing /etc/nginx/sites-available/ftw.pw..."
 nginx -t
 echo " Reloading nginx..."
diff --git a/deployments/@domains/ftw.pw/nginx/prod.conf b/deployments/@domains/ftw.pw/nginx/prod.conf
index 725d0d3a..d99501f5 100644
--- a/deployments/@domains/ftw.pw/nginx/prod.conf
+++ b/deployments/@domains/ftw.pw/nginx/prod.conf
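Review bot: In the deploy.sh hunk the `ln -sfn` runs before `nginx -t`, so when the syntax test fails `set -e` aborts the heredoc with the new vhost still linked into sites-enabled, and any later reload or restart of nginx on that host would then pick up or fail on the untested config. Linking first is needed for `nginx -t` to cover the vhost, so the fix is a rollback on the failure path rather than a reorder: record `[ -e /etc/nginx/sites-enabled/ftw.pw ] || fresh=1` before the `ln`, and replace the bare test with `nginx -t || { [ -n "${fresh:-}" ] && rm -f /etc/nginx/sites-enabled/ftw.pw; exit 1; }`. The hard-coded source path presumably duplicates `$REMOTE_NGINX_CONF` from the rsync line above, and the quoted heredoc cannot expand that local variable, so a comment such as `# keep in sync with REMOTE_NGINX_CONF` would guard against drift. The heredoc continues past the end of the hunk, so the reload step and whatever follows it are not visible here.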
@@ -6,7 +6,13 @@
 # /s/* routes proxy to the short-link redirect handler

 upstream ftw_pw_api {
- server 127.0.0.1:3030;
+ # Points at the autossh tunnel endpoint: black:3030 INTERNAL is exposed as
+ # vps loopback :3031 by quinn-api-tunnel.service. INTERNAL owns the
+ # protected-download grants (black's DB) and rsyncs assembled zips to
+ # /srv/quinn-downloads/ on vps before issuing X-Accel-Redirect.
+ # DO NOT change to :3030 — that would hit the vps quinn-api edge instance,
+ # which (in internal mode) has no download grants and no /d/ route.
+ server 127.0.0.1:3031;
 keepalive 16;
 }
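Review bot: Pointing `ftw_pw_api` at `127.0.0.1:3031` puts the INTERNAL instance behind every location that proxies to this upstream, and the hunk does not show those locations, so confirm that only the intended routes (the comments name `/s/*` and `/d/`) can reach it. Requests will presumably arrive at black through the SSH tunnel looking like loopback traffic, so any loopback or source-address trust in the internal service would extend to public clients; that should be checked on the service side. The new comment block explains the routing well, but it should also state the assumptions it relies on, e.g. `# Tunnel must listen on 127.0.0.1 only; the /srv/quinn-downloads/ location must stay 'internal;'.` The `upstream` block is complete within the hunk, while the `server` and `location` blocks that use it lie outside it.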