Adds test 13 to test.sh to verify that server blocks within each
sites-available file are sorted alphabetically by server_name
(LC_ALL=C; regex and wildcard entries excluded).

Fixes aria.conf and mommy.conf to conform: hyphenated names sort
before the bare domain in C locale ('-' < '.'), so trans-bot now
precedes trans, and mommy-slack now precedes mommy.

Removes the listen 80 / listen [::]:80 blocks from cdn.conf since
port 80 is blocked at the firewall. Updates test 6 to enforce that
no custom server block listens on port 80 at all.

Replaces the obsolete test.sh (which referenced configs/prod.conf,
a file that no longer exists) with 12 static-analysis checks:
1. No deprecated TLS versions (TLSv1 / TLSv1.1)
2. No duplicate literal server_name values
3. Every sites-available conf has a sites-enabled symlink
4. No broken symlinks in sites-enabled
5. No orphaned sites-enabled symlinks
6. No HTTP-only server blocks (port 80 without port 443)
7. ssl_certificate / ssl_certificate_key counts match per file
8. Plain-HTTP proxy_pass targets are local only
9. All SSL cert paths use /etc/letsencrypt/live/
10. ssl_certificate uses fullchain.pem, key uses privkey.pem
11. No raw IP addresses as server_name
12. conf.d contains only expected files

Adds .gitea/workflows/test.yml with two CI jobs: static-analysis
(runs test.sh, no nginx required) and syntax-check (installs
nginx-full, copies config, generates stub SSL certs for all
referenced letsencrypt paths, then runs nginx -t).

Deletes conf.d/default.conf, snippets/snakeoil.conf, and
snippets/fastcgi-php.conf (all stock example files not used in
production). Strips all commented-out lines and the mail block from
nginx.conf, and drops TLSv1/TLSv1.1 from ssl_protocols. Cleans
sites-available/default down to just the functional catch-all.

Moves custom log formats to conf.d/logging.conf and the
server_names_hash_bucket_size tweak to conf.d/tuning.conf,
leaving nginx.conf as close to stock as possible.

Moves all server blocks out of conf.d/server.conf into individual
files under sites-available/, grouped by logical application. Each
file is symlinked into sites-enabled/ to enable it. The old
server.conf is removed.
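
The server_name ordering check described for test 13 above, sketched as an added example (this is not the repository's test.sh). The function names, the one-directive-per-line parsing, and the use of the first name on each directive as the sort key are assumptions; the example.test hostnames are constructed.

```shell
#!/bin/sh
# Added example; not the repository's test.sh. Function names are hypothetical.

# Print the first name of each server_name directive, in file order.
# Comments are stripped; regex (~...) and wildcard (*) names are skipped.
server_name_keys() {
    awk '
        { sub(/#.*/, "") }
        $1 == "server_name" {
            name = $2
            sub(/;$/, "", name)
            if (name == "" || name ~ /^~/ || name ~ /\*/) next
            print name
        }' "$1"
}

# Succeed only if those names are already in C-locale (byte) order.
server_names_sorted() {
    server_name_keys "$1" | LC_ALL=C sort -c 2>/dev/null
}

# Constructed sample configs (example.test is a placeholder domain).
tmp=$(mktemp -d)
cat > "$tmp/good.conf" <<'EOF'
server {
    server_name trans-bot.example.test;   # '-' (0x2d) sorts before '.' (0x2e)
}
server {
    server_name trans.example.test;
}
server {
    server_name *.example.test;           # wildcard: excluded from the check
}
EOF
cat > "$tmp/bad.conf" <<'EOF'
server {
    server_name mommy.example.test;
}
server {
    server_name mommy-slack.example.test; # must precede mommy in byte order
}
EOF

for f in "$tmp/good.conf" "$tmp/bad.conf"; do
    if server_names_sorted "$f"; then echo "PASS ${f##*/}"; else echo "FAIL ${f##*/}"; fi
done
rm -rf "$tmp"
```

Pinning `LC_ALL=C` on the `sort` call keeps the result independent of the locale of the machine or CI runner executing the check.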