Adds test 13 to test.sh to verify that server blocks within each
sites-available file are sorted alphabetically by server_name
(LC_ALL=C; regex and wildcard entries excluded).
Fixes aria.conf and mommy.conf to conform: hyphenated names sort
before the bare domain in C locale ('-' < '.'), so trans-bot now
precedes trans, and mommy-slack now precedes mommy.
Removes the listen 80 / listen [::]:80 blocks from cdn.conf since
port 80 is blocked at the firewall. Updates test 6 to enforce that
no custom server block listens on port 80 at all.
Replaces the obsolete test.sh (which referenced configs/prod.conf,
a file that no longer exists) with 12 static-analysis checks:
1. No deprecated TLS versions (TLSv1 / TLSv1.1)
2. No duplicate literal server_name values
3. Every sites-available conf has a sites-enabled symlink
4. No broken symlinks in sites-enabled
5. No orphaned sites-enabled symlinks
6. No HTTP-only server blocks (port 80 without port 443)
7. ssl_certificate / ssl_certificate_key counts match per file
8. Plain-HTTP proxy_pass targets are local only
9. All SSL cert paths use /etc/letsencrypt/live/
10. ssl_certificate uses fullchain.pem, key uses privkey.pem
11. No raw IP addresses as server_name
12. conf.d contains only expected files
Adds .gitea/workflows/test.yml with two CI jobs: static-analysis
(runs test.sh, no nginx required) and syntax-check (installs
nginx-full, copies config, generates stub SSL certs for all
referenced letsencrypt paths, then runs nginx -t).
hikari
naomi