fix: correct punycode for мои-товары.рф and add IDN support to generate-nginx-conf.sh

xn--e1afmapc4af.xn--p1af was wrong; correct punycode is xn----8sbfwtmcso8g.xn--p1ai.
generate-nginx-conf.sh now converts IDN domains to punycode before expanding the
template, so cert paths and server_name directives are always ASCII-safe.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

nginx/nginx.conf

@@ -10,7 +10,7 @@ upstream web {
 
 server {
     listen 80;
-    server_name xn--e1afmapc4af.xn--p1af www.xn--e1afmapc4af.xn--p1af;
+    server_name xn----8sbfwtmcso8g.xn--p1ai www.xn----8sbfwtmcso8g.xn--p1ai;
 
     location /.well-known/acme-challenge/ {
         root /var/www/certbot;
@@ -23,10 +23,10 @@ server {
 
 server {
     listen 443 ssl;
-    server_name xn--e1afmapc4af.xn--p1af www.xn--e1afmapc4af.xn--p1af;
+    server_name xn----8sbfwtmcso8g.xn--p1ai www.xn----8sbfwtmcso8g.xn--p1ai;
 
-    ssl_certificate /etc/letsencrypt/live/xn--e1afmapc4af.xn--p1af/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/xn--e1afmapc4af.xn--p1af/privkey.pem;
+    ssl_certificate /etc/letsencrypt/live/xn----8sbfwtmcso8g.xn--p1ai/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/xn----8sbfwtmcso8g.xn--p1ai/privkey.pem;
 
     ssl_protocols TLSv1.2 TLSv1.3;
     ssl_ciphers HIGH:!aNULL:!MD5;