PR AB: complete Phoenix deployment scaffolding (add 3 missing files referenced by main 4a1f69a)
main 4a1f69a 'deploy: make Phoenix redeploys archive-safe' adopted the Phoenix deployment scaffolding from the abandoned PR #31 branch but landed with three referenced-but-missing files. This PR adds exactly those three files, unchanged from the PR #31 branch, so main is internally consistent and bootable on CT 8604.

What main references but does not have
--------------------------------------

1. scripts/deployment/webapp-nginx.conf
   Referenced by: systemd/currencicombo-webapp.service (ExecStart calls 'nginx -c /etc/currencicombo/webapp-nginx.conf') and install.sh (NGINX_FILE="${ETC_DIR}/webapp-nginx.conf"; install -m 0644 of "${SCRIPT_DIR}/webapp-nginx.conf").
   Without this file: webapp unit fails on start with 'nginx: [emerg] open() "/etc/currencicombo/webapp-nginx.conf" failed'.

2. scripts/deployment/systemd/currencicombo-orchestrator.service
   Referenced by: deploy-currencicombo-8604.sh (line 40: ${ORCHESTRATOR_UNIT:=currencicombo-orchestrator.service}; lines 101/104 systemctl stop/start) and install.sh (line 238 install -m 0644 of "${SCRIPT_DIR}/systemd/currencicombo-orchestrator.service"; line 248 systemctl enable).
   Without this file: install.sh fails at the install step, deploy script fails at 'systemctl stop currencicombo-orchestrator.service Unit not found'.

3. scripts/deployment/install-prune-cron.sh
   Referenced by: README.md (step 4: 'bash /var/lib/currencicombo/repo/
   scripts/deployment/install-prune-cron.sh' and the 'Backup retention / pruning' section).
   Without this file: ops follows the README, hits a 'No such file' and has to reconstruct the pruner from prose.

Provenance
----------

All three files are verbatim copies of the same three files from the closed PR #31 branch devin/1776898782-pr-aa-phoenix-migration (commit ded7d24), which was the source PR #31 reviewers discussed when the three ops improvements (loud-failure rollback, keep-min-5 prune cron, /root/currencicombo-first-keys.txt 0600) were locked. main already absorbed everything else from PR #31 as commit 4a1f69a.

Verification
------------

- shellcheck --severity=warning scripts/deployment/install-prune-cron.sh: clean
- bash -n on install-prune-cron.sh: clean
- systemd-analyze verify on currencicombo-orchestrator.service: clean (only unrelated-host-service errors surface on this build box)
- sudo bash scripts/deployment/install-prune-cron.sh --dry-run: prints the exact cron body with retain=30, keep-min=5, targeting /var/lib/currencicombo/backups, as expected.
- nginx -T on webapp-nginx.conf: not run (nginx not installed on build box); tested on the CT in PR #31's pre-close verification run.

Co-Authored-By: Nakamoto, S <defi@defi-oracle.io>
@@ -0,0 +1,34 @@
|
||||
[Unit]
|
||||
Description=CurrenciCombo orchestrator (Node)
|
||||
Documentation=https://gitea.d-bis.org/d-bis/CurrenciCombo
|
||||
After=network-online.target postgresql.service redis-server.service redis.service
|
||||
Wants=network-online.target
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
User=currencicombo
|
||||
Group=currencicombo
|
||||
WorkingDirectory=/opt/currencicombo/orchestrator
|
||||
EnvironmentFile=/etc/currencicombo/orchestrator.env
|
||||
ExecStart=/usr/bin/node /opt/currencicombo/orchestrator/dist/index.js
|
||||
Restart=on-failure
|
||||
RestartSec=5
|
||||
TimeoutStopSec=20
|
||||
StandardOutput=journal
|
||||
StandardError=journal
|
||||
SyslogIdentifier=currencicombo-orchestrator
|
||||
|
||||
# Hardening
|
||||
NoNewPrivileges=yes
|
||||
PrivateTmp=yes
|
||||
ProtectSystem=strict
|
||||
ProtectHome=yes
|
||||
ReadWritePaths=/var/log/currencicombo
|
||||
ProtectKernelTunables=yes
|
||||
ProtectKernelModules=yes
|
||||
ProtectControlGroups=yes
|
||||
RestrictSUIDSGID=yes
|
||||
LockPersonality=yes
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
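Review bot: In the Hardening block, `ReadWritePaths=/var/log/currencicombo` is combined with `ProtectSystem=strict`, and nothing in this unit creates that directory. If it is missing when the unit starts, systemd fails the mount namespace setup (status 226/NAMESPACE) before node ever runs, and `Restart=on-failure` with `RestartSec=5` then retries every 5 seconds. Suggest replacing the line with `LogsDirectory=currencicombo`, which creates the directory owned by `User=currencicombo` and keeps it writable under the strict setting, or confirming that install.sh creates it before `systemctl enable`. Because `StandardOutput=journal` and `StandardError=journal` already send output to the journal, a one-line comment saying what the orchestrator writes under /var/log/currencicombo would also help. Two smaller points: `After=` names postgresql and the two redis units for ordering only, with `Wants=` limited to network-online.target, so a comment stating that this is intentional would save the next reader a lookup; and the hardening set could be extended after testing with `PrivateDevices=yes`, `ProtectKernelLogs=yes` and `RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX`, with `systemd-analyze security currencicombo-orchestrator.service` used to see what remains exposed.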