fix: correct certbot renewal hooks directory path

Use /etc/letsencrypt/renewal-hooks/post/ instead of the
nonexistent /etc/letsencrypt/renewal-hooks-post/ for the
trojan-go renewal deploy hook

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
kotoyuuko 3 weeks ago
Parent
Current commit
a6b57dc3c2

+ 2 - 0
openspec/changes/archive/2026-04-22-fix-certbot-renewal-hooks-directory/.openspec.yaml

@@ -0,0 +1,2 @@
+schema: spec-driven
+created: 2026-04-22

+ 14 - 0
openspec/changes/archive/2026-04-22-fix-certbot-renewal-hooks-directory/design.md

@@ -0,0 +1,14 @@
+## Context
+
+The previous `fix-trojan-go-startup-failure` change renamed the renewal hook path from `/etc/letsencrypt/renewal-hooks/post/restart-trojan.sh` to `/etc/letsencrypt/renewal-hooks-post/trojan-go.sh`. The latter directory does not exist — certbot uses `/etc/letsencrypt/renewal-hooks/post/`.
+
+## Goals / Non-Goals
+
+**Goals:**
+- Use the correct certbot renewal hooks directory so the task succeeds
+
+## Decisions
+
+**Use the standard certbot path `/etc/letsencrypt/renewal-hooks/post/`**
+
+Certbot automatically scans this directory for post-renewal hooks. No need to create directories or configure anything else.
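Review bot: The decision "No need to create directories or configure anything else" holds only on a host where certbot has already run once: certbot creates `/etc/letsencrypt/renewal-hooks/{pre,post,deploy}/` itself at startup, and `ansible.builtin.copy` fails with a "destination directory does not exist" error when the parent of `dest` is missing. Either state the ordering assumption explicitly (the certificate-issuance task runs before the hook is deployed) or add an `ansible.builtin.file` task with `state: directory` for `/etc/letsencrypt/renewal-hooks/post/` so the role is idempotent on a fresh host.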

+ 19 - 0
openspec/changes/archive/2026-04-22-fix-certbot-renewal-hooks-directory/proposal.md

@@ -0,0 +1,19 @@
+## Why
+
+The certbot renewal hook task references `/etc/letsencrypt/renewal-hooks-post/`, which does not exist. The correct certbot renewal hooks directory is `/etc/letsencrypt/renewal-hooks/post/`. This typo causes the playbook to fail when deploying the renewal hook.
+
+## What Changes
+
+- Fix the certbot renewal hook destination path from `/etc/letsencrypt/renewal-hooks-post/trojan-go.sh` to `/etc/letsencrypt/renewal-hooks/post/trojan-go.sh`
+
+## Capabilities
+
+### New Capabilities
+<!-- none -->
+
+### Modified Capabilities
+<!-- none -->
+
+## Impact
+
+- `roles/trojan/tasks/main.yml` — single path fix in the renewal hook task

+ 15 - 0
openspec/changes/archive/2026-04-22-fix-certbot-renewal-hooks-directory/specs/trojan-landing/spec.md

@@ -0,0 +1,15 @@
+## MODIFIED Requirements
+
+### Requirement: TLS certificate is provisioned via Let's Encrypt
+The trojan role SHALL use certbot to obtain a TLS certificate for the landing server's domain, with automatic renewal. After provisioning or renewal, the certificate and key SHALL be copied to a trojan-owned directory (`/etc/trojan-go/tls/`) so the service user can read them. The certbot deploy-hook SHALL be placed in `/etc/letsencrypt/renewal-hooks/post/` for automatic execution.
+
+#### Scenario: Certificate provisioning
+- **WHEN** the trojan role runs with a configured domain name
+- **THEN** certbot obtains a TLS certificate for that domain
+- **THEN** the certificate and key are copied to `/etc/trojan-go/tls/` owned by the trojan user
+
+#### Scenario: Certificate auto-renewal
+- **WHEN** the certificate is within 30 days of expiry
+- **THEN** certbot renews it automatically via systemd timer or cron
+- **THEN** a deploy-hook in `/etc/letsencrypt/renewal-hooks/post/` copies the renewed certs to `/etc/trojan-go/tls/`
+- **THEN** the Trojan service is reloaded after renewal
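Review bot: The requirement calls this a "deploy-hook" but places it in `renewal-hooks/post/`, and the two are not equivalent in certbot: scripts in `post/` run after every renewal attempt, including failed ones, whereas scripts in `renewal-hooks/deploy/` run only after a certificate was actually issued and receive `RENEWED_LINEAGE` and `RENEWED_DOMAINS` in the environment. If the intent is to copy the certificate and reload the service only on a successful renewal, the directory should be `/etc/letsencrypt/renewal-hooks/deploy/`; otherwise rename the requirement and scenario to "post-hook" so "a deploy-hook in `/etc/letsencrypt/renewal-hooks/post/`" is accurate.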

+ 7 - 0
openspec/changes/archive/2026-04-22-fix-certbot-renewal-hooks-directory/tasks.md

@@ -0,0 +1,7 @@
+## 1. Fix renewal hook path
+
+- [x] 1.1 Change certbot renewal hook destination from `/etc/letsencrypt/renewal-hooks-post/` to `/etc/letsencrypt/renewal-hooks/post/` in `roles/trojan/tasks/main.yml`
+
+## 2. Verify
+
+- [x] 2.1 Run `ansible-playbook site.yml --syntax-check` to confirm playbook parses
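Review bot: Task 2.1's `ansible-playbook site.yml --syntax-check` only checks that the YAML parses; it would have passed with the wrong `renewal-hooks-post/` path as well, so it does not verify this fix. Suggest a verification step that exercises the task, for example `ansible-playbook site.yml --check --diff --limit <host>` against a host where certbot has already run, followed by confirming that `/etc/letsencrypt/renewal-hooks/post/trojan-go.sh` exists and is executable.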

+ 1 - 1
openspec/specs/trojan-landing/spec.md

@@ -40,7 +40,7 @@ The trojan role SHALL use certbot to obtain a TLS certificate for the landing se
 #### Scenario: Certificate auto-renewal
 - **WHEN** the certificate is within 30 days of expiry
 - **THEN** certbot renews it automatically via systemd timer or cron
-- **THEN** a deploy-hook copies the renewed certs to `/etc/trojan-go/tls/`
+- **THEN** a deploy-hook in `/etc/letsencrypt/renewal-hooks/post/` copies the renewed certs to `/etc/trojan-go/tls/`
 - **THEN** the Trojan service is reloaded after renewal
 
 ### Requirement: Trojan listens on port 443 with TLS

+ 1 - 1
roles/trojan/tasks/main.yml

@@ -92,7 +92,7 @@
 
 - name: Deploy certbot renewal hook for trojan
   ansible.builtin.copy:
-    dest: /etc/letsencrypt/renewal-hooks-post/trojan-go.sh
+    dest: /etc/letsencrypt/renewal-hooks/post/trojan-go.sh
     content: |
       #!/bin/bash
       mkdir -p /etc/trojan-go/tls
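Review bot: The visible task sets `dest` and `content` but no `mode`; certbot only runs files in its hook directories that carry the execute bit, and `ansible.builtin.copy` with `content:` creates the file with the default umask (typically 0644), so the hook would be present but never executed. Add `mode: '0755'` together with `owner: root` and `group: root` to the task. Since this script runs as root on every renewal and, per the spec, copies the private key into `/etc/trojan-go/tls`, the lines after `mkdir -p /etc/trojan-go/tls` should also set a restrictive mode on the copied key (readable by the trojan service user only) rather than leaving whatever `cp` inherits.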