
feat: allow port 80 on landing server for Let's Encrypt HTTP-01

Certbot's HTTP-01 challenge requires port 80 to be accessible.
Previously only port 443 was allowed, blocking certificate issuance.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
kotoyuuko 3 weeks ago
Parent
Current commit
d89aaa6b4e

+ 1 - 0
group_vars/landing.yml.example

@@ -9,4 +9,5 @@ tls_cert_path: "/etc/letsencrypt/live/{{ trojan_domain }}/fullchain.pem"
 tls_key_path: "/etc/letsencrypt/live/{{ trojan_domain }}/privkey.pem"
 
 allowed_ports:
+  - 80
   - "{{ trojan_port }}"
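Review bot: only `group_vars/landing.yml.example` is edited, so any deployment that already carries its own `group_vars/landing.yml` keeps the old list and port 80 stays blocked; the commit message should tell operators to add `- 80` to their real group_vars, otherwise the first renewal on an existing host still fails. Two smaller points on the same hunk: `80` is a bare integer next to the quoted `"{{ trojan_port }}"`, so the UFW loop receives mixed types; quoting it as `"80"` keeps the list uniform. And because HTTP-01 is only needed while certbot runs, this leaves port 80 open permanently; if that is unwanted, the alternative is a certbot `--pre-hook`/`--post-hook` pair that adds and removes the UFW rule around each issuance.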

+ 2 - 0
openspec/changes/archive/2026-04-22-allow-http-on-landing/.openspec.yaml

@@ -0,0 +1,2 @@
+schema: spec-driven
+created: 2026-04-22

+ 15 - 0
openspec/changes/archive/2026-04-22-allow-http-on-landing/design.md

@@ -0,0 +1,15 @@
+## Context
+
+The base role's UFW task loops over `allowed_ports` from group_vars. The landing group vars only lists `trojan_port` (443). Let's Encrypt's HTTP-01 challenge serves a token on port 80, which certbot uses in standalone mode to prove domain ownership.
+
+## Goals / Non-Goals
+
+**Goals:**
+- Allow inbound port 80 on the landing server for Let's Encrypt HTTP-01 challenge
+
+**Non-Goals:**
+- No changes to certbot or trojan role configuration
+
+## Decisions
+
+Add port 80 to `allowed_ports` in `group_vars/landing.yml.example`. This is a simple UFW allow rule that lets certbot's standalone HTTP server receive the HTTP-01 challenge request.
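Review bot: the design should say that the rule has to remain in place for renewals, not just the first issuance: Let's Encrypt certificates are short-lived and certbot's standalone renewal repeats the HTTP-01 challenge on port 80 every time, so treating this as a one-off allow would break silently weeks later. It should also record the operational constraint of standalone mode named in the Context section: certbot binds port 80 itself, so nothing else on the landing server may be listening there when it runs.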

+ 19 - 0
openspec/changes/archive/2026-04-22-allow-http-on-landing/proposal.md

@@ -0,0 +1,19 @@
+## Why
+
+Trojan service depends on Let's Encrypt TLS certificates obtained via HTTP-01 challenge, which requires port 80 to be accessible for certbot's standalone HTTP server. The landing server's UFW `allowed_ports` only includes port 443 (Trojan), blocking the Let's Encrypt challenge and preventing certificate issuance.
+
+## What Changes
+
+- Add port 80 to `allowed_ports` in `group_vars/landing.yml.example` for Let's Encrypt HTTP-01 challenge
+
+## Capabilities
+
+### New Capabilities
+<!-- none -->
+
+### Modified Capabilities
+<!-- none -->
+
+## Impact
+
+- `group_vars/landing.yml.example`: add port 80 to `allowed_ports`
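Review bot: `Modified Capabilities: <!-- none -->` undersells the change; exposing a second inbound port to the internet alters the landing server's network surface, and that belongs under Modified Capabilities (or at least in Impact) rather than being recorded as no capability change. Impact should also state that operators with an existing `group_vars/landing.yml` must carry the new entry over themselves, since the example file is the only thing this change touches.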

+ 3 - 0
openspec/changes/archive/2026-04-22-allow-http-on-landing/specs/NOTE.md

@@ -0,0 +1,3 @@
+## Note
+
+No capability changes. Simple port allow addition.

+ 3 - 0
openspec/changes/archive/2026-04-22-allow-http-on-landing/tasks.md

@@ -0,0 +1,3 @@
+## 1. Add port 80 to landing allowed_ports
+
+- [x] 1.1 Add port 80 to `allowed_ports` in `group_vars/landing.yml.example`
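Review bot: there is no verification task. Add a step that confirms the rule is actually applied and the challenge path works, for example checking that `ufw status` lists 80/tcp as allowed on the landing host and running `certbot certonly --standalone --dry-run -d <domain>` against the Let's Encrypt staging environment, so the change is exercised before a real issuance depends on it.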