## Why

The trojan-go service is configured to forward non-Trojan traffic to `remote_port: 8080` as a fallback camouflage web server, but no service is currently listening on port 8080. This causes trojan-go to fail on startup because the fallback port is unreachable.

## What Changes

- Install nginx as the fallback web server listening on `trojan_fallback_port` (8080)
- Deploy a minimal nginx vhost that serves as HTTPS camouflage (a generic static page)
- Add a UFW firewall rule to allow traffic on the fallback port
- Extend the trojan role to manage the nginx fallback

## Capabilities

### New Capabilities
- `nginx-fallback`: Nginx fallback web server on the landing server for Trojan camouflage

### Modified Capabilities
<!-- none -->

## Impact

- `roles/trojan/tasks/main.yml` — add nginx installation and configuration tasks
- `roles/trojan/templates/` — new nginx vhost template
- `group_vars/landing.yml.example` — document the fallback port variable