## MODIFIED Requirements

### Requirement: TLS certificate is provisioned via Let's Encrypt

The trojan role SHALL use certbot to obtain a TLS certificate for the landing server's domain, with automatic renewal. After provisioning or renewal, the certificate and key SHALL be copied to a trojan-owned directory (`/etc/trojan-go/tls/`) so the service user can read them. The certbot deploy-hook SHALL be placed in `/etc/letsencrypt/renewal-hooks/post/` for automatic execution.

#### Scenario: Certificate provisioning

- **WHEN** the trojan role runs with a configured domain name
- **THEN** certbot obtains a TLS certificate for that domain
- **THEN** the certificate and key are copied to `/etc/trojan-go/tls/` owned by the trojan user

#### Scenario: Certificate auto-renewal

- **WHEN** the certificate is within 30 days of expiry
- **THEN** certbot renews it automatically via systemd timer or cron
- **THEN** a deploy-hook in `/etc/letsencrypt/renewal-hooks/post/` copies the renewed certs to `/etc/trojan-go/tls/`
- **THEN** the Trojan service is reloaded after renewal
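
One way to write the hook this requirement describes, as an added example (not the role's own script). Scripts in `renewal-hooks/post/` run after every renewal attempt and do not receive `RENEWED_LINEAGE`, so the sketch takes the live directory from configuration and reloads only when a file actually changed. The domain placeholder, the `trojan:trojan` owner, the `trojan-go` unit name and the destination file names are assumptions.

```shell
#!/bin/sh
# Added example, not the role's own script. Assumed names: the domain in
# LIVE_DIR (placeholder), owner "trojan:trojan", unit "trojan-go", and the
# destination file names. The role is assumed to have created TLS_DIR.
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/example.com}"
TLS_DIR="${TLS_DIR:-/etc/trojan-go/tls}"
TLS_OWNER="${TLS_OWNER:-trojan:trojan}"
RELOAD_CMD="${RELOAD_CMD:-systemctl reload-or-restart trojan-go}"

# sync_file SRC DST MODE
# Returns 0 if DST was replaced, 1 if already identical, 2 on error.
sync_file() {
    [ -r "$1" ] || return 2
    cmp -s "$1" "$2" && return 1
    # mktemp creates the file 0600, so the key is never briefly world-readable;
    # mv within one directory swaps it in atomically.
    tmp=$(mktemp "$2.XXXXXX") || return 2
    if cat "$1" > "$tmp" && chmod "$3" "$tmp" &&
       chown "$TLS_OWNER" "$tmp" && mv -f "$tmp" "$2"; then
        return 0
    fi
    rm -f "$tmp"
    return 2
}

# Returns 0 if files changed and the service was reloaded,
# 1 if nothing changed (no reload), 2 on error.
deploy_certs() {
    changed=no
    for spec in fullchain.pem:0644 privkey.pem:0600; do
        name=${spec%%:*}
        sync_file "$LIVE_DIR/$name" "$TLS_DIR/$name" "${spec##*:}" && rc=0 || rc=$?
        case $rc in
            0) changed=yes ;;
            1) ;;
            *) return 2 ;;
        esac
    done
    [ "$changed" = yes ] || return 1
    $RELOAD_CMD || return 2
}

# Run only when installed as the certbot hook; "nothing changed" is success.
case "$0" in
    */renewal-hooks/post/*) deploy_certs || [ "$?" -eq 1 ] ;;
esac
```

The same script can be run once by hand after the initial `certbot` issuance to cover the provisioning scenario, since it only depends on the live directory existing.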