## Why

The `localhost` play that generates `surge-client.conf` references `trojan_domain`, `trojan_port`, and `trojan_password`, but these variables are defined in `group_vars/landing.yml` which only applies to hosts in the `landing` group. Since `localhost` is not in any host group, these variables are undefined, causing the playbook to fail at the template rendering step.

## What Changes

- Move trojan-related variables (`trojan_domain`, `trojan_password`, `trojan_port`, `trojan_fallback_port`) from `group_vars/landing.yml` to `group_vars/all.yml` so they are available when rendering the Surge template on `localhost`
- Keep `tls_cert_path` and `tls_key_path` in `group_vars/landing.yml` since they are only needed on the landing server itself

## Capabilities

### New Capabilities
<!-- none -->

### Modified Capabilities
<!-- none -->

## Impact

- `group_vars/landing.yml`: loses trojan variable definitions (moved to `all.yml`)
- `group_vars/all.yml`: gains trojan variable definitions
- No change to `templates/surge-client.conf.j2` or `site.yml` — the fix is purely in variable scope