## Why

The trojan-go service on the landing server exits immediately with `status=1/FAILURE` and enters an auto-restart loop. The most likely causes are:

1. The TLS certificate and key files under `/etc/letsencrypt/` are not readable by the `trojan` service user.
2. The systemd unit uses `AmbientCapabilities` without `CapabilityBoundingSet`, which may not properly grant `CAP_NET_BIND_SERVICE` to the process.

## What Changes

- Fix TLS certificate file permissions: use a certbot `--deploy-hook` to copy certs with correct ownership for the `trojan` user, and update the trojan config template to point to the copied paths
- Add `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` to the systemd unit alongside `AmbientCapabilities`
- Add a task to copy initial cert files after the first certbot run

## Capabilities

### New Capabilities

### Modified Capabilities

- `trojan-landing`: TLS certificate access and systemd capability configuration must allow the trojan service to start successfully

## Impact

- `roles/trojan/templates/trojan.service.j2` — add `CapabilityBoundingSet`
- `roles/trojan/tasks/main.yml` — add cert file copy tasks, update deploy-hook
- `roles/trojan/templates/trojan-config.json.j2` — update cert/key paths to copied locations
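The deploy-hook approach from "What Changes", written out as an added example script (this is not the role's own hook; it is illustrative code added here). It assumes the destination directory `/etc/trojan/certs`, the service user and group `trojan`, and the systemd unit name `trojan`; `RENEWED_LINEAGE` is the environment variable certbot sets for deploy hooks and points at the renewed `live/<domain>` directory. The copied files are mode `0640` so the service user can read them while the private key stays unreadable to everyone else.

```shell
#!/bin/sh
# Added example of a certbot --deploy-hook for the trojan service.
# Assumptions (not from the change proposal): /etc/trojan/certs as the
# destination, user/group "trojan", and a systemd unit named "trojan".
set -eu

# Copy fullchain.pem and privkey.pem from a certbot lineage directory into
# DEST_DIR with mode 0640 (directory 0750). Ownership is changed to
# OWNER:GROUP only when running as root, which is the case under certbot.
# Usage: copy_trojan_certs LINEAGE_DIR DEST_DIR OWNER GROUP
copy_trojan_certs() {
    lineage="$1"; dest="$2"; owner="$3"; group="$4"

    # Fail loudly rather than leaving the service pointed at a missing file.
    for f in fullchain.pem privkey.pem; do
        if [ ! -f "$lineage/$f" ]; then
            echo "copy_trojan_certs: missing $lineage/$f" >&2
            return 1
        fi
    done

    install -d -m 0750 "$dest"
    install -m 0640 "$lineage/fullchain.pem" "$dest/fullchain.pem"
    install -m 0640 "$lineage/privkey.pem"   "$dest/privkey.pem"

    if [ "$(id -u)" -eq 0 ]; then
        chown "$owner:$group" "$dest" "$dest/fullchain.pem" "$dest/privkey.pem"
    fi
}

# Print "yes" when both copied files are readable by the current process,
# "no" otherwise. This is the check the failing unit was implicitly making.
# Usage: certs_readable DEST_DIR
certs_readable() {
    if [ -r "$1/fullchain.pem" ] && [ -r "$1/privkey.pem" ]; then
        echo yes
    else
        echo no
    fi
}

# Print the ten-character permission string of FILE, e.g. "-rw-r-----".
# Usage: file_mode_string FILE
file_mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Entry point when certbot invokes this script as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    copy_trojan_certs "$RENEWED_LINEAGE" /etc/trojan/certs trojan trojan
    # Restart so trojan-go picks up the renewed certificate and key.
    systemctl restart trojan
fi
```

With this hook in place, the trojan config template's `cert` and `key` paths point at `/etc/trojan/certs/fullchain.pem` and `/etc/trojan/certs/privkey.pem` instead of `/etc/letsencrypt/live/...`, and the initial-copy task after the first certbot run can call the same function.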