## MODIFIED Requirements

### Requirement: TLS certificate is provisioned via Let's Encrypt

The trojan role SHALL use certbot to obtain a TLS certificate for the landing server's domain, with automatic renewal. After provisioning or renewal, the certificate and key SHALL be copied to a trojan-owned directory (`/etc/trojan-go/tls/`) so the service user can read them.

#### Scenario: Certificate provisioning

- **WHEN** the trojan role runs with a configured domain name
- **THEN** certbot obtains a TLS certificate for that domain
- **THEN** the certificate and key are copied to `/etc/trojan-go/tls/`, owned by the trojan user

#### Scenario: Certificate auto-renewal

- **WHEN** the certificate is within 30 days of expiry
- **THEN** certbot renews it automatically via a systemd timer or cron job
- **THEN** a deploy hook copies the renewed certificate and key to `/etc/trojan-go/tls/`
- **THEN** the Trojan service is reloaded after renewal

### Requirement: Trojan runs as a systemd service

The trojan role SHALL create a systemd unit file for Trojan and ensure it is enabled and started. The unit SHALL include both `AmbientCapabilities` and `CapabilityBoundingSet` for `CAP_NET_BIND_SERVICE`.

#### Scenario: Service is running

- **WHEN** the trojan role completes
- **THEN** the Trojan systemd service is enabled and running
- **THEN** the service runs under a dedicated non-root user with `CAP_NET_BIND_SERVICE` for port 443
- **THEN** the trojan user can read the TLS certificate and key files from `/etc/trojan-go/tls/`
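As an added example (not part of this spec or the role's own code), a certbot deploy hook that satisfies the auto-renewal scenario and the trojan-owned-directory requirement: it copies the renewed certificate and key into `/etc/trojan-go/tls/`, sets owner and mode, renames them into place atomically, and reloads the service. The service account and group `trojan`, the unit name `trojan-go` and the hook path are assumptions; `RENEWED_LINEAGE` is the variable certbot itself exports to deploy hooks.

```shell
#!/bin/sh
# Certbot deploy hook (assumed install path:
# /etc/letsencrypt/renewal-hooks/deploy/trojan-go.sh). Certbot exports
# RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/<domain>) only when it runs a
# deploy hook after a successful issuance or renewal.
set -eu

TROJAN_TLS_DIR="${TROJAN_TLS_DIR:-/etc/trojan-go/tls}"
TROJAN_USER="${TROJAN_USER:-trojan}"                   # assumed service account
TROJAN_GROUP="${TROJAN_GROUP:-trojan}"                 # assumed primary group
RELOAD_CMD="${RELOAD_CMD:-systemctl reload trojan-go}" # assumed unit name

# keypair_matches <cert> <key>: refuse a cert/key pair whose public keys differ
# (a sign of a mixed-up lineage). Skipped when openssl is not installed.
keypair_matches() {
    command -v openssl >/dev/null 2>&1 || return 0
    c=$(openssl x509 -noout -pubkey -in "$1") || return 1
    k=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# install_certs <lineage_dir> <dest_dir> <user> <group> <reload_cmd>
# Copies fullchain.pem and privkey.pem via temp files, sets owner and mode,
# renames atomically so the service never reads a half-written key, then
# reloads the service. Returns non-zero and installs nothing on any failure.
install_certs() {
    lineage=$1; dest=$2; user=$3; group=$4; reload=$5
    for f in fullchain.pem privkey.pem; do
        [ -r "$lineage/$f" ] || { echo "missing $lineage/$f" >&2; return 1; }
    done
    keypair_matches "$lineage/fullchain.pem" "$lineage/privkey.pem" \
        || { echo "cert and key in $lineage do not match" >&2; return 1; }
    mkdir -p "$dest" && chmod 0750 "$dest" && chown "$user:$group" "$dest"
    cp "$lineage/fullchain.pem" "$dest/.fullchain.pem.tmp"
    cp "$lineage/privkey.pem"   "$dest/.privkey.pem.tmp"
    chown "$user:$group" "$dest/.fullchain.pem.tmp" "$dest/.privkey.pem.tmp"
    chmod 0644 "$dest/.fullchain.pem.tmp"   # the chain is public
    chmod 0600 "$dest/.privkey.pem.tmp"     # key readable by the service user only
    mv -f "$dest/.fullchain.pem.tmp" "$dest/fullchain.pem"
    mv -f "$dest/.privkey.pem.tmp"   "$dest/privkey.pem"
    sh -c "$reload"
}

# Only act when certbot invoked us; running the file by hand does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_certs "$RENEWED_LINEAGE" "$TROJAN_TLS_DIR" "$TROJAN_USER" \
        "$TROJAN_GROUP" "$RELOAD_CMD"
fi
```

After installing the hook, `certbot renew --dry-run` exercises the renewal path without touching the live certificate, and the resulting files in `/etc/trojan-go/tls/` can be checked for the expected owner and modes.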