## 1. Fix TLS certificate access

- [x] 1.1 Add task to copy initial cert files to `/etc/trojan-go/tls/` after certbot obtains the certificate
- [x] 1.2 Update certbot renewal hook to copy certs and reload trojan after renewal
- [x] 1.3 Update `trojan-config.json.j2` to use `/etc/trojan-go/tls/` for cert and key paths

## 2. Fix systemd capabilities

- [x] 2.1 Add `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` to `trojan.service.j2`

## 3. Verify

- [x] 3.1 Run `ansible-playbook site.yml --syntax-check` to confirm playbook parses
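For steps 1.1 and 1.2, the copy-and-reload logic that the checklist refers to can be expressed as a single certbot deploy hook. The script below is an added example written for this page, not the project's own hook or Ansible task. It assumes certbot's standard `fullchain.pem` / `privkey.pem` file names and the `RENEWED_LINEAGE` variable certbot exports to deploy hooks, a unit named `trojan.service` (matching the template in 2.1), and a service account called `trojan`, which is an assumption since the page names no user. The destination directory matches the `/etc/trojan-go/tls/` paths from 1.3.

```shell
#!/bin/sh
# Added example, not the project's own hook: a certbot deploy hook that copies
# the renewed certificate into /etc/trojan-go/tls/ and restarts trojan.
# Assumptions (constructed): the unit is trojan.service, trojan runs as a
# user named "trojan", and certbot passes the lineage dir in RENEWED_LINEAGE.
set -eu

TROJAN_TLS_DIR="${TROJAN_TLS_DIR:-/etc/trojan-go/tls}"
TROJAN_USER="${TROJAN_USER:-trojan}"

# install_trojan_certs SRC_DIR DEST_DIR
# Copies fullchain.pem and privkey.pem (certbot's file names) from SRC_DIR
# into DEST_DIR. Fails before touching DEST_DIR if either file is absent,
# writes to temporary names first so a concurrent reader never sees a
# half-written key, and keeps the private key owner-readable only.
install_trojan_certs() {
    src="$1"
    dest="$2"
    for f in fullchain.pem privkey.pem; do
        if [ ! -f "$src/$f" ]; then
            echo "install_trojan_certs: missing $src/$f" >&2
            return 1
        fi
    done
    mkdir -p "$dest"
    chmod 0750 "$dest"
    # cp follows the symlinks certbot keeps in /etc/letsencrypt/live/<domain>/
    cp "$src/fullchain.pem" "$dest/.fullchain.pem.tmp"
    cp "$src/privkey.pem"   "$dest/.privkey.pem.tmp"
    chmod 0644 "$dest/.fullchain.pem.tmp"
    chmod 0600 "$dest/.privkey.pem.tmp"
    mv "$dest/.fullchain.pem.tmp" "$dest/fullchain.pem"
    mv "$dest/.privkey.pem.tmp"   "$dest/privkey.pem"
    # Hand the files to the service account so a non-root trojan can read them;
    # skipped when the account does not exist (e.g. on a dev machine).
    if id "$TROJAN_USER" >/dev/null 2>&1; then
        chown -R "$TROJAN_USER" "$dest"
    fi
}

# restart_trojan: ask systemd to restart the unit so the new key is loaded.
# Returns 0 without doing anything when systemctl is unavailable.
restart_trojan() {
    if command -v systemctl >/dev/null 2>&1; then
        systemctl restart trojan.service
    fi
}

# Entry point when certbot invokes this file as a deploy hook.
main() {
    lineage="${1:-${RENEWED_LINEAGE:-}}"
    if [ -z "$lineage" ]; then
        echo "usage: $0 /etc/letsencrypt/live/<domain>" >&2
        return 2
    fi
    install_trojan_certs "$lineage" "$TROJAN_TLS_DIR"
    restart_trojan
}

# Run only when called as a hook (certbot sets RENEWED_LINEAGE); sourcing the
# file leaves the functions defined without touching the system.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main "$RENEWED_LINEAGE"
fi
```

Placed under `/etc/letsencrypt/renewal-hooks/deploy/` (or passed via `--deploy-hook`), certbot runs it after every successful renewal, which covers 1.2; invoking it once by hand with the live directory as argument covers the initial copy in 1.1. One caveat for 2.1: if trojan runs as a non-root user, which is why the key is handed to that user above, `CapabilityBoundingSet=` only limits which capabilities the process may hold; for it to actually bind port 443 the unit also needs `AmbientCapabilities=CAP_NET_BIND_SERVICE`.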