## Context

The base role's UFW task loops over `allowed_ports` from group_vars. The landing group vars only lists `trojan_port` (443). Let's Encrypt's HTTP-01 challenge serves a token on port 80, which certbot uses in standalone mode to prove domain ownership.

## Goals / Non-Goals

**Goals:**
- Allow inbound port 80 on the landing server for Let's Encrypt HTTP-01 challenge

**Non-Goals:**
- No changes to certbot or trojan role configuration

## Decisions

Add port 80 to `allowed_ports` in `group_vars/landing.yml.example`. This is a simple UFW allow rule that lets certbot's standalone HTTP server receive the HTTP-01 challenge request.