ansible-proxy-chain/openspec/changes/archive/2026-04-22-fix-trojan-domain-undefined/proposal.md

Why

The localhost play that generates surge-client.conf references trojan_domain, trojan_port, and trojan_password, but these variables are defined in group_vars/landing.yml which only applies to hosts in the landing group. Since localhost is not in any host group, these variables are undefined, causing the playbook to fail at the template rendering step.

What Changes

• Move trojan-related variables (trojan_domain, trojan_password, trojan_port, trojan_fallback_port) from group_vars/landing.yml to group_vars/all.yml so they are available when rendering the Surge template on localhost
• Keep tls_cert_path and tls_key_path in group_vars/landing.yml since they are only needed on the landing server itself

Capabilities

New Capabilities

Modified Capabilities

Impact

• group_vars/landing.yml: loses trojan variable definitions (moved to all.yml)
• group_vars/all.yml: gains trojan variable definitions
• No change to templates/surge-client.conf.j2 or site.yml — the fix is purely in variable scope