proposal.md 1.2 KB

Why

The trojan-go service on the landing server exits immediately with status=1/FAILURE and enters an auto-restart loop. The most likely causes are: (1) the TLS certificate and key files under /etc/letsencrypt/ are not readable by the trojan service user, and (2) the systemd unit uses AmbientCapabilities without CapabilityBoundingSet, which may not properly grant CAP_NET_BIND_SERVICE to the process.

What Changes

  • Fix TLS certificate file permissions: use a certbot --deploy-hook to copy certs with correct ownership for the trojan user, and update the trojan config template to point to the copied paths
  • Add CapabilityBoundingSet=CAP_NET_BIND_SERVICE to the systemd unit alongside AmbientCapabilities
  • Add a task to copy initial cert files after the first certbot run
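A deploy hook along the lines of the first change above, written here as an added example rather than the role's own task or template; the destination directory, the service user name and the service unit name are placeholders, while `RENEWED_LINEAGE` is the variable certbot itself exports to deploy hooks. The originals under /etc/letsencrypt keep their root-only permissions; only the copies are owned by the service user, and the key copy is checked to be unreadable by anyone else.

```shell
#!/bin/sh
# Constructed certbot --deploy-hook example (not the trojan role's own code).
# DEST_DIR, CERT_USER and trojan-go.service below are assumed placeholder names.
set -eu

# copy_certs SRC_DIR DEST_DIR OWNER
#   Copies fullchain.pem and privkey.pem from a certbot lineage directory into
#   DEST_DIR, owned by OWNER; the chain is 0644, the key 0600 (owner only).
#   Files are written under a temporary name and renamed, so the service
#   never reads a half-written key mid-renewal. Returns 1 if a source is missing.
copy_certs() {
    src="$1"; dest="$2"; owner="$3"
    [ -r "$src/fullchain.pem" ] && [ -r "$src/privkey.pem" ] || return 1
    install -d -m 0750 -o "$owner" "$dest"
    install -m 0644 -o "$owner" "$src/fullchain.pem" "$dest/fullchain.pem.tmp"
    install -m 0600 -o "$owner" "$src/privkey.pem"   "$dest/privkey.pem.tmp"
    mv -f "$dest/fullchain.pem.tmp" "$dest/fullchain.pem"
    mv -f "$dest/privkey.pem.tmp"   "$dest/privkey.pem"
}

# key_is_private FILE
#   Succeeds only if FILE carries no group or world permission bits at all,
#   i.e. the fix did not degrade into a world-readable private key.
key_is_private() {
    perm=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$perm" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# When certbot invokes the hook it sets RENEWED_LINEAGE to the lineage directory
# (e.g. /etc/letsencrypt/live/<domain>); outside certbot this block is skipped.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    dest="${DEST_DIR:-/etc/trojan/certs}"
    copy_certs "$RENEWED_LINEAGE" "$dest" "${CERT_USER:-trojan}"
    key_is_private "$dest/privkey.pem"
    systemctl restart trojan-go.service
fi
```

The same script doubles as the "copy initial cert files" task if run once with `RENEWED_LINEAGE` pointed at the lineage directory after the first certbot run.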

Capabilities

New Capabilities

Modified Capabilities

  • trojan-landing: TLS certificate access and systemd capability configuration must allow the trojan service to start successfully

Impact

  • roles/trojan/templates/trojan.service.j2 — add CapabilityBoundingSet
  • roles/trojan/tasks/main.yml — add cert file copy tasks, update deploy-hook
  • roles/trojan/templates/trojan-config.json.j2 — update cert/key paths to copied locations