MODIFIED Requirements
Requirement: TLS certificate is provisioned via Let's Encrypt
The trojan role SHALL use certbot to obtain a TLS certificate for the landing server's domain, with automatic renewal. After provisioning or renewal, the certificate and key SHALL be copied to a trojan-owned directory (/etc/trojan-go/tls/) so the service user can read them; certbot keeps the lineage under /etc/letsencrypt with the private key readable by root only, so the service user cannot read it in place.
Scenario: Certificate provisioning
- WHEN the trojan role runs with a configured domain name
- THEN certbot obtains a TLS certificate for that domain
- THEN the certificate and key are copied to /etc/trojan-go/tls/ owned by the trojan user
Scenario: Certificate auto-renewal
- WHEN the certificate is within 30 days of expiry
- THEN certbot renews it automatically via systemd timer or cron
- THEN a deploy-hook copies the renewed certs to /etc/trojan-go/tls/
- THEN the Trojan service is reloaded after renewal (or restarted, if the binary cannot re-read its certificate while running)
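The provisioning and renewal scenarios above both end in the same step: certbot hands a renewed lineage to a deploy hook, the hook copies the files into the trojan-owned directory with safe permissions, and the service is told to pick them up. The script below is an added example of such a hook; it is not the role's own code. It relies only on what certbot guarantees (deploy hooks run with RENEWED_LINEAGE set to the lineage's live directory); the variable names TROJAN_TLS_DIR, TROJAN_USER and TROJAN_RELOAD_CMD, the user name trojan and the unit name trojan-go.service are assumptions for the example.

```shell
#!/bin/sh
# Certbot deploy hook for the trojan role (added example, not the role's own code).
# certbot runs deploy hooks with RENEWED_LINEAGE set to the lineage's live
# directory, e.g. /etc/letsencrypt/live/example.com. The TROJAN_* names, the
# user "trojan" and the unit name trojan-go.service are assumptions here.
set -eu

TROJAN_TLS_DIR="${TROJAN_TLS_DIR:-/etc/trojan-go/tls}"
TROJAN_USER="${TROJAN_USER:-trojan}"
# reload-or-restart reloads when the unit defines ExecReload and restarts
# otherwise, so the hook works whether or not the binary can re-read its cert.
TROJAN_RELOAD_CMD="${TROJAN_RELOAD_CMD:-systemctl reload-or-restart trojan-go.service}"

# file_mode PATH -> permission bits in octal (GNU stat, BSD stat as fallback)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# copy_certs LINEAGE_DIR DEST_DIR OWNER
# Copies fullchain.pem and privkey.pem out of a certbot lineage directory into
# DEST_DIR owned by OWNER. The chain is public and may be world-readable; the
# key is readable by OWNER only. Files are staged under a temporary name and
# renamed into place so the service never opens a half-written key. Returns 1
# without touching DEST_DIR if either file is missing.
copy_certs() {
    lineage="$1" dest="$2" owner="$3"
    group="$(id -gn "$owner")"
    for f in fullchain.pem privkey.pem; do
        if [ ! -f "$lineage/$f" ]; then
            echo "copy_certs: $lineage/$f missing, refusing to deploy" >&2
            return 1
        fi
    done
    install -d -m 0750 -o "$owner" -g "$group" "$dest"
    install -m 0644 -o "$owner" -g "$group" "$lineage/fullchain.pem" "$dest/.fullchain.pem.tmp"
    install -m 0600 -o "$owner" -g "$group" "$lineage/privkey.pem"   "$dest/.privkey.pem.tmp"
    mv -f "$dest/.fullchain.pem.tmp" "$dest/fullchain.pem"
    mv -f "$dest/.privkey.pem.tmp"   "$dest/privkey.pem"
}

# key_is_private PATH -> succeeds only if the key is readable by its owner alone
key_is_private() {
    [ "$(file_mode "$1")" = "600" ]
}

# Hook entry point. It only runs when certbot invokes the script (RENEWED_LINEAGE
# is set), so the file can also be sourced for testing without touching the host.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    copy_certs "$RENEWED_LINEAGE" "$TROJAN_TLS_DIR" "$TROJAN_USER"
    key_is_private "$TROJAN_TLS_DIR/privkey.pem"
    $TROJAN_RELOAD_CMD
fi
```

Installed executable as /etc/letsencrypt/renewal-hooks/deploy/trojan-go, the script runs after every successful renewal performed by certbot's own timer (the distribution's certbot.timer, which calls `certbot renew` and only renews lineages within 30 days of expiry). Passing the same path to `certbot certonly --deploy-hook` on first issuance also runs it for the initial certificate. Note that `--standalone` needs port 80 free for the HTTP-01 challenge; if the landing web server already owns that port, use `--webroot` instead. The chown calls in `install` require root, which is how certbot runs the hook; the test below runs the copy as the current user.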
Requirement: Trojan runs as a systemd service
The trojan role SHALL create a systemd unit file for Trojan and ensure it is enabled and started. The unit SHALL include both AmbientCapabilities and CapabilityBoundingSet for CAP_NET_BIND_SERVICE: the ambient set is what lets the non-root process bind port 443, and a capability that is absent from the bounding set cannot be added to the inheritable set and therefore cannot be granted as an ambient capability.
Scenario: Service is running
- WHEN the trojan role completes
- THEN the Trojan systemd service is enabled and running
- THEN the service runs under a dedicated non-root user with CAP_NET_BIND_SERVICE for port 443
- THEN the trojan user can read the TLS certificate and key files from /etc/trojan-go/tls/
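A unit that satisfies the requirement above, as an added example rather than the role's own template. The user name trojan, the binary path /usr/local/bin/trojan-go, the config path /etc/trojan-go/config.json and the hardening directives beyond the two capability lines are assumptions for the example.

```ini
# /etc/systemd/system/trojan-go.service  (added example, not the role's own unit;
# binary path, config path and user name are assumptions)
[Unit]
Description=trojan-go proxy
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=trojan
Group=trojan
ExecStart=/usr/local/bin/trojan-go -config /etc/trojan-go/config.json
Restart=on-failure
RestartSec=5s

# Binding port 443 as a non-root user needs CAP_NET_BIND_SERVICE. The ambient
# set grants it to the process at exec; the bounding set must also contain it,
# otherwise the grant is refused.
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE

# Hardening (assumed safe for this service; verify against the journal before
# tightening further). Ambient capabilities survive NoNewPrivileges, unlike
# file capabilities, which is one reason to prefer them here.
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true

[Install]
WantedBy=multi-user.target
```

After `systemctl daemon-reload && systemctl enable --now trojan-go.service`, the scenario can be checked with `systemctl show -p User,AmbientCapabilities,CapabilityBoundingSet trojan-go.service`, which prints the effective settings, and with `ss -ltnp` to confirm the :443 listener belongs to a trojan-go process running as the trojan user. Reading the key as that user (`sudo -u trojan head -c 1 /etc/trojan-go/tls/privkey.pem`) verifies the last THEN without exposing the key contents.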