spec.md 1.5 KB
MODIFIED Requirements
Requirement: TLS certificate is provisioned via Let's Encrypt
The trojan role SHALL use certbot to obtain a TLS certificate for the landing server's domain, with automatic renewal. After provisioning or renewal, the certificate and key SHALL be copied to a trojan-owned directory (/etc/trojan-go/tls/) so the service user can read them.
Scenario: Certificate provisioning
- WHEN the trojan role runs with a configured domain name
- THEN certbot obtains a TLS certificate for that domain
- THEN the certificate and key are copied to
/etc/trojan-go/tls/owned by the trojan user
Scenario: Certificate auto-renewal
- WHEN the certificate is within 30 days of expiry
- THEN certbot renews it automatically via systemd timer or cron
- THEN a deploy-hook copies the renewed certs to
/etc/trojan-go/tls/ - THEN the Trojan service is reloaded after renewal
Requirement: Trojan runs as a systemd service
The trojan role SHALL create a systemd unit file for Trojan and ensure it is enabled and started. The unit SHALL include both AmbientCapabilities and CapabilityBoundingSet for CAP_NET_BIND_SERVICE.
Scenario: Service is running
- WHEN the trojan role completes
- THEN the Trojan systemd service is enabled and running
- THEN the service runs under a dedicated non-root user with
CAP_NET_BIND_SERVICEfor port 443 - THEN the trojan user can read the TLS certificate and key files from
/etc/trojan-go/tls/