tasks.md

1. Fix TLS certificate access

  • 1.1 Add task to copy initial cert files to /etc/trojan-go/tls/ after certbot obtains the certificate
  • 1.2 Update certbot renewal hook to copy certs and reload trojan after renewal
  • 1.3 Update trojan-config.json.j2 to use /etc/trojan-go/tls/ for cert and key paths
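
A sketch of the copy step behind tasks 1.1 and 1.2, written as a certbot deploy hook. This is an added example, not the project's own script. `RENEWED_LINEAGE` is the variable certbot exports to deploy hooks; the function name, the `cert.pem`/`key.pem` file names and the `TROJAN_CERT_OWNER`/`TROJAN_TLS_DIR` variables are assumptions, and the unit name `trojan` is inferred from `trojan.service.j2`.

```shell
#!/bin/sh
# Added example (not from the project): install the renewed pair where the service can read it.
# Assumed names: cert.pem, key.pem, TROJAN_CERT_OWNER, TROJAN_TLS_DIR.

install_trojan_certs() {
    src=$1                        # lineage dir holding fullchain.pem and privkey.pem
    dst=$2                        # directory the service reads (/etc/trojan-go/tls in 1.3)
    owner=${TROJAN_CERT_OWNER:-}  # optional "user:group", e.g. root plus the service group

    # Refuse a partial lineage so a working cert/key pair is never half-replaced.
    for f in fullchain.pem privkey.pem; do
        [ -s "$src/$f" ] || { echo "missing or empty: $src/$f" >&2; return 1; }
    done

    umask 077
    mkdir -p "$dst" || return 1
    chmod 0750 "$dst" || return 1
    [ -z "$owner" ] || chown "$owner" "$dst" || return 1

    # Write to a temp file in the same directory, then rename: the service never
    # reads a truncated file, and mktemp creates the file 0600 before the key lands.
    copy_one() {
        tmp=$(mktemp "$dst/.tmp.XXXXXX") || return 1
        cat "$1" > "$tmp" && chmod "$3" "$tmp" || { rm -f "$tmp"; return 1; }
        if [ -n "$owner" ]; then chown "$owner" "$tmp" || { rm -f "$tmp"; return 1; }; fi
        mv -f "$tmp" "$dst/$2"
    }
    copy_one "$src/fullchain.pem" cert.pem 0644 || return 1
    copy_one "$src/privkey.pem"   key.pem  0640 || return 1
}

# Runs only when certbot invokes the hook, i.e. when RENEWED_LINEAGE is set.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_trojan_certs "$RENEWED_LINEAGE" "${TROJAN_TLS_DIR:-/etc/trojan-go/tls}" || exit 1
    # try-reload-or-restart does nothing if the unit is not running yet.
    systemctl try-reload-or-restart trojan
fi
```

The same function covers the initial copy in 1.1 when called with the lineage directory certbot created for the domain.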

2. Fix systemd capabilities

  • 2.1 Add CapabilityBoundingSet=CAP_NET_BIND_SERVICE to trojan.service.j2

3. Verify

  • 3.1 Run ansible-playbook site.yml --syntax-check to confirm playbook parses