Context

The base role's UFW task loops over allowed_ports from group_vars. The landing group vars file lists only trojan_port (443). Let's Encrypt's HTTP-01 challenge serves a token on port 80, which certbot uses in standalone mode to prove domain ownership.

Goals / Non-Goals

Goals:

  • Allow inbound port 80 on the landing server for Let's Encrypt HTTP-01 challenge

Non-Goals:

  • No changes to certbot or trojan role configuration

Decisions

Add port 80 to allowed_ports in group_vars/landing.yml.example. This is a simple UFW allow rule that lets certbot's standalone HTTP server receive the HTTP-01 challenge request.
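As an added illustration (not code from the original design note or from the repository it describes), the group_vars file after the change and a UFW task of the kind the base role is described as looping over. Only the names allowed_ports, trojan_port and the file path group_vars/landing.yml.example come from the note; the task file path, the module choice and the use of a Jinja reference for the trojan port are assumptions about the role's layout.

```yaml
# group_vars/landing.yml.example (assumed layout; variable names from the design note)
trojan_port: 443

allowed_ports:
  - "{{ trojan_port }}"   # trojan inbound
  - 80                    # Let's Encrypt HTTP-01 challenge (certbot standalone)

---
# roles/base/tasks/ufw.yml (hypothetical task illustrating the loop the note refers to)
- name: Allow inbound TCP on each port listed in allowed_ports
  community.general.ufw:
    rule: allow
    port: "{{ item }}"
    proto: tcp
  loop: "{{ allowed_ports }}"
```

Two points worth keeping in mind when reviewing this change: the rule is permanent, so port 80 stays reachable between renewals even though the challenge only needs it while certbot runs; and certbot in standalone mode binds port 80 itself, so no other service on the landing host may listen there or the challenge will fail.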