## MODIFIED Requirements

### Requirement: TLS certificate is provisioned via Let's Encrypt

The trojan role SHALL use certbot to obtain a TLS certificate for the domain configured on each individual host. The trojan role SHALL ensure port 80 is allowed through UFW before attempting certificate provisioning. After provisioning or renewal, the certificate and key SHALL be copied to `/etc/trojan-go/tls/` so the service user can read them.

#### Scenario: Certificate provisioning with UFW allowing port 80

- **WHEN** the trojan role runs on a host with `trojan_domain` configured
- **THEN** port 80 is allowed through UFW before certbot attempts ACME validation
- **THEN** certbot obtains a TLS certificate for the configured domain
- **THEN** the certificate and key are copied to `/etc/trojan-go/tls/` owned by the trojan service user

#### Scenario: Certificate provisioning on a second host with different domain

- **WHEN** the trojan role runs on a host with `trojan_domain: "proxy2.example.com"`
- **THEN** certbot obtains a TLS certificate for `proxy2.example.com`
- **THEN** the certificate is independent from other hosts

#### Scenario: Certificate auto-renewal

- **WHEN** the certificate is within 30 days of expiry
- **THEN** certbot renews it automatically
- **THEN** a deploy-hook copies the renewed certs to `/etc/trojan-go/tls/`
- **THEN** the Trojan service is reloaded after renewal
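The deploy-hook behaviour in the provisioning and auto-renewal scenarios, as an added example that is not the trojan role's own code: a certbot deploy hook that copies a renewed lineage into `/etc/trojan-go/tls/`, leaves the private key readable only by the service user, and reloads the service. certbot exports `RENEWED_LINEAGE` (the `/etc/letsencrypt/live/<domain>` directory) when it invokes a deploy hook; the service user name `trojan` and the unit name `trojan-go` are assumptions, not values from the spec, and can be overridden through environment variables. The hook refuses to install a certificate whose public key does not match the private key, so a half-written lineage never reaches the service.

```shell
#!/bin/sh
# Added example deploy hook (not the trojan role's own code).
# Install as /etc/letsencrypt/renewal-hooks/deploy/trojan-go.sh, or pass it to
# certbot with --deploy-hook, so it runs after every successful renewal.
# Assumptions (not from the spec): service user "trojan", systemd unit "trojan-go".
set -eu

TROJAN_TLS_DIR="${TROJAN_TLS_DIR:-/etc/trojan-go/tls}"
TROJAN_TLS_OWNER="${TROJAN_TLS_OWNER:-trojan}"                         # assumed service user
TROJAN_RELOAD_CMD="${TROJAN_RELOAD_CMD:-systemctl reload trojan-go}"   # assumed unit name

# cert_matches_key CERT KEY
# Returns 0 when the certificate's public key equals the private key's public key.
# The check is skipped (returns 0) when openssl is not installed.
cert_matches_key() {
    cert="$1"; key="$2"
    command -v openssl >/dev/null 2>&1 || return 0
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# install_trojan_certs LINEAGE_DIR DEST_DIR OWNER RELOAD_CMD
# Copies fullchain.pem and privkey.pem from the certbot lineage into DEST_DIR
# with an atomic rename, chowns them to OWNER (key mode 0600, chain 0644),
# then runs RELOAD_CMD. On any inconsistency nothing is installed and no reload runs.
install_trojan_certs() {
    lineage="$1"; dest="$2"; owner="$3"; reload_cmd="$4"
    cert="$lineage/fullchain.pem"; key="$lineage/privkey.pem"
    [ -s "$cert" ] && [ -s "$key" ] || { echo "missing cert or key in $lineage" >&2; return 1; }
    cert_matches_key "$cert" "$key" || { echo "cert/key mismatch in $lineage" >&2; return 1; }
    mkdir -p "$dest"
    chmod 0750 "$dest"
    # Stage in the destination directory so the final mv is an atomic rename.
    tmp_cert=$(mktemp "$dest/.fullchain.XXXXXX")
    tmp_key=$(mktemp "$dest/.privkey.XXXXXX")
    cp "$cert" "$tmp_cert"
    cp "$key" "$tmp_key"
    chmod 0644 "$tmp_cert"
    chmod 0600 "$tmp_key"
    chown "$owner" "$tmp_cert" "$tmp_key"
    mv "$tmp_cert" "$dest/fullchain.pem"
    mv "$tmp_key" "$dest/privkey.pem"
    sh -c "$reload_cmd"
}

# certbot sets RENEWED_LINEAGE when calling the hook; when the file is merely
# sourced (for example by a test) nothing runs.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_trojan_certs "$RENEWED_LINEAGE" "$TROJAN_TLS_DIR" "$TROJAN_TLS_OWNER" "$TROJAN_RELOAD_CMD"
fi
```

Because the hook lives in certbot's `renewal-hooks/deploy` directory, the same script serves the first provisioning (`certbot certonly --standalone -d "$trojan_domain"`) and every later renewal, which is what keeps the copy in `/etc/trojan-go/tls/` in step with the lineage on each host independently.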