MODIFIED Requirements
Requirement: TLS certificate is provisioned via Let's Encrypt
The trojan role SHALL use certbot to obtain a TLS certificate for the trojan_domain configured on each individual host. After provisioning or renewal, the certificate chain and private key SHALL be copied to /etc/trojan-go/tls/, owned by the trojan service user with the private key readable only by that user, so the service can load them without access to /etc/letsencrypt/.
Scenario: Certificate provisioning with per-host domain
- WHEN the trojan role runs on a host with trojan_domain: "proxy1.example.com"
- THEN certbot obtains a TLS certificate for proxy1.example.com
- THEN the certificate and key are copied to /etc/trojan-go/tls/ owned by the trojan service user
Scenario: Certificate provisioning on a second host with different domain
- WHEN the trojan role runs on a host with trojan_domain: "proxy2.example.com"
- THEN certbot obtains a TLS certificate for proxy2.example.com
- THEN the certificate is independent from those of other hosts
Scenario: Certificate auto-renewal
- WHEN the certificate is within 30 days of expiry (certbot's default renewal window)
- THEN certbot renews it automatically
- THEN a deploy-hook copies the renewed certificate and key to /etc/trojan-go/tls/ with the same ownership and permissions as on first provisioning
- THEN the trojan-go service is restarted (or reloaded, where the service supports it) so it serves the renewed certificate rather than the expiring one
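The deploy-hook and the post-copy check, as an added example that is not part of the trojan role or of certbot. It assumes (none of this is stated above) that the service user and systemd unit are both named trojan-go, that the files are installed as fullchain.pem and privkey.pem, and that the hook is registered with certbot's --deploy-hook option, under which certbot exports RENEWED_LINEAGE and RENEWED_DOMAINS to the hook. Besides copying, it verifies that the installed leaf certificate actually lists the host's domain, that it matches the installed private key, and that it is not already inside the 30-day renewal window, which catches a hook that copied from the wrong lineage before trojan-go is restarted onto a bad pair:

```shell
#!/bin/sh
# Added example (not the trojan role's own code): certbot deploy hook that
# installs a renewed lineage into the trojan-go TLS directory with
# least-privilege ownership, verifies the result, and restarts the service.
# Assumed names: user trojan-go, unit trojan-go.service, files
# fullchain.pem / privkey.pem (all hypothetical, not from the spec).
set -eu

TLS_DIR="${TLS_DIR:-/etc/trojan-go/tls}"
TROJAN_USER="${TROJAN_USER:-trojan-go}"
RESTART_CMD="${RESTART_CMD:-systemctl restart trojan-go}"

# install_certs SRC_DIR DEST_DIR OWNER
# Copies fullchain.pem and privkey.pem from a certbot lineage directory
# (what certbot passes as $RENEWED_LINEAGE) into DEST_DIR. Each file is
# written under umask 077 to a temp name and renamed into place, so the
# service never reads a half-written file and the key is never readable
# by other users at any point. Final modes: dir 0750, chain 0644, key 0600.
install_certs() {
    src="$1"; dst="$2"; owner="$3"
    [ -r "$src/fullchain.pem" ] && [ -r "$src/privkey.pem" ] || {
        echo "install_certs: missing fullchain.pem or privkey.pem in $src" >&2
        return 1
    }
    mkdir -p "$dst"
    chown "$owner" "$dst"
    chmod 0750 "$dst"
    for f in fullchain.pem privkey.pem; do
        (umask 077; cp "$src/$f" "$dst/.$f.tmp")
        chown "$owner" "$dst/.$f.tmp"
        mv -f "$dst/.$f.tmp" "$dst/$f"
    done
    chmod 0644 "$dst/fullchain.pem"
    chmod 0600 "$dst/privkey.pem"
}

# verify_installed DEST_DIR DOMAIN
# Succeeds only if the installed leaf certificate carries DOMAIN as a DNS
# SAN, its public key matches privkey.pem, and it will not expire within
# 30 days (2592000 s), i.e. it is not already due for renewal.
verify_installed() {
    dst="$1"; domain="$2"
    cert="$dst/fullchain.pem"; key="$dst/privkey.pem"
    # escape dots so the domain is matched literally, not as a regex wildcard
    dom_re=$(printf '%s' "$domain" | sed 's/\./\\./g')
    openssl x509 -in "$cert" -noout -ext subjectAltName \
        | tr ',' '\n' | grep -qx ".*DNS:$dom_re" || {
        echo "verify: $cert does not cover $domain" >&2; return 1; }
    [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] || {
        echo "verify: privkey.pem does not match fullchain.pem" >&2; return 1; }
    openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null || {
        echo "verify: certificate expires within 30 days" >&2; return 1; }
}

# Hook entry point: certbot sets RENEWED_LINEAGE (the live/ directory just
# renewed) and RENEWED_DOMAINS (space-separated). Nothing runs when the
# script is merely sourced, so the functions can be exercised on their own.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_certs "$RENEWED_LINEAGE" "$TLS_DIR" "$TROJAN_USER"
    set -- ${RENEWED_DOMAINS:-}
    verify_installed "$TLS_DIR" "$1"
    $RESTART_CMD   # unquoted on purpose: the command is a word list
fi
```

Registering the hook once at provisioning time, for example certbot certonly --standalone -d "$trojan_domain" -m "$certbot_email" --agree-tos -n --deploy-hook /path/to/this-script, makes certbot persist it in the lineage's renewal config, so the same script runs after every automatic renewal. Because verify_installed runs before the restart, a failed check leaves the old, still-valid files in place and the hook exits non-zero, which certbot reports.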
ADDED Requirements
Requirement: Trojan domain is configured per-host
Each host in the trojan group SHALL define its own trojan_domain and certbot_email variables in the inventory. The trojan role SHALL fail early, before running certbot, with an error that names the missing variable if a host lacks either of them.
Scenario: Host defines its own domain
- WHEN a host in inventory has trojan_domain: "proxy.example.com" and certbot_email: "admin@example.com"
- THEN the trojan role uses these values for that host
Scenario: Host missing domain variable
- WHEN a host in the trojan group does not define trojan_domain
- THEN the playbook fails with an error indicating the missing variable
Scenario: Inventory example shows per-host domain configuration
- WHEN the user inspects inventory/hosts.yml.example
- THEN it contains per-host trojan_domain and certbot_email examples