ansible-proxy/roles/trojan/tasks/main.yml

---
- name: Assert trojan_domain is configured for this host
  ansible.builtin.assert:
    that:
      - trojan_domain is defined and trojan_domain | length > 0
      - certbot_email is defined and certbot_email | length > 0
    fail_msg: "trojan_domain and certbot_email must be defined for each host in the trojan group. Set them in inventory/hosts.yml."

- name: Create trojan service user
  ansible.builtin.user:
    name: "{{ trojan_user }}"
    system: yes
    shell: /usr/sbin/nologin
    create_home: no

- name: Create trojan config directory
  ansible.builtin.file:
    path: "{{ trojan_config_path | dirname }}"
    state: directory
    owner: "{{ trojan_user }}"
    group: "{{ trojan_user }}"
    mode: "0750"

- name: Download trojan-go binary
  ansible.builtin.get_url:
    url: "https://github.com/p4gefau1t/trojan-go/releases/download/v{{ trojan_version }}/trojan-go-linux-amd64.zip"
    dest: /tmp/trojan-go.zip
    mode: "0644"

- name: Create extraction directory
  ansible.builtin.file:
    path: /tmp/trojan-go-extract/
    state: directory
    mode: "0755"

- name: Extract trojan-go binary
  ansible.builtin.unarchive:
    src: /tmp/trojan-go.zip
    dest: /tmp/trojan-go-extract/
    remote_src: yes
    creates: /tmp/trojan-go-extract/trojan-go

- name: Install trojan-go binary
  ansible.builtin.copy:
    src: /tmp/trojan-go-extract/trojan-go
    dest: "{{ trojan_bin_path }}"
    remote_src: yes
    owner: root
    group: root
    mode: "0755"
  notify: restart trojan

- name: Grant CAP_NET_BIND_SERVICE to trojan-go
  community.general.capabilities:
    path: "{{ trojan_bin_path }}"
    capability: cap_net_bind_service=+ep
    state: present

- name: Clean up downloaded archive
  ansible.builtin.file:
    path: "{{ item }}"
    state: absent
  loop:
    - /tmp/trojan-go.zip
    - /tmp/trojan-go-extract

- name: Install certbot
  ansible.builtin.apt:
    name:
      - certbot
    state: present

- name: Obtain Let's Encrypt certificate
  ansible.builtin.command:
    cmd: >
      certbot certonly --standalone
      --non-interactive --agree-tos
      --email {{ certbot_email }}
      -d {{ trojan_domain }}
    creates: "/etc/letsencrypt/live/{{ trojan_domain }}/fullchain.pem"

- name: Grant trojan user read access to TLS certificates
  ansible.builtin.file:
    path: /etc/letsencrypt
    state: directory
    mode: "0755"

- name: Ensure live directory is accessible
  ansible.builtin.file:
    path: "/etc/letsencrypt/live/{{ trojan_domain }}"
    state: directory
    mode: "0755"

- name: Ensure archive directory is accessible
  ansible.builtin.file:
    path: "/etc/letsencrypt/archive/{{ trojan_domain }}"
    state: directory
    mode: "0755"

- name: Deploy certbot renewal hook for trojan
  ansible.builtin.copy:
    dest: /etc/letsencrypt/renewal-hooks/post/trojan-go.sh
    content: |
      #!/bin/bash
      mkdir -p /etc/trojan-go/tls
      cp /etc/letsencrypt/live/{{ trojan_domain }}/fullchain.pem /etc/trojan-go/tls/fullchain.pem
      cp /etc/letsencrypt/live/{{ trojan_domain }}/privkey.pem /etc/trojan-go/tls/privkey.pem
      chown -R {{ trojan_user }}:{{ trojan_user }} /etc/trojan-go/tls
      systemctl reload trojan-go
    owner: root
    group: root
    mode: "0755"

- name: Copy initial TLS certificates to trojan-owned directory
  ansible.builtin.shell: |
    mkdir -p /etc/trojan-go/tls
    cp /etc/letsencrypt/live/{{ trojan_domain }}/fullchain.pem /etc/trojan-go/tls/fullchain.pem
    cp /etc/letsencrypt/live/{{ trojan_domain }}/privkey.pem /etc/trojan-go/tls/privkey.pem
    chown -R {{ trojan_user }}:{{ trojan_user }} /etc/trojan-go/tls
  args:
    creates: /etc/trojan-go/tls/privkey.pem
  notify: restart trojan

- name: Deploy trojan-go configuration
  ansible.builtin.template:
    src: config.json.j2
    dest: "{{ trojan_config_path }}"
    owner: "{{ trojan_user }}"
    group: "{{ trojan_user }}"
    mode: "0640"
  notify: restart trojan

- name: Deploy trojan-go systemd unit
  ansible.builtin.template:
    src: trojan-go.service.j2
    dest: /etc/systemd/system/trojan-go.service
    owner: root
    group: root
    mode: "0644"
  notify: restart trojan

- name: Install nginx for Trojan fallback
  ansible.builtin.apt:
    name:
      - nginx
    state: present

- name: Deploy nginx fallback config
  ansible.builtin.template:
    src: nginx-fallback.conf.j2
    dest: /etc/nginx/conf.d/trojan-fallback.conf
    owner: root
    group: root
    mode: "0644"
  notify: restart nginx

- name: Create fallback web root
  ansible.builtin.file:
    path: /var/www/trojan-fallback
    state: directory
    owner: www-data
    group: www-data
    mode: "0755"

- name: Deploy fallback index page
  ansible.builtin.copy:
    content: |
      <!DOCTYPE html>
      <html>
      <head><title>Welcome</title></head>
      <body><h1>Welcome</h1></body>
      </html>
    dest: /var/www/trojan-fallback/index.html
    owner: www-data
    group: www-data
    mode: "0644"
  notify: restart nginx

- name: Remove default nginx site
  ansible.builtin.file:
    path: /etc/nginx/sites-enabled/default
    state: absent
  notify: restart nginx

- name: Enable and start nginx
  ansible.builtin.systemd:
    name: nginx
    enabled: yes
    state: started

- name: Enable and start trojan-go service
  ansible.builtin.systemd:
    name: trojan-go
    daemon_reload: yes
    enabled: yes
    state: started

- name: Enable certbot auto-renewal timer
  ansible.builtin.systemd:
    name: certbot.timer
    enabled: yes
    state: started

- name: Allow Trojan port through UFW
  community.general.ufw:
    rule: allow
    port: "{{ trojan_port }}"
    proto: tcp