Implement SIGHUP certificate reloading for Let's Encrypt

- Add tokio signal handling for SIGHUP
- Implement thread-safe TLS acceptor reloading with Mutex
- Modify main loop to handle signals alongside connections
- Update systemd service (already had ExecReload)
- Add certbot hook script documentation to INSTALL.md
- Enable zero-downtime certificate renewal support

dist/INSTALL.md

@@ -200,6 +200,41 @@ See `config.toml` for all available options. Key settings:
 - `max_concurrent_requests`: Connection limit
 - `log_level`: Logging verbosity
 
+## Certificate Management
+
+The server supports automatic certificate reloading via SIGHUP signals.
+
+### Let's Encrypt Integration
+
+For automatic certificate renewal with certbot:
+
+```bash
+# Create post-renewal hook
+sudo tee /etc/letsencrypt/renewal-hooks/post/reload-pollux.sh > /dev/null << 'EOF'
+#!/bin/bash
+# Reload Pollux after Let's Encrypt certificate renewal
+
+systemctl reload pollux
+logger -t certbot-pollux-reload "Reloaded pollux after certificate renewal"
+EOF
+
+# Make it executable
+sudo chmod +x /etc/letsencrypt/renewal-hooks/post/reload-pollux.sh
+
+# Test the hook
+sudo /etc/letsencrypt/renewal-hooks/post/reload-pollux.sh
+```
+
+### Manual Certificate Reload
+
+```bash
+# Reload certificates without restarting
+sudo systemctl reload pollux
+
+# Check reload in logs
+sudo journalctl -u pollux -f
+```
+
 ## Upgrading
 
 ```bash

dist/pollux.service

@@ -15,6 +15,8 @@ NoNewPrivileges=yes
 ProtectHome=yes
 ProtectSystem=strict
 ReadOnlyPaths=/etc/pollux /etc/letsencrypt/live/example.com /var/www/example.com
+# NOTE: Adjust /etc/letsencrypt/live/example.com and /var/www/example.com to match your config
+# The server needs read access to config, certificates, and content files
 # NOTE: Adjust paths to match your config:
 # - /etc/letsencrypt/live/example.com for Let's Encrypt certs
 # - /var/www/example.com for your content root