Implement SIGHUP certificate reloading for Let's Encrypt

- Add tokio signal handling for SIGHUP - Implement thread-safe TLS acceptor reloading with Mutex - Modify main loop to handle signals alongside connections - Update systemd service (already had ExecReload) - Add certbot hook script documentation to INSTALL.md - Enable zero-downtime certificate renewal support
2026-01-16 13:05:20 +00:00 · 2026-01-16 13:05:20 +00:00 · caf9d0984f
commit caf9d0984f
parent ea8083fe1f
3 changed files with 102 additions and 14 deletions
--- a/dist/INSTALL.md
+++ b/dist/INSTALL.md
@ -200,6 +200,41 @@ See `config.toml` for all available options. Key settings:
 - `max_concurrent_requests`: Connection limit
 - `log_level`: Logging verbosity

+## Certificate Management
+
+The server supports automatic certificate reloading via SIGHUP signals.
+
+### Let's Encrypt Integration
+
+For automatic certificate renewal with certbot:
+
+```bash
+# Create post-renewal hook
+sudo tee /etc/letsencrypt/renewal-hooks/post/reload-pollux.sh > /dev/null << 'EOF'
+#!/bin/bash
+# Reload Pollux after Let's Encrypt certificate renewal
+
+systemctl reload pollux
+logger -t certbot-pollux-reload "Reloaded pollux after certificate renewal"
+EOF
+
+# Make it executable
+sudo chmod +x /etc/letsencrypt/renewal-hooks/post/reload-pollux.sh
+
+# Test the hook
+sudo /etc/letsencrypt/renewal-hooks/post/reload-pollux.sh
+```
+
+### Manual Certificate Reload
+
+```bash
+# Reload certificates without restarting
+sudo systemctl reload pollux
+
+# Check reload in logs
+sudo journalctl -u pollux -f
+```
+
 ## Upgrading

 ```bash