[Feature] Headscale TLS reload on SIGHUP

[racterub]

Use case

I have a pipeline dedicated to manage all of my certificate and deploy to remote serve via ansible.
Headscale then uses the deployed certificate with tls_cert_path and tls_key_path.

Description

Headscale currently only reload ACL when receiving SIGHUP as normally certificate should also be reloaded (e.g. nginx).
This causes that whenever my certificate is renewed, new certificate does not served by headscale.

Contribution

• I can write the design doc for this feature
• I can contribute this feature

How can it be implemented?

Adjust the TLSConfig when using "Bring your own certficate" to use GetCertificate callback function. [ref]
Similiar implementation can also be seen in autocert [ref]

Ideally we also need to take good care about the ongoing connections with old certificate?

[roock]

I'm having the exact same use case and would like to see this feature too!

(To be honest I think this functionality might have been present at some point in the past. We've noticed this issue in the last 2-3 months, but we are using headscale with the same (external) cert renewal functionality since mid of 2024.)