config: Reload TLS server certificates once in a minute

Use of inotify and possibly other mechanisms poses portability risks.
Notably, "cross-platform" abstractions such as fsnotify library remove
access to certain features that are important to use it correctly in
some cases e.g. it is preferable to listen only for IN_CLOSE_WRITE on
Linux instead of IN_MODIFY to prevent races and unexpected failures.

Pooling approach avoids such problems by either running reload code at a
different time than actual renewal or retrying later if parse fails.
With certificates being renewed before expiry (e.g. 1 week before) delay
is not a signficiant problem.

Closes #160.

docs/tutorials/setting-up.md

@@ -71,17 +71,9 @@ You still need to make keys readable for maddy, though:
 $ sudo setfacl -R -m u:maddy:rX /etc/letsencrypt/{live,archive}
 ```
 
-Additionally, it is a good idea to automatically restart
-maddy on certificate renewal.
-Put that into /etc/letsencrypt/renewal-hooks/post/restart:
-```shell
-#!/bin/bash
-systemctl restart maddy
-```
-And make it executable:
-```
-$ sudo chmod +x /etc/letsencrypt/renewal-hooks/post/restart
-```
+maddy reloads TLS certificates from disk once in a minute so it will notice
+renewal. It is possible to force reload via `systemctl reload maddy` (or just
+`killall -USR2 maddy`).
 
 ## First run