Terminate TLS at the app level

Kind of builds on #68 with secret reload.

It would be nice to be able to encrypt communications all the way to the application. This would allow doing e2e in-transit encryption and e2e http/2 or http/3.

I don't think the app needs to manage certificate request and renewal (leave this to certbot, acme.sh, lego, step or other), but it should be able to reload the tls key and cert when receiving a SIGHUP signal.