Ejabberd support to Traefik's certificate-changed event

[stephdl]

Description

Use traefik to generate the default self signed certificate, like the LE certificate

Proposed solution

Introduce a certificate-changed event in ejabberd, triggered when a new certificate is deployed via get-certificate or a similar mechanism. This event should:

Allow custom hooks or modules to subscribe and act upon it (e.g., reload listeners, log, or notify admins).

Optionally trigger TLS context reloads for affected listeners without requiring a full restart.

This aligns with changes made in NethServer when upgrading to Core 3.6.0, where an event handler was added for certificate-changed to facilitate automated service updates.

Alternative solutions

Do nothing and continue to use the selfsigned certificate created by ejabberd

Additional context

This feature is already being used in production in NethServer-based systems with custom logic, and integrating it upstream would benefit a broader community.

[stephdl]

QA ejabberd

tested version ghcr.io/nethserver/ejabberd:1.0.11-dev.1

• update
  The upgrade from ejabberd:1.0.10 to ejabberd:1.0.11-dev.1 is good, the service is up and working after the upgrade

• first install
  the service is up and workable after the first configuration

Important Note

Now the certificate comes from traefik, it is a self certificate with a CN which does not match the hostname set inside Ejabberd. Some XMPP clients could complains and refuse to connect

• GAJIM refuses to connect
• PIDGIM OK
• WEBTOP OK

what to do

• go to a let's encrypt certificate in the setting of ejabberd
• upload a certificate in cluster admin that match the CN of the hostname you are using in ejabberd

[stephdl]

released as https://github.com/NethServer/ns8-ejabberd/releases/tag/1.0.11