docker: extract cert monitor from background process to systemd timer

The cert monitoring was an orphaned background process (`monitor_certificates &`)
Replace with a proper systemd timer/service (every 60s).
Also made journald ForwardToConsole=yes idempotent.

docker/files/chatmail-certmon.sh

@@ -0,0 +1,28 @@
+#!/bin/bash
+# Check if TLS certificates have changed and reload services if so.
+# Called by chatmail-certmon.timer (systemd timer, default every 60s).
+set -eo pipefail
+
+PATH_TO_SSL="${PATH_TO_SSL:-/var/lib/acme/live/${MAIL_DOMAIN}}"
+HASH_FILE="/run/chatmail-certmon.hash"
+
+if [ ! -d "$PATH_TO_SSL" ]; then
+    exit 0
+fi
+
+current_hash=$(find "$PATH_TO_SSL" -type f -exec sha1sum {} \; | sort | sha1sum | awk '{print $1}')
+previous_hash=""
+if [ -f "$HASH_FILE" ]; then
+    previous_hash=$(cat "$HASH_FILE")
+fi
+
+if [ -n "$current_hash" ] && [ "$current_hash" != "$previous_hash" ]; then
+    echo "[INFO] Certificate hash changed, reloading nginx, dovecot and postfix."
+    echo "$current_hash" > "$HASH_FILE"
+    # On first run (no previous hash), don't reload — services may not be up yet
+    if [ -n "$previous_hash" ]; then
+        systemctl reload nginx.service
+        systemctl reload dovecot.service
+        systemctl reload postfix.service
+    fi
+fi