docker: streamline overrides, rename datadirs, external TLS

docker-compose.override.yaml.example

@@ -1,37 +1,20 @@
 # Local overrides — copy to docker-compose.override.yaml in the repo root.
 # Compose automatically merges this with docker-compose.yaml.
 #
-#   cp docker/docker-compose.override.yaml.example docker-compose.override.yaml
+#   cp docker-compose.override.yaml.example docker-compose.override.yaml
 #
-# Volumes listed here are APPENDED to the base file's volumes.
-# Scalar values (environment, image, etc.) are REPLACED.
-#
-# --- External TLS certificates ---
-# Use when certs are managed outside the container (certbot, acmetool, Traefik, ...).
-# Mount the cert files and set TLS_EXTERNAL_CERT_AND_KEY to the in-container paths.
-# Changed certs are picked up automatically (inotify via tls-cert-reload.path).
-#
-# Host acmetool (bare-metal migration):
-#   volumes:  - /var/lib/acme/live:/var/lib/acme/live:ro
-#   environment:
-#     TLS_EXTERNAL_CERT_AND_KEY: "/var/lib/acme/live/${MAIL_DOMAIN}/fullchain /var/lib/acme/live/${MAIL_DOMAIN}/privkey"
-#
-# Traefik certs-dumper (see docker/docker-compose-traefik.yaml):
-#   volumes:  - traefik-certs:/certs:ro
-#   environment:
-#     TLS_EXTERNAL_CERT_AND_KEY: "/certs/${MAIL_DOMAIN}/certificate.crt /certs/${MAIL_DOMAIN}/privatekey.key"
-
+# Volumes are APPENDED to the base file's volumes list.
+# Environment and other scalar keys are MERGED by key.
 services:
   chatmail:
     volumes:
       ## Data paths — bind-mount to host directories for easy access/backup.
-      ## Uncomment and adjust paths as needed. These override the named
-      ## volumes in the base docker-compose.yaml.
-      # - ./data/chatmail:/home/vmail
-      # - ./data/chatmail-dkimkeys:/etc/dkimkeys
-      # - ./data/chatmail-acme:/var/lib/acme
+      ## These override the named volumes in the base docker-compose.yaml.
+      # - ./data/mail:/home/vmail
+      # - ./data/dkim:/etc/dkimkeys
+      # - ./data/certs:/var/lib/acme
 
-      ## Or mount data from an existing bare-metal install.
+      ## Or mount from an existing bare-metal install.
       ## Note: DKIM key ownership is fixed automatically on startup
       ## (the host's opendkim UID may differ from the container's).
       # - /home/vmail:/home/vmail
@@ -47,3 +30,16 @@ services:
       ## Debug — mount scripts from the repo for live editing:
       # - ./docker/files/setup_chatmail_docker.sh:/setup_chatmail_docker.sh
       # - ./docker/files/entrypoint.sh:/entrypoint.sh
+
+    # environment:
+      ## --- External TLS certificates ---
+      ## Mount certs (above) and set TLS_EXTERNAL_CERT_AND_KEY to in-container paths.
+      ## Changed certs are picked up automatically (inotify via tls-cert-reload.path).
+      ##
+      ## Host acmetool (bare-metal migration) — also add volume:
+      ##   - /var/lib/acme/live:/var/lib/acme/live:ro
+      # TLS_EXTERNAL_CERT_AND_KEY: "/var/lib/acme/live/${MAIL_DOMAIN}/fullchain /var/lib/acme/live/${MAIL_DOMAIN}/privkey"
+      ##
+      ## Traefik certs-dumper (see docker/docker-compose-traefik.yaml) — also add volume:
+      ##   - traefik-certs:/certs:ro
+      # TLS_EXTERNAL_CERT_AND_KEY: "/certs/${MAIL_DOMAIN}/certificate.crt /certs/${MAIL_DOMAIN}/privatekey.key"