docker: rebase again on hpk/tls-external and modify our end

Remove the custom certmon timer (polling via sha1sum every 60s),
replaced by the deployer's tls-cert-reload.path unit (inotify).

chatmail-init.sh: inject TLS_EXTERNAL_CERT_AND_KEY env var into
chatmail.ini at startup if not already present.

docker-compose.yaml: remove CMDEPLOY_STAGES, CHATMAIL_NOSYSCTL,
TLS_EXTERNAL_CERT_AND_KEY from base environment (set in init script
or via override file).
j4n
2026-02-23 17:06:19 +01:00
parent 696d07f70c
commit fa834e7737
6 changed files with 7 additions and 54 deletions

@@ -30,6 +30,13 @@ if [ ! -f "$CHATMAIL_INI" ]; then
$CMDEPLOY init --config "$CHATMAIL_INI" "$MAIL_DOMAIN"
fi
# Inject external TLS paths from env var (unless user mounted their own ini)
if [ -n "${TLS_EXTERNAL_CERT_AND_KEY:-}" ]; then
if ! grep -q '^tls_external_cert_and_key' "$CHATMAIL_INI"; then
echo "tls_external_cert_and_key = $TLS_EXTERNAL_CERT_AND_KEY" >> "$CHATMAIL_INI"
fi
fi
# --- Deploy fingerprint: skip cmdeploy run if nothing changed ---
# On restart with identical image+config, systemd already brings up all
# enabled services — the full cmdeploy run is redundant (~30s saved).
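Review bot: the inner `grep -q '^tls_external_cert_and_key'` guard only tests whether the key is already present, which mishandles two cases. A user-mounted ini that does not set the key still gets a line appended, contradicting the comment "unless user mounted their own ini". And once the line has been written, a different TLS_EXTERNAL_CERT_AND_KEY value on a later start is silently ignored, so the old paths stay in effect. Consider comparing the existing value with the env var and either rewriting the line or logging a warning on mismatch. The value is also appended unvalidated via `echo ... >> "$CHATMAIL_INI"`: a value containing a newline would add extra lines to the ini, and nothing checks that the referenced paths exist and are readable. Rejecting multi-line values and testing the paths before appending would make a bad setting fail early with a clear message.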