reverseproxy: rework cert logic

9c8f78a059 already fixed many of the cert issues.

However, some issues were caught in the CI:

* The TLS addon has to be rebuilt and not just restarted. For this reason, we now
  move things to a directory instead of mounting files. This way the container is just restarted.

* Cleanups must be driven by the database and not the filesystem . Deleting files on disk or after a restore,
  the certs are left dangling forever in the db.

* Separate the db cert logic and disk cert logic. This way we can sync as many times as we want and whenever we want.

src/blobs.js

@@ -9,6 +9,8 @@ exports = module.exports = {
     setString,
     del,
 
+    listCertIds,
+
     ACME_ACCOUNT_KEY: 'acme_account_key',
     ADDON_TURN_SECRET: 'addon_turn_secret',
     SFTP_PUBLIC_KEY: 'sftp_public_key',
@@ -16,6 +18,7 @@ exports = module.exports = {
     PROXY_AUTH_TOKEN_SECRET: 'proxy_auth_token_secret',
 
     CERT_PREFIX: 'cert',
+    CERT_SUFFIX: 'cert',
 
     _clear: clear
 };
@@ -62,3 +65,8 @@ async function del(id) {
 async function clear() {
     await database.query('DELETE FROM blobs');
 }
+
+async function listCertIds() {
+    const result = await database.query('SELECT id FROM blobs WHERE id LIKE ?', [ `${exports.CERT_PREFIX}-%.${exports.CERT_SUFFIX}` ]);
+    return result.map(r => r.id);
+}