feat: implement multi-listener TLS setup with ConnectInfo propagation
- Add server module that orchestrates the full startup sequence: parse config, init dynamic config, init shared state, bind health check, bind admin socket, bind all listener ports, load TLS config, start TCP listeners, start background tasks, signal readiness
- For each ListenerConfig: bind TCP listener, construct appropriate ServerConfig (manual or ACME via TlsMode), create TlsAcceptor
- ConnectInfo<SocketAddr> populated from TcpStream::peer_addr() BEFORE TLS wrapping via ConnectInfoService wrapper that inserts ConnectInfo into request extensions for each connection
- Per-listener axum::Router instances sharing Arc<ProxyState> via State
- Fail-fast: if any bind or TLS load fails, exit with non-zero code
- All ports bound before any connections accepted
- /health endpoint available on HTTPS listener(s) as fallback (proxy_router already includes /health route)
- sd_notify(READY=1) sent after all listeners started
- Use hyper_util for TLS connection serving with TowerToHyperService and ConnectInfoService to bridge ConnectInfo from pre-TLS peer_addr
- Add sd-notify dependency for systemd readiness notification
10
Cargo.lock
generated
@@ -1625,6 +1625,7 @@ dependencies = [
|
||||
"rustls-native-certs",
|
||||
"rustls-pemfile",
|
||||
"rustls-pki-types",
|
||||
"sd-notify",
|
||||
"serde",
|
||||
"serde_json",
|
||||
"signal-hook",
|
||||
@@ -1790,6 +1791,15 @@ version = "1.2.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"
|
||||
|
||||
[[package]]
|
||||
name = "sd-notify"
|
||||
version = "0.4.5"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "b943eadf71d8b69e661330cb0e2656e31040acf21ee7708e2c238a0ec6af2bf4"
|
||||
dependencies = [
|
||||
"libc",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "security-framework"
|
||||
version = "3.7.0"
|
||||
|
||||
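Review bot: The added `[[package]]` entry for `sd-notify` 0.4.5 brings a new third-party crate (with `libc` as its only listed dependency) into the build, but the visible diff covers only Cargo.lock, so the matching Cargo.toml requirement cannot be checked here. Please confirm the manifest change is part of this commit and that the lockfile was regenerated by cargo rather than edited by hand, so the recorded `checksum` is the one the registry serves. Building with `--locked` in CI would catch any later drift between the manifest and this entry.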