Initialize Rust project with Cargo, dependencies, and module skeleton

Set up single-binary reverse-proxy project with all core dependencies
(axum, tokio, hyper, tower, rustls, tokio-rustls, rustls-acme, serde,
toml, arc-swap, tracing, tracing-subscriber, rustls-pemfile,
rustls-pki-types, clap, signal-hook, anyhow, thiserror) pinned to exact
versions. Create module skeleton (config, proxy, tls, rate_limit,
logging, admin, health, shutdown) matching architecture spec.

src/config/dynamic_config.rs

@@ -0,0 +1,50 @@
+use serde::Deserialize;
+
+#[allow(dead_code)]
+#[derive(Debug, Deserialize, Clone)]
+pub struct DynamicConfig {
+    pub sites: Vec<SiteConfig>,
+    pub rate_limit: RateLimitConfig,
+    pub body: BodyConfig,
+}
+
+#[allow(dead_code)]
+#[derive(Debug, Deserialize, Clone)]
+pub struct SiteConfig {
+    pub host: String,
+    pub upstream: String,
+    #[serde(default = "default_upstream_scheme")]
+    pub upstream_scheme: String,
+    #[serde(default = "default_connect_timeout")]
+    pub upstream_connect_timeout_secs: u64,
+    #[serde(default = "default_request_timeout")]
+    pub upstream_request_timeout_secs: u64,
+}
+
+#[allow(dead_code)]
+fn default_upstream_scheme() -> String {
+    "http".to_string()
+}
+
+#[allow(dead_code)]
+fn default_connect_timeout() -> u64 {
+    5
+}
+
+#[allow(dead_code)]
+fn default_request_timeout() -> u64 {
+    60
+}
+
+#[allow(dead_code)]
+#[derive(Debug, Deserialize, Clone)]
+pub struct RateLimitConfig {
+    pub requests_per_second: u32,
+    pub burst: u32,
+}
+
+#[allow(dead_code)]
+#[derive(Debug, Deserialize, Clone)]
+pub struct BodyConfig {
+    pub limit_bytes: u64,
+}

src/config/mod.rs

@@ -0,0 +1,3 @@
+pub mod dynamic_config;
+pub mod static_config;
+pub mod validation;

src/config/static_config.rs

@@ -0,0 +1,107 @@
+use serde::Deserialize;
+
+#[allow(dead_code)]
+#[derive(Debug, Deserialize)]
+pub struct StaticConfig {
+    pub listeners: Vec<ListenerConfig>,
+    #[serde(default)]
+    pub allow_wildcard_bind: bool,
+    #[serde(default = "default_health_check_port")]
+    pub health_check_port: u16,
+    #[serde(default = "default_admin_socket_path")]
+    pub admin_socket_path: String,
+    #[serde(default = "default_shutdown_timeout_secs")]
+    pub shutdown_timeout_secs: u64,
+    #[serde(default)]
+    pub logging: LoggingConfig,
+}
+
+#[allow(dead_code)]
+fn default_health_check_port() -> u16 {
+    9900
+}
+
+#[allow(dead_code)]
+fn default_admin_socket_path() -> String {
+    "/run/reverse-proxy/admin.sock".to_string()
+}
+
+#[allow(dead_code)]
+fn default_shutdown_timeout_secs() -> u64 {
+    30
+}
+
+#[allow(dead_code)]
+#[derive(Debug, Deserialize)]
+pub struct ListenerConfig {
+    pub bind_addr: String,
+    #[serde(default = "default_http_port")]
+    pub http_port: u16,
+    #[serde(default = "default_https_port")]
+    pub https_port: u16,
+    pub tls: TlsConfig,
+    #[serde(default)]
+    pub sites: Vec<crate::config::dynamic_config::SiteConfig>,
+}
+
+#[allow(dead_code)]
+fn default_http_port() -> u16 {
+    80
+}
+
+#[allow(dead_code)]
+fn default_https_port() -> u16 {
+    443
+}
+
+#[allow(dead_code)]
+#[derive(Debug, Deserialize)]
+pub struct TlsConfig {
+    pub mode: String,
+    #[serde(default)]
+    pub acme_domains: Vec<String>,
+    #[serde(default)]
+    pub acme_cache_dir: String,
+    #[serde(default = "default_acme_directory")]
+    pub acme_directory: String,
+    #[serde(default)]
+    pub cert_path: String,
+    #[serde(default)]
+    pub key_path: String,
+}
+
+#[allow(dead_code)]
+fn default_acme_directory() -> String {
+    "production".to_string()
+}
+
+#[allow(dead_code)]
+#[derive(Debug, Deserialize)]
+pub struct LoggingConfig {
+    #[serde(default = "default_log_level")]
+    pub level: String,
+    #[serde(default = "default_log_format")]
+    pub format: String,
+    #[serde(default)]
+    pub log_file_path: Option<String>,
+}
+
+#[allow(dead_code)]
+fn default_log_level() -> String {
+    "info".to_string()
+}
+
+#[allow(dead_code)]
+fn default_log_format() -> String {
+    "text".to_string()
+}
+
+impl Default for LoggingConfig {
+    fn default() -> Self {
+        Self {
+            level: default_log_level(),
+            format: default_log_format(),
+            log_file_path: None,
+        }
+    }
+}

src/config/validation.rs

@@ -0,0 +1,12 @@
+use anyhow::Result;
+
+use super::dynamic_config::DynamicConfig;
+use super::static_config::StaticConfig;
+
+#[allow(dead_code)]
+pub fn validate_config(
+    _static_config: &StaticConfig,
+    _dynamic_config: &DynamicConfig,
+) -> Result<()> {
+    Ok(())
+}