feat: TLS support for Unix socket listeners

This change enables Miniflux to serve TLS over Unix domain sockets.

If `CERT_FILE` and `KEY_FILE` are configured, Unix socket listeners
specified via `LISTEN_ADDR` will now automatically start with TLS enabled,
using the provided certificates. This uses the existing `http.Server.ServeTLS`
method.

If no certificates are provided, Unix socket listeners will continue to
operate as plain, non-TLS sockets.

internal/http/server/httpd.go

@@ -139,14 +139,33 @@ func startUnixSocketServer(server *http.Server, socketFile string) {
 	}
 
 	go func() {
-		slog.Info("Starting server using a Unix socket", slog.String("socket", socketFile))
+		certFile := config.Opts.CertFile()
-		if err := server.Serve(listener); err != http.ErrServerClosed {
+		keyFile := config.Opts.CertKeyFile()
-			printErrorAndExit("Unix socket server failed to start on %s: %v", socketFile, err)
+
+		if certFile != "" && keyFile != "" {
+			slog.Info("Starting TLS server using a Unix socket",
+				slog.String("socket", socketFile),
+				slog.String("cert_file", certFile),
+				slog.String("key_file", keyFile),
+			)
+			// Ensure HTTPS is marked as true if any listener uses TLS
+			config.Opts.HTTPS = true
+			if err := server.ServeTLS(listener, certFile, keyFile); err != http.ErrServerClosed {
+				printErrorAndExit("TLS Unix socket server failed to start on %s: %v", socketFile, err)
+			}
+		} else {
+			slog.Info("Starting server using a Unix socket", slog.String("socket", socketFile))
+			if err := server.Serve(listener); err != http.ErrServerClosed {
+				printErrorAndExit("Unix socket server failed to start on %s: %v", socketFile, err)
+			}
 		}
 	}()
 }
 
 func startAutoCertTLSServer(server *http.Server, autoTLSConfig *tls.Config) {
+	if server.TLSConfig == nil {
+		server.TLSConfig = &tls.Config{}
+	}
 	server.TLSConfig.GetCertificate = autoTLSConfig.GetCertificate
 	server.TLSConfig.NextProtos = autoTLSConfig.NextProtos