For p2phttp support in forgejo-aneksajo I decided to just spawn a git annex p2phttp --wideopen server, do authentication on the Forgejo side, and then proxy requests to p2phttp. Since p2phttp only supports serving one repository at the moment this means that I have to allocate one free port per repository. Actually finding a free port adds complexity and a race condition, as there also seems to be no way to set --port 0 for p2phttp and then figure out which port it bound to.
This would be simplified if p2phttp could listen on unix domain sockets instead.
That might be hard to implement, since it uses servant to do the http serving and that probably does not have a way to listen to a unix domain socket.
Is this needed any more since p2phttp does support serving multiple repositories?
Unfortunately I wasn't able to make use of the multiple repositories feature because Forgejo stores repositories in nested directories (
<username-or-organisation>/<repository>). Even if I was able to use that feature, using unix sockets would still feel cleaner and avoid some security concerns around running the p2phttp server with--wideopen(as-is it is accessible to all local users, with unix sockets permissions could be used to restrict it; but this is more of a theoretical concern, I am not aware of anyone running a Forgejo-aneksajo server on a host with untrusted users).According to https://stackoverflow.com/questions/22621623/warp-binding-to-unix-domain-sockets it should be possible to use warp's runSettingsSocket with a unix socket, instead of runSettings. I am not familiar enough with Haskell or git-annex to judge if there are other obstacles though...
I've made it support nested directories, which was easy.
Should be possible to make it use runSettingsSocket indeed though.
Implemented a --socket option. I have not tried connecting to it as a client, but it seems to be listening to it, so I assume all is good.
Note that it still checks for authentication when using the socket, so you will probably want to combine it with --wideopen. The socket mode allows only the current user to access it.