p2phttp support https

Command/P2PHttp.hs

@@ -37,6 +37,9 @@ cmd = withAnnexOptions [jobsOption] $ command "p2phttp" SectionPlumbing
 data Options = Options
 	{ portOption :: Maybe PortNumber
 	, bindOption :: Maybe String
+	, certFileOption :: Maybe FilePath
+	, privateKeyFileOption :: Maybe FilePath
+	, chainFileOption :: [FilePath]
 	, authEnvOption :: Bool
 	, authEnvHttpOption :: Bool
 	, unauthReadOnlyOption :: Bool
@@ -54,6 +57,18 @@ optParser _ = Options
 		( long "bind" <> metavar paramAddress
 		<> help "specify address to bind to"
 		))
+	<*> optional (strOption
+		( long "certfile" <> metavar paramFile
+		<> help "TLS certificate file for HTTPS"
+		))
+	<*> optional (strOption
+		( long "privatekeyfile" <> metavar paramFile
+		<> help "TLS private key file for HTTPS"
+		))
+	<*> many (strOption
+		( long "chainfile" <> metavar paramFile
+		<> help "TLS chain file"
+		))
 	<*> switch
 		( long "authenv"
 		<> help "authenticate users from environment (https only)"
@@ -83,8 +98,13 @@ seek o = getAnnexWorkerPool $ \workerpool ->
 			mkGetServerMode authenv o
 		let settings = Warp.setPort port $ Warp.setHost host $
 			Warp.defaultSettings
-		Warp.runSettings settings (p2pHttpApp st)
-		--Warp.runTLS settings (p2pHttpApp st)
+		case (certFileOption o, privateKeyFileOption o) of
+			(Nothing, Nothing) -> Warp.runSettings settings (p2pHttpApp st)
+			(Just certfile, Just privatekeyfile) -> do
+				let tlssettings = Warp.tlsSettingsChain
+					certfile (chainFileOption o) privatekeyfile
+				Warp.runTLS tlssettings settings (p2pHttpApp st)
+			_ -> giveup "You must use both --certfile and --privatekeyfile options to enable HTTPS."
   where
 	port = maybe
 		(fromIntegral defaultP2PHttpProtocolPort)

doc/git-annex-p2phttp.mdwn

@@ -52,6 +52,20 @@ convenient way to download the content of any key, by using the path
 
   What address to bind to. The default is to bind to all addresses.
 
+* `--certfile=filename` 
+
+  TLS certificate file to use. Combining this with `--privatekeyfile`
+  makes the server use HTTPS.
+
+* `--privatekeyfile=filename`
+  
+  TLS private key file to use. Combining this with `--certfile`
+  makes the server use HTTPS.
+
+* `--chainfile=filename`
+
+  TLS chain file to use. This option can be repeated any number of times.
+
 * `--authenv`
 
   Allows users to be authenticated with a username and password.

doc/todo/git-annex_proxies.mdwn

@@ -30,6 +30,8 @@ Planned schedule of work:
 
 * Rest of Remote.Git needs implementing.
 
+* git-annex p2phttp serving .well-known for ACME.
+
 * git-annex p2phttp needs to support https. Including serving .well-known
   for ACME.
 
@@ -57,6 +59,8 @@ Planned schedule of work:
 
 * Allow using annex+http urls in remote.name.annexUrl
 
+* Make git-annex p2phttp support https.
+
 ## items deferred until later for [[design/passthrough_proxy]]
 
 * Check annex.diskreserve when proxying for special remotes