Indeed I think the best option would be to make openssh listen on another port and to use an iptables rule to redirect port 22 to the default hgkeeper port.
This is because very few people have real ssh access to the machine, and developers will not have to change their setup.
hgkeeper has its own ssh service. So this means it must listen on a port other than the standard 22 if we still want to have ssh access to the server.
Indeed I think the best option would be to have a second IP address on the server. Unfortunately the kimsufi service does not allow adding extra IP addresses. Anyway, we need to change the service because it is old and it does not have RAID, so we could get a VPS at OVH, which allows multiple IPs.
mercurial-server does not seem to be maintained anymore and it has no support for Python 3 (it will be masked on Gentoo in 30 days). I think it will be better to use hg-ssh. For that we need:
* update tryton-tools/roundup_sshkeys.py to generate a proper .ssh/authorized_keys for the hg user.
* patch hg-ssh (and propose it upstream) to set HGUSER per key, like I did for mercurial-server, to support acl.
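The two items above amount to one generator: for every developer key, emit an authorized_keys line that forces hg-ssh onto a fixed list of repositories and carries a per-key HGUSER. The block below is an added example and is not the code of tryton-tools/roundup_sshkeys.py, which is not shown in this thread. Instead of patching hg-ssh, it uses the `environment="HGUSER=..."` option that OpenSSH already supports in authorized_keys; sshd ignores that option unless sshd_config enables `PermitUserEnvironment`, so that setting is part of the deployment. The user names, repository paths and public keys are constructed sample data, not real keys.

```python
"""Generate ~hg/.ssh/authorized_keys lines that force hg-ssh and set HGUSER per key.

Added example (not tryton-tools/roundup_sshkeys.py and not part of hg-ssh).
Assumes:
  * hg-ssh is on the PATH of the hg user; repo paths are relative to its home.
  * sshd_config has `PermitUserEnvironment yes` (or a pattern allowing HGUSER),
    otherwise the environment= option is silently ignored.
"""
import re

# Options that keep a forced-command key from being usable as a shell or tunnel.
RESTRICTIONS = "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty"

# One public key: "type base64 [comment]".  \Z (not $) rejects a trailing newline,
# and the comment may not contain quotes or line breaks, so a key pulled from a
# web form cannot smuggle a second, unrestricted key onto the next line.
PUBKEY_RE = re.compile(
    r"^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)) "
    r"[A-Za-z0-9+/=]+( [^\r\n\"]*)?\Z"
)
SAFE_USER = re.compile(r"^[A-Za-z0-9_.-]+\Z")       # goes inside a quoted option
SAFE_PATH = re.compile(r"^[A-Za-z0-9_./-]+\Z")      # goes on the hg-ssh command line


def authorized_keys_line(user, pubkey, repos, read_only=False):
    """Return one authorized_keys line granting `user` access to `repos` via hg-ssh."""
    if not SAFE_USER.match(user):
        raise ValueError(f"bad user name: {user!r}")
    if not PUBKEY_RE.match(pubkey):
        raise ValueError(f"bad public key for {user}")
    for repo in repos:
        if not SAFE_PATH.match(repo) or ".." in repo.split("/"):
            raise ValueError(f"bad repository path: {repo!r}")
    args = (["--read-only"] if read_only else []) + list(repos)
    command = "hg-ssh " + " ".join(args)
    options = [
        f'command="{command}"',          # hg-ssh only serves the listed repos
        f'environment="HGUSER={user}"',  # identity for the acl hook (assumption: hook reads HGUSER)
        RESTRICTIONS,
    ]
    return ",".join(options) + " " + pubkey


def generate_authorized_keys(entries):
    """entries: iterable of (user, pubkey, repos, read_only) tuples -> file contents."""
    return "".join(authorized_keys_line(*entry) + "\n" for entry in entries)


# Constructed sample input: the key material below is not a real key.
SAMPLE_ENTRIES = [
    ("alice", "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYALICE alice@laptop",
     ["trytond", "tryton"], False),
    ("bob", "ssh-rsa AAAAB3NzaC1yc2EEXAMPLEKEYBOB bob@desk",
     ["trytond"], True),
]

if __name__ == "__main__":
    print(generate_authorized_keys(SAMPLE_ENTRIES), end="")
```

Writing the result over ~hg/.ssh/authorized_keys should go through a temporary file plus rename, so a half-written file never locks everyone out; the validation errors above are the place to reject a bad key from the tracker before it reaches the server.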