
tor: hidden services can bring-their-own-key #93804

Closed
wants to merge 1 commit into from

Conversation

colemickens
Member

Motivation for this change

This change adds a new script to run before Tor starts. For any hidden services, if they have a predefined keyPath, it will be copied and used as the hidden service's hs_ed25519_secret_key.

In this way, you can generate Tor hidden service keys, encrypt them with sops-nix, embed them into an image, and have them securely, automatically boot into serving a given hidden site.

This is particularly nice because you can now effectively predictably automate a NAT-hole punch with a "stateless" static image, in conjunction with any unlocker that sops supports (Azure KeyVault, KMS, GPG, etc).

For reviewers: please advise on other options for how I can prevent copying the private key to the torDirectory. I am using sops-nix, and I'm not sure what the problem was, but I could not get any sort of symlink to work, no matter how much I ensured the permissions were exactly correct.

But, I really don't like copying the private key to disk, especially when sops-nix goes so far out of its way to keep it off disk. I think I may need to try to consult with the Tor folks to see if it is particular in this regard.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@colemickens
Member Author

Maybe it would be better to write a script that uses the Tor socket api to create the service using the key data directly?
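The approach floated in the comment above (handing the key bytes to a running Tor over its control socket with ADD_ONION, instead of copying hs_ed25519_secret_key into torDirectory as the PR's pre-start script does), written out as an added example; this is not code from the PR or from nixpkgs. Assumed and not on the page: a Tor with ControlSocket and CookieAuthentication enabled, the socket and cookie paths used here, and the port mapping.

```python
import base64
import socket

# On-disk hs_ed25519_secret_key layout: 32-byte header, then the 64-byte
# expanded ed25519 secret key, which is exactly what ADD_ONION ED25519-V3 takes.
HS_KEY_HEADER = b"== ed25519v1-secret: type0 ==" + b"\x00" * 3
HS_KEY_SIZE = 32 + 64


def add_onion_command(key_file_bytes, ports, detach=True):
    """Build the ADD_ONION line from the raw bytes of an hs_ed25519_secret_key.
    ports: list of (virtual_port, "host:port"); Detach keeps the service alive
    after the control connection closes.  Anything but a v3 key is rejected."""
    if len(key_file_bytes) != HS_KEY_SIZE or key_file_bytes[:32] != HS_KEY_HEADER:
        raise ValueError("not a Tor hs_ed25519_secret_key file")
    body = base64.b64encode(key_file_bytes[32:]).decode("ascii")
    parts = [f"ADD_ONION ED25519-V3:{body}"] + (["Flags=Detach"] if detach else [])
    parts += [f"Port={virt},{target}" for virt, target in ports]
    return " ".join(parts)


def add_onion(key_file_bytes, ports, control_path="/run/tor/control",
              cookie_path="/run/tor/control.authcookie"):
    """Cookie-authenticate, submit the service and return its .onion address.
    Socket and cookie paths are assumptions for illustration.  The key goes
    from memory straight to the control socket; nothing is written to disk."""
    with open(cookie_path, "rb") as f:
        cookie = f.read().hex()
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(control_path)
        rf = s.makefile("rb")

        def cmd(line):
            s.sendall(line.encode("ascii") + b"\r\n")
            lines = []
            while True:  # "250-..." continues a reply, "250 ..." ends it
                reply = rf.readline().decode("ascii").rstrip("\r\n")
                lines.append(reply)
                if not reply or reply[3:4] == " ":
                    break
            if not reply.startswith("250"):  # report the verb only, never the secret
                raise RuntimeError(f"control port refused {line[:9]}: {reply}")
            return lines

        cmd(f"AUTHENTICATE {cookie}")
        reply = cmd(add_onion_command(key_file_bytes, ports))
    service_id = next(l for l in reply if l.startswith("250-ServiceID="))
    return service_id.split("=", 1)[1] + ".onion"
```

Because the service is created at runtime rather than from the DataDirectory, it disappears on Tor restart, so a unit that runs this after tor.service is up would need to re-run it each boot.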

@colemickens
Member Author

note to self, per mic92's suggestion:

"f /etc/munge/munge.key 0400 munge munge - mungeverryweakkeybuteasytointegratoinatest"

ok, from my perspective you are just copying a new file, which should be doable with systemd-tmpfiles

@stale

stale bot commented Jun 4, 2021

I marked this as stale due to inactivity. → More info

@stale stale bot added the 2.status: stale label (see https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md) Jun 4, 2021
@colemickens
Member Author

I have some recollection that someone did this and tailscale more or less fulfills any reason I was ever curious about this. Closing.

@stale stale bot removed the 2.status: stale label (see https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md) Sep 24, 2023
@colemickens colemickens deleted the tor-hs-byok branch October 2, 2023 22:11