Add a keys group with read access to /run/keys

This allows processes running as unprivileged users access to keys they might need

nixos/modules/misc/ids.nix

@@ -201,6 +201,7 @@
       openldap = 93;
       connman = 94;
       munin = 95;
+      keys = 96;
 
       # When adding a gid, make sure it doesn't match an existing uid.
 

nixos/modules/system/boot/stage-2-init.sh

@@ -136,7 +136,8 @@ fi
 # elsehwere)
 if ! mountpoint -q /run/keys; then
     rm -rf /run/keys
-    mkdir -m 0700 /run/keys
+    mkdir -m 0750 /run/keys
+    chown root:keys /run/keys
     mount -t ramfs none /run/keys
 fi
 

nixos/modules/system/boot/systemd.nix

@@ -645,6 +645,8 @@ in
       '';
 
     # Target for ‘charon send-keys’ to hook into.
+    users.extraGroups.keys.gid = config.ids.gids.keys;
+
     systemd.targets.keys =
       { description = "Security Keys";
       };