kbfs, nixos/keybase, nixos/kbfs: fix KBFS, add enableRedirector option

[tadfisher]

Motivation for this change

KBFS wasn't working on my system using the NixOS module, so I updated the systemd services to mirror the upstream service files. Comments from upstream are included, and the main changes are:

• Use the notify service type which is now supported upstream.
• Set KEYBASE_SERVICE_TYPE=systemd in the environment for keybase.service; this is apparently what fixed the issues between the keybase and kbfs on my system.
• Read the service environment from $XDG_CONFIG_DIR/keybase/keybase{.autogen}.env, which is populated by the keybase ctl init command as specified in the documentation. This is entirely optional and my setup works without doing this.

I also wanted to run keybase-redirector on a multi-user machine, so I added config.services.enableRedirector. This requires the following shenanigans:

• Build the redirector binary as part of the kbfs package.
• /keybase needs to exist; use systemd.tmpfiles.rules to add it and clean it up if enableRedirector is disabled. If there is a standard way to do this for user services, I'd be happy to change this.
• Make a setuid wrapper for ${pkgs.kbfs}/bin/redirector, named keybase-redirector for consistency with the documentation and other distributions.
• I'm happy to not do any of this, by the way, or change to a setpcap wrapper instead; however, the redirector calls setreuid and thus would require CAP_SYS_ADMIN anyway.

Things done

• Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
• Built on platform(s)
  • NixOS
  • macOS
  • other Linux distributions
• Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
• Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
• Tested execution of all binary files (usually in ./result/bin/)
• Determined the impact on package closure size (by running nix path-info -S before and after)
• Ensured that relevant documentation is up to date
• Fits CONTRIBUTING.md.

Notify maintainers

cc @rvolosatovs @bennofs @np

[rvolosatovs]

LGTM

[rvolosatovs]

--debug seems unnecessary, but I guess since upstream does that it should be fine

[tadfisher]

✔️

[rvolosatovs]

Remove newline

[tadfisher]

✔️

[tadfisher]

Addressed feedback. I was also able to remove the NotifyAccess attrs by using serviceConfig.ExecStart instead of script.

[nixos-discourse]

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/prs-ready-for-review-may-2019/3032/104

[marsam]

LGTM, Thank you