tor-keymgr: Move keystore.kind under keystore.primary.kind

gabi-250 requested to merge gabi-250/arti:keystore-config into main

This is a follow-up from !2394 (merged)

This moves the current keystore settings to storage.keystore.primary in preparation for a change I'm going to make soon to ArtiKeystoreConfig to support configuring secondary keystores.

Currently, we only support configuring the "primary" (previously known as "default") keystore, which can be either "native" (the on-disk Arti keystore), or "ephemeral" (an in-memory keystore). To implement #858, we will need to support configuring additional keystores too, so we will need to move to a config of the form:

[storage.keystore]
# Whether the keystore is enabled.
enabled = "auto"

# Configure the primary keystore.
[storage.keystore.primary]
# The type of primary keystore to use
kind = "auto" | "native" | "ephemeral"

# Optionally configure C Tor keystores for arti to use.
#
# Note: The keystores listed here are read-only (keys are only
# ever written to the primary keystore, configured in
# `storage.keystore.primary`).
[[storage.keystore.ctor]]
# If the `kind` is `service`, this should be set to the `HiddenServiceDirectory`
# of your hidden service. Arti will read `HiddenServiceDirectory/hostname`
# and `HiddenServiceDirectory/private_key`. (Note: if your service is running
# in restricted discovery mode, you must set the
# `[[onion_services."<the nickname of your svc>".restricted_discovery.key_dirs]]`
# to `HiddenServiceDirectory/client_keys`.)
#
# If the `kind` is `client`, this should be set to `ClientOnionAuthDir` of
# your client. If Arti is configured to run as a client (i.e. if it runs in SOCKS
# proxy mode), it will read the client restricted discovery keys from this path.
path = "/foo/bar"
# The type of keystore `path` should be interpreted as
kind = "client" | "service"