I feel I should chime in about key selling sites, then after the fact I'd appreciate it if people stuck with the OP's PC build and save the grey market talk for another topic.
Is G2A, G2Play, Kinguin, CJS CD Keys et al illegal? The answer is no. Why? Because they're a marketplace. For the most part (CJS excluded, they buy keys and sell them themselves), they do not buy and sell keys. They're merely a vessel for transactions to be made between the seller and buyer, similar to eBay. They take a cut of the sale, and offer their own "insurance" in case a transaction goes bad. This is mainly because they have to, but also because they don't see the full sale profit, so they charge a few pence in order to cover their expenses for refunds in the event the seller doesn't pay up for a refund.
How are the keys obtained and sold so cheaply? This is where legality and illegality crossover into a "grey" area. For OEM keys, the seller is violating the terms of service. For the buyer, they're not technically doing anything wrong - you could easily claim "ignorance" when pressed by the software manufacturer. The owness is on the seller, but as a buyer you should be street smart; only buy "retail".
For CD keys it comes to a few different options:
The first and most rare occasion is a rogue key generator. Software companies who don't run their own key generation outsource to third parties. These third parties receive generation requests from software developers, and are told to generate a specific amount of keys and send the database to whomever - this may be Steam, it might be GreenManGaming, it might be me (a review key). Assuming the people in "The Circle of Life of Keys" do their jobs properly, the database of keys is managed cleanly, keys are marked off with an owner, a transaction and all other official information, and this is how companies like Ubisoft can tell a legitimate key from an unauthorised sale (that's how Far Cry 3 owners got their keys revoked, the database of keys didn't match up with official transactions from trusted members of "The Circle of Life of Keys"). Sometimes somebody gets a hold of this company's key generator (could be an employee), runs off a batch of keys, and tosses them out into the wild for personal financial gain, obviously selling them at a significantly lower price. Sometimes this is discovered, and in Ubisoft's case, either the keys are revoked or left as a loss. Sometimes nobody ever finds out.
The second is an even rarer occasion, and involves unauthorised distribution of promotional keys. This could be a YouTuber, a Twitcher, or a website that gets sent a batch of a few thousand keys for a promotional offer/competition/review. Sometimes the person that gets sent these promotional keys will sell some or all of them off to a CD key website for money, instead of distributing them to winners of a competition. If I got sent 10,000 keys for X game and only sent out 9,000 and sold the other 1,000 to G2A, who exactly is going to know? Nobody checks, because in some instances, that person isn't held accountable by anyone. We've heard of instances of reviewers being sent review keys and just selling them because they either aren't interested, or they pirate the game and sell the legit copy. It's scum tactics, but believe me, it happens more often than you think. I sometimes don't get review keys for AAA games. That means I miss out on masses of traffic during that release week, because everyone else is reviewing a soon-to-be popular game and I'm not. I choose to review smaller titles legitimately, other more unscrupulous media outlets choose to pirate the game and bang out a review during the same period all the authorised reviewers in order to "cash in" on the spike in potential traffic.
The third is the most common, which is playing the conversion rate on currency. Most "grey" keys are bought legitimately, usually in a country where the currency is absolutely insane. That means a guy in the US can buy Rainbow Six: Siege for $50, however, another guy on the island of Potatoland can buy the same Rainbow Six: Siege game for 5000 potatian dollars. Unfortunately this Potatian's currency is screwed, so the converted cost of 5,000 potatian dollars is around $25. That's cool, Potatoland can buy the game cheaper. Mr Potatian then decides to profit from this, so he creates a piece of software that acts as a Bot on G2A. He decides to sell his Rainbow Six: Siege keys for $28, $2 profit for himself, and $1 for G2A fees. He can't very well buy 5,000 keys all at once, nor can he sit around all day buying the same game over and over whenever he gets a purchase request from a buyer. So he decides to write a program. This program has a Steam account/Online marketplace account for PotatoManGaming, and whenever he gets an order for Rainbow Six: Siege, the program buys the game, then either adds it to his Steam Gifts and automatically emails out the Steam Gift link, or it orders the game from an online outlet and emails the key to the buyer.
Then the really dubious things happen. G2A doesn't add VAT on automatically. After all, it doesn't know if buyers are in the EU or not. So G2A sells everything at ExVAT prices, and then asks the buyer to tick a box that says they're not in the EU and don't pay 20% VAT. Three things happen here:
1: You tick the box blindly. You don't care what it says, you have to tick it so you do and proceed with your transaction - you just accidentally broke the law by committing tax fraid
2: You see the box, know what it says, don't want to pay tax, so you tick it anyway - you just purposefully broke the law by committing tax fraud
3: You select your country and agree to pay 20% VAT - you just bought a potentially illegally obtained key without committing tax fraud, congratz! (It might not have been illegally obtained though!)
The fourth option is wholly illegal, and usually ends badly for everyone - Keys bought with stolen credit cards/PayPal/Bank accounts. This used to be the most common, but not so much any more. Thieves/hackers would steal personal information from random people, buy hundreds of games through legitimate sources with a stolen payment method, and then sell them back on marketplaces like Kinguin/G2A/G2Play. The thief makes way more profit assuming they aren't caught, transfers the funds they made to a different anonymous account, and goes merrily on their way. The bank/PayPal are then told by a customer that their card/account was hacked. PayPal/the bank then kill the account, the card, and any transactions. Because the transactions have been killed, the key is then revoked because the payment is no longer valid - the buyer of said key then has their game/software deactivated. They then have to go to G2A/Kinguin and ask for a refund due to a revoked key - this is where "G2A Shield" comes into play. If you paid for Shield, you get your refund after a long, arduous and immensely frustrating process (it's made this way on purpose because G2A are going to be out of pocket on this transaction, they got screwed, and they really don't want to give you money they don't have any more). You should eventually get a refund though. In the event you didn't insure your transaction - you're screwed and G2Play/Kinguin don't give a damn. Shoulda paid that 0.79c charge.
That's pretty much the tall and the short of it.
Disclaimer: I bought two Windows 8.1 Pro keys (retail, duh) from G2A over two years ago. I paid for Shield, and I did not commit tax fraud. Both are still currently legitimately activated.