Merge fort-nix/nix-bitcoin#586: Misc. improvements

addfa8ec6b test: support `run`, `debug` commands in basic NixOS tests (Erik Arvstedt)
ae733d887e tests/clightning-replication: reuse `pkgs` instance (Erik Arvstedt)
6cbd0d93ae tests: rename `clightningReplication` -> `clightning-replication` (Erik Arvstedt)
85310b533a secrets: use type `lines` for `generateSecretsCmds` (Erik Arvstedt)
bc2f66d4f1 bitcoind, liquid: increase start/stop timeouts (Erik Arvstedt)
519ae31202 netns-isolation: improve formatting (Erik Arvstedt)
a1023696e6 netns-isolation: reserve netns id for mempool (Erik Arvstedt)
34fe8675bd add option `nix-bitcoin.pkgOverlays` (Erik Arvstedt)
a3bdecb10b helper: add start-bash-session.sh (Erik Arvstedt)
690a8f6256 nodeinfo: extract fn `mkInfoLong` (Erik Arvstedt)
2af642f56a improve comments (Erik Arvstedt)
5634f08873 rtl: make `extraConfig` recursively mergeable (Erik Arvstedt)
b76728a1ec treewide: use bool literals for systemd (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK addfa8ec6b

Tree-SHA512: 46f779f8477b566ffc6d0dfb024f2098757f509b2b3e0cbb509cf3308de7029e913f6e6c3d6d3d226cc72f8a5031fd5586b2efdf7c2d9d15f4bdd7ed08b27425

pkgs/lib.nix

@@ -7,28 +7,28 @@ with lib;
 let self = {
   # These settings roughly follow systemd's "strict" security profile
   defaultHardening = {
-      PrivateTmp = "true";
+      PrivateTmp = true;
       ProtectSystem = "strict";
-      ProtectHome = "true";
-      NoNewPrivileges = "true";
-      PrivateDevices = "true";
-      MemoryDenyWriteExecute = "true";
-      ProtectKernelTunables = "true";
-      ProtectKernelModules = "true";
-      ProtectKernelLogs = "true";
-      ProtectClock = "true";
+      ProtectHome = true;
+      NoNewPrivileges = true;
+      PrivateDevices = true;
+      MemoryDenyWriteExecute = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectKernelLogs = true;
+      ProtectClock = true;
       ProtectProc = "invisible";
       ProcSubset = "pid";
-      ProtectControlGroups = "true";
+      ProtectControlGroups = true;
       RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
-      RestrictNamespaces = "true";
-      LockPersonality = "true";
+      RestrictNamespaces = true;
+      LockPersonality = true;
       IPAddressDeny = "any";
-      PrivateUsers = "true";
-      RestrictSUIDSGID = "true";
-      RemoveIPC = "true";
-      RestrictRealtime = "true";
-      ProtectHostname = "true";
+      PrivateUsers = true;
+      RestrictSUIDSGID = true;
+      RemoveIPC = true;
+      RestrictRealtime = true;
+      ProtectHostname = true;
       CapabilityBoundingSet = "";
       # @system-service whitelist and docker seccomp blacklist (except for "clone"
       # which is a core requirement for systemd services)
@@ -42,7 +42,7 @@ let self = {
   };
 
   # nodejs applications require memory write execute for JIT compilation
-  nodejs = { MemoryDenyWriteExecute = "false"; };
+  nodejs = { MemoryDenyWriteExecute = false; };
 
   # Allow takes precedence over Deny.
   allowLocalIPAddresses = {

pkgs/python-packages/default.nix

@@ -39,7 +39,6 @@ rec {
       ## Specific versions of packages that already exist in nixpkgs
 
       # cryptography 3.3.2, required by joinmarketdaemon
-      # Used in the private python package set for joinmarket (../joinmarket/default.nix)
       cryptography = callPackage ./specific-versions/cryptography {
         openssl = super.pkgs.openssl_1_1;
         cryptography_vectors = callPackage ./specific-versions/cryptography/vectors.nix {};