diff --git a/docs/faq.md b/docs/faq.md
index 9b60020..5f6252b 100644
--- a/docs/faq.md
+++ b/docs/faq.md
@@ -32,5 +32,3 @@
     * **A:** Check your clightning logs with `journalctl -eu clightning`. Do you see something like `bitcoin-cli getblock ... false` failed? Are you using pruned mode? That means that clightning hasn't seen all the blocks it needs to and it can't get that block because your node is pruned. If you're just setting up a new node you can `systemctl stop clightning` and wipe your `/var/lib/clightning` directory. Otherwise you need to reindex the Bitcoin node.
 * **Q:** My disk space is getting low due to nix.
     * **A:** run `nix-collect-garbage -d`
-* **Q:** `nix-shell` takes too long and doesn't finish generating `/secrets`
-    * **A:** This might be the result of low system entropy. Check your entropy with `cat /proc/sys/kernel/random/entropy_avail`. If necessary, take steps to increase entropy like performing some tasks on the system or acquiring a hardware true random number generator.
diff --git a/examples/configuration.nix b/examples/configuration.nix
index 1225f8b..125d475 100644
--- a/examples/configuration.nix
+++ b/examples/configuration.nix
@@ -9,8 +9,7 @@
     # FIXME: The hardened kernel profile improves security but
     # decreases performance by ~50%.
     # Turn it off when not needed.
-    # Source: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/hardened.nix
-    <nixpkgs/nixos/modules/profiles/hardened.nix>
+    <nix-bitcoin/modules/presets/hardened.nix>
 
     # FIXME: Uncomment next line to import your hardware configuration. If so,
     # add the hardware configuration file to the same directory as this file.
@@ -208,10 +207,6 @@
   # FIXME: Add custom options (like boot options, output of
   # nixos-generate-config, etc.):
 
-  # If the hardened profile is imported above, we need to explicitly allow
-  # user namespaces to enable sanboxed builds and services.
-  security.allowUserNamespaces = true;
-
   # This value determines the NixOS release with which your system is to be
   # compatible, in order to avoid breaking some software such as database
   # servers. You should change this only after NixOS release notes say you
diff --git a/examples/deploy-qemu-vm.sh b/examples/deploy-qemu-vm.sh
index e155126..331451f 100755
--- a/examples/deploy-qemu-vm.sh
+++ b/examples/deploy-qemu-vm.sh
@@ -17,6 +17,8 @@ if [[ ! -v IN_NIX_SHELL ]]; then
     exec nix-shell --run "./${BASH_SOURCE[0]##*/} $*"
 fi
 
+cd "${BASH_SOURCE[0]%/*}"
+
 tmpDir=/tmp/nix-bitcoin-qemu-vm
 mkdir -p $tmpDir
 
diff --git a/modules/presets/hardened.nix b/modules/presets/hardened.nix
new file mode 100644
index 0000000..16833a6
--- /dev/null
+++ b/modules/presets/hardened.nix
@@ -0,0 +1,14 @@
+{
+  imports = [
+    # Source: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/hardened.nix
+    <nixpkgs/nixos/modules/profiles/hardened.nix>
+  ];
+
+  ## Reset some options set by the hardened profile
+
+  # Needed for sandboxed builds and services
+  security.allowUserNamespaces = true;
+
+  # The "scudo" allocator is broken on NixOS 20.09
+  environment.memoryAllocator.provider = "libc";
+}
diff --git a/pkgs/extra-container/default.nix b/pkgs/extra-container/default.nix
index 9f93667..83385ae 100644
--- a/pkgs/extra-container/default.nix
+++ b/pkgs/extra-container/default.nix
@@ -4,11 +4,11 @@
 
 stdenv.mkDerivation rec {
   name = "extra-container-${version}";
-  version = "0.5-pre";
+  version = "0.5";
 
   src = builtins.fetchTarball {
     url = "https://github.com/erikarvstedt/extra-container/archive/${version}.tar.gz";
-    sha256 = "0gdy2dpqrdv7f4kyqz88j34x1p2fpav04kznv41hwqq88hmzap90";
+    sha256 = "12xqa11v583ajdv51g1833rxvrndmly9h4r62wc3llm8xs6k7ais";
   };
 
   buildCommand = ''
@@ -17,7 +17,7 @@ stdenv.mkDerivation rec {
     share=$out/share/extra-container
     install $src/eval-config.nix -Dt $share
 
-    # Use existing PATH for systemctl and machinectl (for nixos-container)
+    # Use existing PATH for systemctl and machinectl
     scriptPath="export PATH=${lib.makeBinPath [ nixos-container openssh ]}:\$PATH"
 
     sed -i \
diff --git a/pkgs/generate-secrets/default.nix b/pkgs/generate-secrets/default.nix
index 5f88019..d04f06a 100644
--- a/pkgs/generate-secrets/default.nix
+++ b/pkgs/generate-secrets/default.nix
@@ -10,6 +10,6 @@ let
   '';
 in
 writers.writeBash "generate-secrets" ''
-  export PATH=${lib.makeBinPath [ coreutils apg openssl gnugrep rpcauth ]}
+  export PATH=${lib.makeBinPath [ coreutils pwgen openssl gnugrep rpcauth ]}
   . ${./generate-secrets.sh} ${./openssl.cnf}
 ''
diff --git a/pkgs/generate-secrets/generate-secrets.sh b/pkgs/generate-secrets/generate-secrets.sh
index 229b774..a448f9b 100755
--- a/pkgs/generate-secrets/generate-secrets.sh
+++ b/pkgs/generate-secrets/generate-secrets.sh
@@ -5,7 +5,8 @@ set -euo pipefail
 opensslConf=${1:-openssl.cnf}
 
 makePasswordSecret() {
-    [[ -e $1 ]] || apg -m 20 -x 20 -M Ncl -n 1 > "$1"
+    # Passwords have alphabet {a-z, A-Z, 0-9} and ~119 bits of entropy
+    [[ -e $1 ]] || pwgen -s 20 1 > "$1"
 }
 makeHMAC() {
     user=$1
diff --git a/test/lib/make-container.sh b/test/lib/make-container.sh
index 327f13d..6957018 100755
--- a/test/lib/make-container.sh
+++ b/test/lib/make-container.sh
@@ -28,7 +28,7 @@
 #         This args disables auto-destructing containers.
 #
 #
-#   run-tests.sh container --run|-r c systemctl status bitcoind
+#   run-tests.sh container --run c systemctl status bitcoind
 #
 #     Run a command in the shell session environmentand exit.
 #     Destroy the container afterwards.
@@ -39,7 +39,7 @@
 #     run-tests.sh container --run c
 #
 #
-#   run-tests.sh [--scenario|-s <scenario>] container --command|--c
+#   run-tests.sh [--scenario|-s <scenario>] container --command|-c
 #
 #     Provide a custom extra-container command.
 #
@@ -57,8 +57,8 @@ if [[ $EUID != 0 ]]; then
     # NixOS containers require root permissions.
     # By using sudo here and not at the user's call-site extra-container can detect if it is running
     # inside an existing shell session (by checking an internal environment variable).
-    exec sudo scenario="$scenario" testDir="$testDir" NIX_PATH="$NIX_PATH" PATH="$PATH" \
-         scenarioOverridesFile="${scenarioOverridesFile:-}" "$testDir/lib/make-container.sh" "$@"
+    exec sudo scenario="$scenario" scriptDir="$scriptDir" NIX_PATH="$NIX_PATH" PATH="$PATH" \
+         scenarioOverridesFile="${scenarioOverridesFile:-}" "$scriptDir/lib/make-container.sh" "$@"
 fi
 
 export containerName=nb-test
@@ -79,11 +79,11 @@ done
 containerBin=$(type -P extra-container) || true
 if [[ ! ($containerBin && $(realpath $containerBin) == *extra-container-0.5*) ]]; then
     echo "Building extra-container. Skip this step by adding extra-container 0.5 to PATH."
-    nix-build --out-link /tmp/extra-container "$testDir"/../pkgs -A extra-container >/dev/null
+    nix-build --out-link /tmp/extra-container "$scriptDir"/../pkgs -A extra-container >/dev/null
     export PATH="/tmp/extra-container/bin${PATH:+:}$PATH"
 fi
 
 read -d '' src <<EOF || true
-(import "$testDir/tests.nix" { scenario = "$scenario"; }).container
+(import "$scriptDir/tests.nix" { scenario = "$scenario"; }).container
 EOF
 exec extra-container $containerCommand -E "$src" "$@"
diff --git a/test/run-tests.sh b/test/run-tests.sh
index c3fd248..5b24a33 100755
--- a/test/run-tests.sh
+++ b/test/run-tests.sh
@@ -202,10 +202,27 @@ basic() {
     pkgsUnstable
 }
 
-all() {
+# All tests that only consist of building a nix derivation.
+# Their output is cached in /nix/store.
+buildable() {
     basic
     scenario=full buildTest "$@"
     scenario=regtest buildTest "$@"
+    scenario=hardened buildTest "$@"
+}
+
+examples() {
+    script="
+      set -e
+      ./deploy-container.sh
+      ./deploy-qemu-vm.sh
+    "
+    (cd $scriptDir/../examples && nix-shell --run "$script")
+}
+
+all() {
+    buildable
+    examples
 }
 
 # An alias for buildTest
diff --git a/test/tests.nix b/test/tests.nix
index 8a1cecc..f9924ee 100644
--- a/test/tests.nix
+++ b/test/tests.nix
@@ -165,6 +165,13 @@ let testEnv = rec {
       imports = with scenarios; [ netnsBase regtest ];
     };
 
+    hardened = {
+      imports = [
+        scenarios.secureNode
+        ../modules/presets/hardened.nix
+      ];
+    };
+
     netnsBase = {
       nix-bitcoin.netns-isolation.enable = true;
       test.data.netns = config.nix-bitcoin.netns-isolation.netns;