Refactor mount system
Refactor the way mounts are managed. This changes the mount system to use a pre-defined set of mount points, isabelle.shared_directories, instead of dynamic on-demand mounts. The main benefit here is security, where a malicious client may not gain potential read-only access to host resources. It succeeds the previous allowed_prefix mechanism and should also enable the creation of a docker/podman executor.
The main change is that mounts are created as disk devices during Executor.StartInstance. The mechanism for path hashing stays the same; however, the management of path aliases has been handed off to the executors with Executor.MapMount.
This also adjusts the module to allow a 'config-only' mode, where the nixos module can be used for config generation without a systemd service. This allows clean integration of the nixos module with the LXC container in the tests.