Kill off any forked processes on timeout

Previously we bwrap-ed the whole our.rb script. In this commit we switch
it so that our.rb is run outside of bwrap, but every user command it
executes is done inside bwrap. This allows us to use bwrap's
"--die-with-parent" (along with "--unshare-pid") to kill off any forked
processes when the parent processes is killed due to a timeout.

our.example.service

@@ -4,8 +4,8 @@ After=our.service
 
 [Service]
 Type=simple
-WorkingDirectory=/home/kindrobot/spacework/our
-ExecStart=/home/kindrobot/spacework/our/our.rb
+WorkingDirectory=/home/kindrobot/wrk/our
+ExecStart=/home/kindrobot/wrk/our/our.rb
 Environment="OUR_NICK=your"
 Environment="OUR_CHANNELS=#bots"
 Environment="OUR_CMDS_DIR=/town/our"

our.rb

@@ -83,8 +83,6 @@ i.hook do |msg|
   next unless msg.cmd == 'PRIVMSG'
   target, content = msg.args
   next unless content.delete_prefix! prefix
-
-
   cmd, args = content.split(' ', 2)  
   cmd = "#{cmds_dir}/#{cmd}"
   args ||= ''
@@ -93,9 +91,8 @@ i.hook do |msg|
     i.privmsg target, "#{cmd} isn't executable. try chmod +x"
     next
   end
-
   begin
-    Open3.popen2e(cmd, args, msg.prefix, target) do |_, stdout, wait_thread|
+    Open3.popen2e("#{__dir__}/wrap_it.sh", cmd, args, msg.prefix, target) do |_, stdout, wait_thread|
       out = nil
       Timeout::timeout(3) do
         out = stdout.gets             # only interested in the first line of output

wrap_it.sh

@@ -10,4 +10,6 @@ OUR_CMDS_DIR=${OUR_CMDS_DIR:-/town/our}
 	--share-net \
 	--dev /dev \
 	--tmpfs /tmp \
-	$DIR/our.rb
+	--unshare-pid \
+	--die-with-parent \
+	"$@"