server: fix tempdir handling
tempfile::tempdir() creates a directory that is automatically cleaned up. Unfortunately that cleanup happens almost immediately because our workload process is systemd-run itself (which finishes very quickly), not the process started by systemd-run.
PrivateTmp=yes doesn't work for systemd-run --user, so we have to emulate this ourselves. Do this by passing the created directory as TMPDIR to the process and removing it in ExecStopPost.
Doesn't help with processes accessing /tmp directly but hopefully anything we run uses $TMPDIR as first choice.
The safety checks are hopefully enough to never delete the wrong directory - and done twice: assert for picking errors during development and an if condition to avoid issues if assert is not enabled.
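
An added illustration of the approach this message describes, not code from the commit: the directory is checked twice (an assert plus a plain condition) before it is placed in `TMPDIR` and in an `ExecStopPost` cleanup command. The `job-` prefix, the `/bin/rm` cleanup command, the sample base path and both function names are assumptions, and `base` is assumed to be a fixed, trusted path.

```rust
use std::path::{Component, Path};

// Assumed naming scheme for per-job directories; the commit does not state one.
const JOB_PREFIX: &str = "job-";

/// True only if `dir` is a direct child of `base` named `job-<alphanumerics>`.
/// Rejects `..`, nesting, `base` itself, and `%`, `$` or spaces in the name.
fn is_safe_job_tmpdir(base: &Path, dir: &Path) -> bool {
    let rest = match dir.strip_prefix(base) {
        Ok(rest) => rest,
        Err(_) => return false,
    };
    let mut parts = rest.components();
    let name = match (parts.next(), parts.next()) {
        (Some(Component::Normal(name)), None) => name.to_str().unwrap_or(""),
        _ => return false,
    };
    match name.strip_prefix(JOB_PREFIX) {
        Some(suffix) => !suffix.is_empty() && suffix.chars().all(|c| c.is_ascii_alphanumeric()),
        None => false,
    }
}

/// Build the `systemd-run --user` argv for `cmd`, or None if `dir` fails the check.
fn systemd_run_args(base: &Path, dir: &Path, cmd: &[&str]) -> Option<Vec<String>> {
    // First check: an assert that catches mistakes during development.
    debug_assert!(is_safe_job_tmpdir(base, dir), "unsafe tmpdir: {:?}", dir);
    // Second check: still enforced when asserts are compiled out.
    if !is_safe_job_tmpdir(base, dir) {
        return None;
    }
    let dir = dir.to_str()?;
    let mut args = vec![
        "systemd-run".to_string(),
        "--user".to_string(),
        format!("--setenv=TMPDIR={}", dir),
        // /bin/rm is an assumed cleanup command, run when the unit stops.
        format!("--property=ExecStopPost=/bin/rm -rf -- {}", dir),
        "--".to_string(),
    ];
    args.extend(cmd.iter().map(|s| s.to_string()));
    Some(args)
}

fn main() {
    let base = Path::new("/run/user/1000/jobs"); // constructed sample path
    println!("{:?}", systemd_run_args(base, &base.join("job-a1B2c3"), &["make", "test"]));
}
```

Restricting the directory name to alphanumerics also keeps specifier (`%`) and variable (`$`) expansion out of the `ExecStopPost` command line.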