run as the teleterm user

also unset HOME so that we fall back to /var/lib/teleterm

2 files changed, 12 insertions, 2 deletions

diff --git a/modules/tozt/manifests/teleterm.pp b/modules/tozt/manifests/teleterm.pp
index 71cf3e6..17e15b8 100644
--- a/modules/tozt/manifests/teleterm.pp
+++ b/modules/tozt/manifests/teleterm.pp
@@ -17,5 +17,15 @@ class tozt::teleterm {
       content => template("tozt/teleterm.toml"),
       require => File["/etc/teleterm"],
       notify => Service["teleterm"];
+    "/var/lib/teleterm":
+      ensure => directory,
+      owner => "teleterm",
+      group => "teleterm",
+      mode => "0700",
+      require => [
+        User["teleterm"],
+        Group["teleterm"],
+      ],
+      before => Service["teleterm"];
   }
 }
diff --git a/modules/tozt/templates/teleterm.toml b/modules/tozt/templates/teleterm.toml
index 4524814..f651e52 100644
--- a/modules/tozt/templates/teleterm.toml
+++ b/modules/tozt/templates/teleterm.toml
@@ -2,8 +2,8 @@
 listen_address = "0.0.0.0:4144"
 allowed_login_methods = ["recurse_center"]
 tls_identity_file = "/media/persistent/certbot/live/tozt.net/identity.pfx"
-uid = "nobody"
-gid = "nobody"
+uid = "teleterm"
+gid = "teleterm"
 
 [oauth.recurse_center]
 client_id = "<%= @client_id %>"