Change ownership of /opt/venvs + run pip non-root

Previously, the virtualenvs were owned by root and the pip installs were
done as root as well. This worked fine, but it meant that I can't use
pip-tools' pip-sync function without sudo. This makes it simpler by
giving ownership to the app user (tildes in prod, vagrant in dev).

salt/salt/python.sls

@@ -1,4 +1,4 @@
-{% from 'common.jinja2' import app_dir, bin_dir, python_version, venv_dir %}
+{% from 'common.jinja2' import app_dir, app_username, bin_dir, python_version, venv_dir %}
 
 deadsnakes:
   pkgrepo.managed:
@@ -7,6 +7,12 @@ deadsnakes:
     - name: python{{ python_version }}
     - refresh: True
 
+/opt/venvs:
+  file.directory:
+    - user: {{ app_username }}
+    - group: {{ app_username }}
+    - dir_mode: 755
+
 delete-obsolete-venv:
   file.absent:
     - name: {{ venv_dir }}
@@ -19,6 +25,7 @@ venv-setup:
   cmd.run:
     - name: python{{ python_version }} -m venv {{ venv_dir }}
     - creates: {{ venv_dir }}
+    - runas: {{ app_username }}
     - require:
       - pkg: python{{ python_version }}-venv
 
@@ -37,6 +44,7 @@ pip-installs:
     {% else %}
     - requirements: {{ app_dir }}/requirements.txt
     {% endif %}
+    - user: {{ app_username }}
     - bin_env: {{ venv_dir }}
   require:
     - cmd: venv-setup