use template files to improve security, reproducibility

.gitignore

@@ -0,0 +1,2 @@
+b2_env.sh
+b2_pw.txt

Makefile

@@ -3,7 +3,7 @@
 
 ### Macros ###
 SRCS_SCRIPTS	= $(filter-out %cron_mail, $(wildcard usr/local/sbin/*))
-SRCS_CONF	= $(wildcard etc/restic/*)
+SRCS_CONF	= $(filter-out %template, $(wildcard etc/restic/*))
 SRCS_EXCLUDE	= .backup_exclude
 SRCS_SYSTEMD	= $(wildcard etc/systemd/system/*)
 
@@ -32,10 +32,17 @@ install-scripts:
 	install -d $(DEST_SCRIPTS)
 	install -m 744 $(SRCS_SCRIPTS) $(DEST_SCRIPTS)
 
+etc/restic/b2_env.sh:
+	install -m 0600 etc/restic/b2_env.sh.template etc/restic/b2_env.sh
+
+etc/restic/b2_pw.txt:
+	install -m 0600 etc/restic/b2_pw.txt.template etc/restic/b2_pw.txt
+
 # target: install-conf - Install restic configuration files.
-install-conf:
+# will create these files locally only if they don't already exist
+install-conf: | etc/restic/b2_env.sh etc/restic/b2_pw.txt
 	install -d $(DEST_CONF) -m 700
-	install $(SRCS_CONF) $(DEST_CONF)
+	install -m 0600 $(SRCS_CONF) $(DEST_CONF)
 
 # target: install-exclude - Install backup exclude file.
 install-exclude: