From 5f35a74bd13c173c6dca6ae591692f5174b32c63 Mon Sep 17 00:00:00 2001
From: Bill Kaguru Wanjohi
Date: Fri, 26 Apr 2019 14:26:05 +0000
Subject: [PATCH] use template files to improve security, reproducibility
---
 .gitignore | 2 ++
 Makefile | 13 ++++++++++---
 etc/restic/{b2_env.sh => b2_env.sh.template} | 0
 etc/restic/{b2_pw.txt => b2_pw.txt.template} | 0
 4 files changed, 12 insertions(+), 3 deletions(-)
 create mode 100644 .gitignore
 rename etc/restic/{b2_env.sh => b2_env.sh.template} (100%)
 rename etc/restic/{b2_pw.txt => b2_pw.txt.template} (100%)
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..4836d90
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+b2_env.sh
+b2_pw.txt
diff --git a/Makefile b/Makefile
index 1058ffd..7a239f1 100644
--- a/Makefile
+++ b/Makefile
@@ -3,7 +3,7 @@
 ### Macros ###
 SRCS_SCRIPTS = $(filter-out %cron_mail, $(wildcard usr/local/sbin/*))
-SRCS_CONF = $(wildcard etc/restic/*)
+SRCS_CONF = $(filter-out %template, $(wildcard etc/restic/*))
 SRCS_EXCLUDE = .backup_exclude
 SRCS_SYSTEMD = $(wildcard etc/systemd/system/*)
@@ -32,10 +32,17 @@ install-scripts:
 install -d $(DEST_SCRIPTS)
 install -m 744 $(SRCS_SCRIPTS) $(DEST_SCRIPTS)
+etc/restic/b2_env.sh:
+ install -m 0600 etc/restic/b2_env.sh.template etc/restic/b2_env.sh
+
+etc/restic/b2_pw.txt:
+ install -m 0600 etc/restic/b2_pw.txt.template etc/restic/b2_pw.txt
+
 # target: install-conf - Install restic configuration files.
-install-conf:
+# will create these files locally only if they don't already exist
+install-conf: | etc/restic/b2_env.sh etc/restic/b2_pw.txt
 install -d $(DEST_CONF) -m 700
- install $(SRCS_CONF) $(DEST_CONF)
+ install -m 0600 $(SRCS_CONF) $(DEST_CONF)
 # target: install-exclude - Install backup exclude file.
 install-exclude:
diff --git a/etc/restic/b2_env.sh b/etc/restic/b2_env.sh.template
similarity index 100%
rename from etc/restic/b2_env.sh
rename to etc/restic/b2_env.sh.template
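Review bot: The two patterns in the new `.gitignore` are unanchored, so they ignore a `b2_env.sh` or `b2_pw.txt` in any directory rather than only the generated copies; `/etc/restic/b2_env.sh` and `/etc/restic/b2_pw.txt` would name exactly the files that are meant. Ignoring the names only prevents future commits. If the previously tracked files ever held real credentials (not visible on this page), those values remain in history and should be rotated.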
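Review bot: On the `SRCS_CONF` line of the first Makefile hunk, the recursive `=` assignment is now load-bearing and should carry a comment saying so. The wildcard has to be evaluated when the `install-conf` recipe is expanded, after the order-only prerequisites have created `b2_env.sh` and `b2_pw.txt`; a later tidy-up to `:=` would make a fresh checkout install neither file. Something like `# keep '=': expanded at recipe time so the generated credential files are found` would do. Because GNU make caches directory listings, the glob may still miss files created earlier in the same run on some versions, so naming the two generated files explicitly in `SRCS_CONF` would be more robust. `%.template` would also be a tighter filter than `%template`.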
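Review bot: `install-conf` in the second Makefile hunk creates the local copies from the templates and installs them in the same run, so on a fresh checkout the unedited template contents are what lands in `$(DEST_CONF)`, and every later run replaces the installed files with the working-tree copies. If anyone has edited the credentials in `$(DEST_CONF)` directly, that run silently overwrites them. The comment above the rule should state the intended workflow, e.g. `# edit etc/restic/b2_env.sh and b2_pw.txt locally before running install-conf; installed copies are overwritten`. The two new file rules could use automatic variables, `install -m 0600 $@.template $@`, instead of repeating each path. `-m 0600` now applies to every file matched by `SRCS_CONF`, so any file there that must stay executable would need its own install line.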
diff --git a/etc/restic/b2_pw.txt b/etc/restic/b2_pw.txt.template
similarity index 100%
rename from etc/restic/b2_pw.txt
rename to etc/restic/b2_pw.txt.template