Merge pull request #15 from billwanjohi/tweak_file_permissions

Use file templates to improve security, reproducibility

.gitignore

@@ -0,0 +1,2 @@
+b2_env.sh
+b2_pw.txt

Makefile

@@ -3,7 +3,7 @@
 
 ### Macros ###
 SRCS_SCRIPTS	= $(filter-out %cron_mail, $(wildcard usr/local/sbin/*))
-SRCS_CONF	= $(wildcard etc/restic/*)
+SRCS_CONF	= $(filter-out %template, $(wildcard etc/restic/*))
 SRCS_EXCLUDE	= .backup_exclude
 SRCS_SYSTEMD	= $(wildcard etc/systemd/system/*)
 
@@ -30,12 +30,19 @@ install: install-scripts install-conf install-exclude install-systemd
 # target: install-scripts - Install executables.
 install-scripts:
 	install -d $(DEST_SCRIPTS)
-	install -m 744 $(SRCS_SCRIPTS) $(DEST_SCRIPTS)
+	install -m 0744 $(SRCS_SCRIPTS) $(DEST_SCRIPTS)
+
+etc/restic/b2_env.sh:
+	install -m 0600 etc/restic/b2_env.sh.template etc/restic/b2_env.sh
+
+etc/restic/b2_pw.txt:
+	install -m 0600 etc/restic/b2_pw.txt.template etc/restic/b2_pw.txt
 
 # target: install-conf - Install restic configuration files.
-install-conf:
-	install -d $(DEST_CONF) -m 700
-	install $(SRCS_CONF) $(DEST_CONF)
+# will create these files locally only if they don't already exist
+install-conf: | etc/restic/b2_env.sh etc/restic/b2_pw.txt
+	install -d $(DEST_CONF)
+	install -m 0600 $(SRCS_CONF) $(DEST_CONF)
 
 # target: install-exclude - Install backup exclude file.
 install-exclude:
@@ -44,4 +51,4 @@ install-exclude:
 # target: install-systemd - Install systemd timer and service files
 install-systemd:
 	install -d $(DEST_SYSTEMD)
-	install -m 0644 $(SRCS_SYSTEMD) $(DEST_SYSTEMD)
+	install $(SRCS_SYSTEMD) $(DEST_SYSTEMD)

usr/local/sbin/restic_check.sh

@@ -22,7 +22,7 @@ source /etc/restic/b2_env.sh
 B2_CONNECTIONS=50
 
 # Remove locks from other stale processes to keep the automated backup running.
-# NOTE nope, dont' unlock liek restic_backup.sh. restic_backup.sh should take preceedance over this script.
+# NOTE nope, don't unlock like restic_backup.sh. restic_backup.sh should take precedence over this script.
 #restic unlock &
 #wait $!