password-store: write secrets with read-only permission

Otherwise we are installing secrets with the wrong permissions on the
first install

pkgs/clan-cli/clan_cli/vars/secret_modules/password_store.py

@@ -113,5 +113,7 @@ class SecretStore(SecretStoreBase):
                 else:
                     # TODO: drop old format soon
                     secret_name = secret
-                (output_dir / secret_name).write_bytes(self.get(service, secret_name))
+                with (output_dir / secret_name).open("wb") as f:
+                    f.chmod(0o600)
+                    f.write(self.get(service, secret_name))
         (output_dir / ".pass_info").write_bytes(self.generate_hash())