fix(restic): fix restic path handling

Generating a list of paths for restic to backup introduces some issues:
- restic matches incremental backups by paths, changing paths cause new
  backups
- logs and a lot of restic commands print all the paths, which makes it
  basically unusable

Thus I've reverted to using static `paths` and excluding patterns via
the `--exclude-file` argument.
To reduce files to backup from `~/dev`, a preStart job was added to the
systemd service: It clones the directory via `rsync` with `.gitignore`
files being respected.

services/restic/home-pc.nix

@@ -14,7 +14,6 @@ in {
 
   services.restic.backups.full = resticLib.resticConfig {
     name = "home-pc";
-    ripgrep = true;
     paths = [ "/etc/nixos" "/var/lib" "/home" ];
     ignorePatterns = [
       "/var/lib/systemd"
@@ -40,8 +39,23 @@ in {
       "/home/felschr/media"
       "/home/felschr/sync"
       "/home/felschr/keybase"
+      "/home/felschr/dev" # backup ~/dev-backup instead
     ];
     timerConfig.OnCalendar = "0/4:00:00";
     extraPruneOpts = [ "--keep-last 6" ];
   };
+
+  # extra handling for dev folder to respect .gitignore files:
+  systemd.services."restic-backups-full" = {
+    preStart = ''
+      rm -rf /home/felschr/dev-backup
+      ${pkgs.rsync}/bin/rsync -a \
+        --filter=':- .gitignore' \
+        --exclude 'nixpkgs' \
+        /home/felschr/dev/* /home/felschr/dev-backup
+    '';
+    postStart = ''
+      rm -rf /home/felschr/dev-backup
+    '';
+  };
 }

services/restic/lib.nix

@@ -1,15 +1,15 @@
 { config, lib, pkgs, ... }:
 
 # using the restic cli:
-# load credentials into shell via: export $(cat /path/to/credentials/file | xargs)
+# load credentials into shell by adding B2 secrets to .env (see .env.example).
 # useful commands for analysing restic stats [snapshot-id], restic diff [s1] [s2],
 
 with lib;
 with builtins;
 let hasAnyAttr = flip (attrset: any (flip hasAttr attrset));
 in {
-  resticConfig = args@{ name, ripgrep ? false, paths ? [ ], ignorePatterns ? [ ]
+  resticConfig = args@{ name, paths ? [ ], ignorePatterns ? [ ]
-    , extraPruneOpts ? [ ], ... }:
+    , extraBackupArgs ? [ ], extraPruneOpts ? [ ], ... }:
     assert !hasAnyAttr [
       "initialize"
       "repository"
@@ -18,28 +18,17 @@ in {
       "pruneOpts"
     ] args;
     assert (args ? paths);
-    assert (ripgrep || (!ripgrep && !(args ? ignorePatterns)));
     {
       initialize = true;
       repository = "b2:felschr-backups:/${name}";
       environmentFile = config.age.secrets.restic-b2.path;
       passwordFile = config.age.secrets.restic-password.path;
       timerConfig.OnCalendar = "daily";
-      paths = if ripgrep then null else paths;
+      paths = paths;
-      dynamicFilesFrom = if ripgrep then
+      extraBackupArgs = let
-        let
-          files = foldl (a: b: "${a} ${b}") "" paths;
         ignoreFile = builtins.toFile "ignore"
           (foldl (a: b: a + "\n" + b) "" ignorePatterns);
-        in ''
+      in [ "--exclude-file=${ignoreFile}" ] ++ extraBackupArgs;
-          ${pkgs.fd}/bin/fd \
-            --hidden \
-            --ignore-file ${ignoreFile} \
-            . ${files} \
-            | sed "s/\[/\\\[/" | sed "s/\]/\\\]/"
-        ''
-      else
-        null;
       pruneOpts = [
         "--keep-daily 7"
         "--keep-weekly 4"
@@ -48,9 +37,9 @@ in {
       ] ++ extraPruneOpts;
     } // (removeAttrs args [
       "name"
-      "ripgrep"
       "paths"
       "ignorePatterns"
+      "extraBackupArgs"
       "extraPruneOpts"
     ]);
 }