programs.rclone: use 'config update' to preserve tokens

[cdo256]

Description

This fixes an issue where the programs.rclone activation script unconditionally overwrote rclone.conf using install. This behavior caused minor data loss for remotes that rely on dynamic state, specifically OAuth tokens (e.g., Google Drive, OneDrive), forcing users to re-authenticate after every configuration change or system reboot.

Changes:

• Replaced the destructive install command with rclone config update.
• This creates a "smart merge" behavior: declarative settings from Nix are enforced, but existing dynamic keys in the file (like token) are preserved.
• Unified the static configuration and secret injection into a single loop, removing the need for pkgs.formats.ini.

Note on Drift:
This change introduces a minor trade-off: removing a setting from home.nix will no longer automatically remove it from rclone.conf (it must be manually deleted). This is necessary to preserve the authentication tokens that Nix cannot manage.

Closes #8334

Checklist

• Change is backwards compatible.

• Code formatted with nix fmt or
  nix-shell -p treefmt nixfmt deadnix keep-sorted --run treefmt.

• Code tested through nix run .#tests -- test-all or
  nix-shell --pure tests -A run.all.
  (Note: Existing build tests pass. The fix addresses a runtime behavior (file overwrite) that cannot be reproduced in the sandboxed test suite, but was verified manually via VM reproduction.)

• Test cases updated/added. See [example](f3fbb50#diff-b61a6d542f9036550ba9c401c80f00ef). -- Probably not desirable, it's not easy to construct a test for this as it requires a VM.

• Commit messages are formatted like

  {component}: {description}
  
  {long description}
  

  See [CONTRIBUTING](https://nix-community.github.io/home-manager/#sec-commit-style) for more information and [recent commit messages](https://github.com/nix-community/home-manager/commits/master) for examples.

• If this PR adds a new module (N/A)

• If this PR adds an exciting new feature or contains a breaking change. (N/A)

[jakob1379]

How come you don't use another config, as you can separate configs from secrets fairly easily

#justconfs.conf
[gdrive]
type = drive
scope = drive
team_drive =
root_folder_id =
vfs_cache_mode = writes

And then the secrets in another

#thesecrets.conf
[gdrive]
client_id = your_client_id.apps.googleusercontent.com
client_secret = your_client_secret
token = {"access_token":"ya29...","token_type":"Bearer","refresh_token":"1...","expiry":"2025-12-14T12:00:00Z"}

[ttrssreal]

Hi, this doesn't seem to build for me. Have you tried building it?

[ttrssreal]

How come you don't use another config, as you can separate configs from secrets fairly easily

#justconfs.conf
[gdrive]
type = drive
scope = drive
team_drive =
root_folder_id =
vfs_cache_mode = writes

And then the secrets in another

#thesecrets.conf
[gdrive]
client_id = your_client_id.apps.googleusercontent.com
client_secret = your_client_secret
token = {"access_token":"ya29...","token_type":"Bearer","refresh_token":"1...","expiry":"2025-12-14T12:00:00Z"}

How would this work? I don't think rclone supports multiple configs (yet). I might be wrong?

[cdo256]

Hi, this doesn't seem to build for me. Have you tried building it?

Hi thanks for testing it! I must apologise because I've got a lot of mental state open right now. Are you saying that the hm module doesn't build, or that the minimal example I provided doesn't build?

It did work when used as a flake input, and I could set the new options. But it's possible that I made a mistake. I'm going to have a proper look at this again at the weekend.

If you're able to share how you are testing it specifically (i.e., what command you ran), then that would be very helpful.

[jakob1379]

How come you don't use another config, as you can separate configs from secrets fairly easily

#justconfs.conf
[gdrive]
type = drive
scope = drive
team_drive =
root_folder_id =
vfs_cache_mode = writes

And then the secrets in another

#thesecrets.conf
[gdrive]
client_id = your_client_id.apps.googleusercontent.com
client_secret = your_client_secret
token = {"access_token":"ya29...","token_type":"Bearer","refresh_token":"1...","expiry":"2025-12-14T12:00:00Z"}

How would this work? I don't think rclone supports multiple configs (yet). I might be wrong?

Actually I thought you could do this, my bad. In nix, it is not hard to merge attribute sets, so using the native home-manager rclone-config is probably the way to go and then point the the secrets path to the secrets file. Not as elegant or clean :/

[ttrssreal]

Hi, this doesn't seem to build for me. Have you tried building it?

Hi thanks for testing it! I must apologise because I've got a lot of mental state open right now. Are you saying that the hm module doesn't build, or that the minimal example I provided doesn't build?

It did work when used as a flake input, and I could set the new options. But it's possible that I made a mistake. I'm going to have a proper look at this again at the weekend.

If you're able to share how you are testing it specifically (i.e., what command you ran), then that would be very helpful.

It doesn't seem to build due to some shellcheck failures. Heres the command to run the integration tests nix build ./tests#integration-test-rclone -L --reference-lock-file flake.lock --option sandbox false.