ADR 0003: Custom OAuth 2.0 Credentials for Off-site Backups
Status
Accepted
Context
The VPS off-site backup system uses Restic with an rclone bridge to Google Drive. Historically, rclone used its default shared Client ID for authentication.
As the backup repository size and frequency increased, the system frequently encountered 403 Quota exceeded errors from Google Drive. These errors were often masked by script logic (missing pipefail), leading to silent backup failures or incomplete verification reports.
Decision
We decided to switch from rclone's default shared credentials to a Custom Google Cloud OAuth 2.0 Client ID and Secret.
Additionally, we implemented set -o pipefail in all backup scripts to ensure that errors in the restic/rclone pipeline are correctly detected and trigger failure alerts.
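The masking described in the Context and the effect of the pipefail change, as an added example (not taken from the project's backup scripts). The pipeline is a constructed stand-in: its first stage fails the way a quota-limited upload would, its second stage is a log formatter that always succeeds, and no restic or rclone command is invoked.

```shell
#!/usr/bin/env bash
# Constructed stand-in for the backup pipeline (assumption: the real scripts
# pipe restic/rclone output into a logging or formatting command).
#   stage 1: prints a 403 quota error and exits with status 3
#   stage 2: sed prefixes each line and exits 0
PIPELINE='(echo "403 Quota exceeded" >&2; exit 3) 2>&1 | sed "s/^/[backup] /" >&2'

# Mimics the final success check of a backup script.
# $1 is "+o" (pipefail off, the old behaviour) or "-o" (pipefail on).
# Each run uses its own bash process so the option cannot leak between runs.
backup_report() {
    if bash -c "set $1 pipefail; $PIPELINE"; then
        echo "backup OK"
    else
        echo "backup FAILED (exit $?)"
    fi
}

# Without pipefail the pipeline's status is that of sed, so the 403 is masked.
backup_report +o   # prints: backup OK
# With pipefail the non-zero status of the failed stage reaches the check.
backup_report -o   # prints: backup FAILED (exit 3)
```

The same upload failure is reported as success in the first run and as a failure in the second; only the shell option differs.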
Consequences
Pros:
- High reliability: The system now has a dedicated API quota, eliminating 403 errors.
- Improved Observability: pipefail ensures that failures during upload or verification are no longer ignored.
- Security: The credentials are now project-specific and managed within the CFS Google Cloud Console.
Cons:
- Manual Setup: Requires a manual OAuth "handshake" during initial setup or if tokens expire (mitigated by setting the Google Cloud App to "Production" status).
- Maintenance: The Client Secret must be rotated or updated if compromised.