docs: update Netgrimoire/Pocket/Deployment_Guide

2026-02-20 04:54:42 +00:00 · 2026-02-20 04:54:42 +00:00 · a53db4ca77
commit a53db4ca77
parent 11344bc00e
1 changed files with 365 additions and 14 deletions
--- a/Netgrimoire/Pocket/Deployment_Guide.md
+++ b/Netgrimoire/Pocket/Deployment_Guide.md
@ -2,7 +2,7 @@
 title: Pocket Grimoire 
 description: 
 published: true
-date: 2026-02-20T04:44:39.249Z
+date: 2026-02-20T04:54:31.450Z
 tags: 
 editor: markdown
 dateCreated: 2026-02-20T04:41:35.122Z
@ -259,7 +259,13 @@ Headroom: 78W
    └── zfs_pull_ro                # ZFS replication key

 /srv/vaultpg/                      # Vault SSD ZFS mount
-└── (mirrors from Netgrimoire)
+├── veracrypt-containers/          # VeraCrypt container files (optional)
+│   └── vault.vc                   # Encrypted container
+└── (other mirrors from Netgrimoire)
+
+/mnt/veracrypt/                    # VeraCrypt mount points (optional)
+├── vault1/                        # Mounted container 1
+└── vault2/                        # Mounted container 2 (if needed)

 /srv/mediapg/                      # Media SSD ZFS mount (rotated)
 └── library/                       # H.264 encoded media
@ -268,7 +274,8 @@ Headroom: 78W

 /usr/local/sbin/                   # System scripts
 ├── pocketgrimoire-sync.sh         # Main sync script
-└── pocketgrimoire-zfs-pull.sh     # ZFS replication script
+├── pocketgrimoire-zfs-pull.sh     # ZFS replication script
+└── mount-veracrypt-vault.sh       # VeraCrypt mount script (optional)

 /etc/                              # Config files
 ├── pocketgrimoire-sync.env        # Secrets (ntfy tokens)
@ -313,7 +320,179 @@ sudo raspi-config
 # System Options → Locale → en_US.UTF-8
 ```

-### 2. Install ZFS
+### 2. Install VeraCrypt (Optional - For Encrypted Container Files)
+
+**VeraCrypt** allows you to mount encrypted container files as virtual drives. This is useful for:
+- Encrypted file containers synced from Netgrimoire
+- Portable encrypted volumes that can be moved between systems
+- Additional layer of encryption beyond ZFS
+
+**Installation:**
+
+```bash
+# Install dependencies
+sudo apt install -y wget libfuse2
+
+# Download VeraCrypt (check for latest version at veracrypt.fr)
+wget https://launchpad.net/veracrypt/trunk/1.25.9/+download/veracrypt-1.25.9-Debian-12-arm64.deb
+
+# Install VeraCrypt
+sudo dpkg -i veracrypt-*.deb
+sudo apt-get install -f  # Fix any dependency issues
+
+# Verify installation
+veracrypt --text --version
+```
+
+**Create Mount Point:**
+
+```bash
+# Create directory for VeraCrypt volumes
+sudo mkdir -p /mnt/veracrypt
+sudo mkdir -p /mnt/veracrypt/vault1
+sudo mkdir -p /mnt/veracrypt/vault2
+```
+
+**Mount VeraCrypt Container:**
+
+```bash
+# Mount a VeraCrypt container file
+sudo veracrypt --text \
+  --mount /path/to/container.vc \
+  /mnt/veracrypt/vault1
+
+# You will be prompted for:
+# - Container password
+# - PIM (leave blank if not used)
+# - Keyfiles (if any)
+
+# Verify mounted
+mount | grep veracrypt
+df -h /mnt/veracrypt/vault1
+```
+
+**Auto-Mount on Boot (Optional):**
+
+Create systemd service to mount VeraCrypt on boot with manual password entry:
+
+```bash
+sudo nano /etc/systemd/system/veracrypt-vault.service
+```
+
+```ini
+[Unit]
+Description=Mount VeraCrypt vault container
+After=local-fs.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/bin/veracrypt --text --non-interactive \
+  --password-stdin \
+  --mount /srv/vaultpg/containers/vault.vc \
+  /mnt/veracrypt/vault1
+ExecStop=/usr/bin/veracrypt --text --dismount /mnt/veracrypt/vault1
+
+[Install]
+WantedBy=multi-user.target
+```
+
+**Note:** For security, password should be entered manually at boot, not stored in files.
+
+**Better Approach - Manual Mount Script:**
+
+```bash
+sudo nano /usr/local/sbin/mount-veracrypt-vault.sh
+```
+
+```bash
+#!/bin/bash
+# Mount VeraCrypt container with password prompt
+
+CONTAINER="/srv/vaultpg/containers/vault.vc"
+MOUNT_POINT="/mnt/veracrypt/vault1"
+
+if mount | grep -q "$MOUNT_POINT"; then
+    echo "VeraCrypt volume already mounted at $MOUNT_POINT"
+    exit 0
+fi
+
+echo "Mounting VeraCrypt container..."
+sudo veracrypt --text --mount "$CONTAINER" "$MOUNT_POINT"
+
+if [ $? -eq 0 ]; then
+    echo "Successfully mounted: $MOUNT_POINT"
+    df -h "$MOUNT_POINT"
+else
+    echo "Failed to mount VeraCrypt container"
+    exit 1
+fi
+```
+
+```bash
+sudo chmod +x /usr/local/sbin/mount-veracrypt-vault.sh
+```
+
+**Usage:**
+```bash
+# Mount manually after boot
+sudo /usr/local/sbin/mount-veracrypt-vault.sh
+
+# Unmount
+sudo veracrypt --text --dismount /mnt/veracrypt/vault1
+
+# List mounted volumes
+veracrypt --text --list
+```
+
+**VeraCrypt Container Creation (Do this on Netgrimoire first):**
+
+```bash
+# Create a new VeraCrypt container (example: 10GB)
+veracrypt --text --create /path/to/container.vc
+
+# Follow prompts:
+# - Volume type: Normal
+# - Encryption algorithm: AES
+# - Hash algorithm: SHA-512
+# - Filesystem: Linux Ext4
+# - Size: 10GB (or desired size)
+# - Password: (enter strong password)
+# - Format volume: Yes
+```
+
+**Sync VeraCrypt Container via ZFS:**
+
+```bash
+# Store container file in ZFS dataset
+sudo zfs create vaultpg/veracrypt-containers
+
+# Container location: /srv/vaultpg/veracrypt-containers/vault.vc
+
+# This file syncs from Netgrimoire like any other file
+# Then mount it after sync completes
+```
+
+**When to Use VeraCrypt vs ZFS Encryption:**
+
+**Use VeraCrypt when:**
+- Need portable encrypted containers (can move to other systems)
+- Want different passwords for different data sets
+- Need compatibility with Windows/Mac (VeraCrypt is cross-platform)
+- Want nested encryption (VeraCrypt inside ZFS)
+
+**Use ZFS encryption when:**
+- Encrypting entire drives/pools
+- Want transparent encryption (no manual mounting)
+- Need better performance (native filesystem encryption)
+- Don't need to move encrypted data to non-Linux systems
+
+**For Pocket Grimoire, recommended approach:**
+- ZFS encryption for main vault and media SSDs (always)
+- VeraCrypt for specific sensitive containers (optional)
+- Example: Tax documents, personal files in VeraCrypt container on ZFS-encrypted drive
+
+### 3. Install ZFS

 ```bash
 # Install ZFS utilities
@ -323,7 +502,7 @@ sudo apt install -y zfsutils-linux
 sudo zpool list
 ```

-### 3. Configure ZFS Pools
+### 4. Configure ZFS Pools

 **Important:** Replace `/dev/sdX` with your actual device identifiers. Use `lsblk` to identify drives.

@ -1140,9 +1319,25 @@ sudo umount /mnt/pocket-media

 ### 8. Document Passphrases
 - [ ] ZFS encryption passphrases (written down, secured)
- [ ] WiFi credentials for travel router
+- [ ] VeraCrypt container passwords (if using, written down, secured)
+- [ ] WiFi credentials for travel router (portapotty network)
 - [ ] Jellyfin admin password
 - [ ] Wiki.js admin password
+- [ ] Keep all passphrases in secure location separate from device
+
+### 9. Test VeraCrypt Containers (If Using)
+```bash
+# Verify container can mount
+sudo veracrypt --text --mount \
+  /srv/vaultpg/veracrypt-containers/vault.vc \
+  /mnt/veracrypt/vault1
+
+# Access files
+ls /mnt/veracrypt/vault1
+
+# Unmount
+sudo veracrypt --text --dismount /mnt/veracrypt/vault1
+```

 ---

@ -1174,6 +1369,29 @@ sudo zfs mount -a
 zfs list
 ```

+### VeraCrypt Mount (Optional, 1 minute)
+```bash
+# If using VeraCrypt containers
+# SSH into Pi (if not already)
+ssh user@pocket-grimoire.local
+
+# Mount VeraCrypt container(s)
+sudo /usr/local/sbin/mount-veracrypt-vault.sh
+# Enter password when prompted
+
+# Verify mounted
+df -h /mnt/veracrypt/vault1
+ls /mnt/veracrypt/vault1
+
+# Or mount manually:
+sudo veracrypt --text --mount \
+  /srv/vaultpg/veracrypt-containers/vault.vc \
+  /mnt/veracrypt/vault1
+
+# List all mounted VeraCrypt volumes
+veracrypt --text --list
+```
+
 ### Verify Services (2 minutes)
 ```bash
 # Check Docker containers
@ -1313,6 +1531,70 @@ docker compose restart
 docker exec -it pocketgrimoire_db psql -U wikijs -d wikijs -c "\dt"
 ```

+### VeraCrypt Container Won't Mount
+
+**Check container exists:**
+```bash
+ls -lh /srv/vaultpg/veracrypt-containers/
+# Should show vault.vc file
+```
+
+**Verify VeraCrypt is installed:**
+```bash
+veracrypt --text --version
+# Should show version number
+```
+
+**Try mounting with verbose output:**
+```bash
+sudo veracrypt --text --verbose \
+  --mount /srv/vaultpg/veracrypt-containers/vault.vc \
+  /mnt/veracrypt/vault1
+```
+
+**Common issues:**
+- **Wrong password:** Re-enter carefully (passwords are case-sensitive)
+- **Container corrupted:** Try mounting read-only:
+  ```bash
+  sudo veracrypt --text --mount --protect-hidden=no \
+    /srv/vaultpg/veracrypt-containers/vault.vc \
+    /mnt/veracrypt/vault1
+  ```
+- **Already mounted elsewhere:** Unmount first:
+  ```bash
+  sudo veracrypt --text --dismount /mnt/veracrypt/vault1
+  ```
+- **FUSE not available:**
+  ```bash
+  sudo apt install -y fuse libfuse2
+  sudo modprobe fuse
+  ```
+
+**Check what's mounted:**
+```bash
+veracrypt --text --list
+mount | grep veracrypt
+```
+
+**Force unmount (if stuck):**
+```bash
+sudo veracrypt --text --force --dismount /mnt/veracrypt/vault1
+# Or:
+sudo umount -f /mnt/veracrypt/vault1
+```
+
+**Verify container integrity:**
+```bash
+# Test mount without password (will fail but shows if container is valid)
+sudo veracrypt --test /srv/vaultpg/veracrypt-containers/vault.vc
+```
+cd /srv/pocket-grimoire/stacks/wikijs
+docker compose restart
+
+# Check database
+docker exec -it pocketgrimoire_db psql -U wikijs -d wikijs -c "\dt"
+```
+
 ### Sync Failures
 ```bash
 # Check sync log
@ -1382,6 +1664,15 @@ docker compose down
 cd /srv/pocket-grimoire/stacks/filebrowser
 docker compose down

+# Unmount VeraCrypt containers (if using)
+sudo veracrypt --text --dismount /mnt/veracrypt/vault1
+# Or dismount all:
+sudo veracrypt --text --dismount-all
+
+# Verify unmounted
+veracrypt --text --list
+# Should show "No volumes mounted"
+
 # Unmount and export ZFS pools
 sudo zfs unmount -a
 sudo zpool export vaultpg
@ -1400,9 +1691,9 @@ sudo shutdown -h now
 1. Unplug Ethernet cable from Pi (stops network activity)
 2. Wait 10 seconds
 3. Unplug power from Anker Prime
-4. ZFS pools may need recovery on next boot (usually auto-repairs)
+4. ZFS pools and VeraCrypt containers may need recovery on next boot (usually auto-repairs)

-**Note:** ZFS is resilient, but proper shutdown is always better.
+**Note:** ZFS is resilient, but proper shutdown is always better. VeraCrypt containers are generally safe with sudden unmount.

 ---

@ -1521,10 +1812,15 @@ Temperature: Cool (<65°C)
 ## Security Notes

 ### Encryption
- Both SSDs use native ZFS encryption
- Passphrases required on boot (manual unlock)
- Family media SSD is unencrypted (for portability/sharing)
- SSH keys are stored on encrypted Vault SSD
+- **ZFS Encryption:** Both SSDs use native ZFS encryption
+  - Passphrases required on boot (manual unlock)
+  - Family media SSD is unencrypted (for portability/sharing)
+  - SSH keys are stored on encrypted Vault SSD
+- **VeraCrypt Containers (Optional):** Additional encryption layer
+  - Encrypted file containers within ZFS-encrypted drives (nested encryption)
+  - Separate passwords for different data sets
+  - Portable containers can be moved to other systems
+  - Cross-platform compatibility (Windows, Mac, Linux)

 ### Network Security
 - All services bound to LAN only (not exposed to WAN)
@ -1535,15 +1831,24 @@ Temperature: Cool (<65°C)
 ### Physical Security
 - Pocket Grimoire is a physical device - keep secure
 - Encrypted SSDs protect data at rest
- Require passphrase on boot (prevents unauthorized access)
- Keep ZFS passphrases separate from device
+- ZFS and/or VeraCrypt passphrases required on boot (prevents unauthorized access)
+- Keep all encryption passphrases separate from device
+- Consider: Write passphrases on paper, store in secure location

 ### Backup Strategy
 - Pocket Grimoire is a mirror, not primary storage
 - All data originates from Netgrimoire (source of truth)
 - ZFS replication provides redundancy
+- VeraCrypt containers sync like any other file
 - Can rebuild Pocket Grimoire from Netgrimoire if needed

+### Encryption Best Practices
+- **Use strong passphrases:** 20+ characters, mix of types
+- **Don't reuse passwords:** ZFS ≠ VeraCrypt ≠ services
+- **Document recovery:** Write down passphrases (paper, not digital)
+- **Test recovery:** Verify you can unlock before traveling
+- **Secure storage:** Keep passphrase backup separate from device
+
 ---

 ## Appendix A: System Specifications
@ -1601,6 +1906,52 @@ docker ps
 htop
 ```

+### VeraCrypt Operations
+```bash
+# Mount VeraCrypt container
+sudo veracrypt --text --mount \
+  /srv/vaultpg/veracrypt-containers/vault.vc \
+  /mnt/veracrypt/vault1
+
+# Or use helper script
+sudo /usr/local/sbin/mount-veracrypt-vault.sh
+
+# List mounted volumes
+veracrypt --text --list
+
+# Check what's in mounted container
+ls -lh /mnt/veracrypt/vault1
+
+# Unmount specific volume
+sudo veracrypt --text --dismount /mnt/veracrypt/vault1
+
+# Unmount all VeraCrypt volumes
+sudo veracrypt --text --dismount-all
+
+# Force unmount (if stuck)
+sudo veracrypt --text --force --dismount /mnt/veracrypt/vault1
+
+# Check VeraCrypt version
+veracrypt --text --version
+```
+sudo zpool status
+
+# Check mounted filesystems
+df -h
+
+# Check memory usage
+free -h
+
+# Check temperature
+vcgencmd measure_temp
+
+# Check Docker containers
+docker ps
+
+# Check system load
+htop
+```
+
 ### Service Management
 ```bash
 # Restart Wiki.js