From a53db4ca77bbc9890cb8a5e94fe6f635f085969c Mon Sep 17 00:00:00 2001 From: Administrator Date: Fri, 20 Feb 2026 04:54:42 +0000 Subject: [PATCH] docs: update Netgrimoire/Pocket/Deployment_Guide --- Netgrimoire/Pocket/Deployment_Guide.md | 379 ++++++++++++++++++++++++- 1 file changed, 365 insertions(+), 14 deletions(-) diff --git a/Netgrimoire/Pocket/Deployment_Guide.md b/Netgrimoire/Pocket/Deployment_Guide.md index 1970692..5cc3ebb 100644 --- a/Netgrimoire/Pocket/Deployment_Guide.md +++ b/Netgrimoire/Pocket/Deployment_Guide.md @@ -2,7 +2,7 @@ title: Pocket Grimoire description: published: true -date: 2026-02-20T04:44:39.249Z +date: 2026-02-20T04:54:31.450Z tags: editor: markdown dateCreated: 2026-02-20T04:41:35.122Z @@ -259,7 +259,13 @@ Headroom: 78W └── zfs_pull_ro # ZFS replication key /srv/vaultpg/ # Vault SSD ZFS mount -└── (mirrors from Netgrimoire) +├── veracrypt-containers/ # VeraCrypt container files (optional) +│ └── vault.vc # Encrypted container +└── (other mirrors from Netgrimoire) + +/mnt/veracrypt/ # VeraCrypt mount points (optional) +├── vault1/ # Mounted container 1 +└── vault2/ # Mounted container 2 (if needed) /srv/mediapg/ # Media SSD ZFS mount (rotated) └── library/ # H.264 encoded media @@ -268,7 +274,8 @@ Headroom: 78W /usr/local/sbin/ # System scripts ├── pocketgrimoire-sync.sh # Main sync script -└── pocketgrimoire-zfs-pull.sh # ZFS replication script +├── pocketgrimoire-zfs-pull.sh # ZFS replication script +└── mount-veracrypt-vault.sh # VeraCrypt mount script (optional) /etc/ # Config files ├── pocketgrimoire-sync.env # Secrets (ntfy tokens) 
@@ -313,7 +320,179 @@ sudo raspi-config # System Options → Locale → en_US.UTF-8 ``` -### 2. Install ZFS +### 2. Install VeraCrypt (Optional - For Encrypted Container Files) + +**VeraCrypt** allows you to mount encrypted container files as virtual drives. This is useful for: +- Encrypted file containers synced from Netgrimoire +- Portable encrypted volumes that can be moved between systems +- Additional layer of encryption beyond ZFS + +**Installation:** + +```bash +# Install dependencies +sudo apt install -y wget libfuse2 + +# Download VeraCrypt (check for latest version at veracrypt.fr) +wget https://launchpad.net/veracrypt/trunk/1.25.9/+download/veracrypt-1.25.9-Debian-12-arm64.deb + +# Install VeraCrypt +sudo dpkg -i veracrypt-*.deb +sudo apt-get install -f # Fix any dependency issues + +# Verify installation +veracrypt --text --version +``` + +**Create Mount Point:** + +```bash +# Create directory for VeraCrypt volumes +sudo mkdir -p /mnt/veracrypt +sudo mkdir -p /mnt/veracrypt/vault1 +sudo mkdir -p /mnt/veracrypt/vault2 +``` + +**Mount VeraCrypt Container:** + +```bash +# Mount a VeraCrypt container file +sudo veracrypt --text \ + --mount /path/to/container.vc \ + /mnt/veracrypt/vault1 + +# You will be prompted for: +# - Container password +# - PIM (leave blank if not used) +# - Keyfiles (if any) + +# Verify mounted +mount | grep veracrypt +df -h /mnt/veracrypt/vault1 +``` + +**Auto-Mount on Boot (Optional):** + +Create systemd service to mount VeraCrypt on boot with manual password entry: + +```bash +sudo nano /etc/systemd/system/veracrypt-vault.service +``` + +```ini +[Unit] +Description=Mount VeraCrypt vault container +After=local-fs.target + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/bin/veracrypt --text --non-interactive \ + --password-stdin \ + --mount /srv/vaultpg/containers/vault.vc \ + /mnt/veracrypt/vault1 +ExecStop=/usr/bin/veracrypt --text --dismount /mnt/veracrypt/vault1 + +[Install] +WantedBy=multi-user.target +``` + +**Note:** 
For security, password should be entered manually at boot, not stored in files. + +**Better Approach - Manual Mount Script:** + +```bash +sudo nano /usr/local/sbin/mount-veracrypt-vault.sh +``` + +```bash +#!/bin/bash +# Mount VeraCrypt container with password prompt + +CONTAINER="/srv/vaultpg/containers/vault.vc" +MOUNT_POINT="/mnt/veracrypt/vault1" + +if mount | grep -q "$MOUNT_POINT"; then + echo "VeraCrypt volume already mounted at $MOUNT_POINT" + exit 0 +fi + +echo "Mounting VeraCrypt container..." +sudo veracrypt --text --mount "$CONTAINER" "$MOUNT_POINT" + +if [ $? -eq 0 ]; then + echo "Successfully mounted: $MOUNT_POINT" + df -h "$MOUNT_POINT" +else + echo "Failed to mount VeraCrypt container" + exit 1 +fi +``` + +```bash +sudo chmod +x /usr/local/sbin/mount-veracrypt-vault.sh +``` + +**Usage:** +```bash +# Mount manually after boot +sudo /usr/local/sbin/mount-veracrypt-vault.sh + +# Unmount +sudo veracrypt --text --dismount /mnt/veracrypt/vault1 + +# List mounted volumes +veracrypt --text --list +``` + +**VeraCrypt Container Creation (Do this on Netgrimoire first):** + +```bash +# Create a new VeraCrypt container (example: 10GB) +veracrypt --text --create /path/to/container.vc + +# Follow prompts: +# - Volume type: Normal +# - Encryption algorithm: AES +# - Hash algorithm: SHA-512 +# - Filesystem: Linux Ext4 +# - Size: 10GB (or desired size) +# - Password: (enter strong password) +# - Format volume: Yes +``` + +**Sync VeraCrypt Container via ZFS:** + +```bash +# Store container file in ZFS dataset +sudo zfs create vaultpg/veracrypt-containers + +# Container location: /srv/vaultpg/veracrypt-containers/vault.vc + +# This file syncs from Netgrimoire like any other file +# Then mount it after sync completes +``` + +**When to Use VeraCrypt vs ZFS Encryption:** + +**Use VeraCrypt when:** +- Need portable encrypted containers (can move to other systems) +- Want different passwords for different data sets +- Need compatibility with Windows/Mac (VeraCrypt is 
cross-platform) +- Want nested encryption (VeraCrypt inside ZFS) + +**Use ZFS encryption when:** +- Encrypting entire drives/pools +- Want transparent encryption (no manual mounting) +- Need better performance (native filesystem encryption) +- Don't need to move encrypted data to non-Linux systems + +**For Pocket Grimoire, recommended approach:** +- ZFS encryption for main vault and media SSDs (always) +- VeraCrypt for specific sensitive containers (optional) +- Example: Tax documents, personal files in VeraCrypt container on ZFS-encrypted drive + +### 3. Install ZFS ```bash # Install ZFS utilities @@ -323,7 +502,7 @@ sudo apt install -y zfsutils-linux sudo zpool list ``` -### 3. Configure ZFS Pools +### 4. Configure ZFS Pools **Important:** Replace `/dev/sdX` with your actual device identifiers. Use `lsblk` to identify drives. @@ -1140,9 +1319,25 @@ sudo umount /mnt/pocket-media ### 8. Document Passphrases - [ ] ZFS encryption passphrases (written down, secured) -- [ ] WiFi credentials for travel router +- [ ] VeraCrypt container passwords (if using, written down, secured) +- [ ] WiFi credentials for travel router (portapotty network) - [ ] Jellyfin admin password - [ ] Wiki.js admin password +- [ ] Keep all passphrases in secure location separate from device + +### 9. Test VeraCrypt Containers (If Using) +```bash +# Verify container can mount +sudo veracrypt --text --mount \ + /srv/vaultpg/veracrypt-containers/vault.vc \ + /mnt/veracrypt/vault1 + +# Access files +ls /mnt/veracrypt/vault1 + +# Unmount +sudo veracrypt --text --dismount /mnt/veracrypt/vault1 +``` --- 
@@ -1174,6 +1369,29 @@ sudo zfs mount -a zfs list ``` +### VeraCrypt Mount (Optional, 1 minute) +```bash +# If using VeraCrypt containers +# SSH into Pi (if not already) +ssh user@pocket-grimoire.local + +# Mount VeraCrypt container(s) +sudo /usr/local/sbin/mount-veracrypt-vault.sh +# Enter password when prompted + +# Verify mounted +df -h /mnt/veracrypt/vault1 +ls /mnt/veracrypt/vault1 + +# Or mount manually: +sudo veracrypt --text --mount \ + /srv/vaultpg/veracrypt-containers/vault.vc \ + /mnt/veracrypt/vault1 + +# List all mounted VeraCrypt volumes +veracrypt --text --list +``` + ### Verify Services (2 minutes) ```bash # Check Docker containers 
@@ -1313,6 +1531,70 @@ docker compose restart docker exec -it pocketgrimoire_db psql -U wikijs -d wikijs -c "\dt" ``` +### VeraCrypt Container Won't Mount + +**Check container exists:** +```bash +ls -lh /srv/vaultpg/veracrypt-containers/ +# Should show vault.vc file +``` + +**Verify VeraCrypt is installed:** +```bash +veracrypt --text --version +# Should show version number +``` + +**Try mounting with verbose output:** +```bash +sudo veracrypt --text --verbose \ + --mount /srv/vaultpg/veracrypt-containers/vault.vc \ + /mnt/veracrypt/vault1 +``` + +**Common issues:** +- **Wrong password:** Re-enter carefully (passwords are case-sensitive) +- **Container corrupted:** Try mounting read-only: + ```bash + sudo veracrypt --text --mount --protect-hidden=no \ + /srv/vaultpg/veracrypt-containers/vault.vc \ + /mnt/veracrypt/vault1 + ``` +- **Already mounted elsewhere:** Unmount first: + ```bash + sudo veracrypt --text --dismount /mnt/veracrypt/vault1 + ``` +- **FUSE not available:** + ```bash + sudo apt install -y fuse libfuse2 + sudo modprobe fuse + ``` + +**Check what's mounted:** +```bash +veracrypt --text --list +mount | grep veracrypt +``` + +**Force unmount (if stuck):** +```bash +sudo veracrypt --text --force --dismount /mnt/veracrypt/vault1 +# Or: +sudo umount -f /mnt/veracrypt/vault1 +``` + +**Verify container integrity:** +```bash +# Test mount without password (will fail but shows if container is valid) +sudo veracrypt --test /srv/vaultpg/veracrypt-containers/vault.vc +``` +cd /srv/pocket-grimoire/stacks/wikijs +docker compose restart + +# Check database +docker exec -it pocketgrimoire_db psql -U wikijs -d wikijs -c "\dt" +``` + ### Sync Failures ```bash # Check sync log 
@@ -1382,6 +1664,15 @@ docker compose down cd /srv/pocket-grimoire/stacks/filebrowser docker compose down +# Unmount VeraCrypt containers (if using) +sudo veracrypt --text --dismount /mnt/veracrypt/vault1 +# Or dismount all: +sudo veracrypt --text --dismount-all + +# Verify unmounted +veracrypt --text --list +# Should show "No volumes mounted" + # Unmount and export ZFS pools sudo zfs unmount -a sudo zpool export vaultpg @@ -1400,9 +1691,9 @@ sudo shutdown -h now 1. Unplug Ethernet cable from Pi (stops network activity) 2. Wait 10 seconds 3. Unplug power from Anker Prime -4. ZFS pools may need recovery on next boot (usually auto-repairs) +4. ZFS pools and VeraCrypt containers may need recovery on next boot (usually auto-repairs) -**Note:** ZFS is resilient, but proper shutdown is always better. +**Note:** ZFS is resilient, but proper shutdown is always better. VeraCrypt containers are generally safe with sudden unmount. --- @@ -1521,10 +1812,15 @@ Temperature: Cool (<65°C) ## Security Notes ### Encryption -- Both SSDs use native ZFS encryption -- Passphrases required on boot (manual unlock) -- Family media SSD is unencrypted (for portability/sharing) -- SSH keys are stored on encrypted Vault SSD +- **ZFS Encryption:** Both SSDs use native ZFS encryption + - Passphrases required on boot (manual unlock) + - Family media SSD is unencrypted (for portability/sharing) + - SSH keys are stored on encrypted Vault SSD +- **VeraCrypt Containers (Optional):** Additional encryption layer + - Encrypted file containers within ZFS-encrypted drives (nested encryption) + - Separate passwords for different data sets + - Portable containers can be moved to other systems + - Cross-platform compatibility (Windows, Mac, Linux) ### Network Security - All services bound to LAN only (not exposed to WAN) 
@@ -1535,15 +1831,24 @@ Temperature: Cool (<65°C) ### Physical Security - Pocket Grimoire is a physical device - keep secure - Encrypted SSDs protect data at rest -- Require passphrase on boot (prevents unauthorized access) -- Keep ZFS passphrases separate from device +- ZFS and/or VeraCrypt passphrases required on boot (prevents unauthorized access) +- Keep all encryption passphrases separate from device +- Consider: Write passphrases on paper, store in secure location ### Backup Strategy - Pocket Grimoire is a mirror, not primary storage - All data originates from Netgrimoire (source of truth) - ZFS replication provides redundancy +- VeraCrypt containers sync like any other file - Can rebuild Pocket Grimoire from Netgrimoire if needed +### Encryption Best Practices +- **Use strong passphrases:** 20+ characters, mix of types +- **Don't reuse passwords:** ZFS ≠ VeraCrypt ≠ services +- **Document recovery:** Write down passphrases (paper, not digital) +- **Test recovery:** Verify you can unlock before traveling +- **Secure storage:** Keep passphrase backup separate from device + --- ## Appendix A: System Specifications 
@@ -1601,6 +1906,52 @@ docker ps htop ``` +### VeraCrypt Operations +```bash +# Mount VeraCrypt container +sudo veracrypt --text --mount \ + /srv/vaultpg/veracrypt-containers/vault.vc \ + /mnt/veracrypt/vault1 + +# Or use helper script +sudo /usr/local/sbin/mount-veracrypt-vault.sh + +# List mounted volumes +veracrypt --text --list + +# Check what's in mounted container +ls -lh /mnt/veracrypt/vault1 + +# Unmount specific volume +sudo veracrypt --text --dismount /mnt/veracrypt/vault1 + +# Unmount all VeraCrypt volumes +sudo veracrypt --text --dismount-all + +# Force unmount (if stuck) +sudo veracrypt --text --force --dismount /mnt/veracrypt/vault1 + +# Check VeraCrypt version +veracrypt --text --version +``` +sudo zpool status + +# Check mounted filesystems +df -h + +# Check memory usage +free -h + +# Check temperature +vcgencmd measure_temp + +# Check Docker containers +docker ps + +# Check system load +htop +``` + ### Service Management ```bash # Restart Wiki.js
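Review bot: The container path in the directory tree of hunk @@ -259,7 (`/srv/vaultpg/veracrypt-containers/vault.vc`) does not match the path hard-coded in the systemd unit and in `mount-veracrypt-vault.sh` later in the patch (`/srv/vaultpg/containers/vault.vc`). The troubleshooting, quick-start and checklist sections all use the `veracrypt-containers` form, so the unit and the script should be changed to that path, or `CONTAINER=` should be documented as the one place to set it.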
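Review bot: The systemd unit in hunk @@ -313,7 cannot work as written: `--non-interactive --password-stdin` reads the password from stdin, but a oneshot service started by systemd gets `/dev/null` on stdin, so the mount fails at every boot. Since the following note already says the password must not be stored in a file and recommends the manual script instead, either drop the unit entirely or have it ask at the console (for example `ExecStart=/bin/sh -c 'systemd-ask-password "VeraCrypt vault:" | /usr/bin/veracrypt --text --non-interactive --password-stdin /srv/vaultpg/veracrypt-containers/vault.vc /mnt/veracrypt/vault1'`). In the same hunk, the install step runs `dpkg -i` on a `.deb` fetched over the network without checking the PGP signature or checksum the VeraCrypt project publishes for its releases; add a verification step before installing, and note that the pinned 1.25.9 URL contradicts the "check for latest version" comment. In `mount-veracrypt-vault.sh`: `mount | grep -q "$MOUNT_POINT"` is a substring match (`vault1` also matches `vault10`), so use `mountpoint -q "$MOUNT_POINT"`; the inner `sudo` is redundant because the script is documented as run via `sudo`; and `if [ $? -eq 0 ]` should be `if veracrypt --text --mount "$CONTAINER" "$MOUNT_POINT"; then`. Finally, the "Sync VeraCrypt Container via ZFS" step should say that the container must be dismounted on Netgrimoire before the snapshot that is replicated is taken, otherwise the copied file holds a dirty filesystem image.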
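Review bot: Hunk @@ -1313,6 ends with leftover lines from the preceding Wiki.js section: after the "Verify container integrity" block, `cd /srv/pocket-grimoire/stacks/wikijs`, `docker compose restart`, `# Check database`, the `docker exec ... "\dt"` line and an extra closing fence are added outside any code block and will render as stray text; delete them. Two command examples in the same hunk are also wrong: `--protect-hidden=no` only disables hidden-volume protection and does not mount read-only, the read-only option is `--mount-options=ro` (short form `-m ro`); and `veracrypt --test` runs the built-in cipher self-tests and takes no container argument, so it says nothing about the container's validity. Replace the "Verify container integrity" block with a read-only mount followed by `fsck` of the mapped device shown by `veracrypt --text --list`.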
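Review bot: In hunk @@ -1382,6 the command `sudo veracrypt --text --dismount-all` uses an option I do not find in the VeraCrypt command line; dismounting every mounted volume is done by giving `--dismount` (or `-d`) with no volume argument: `sudo veracrypt --text --dismount`. The same command appears in the "VeraCrypt Operations" block of hunk @@ -1601,6. The ordering here is right (VeraCrypt dismount before `zfs unmount -a`), and the "Verify unmounted" step is worth keeping because a still-mounted container will make `zpool export vaultpg` fail with a busy error.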
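Review bot: The added sentence in hunk @@ -1400,9 ("VeraCrypt containers are generally safe with sudden unmount") is stronger than the guide can support: a container that is mounted read-write at power loss holds an ext4 filesystem that was not cleanly unmounted, and the container file itself is whatever ZFS last committed. Reword to match the ZFS line, for example "the filesystem inside a mounted VeraCrypt container may need `fsck` after the next mount", and point to the troubleshooting section.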
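Review bot: The Physical Security bullet in hunk @@ -1535,15 says VeraCrypt passphrases are "required on boot", but the rest of the patch mounts containers manually after boot with `mount-veracrypt-vault.sh` and recommends against an automatic unit; change it to "ZFS passphrases required on boot, VeraCrypt passphrases on each mount" so the two sections agree. The "Encryption Best Practices" list is fine, though "Test recovery" should also cover verifying that the container copy on Pocket Grimoire mounts after a sync, which is what the new "Test VeraCrypt Containers" checklist step in hunk @@ -1140,9 does.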
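Review bot: Hunk @@ -1601,6 has the same paste problem as the troubleshooting hunk: after the closing fence of the "VeraCrypt Operations" block, the lines `sudo zpool status` through `htop` and a second closing fence duplicate the System Status block immediately above and end up outside any code block; remove them. Also replace `sudo veracrypt --text --dismount-all` with `sudo veracrypt --text --dismount` (no volume argument), as noted for the shutdown hunk.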