New Grimoire

Vault-Grimoire/Offsite/Vault-Architecture.md

@@ -0,0 +1,44 @@
+---
+title: Offsite Vault Architecture
+description: Two Pi vault nodes — ZFS raw send, syncoid, Pocket Grimoire
+published: true
+date: 2026-04-12T00:00:00.000Z
+tags: vault, offsite, zfs, kopia
+editor: markdown
+dateCreated: 2026-04-12T00:00:00.000Z
+---
+
+# Offsite Vault Architecture
+
+## Overview
+
+Two offsite nodes receive ZFS replication from `znas`:
+
+| Node | Location | Role |
+|------|----------|------|
+| Vault Pi (dedicated) | Offsite / home shelf | Kopia offsite server, ZFS vault pool |
+| Pocket Grimoire | Travel / portable | Portable vault + media, also a vault node |
+
+## Replication Method
+
+ZFS raw send via `syncoid` with `-w` flag (raw/encrypted mode):
+
+```bash
+# Dedicated vault Pi
+syncoid -w znas:vault/data vault-pi:vault/data
+
+# Pocket Grimoire pre-travel
+syncoid znas:vault/Green/Pocket pocket:/srv/greenpg/Green
+```
+
+The `-w` flag sends encrypted ZFS streams. The receiving node stores data in its encrypted form — no decryption keys are needed on the vault nodes. Keys stay exclusively on `znas`.
+
+## Kopia Offsite Server
+
+The vault container (`vault.yaml`) runs a Kopia server on port 51516 that serves as the remote endpoint for the dedicated Pi vault. Accessible at `vault.netgrimoire.com`.
+
+## Pocket Grimoire as Vault Node
+
+Pocket Grimoire's ZFS pool (`pocket-green` at `/srv/greenpg/`) receives a `syncoid` push from `znas` before each trip. This makes Pocket Grimoire an offsite backup node whenever it leaves the house.
+
+See [Pocket Grimoire Sync](/Pocket-Grimoire/Sync/Pre-Travel-Sync) for the pre-travel checklist.