---
title: Vault Grimoire
description: Storage and backup — the dragon guards the data hoard
published: true
date: 2026-04-12T00:00:00.000Z
tags: vault, storage, backup
editor: markdown
dateCreated: 2026-04-12T00:00:00.000Z
---

# Vault Grimoire

![vault-badge](/images/vault-badge.png)

The Vault Grimoire covers all storage and backup infrastructure. Data starts at `znas`, is deduplicated and encrypted by Kopia, and replicates offsite to two Pi vault nodes — one dedicated vault Pi and one inside Pocket Grimoire.

---

## Sections

| Section | Contents |
|---------|----------|
| [ZFS](/Vault-Grimoire/ZFS/Storage-Layout) | ZFS pools, datasets, NFS exports, commands reference |
| [Kopia](/Vault-Grimoire/Kopia/Kopia-Overview) | Backup repos, retention, restore, two-repo architecture |
| [Backups](/Vault-Grimoire/Backups/Services-Backup) | Per-service backup runbooks (Immich, MailCow, Nextcloud, Wiki, services) |
| [Offsite](/Vault-Grimoire/Offsite/Vault-Architecture) | Pi vault nodes, ZFS raw send, syncoid workflow |

---

## Offsite Vault Architecture

```
znas (primary)
  └── ZFS pool → Kopia dedup → encrypted repo
        ├── syncoid -w → Pi Vault (dedicated offsite)
        └── syncoid → Pocket Grimoire (portable vault node)
```

Both offsite nodes receive ZFS raw send with the `-w` flag. Encryption keys stay on `znas`. The vault nodes store encrypted data only — no keys needed there.

---

## Two-Repo Architecture

Kopia uses two separate containers on different ports:

| Container | Repo | URL | Purpose |
|-----------|------|-----|---------|
| kopia | Primary vault | `kopia.netgrimoire.com` | Main backup, dedup, retention |
| vault | Offsite server | `vault.netgrimoire.com` (port 51516) | Replication target for Pi vaults |

One Kopia server instance per repository. They cannot share.

---

## Key Rules

- ZFS encryption cannot be done in-place. Migration requires `rsync` to a new encrypted dataset, then ZFS raw send with `-w` to vaults (no key exposure on vault side).
- ZFS must fully mount before NFS starts on znas. Systemd override required: `After=zfs-import.target zfs-mount.service`.
- Loopback NFS mount needs `x-systemd.after=nfs-server.service` in fstab.
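
The rule that vault nodes hold encrypted data only, with no keys, can be checked on the vault side after each replication. The script below is an added example, not part of the original runbooks; the `vault/znas` receive target and the dataset names in the sample are constructed.

```shell
#!/bin/sh
# Added example (not from the original runbooks): audit a vault node for
# datasets that break the "encrypted data only, no keys" rule.
# Feed it the scripted output of zfs get for the received dataset tree, e.g.
#   zfs get -H -r -t filesystem,volume -o name,property,value \
#       encryption,keystatus vault/znas | audit_vault_datasets
# (vault/znas is an assumed receive target, not a name from the page.)

audit_vault_datasets() {
    # Input: tab-separated name, property, value (one property per line).
    # Output: one finding per offending dataset; exit status 1 if any.
    awk -F '\t' '
        function note(d) { if (!(d in seen)) { seen[d] = 1; order[++n] = d } }
        BEGIN { bad = 0 }
        $2 == "encryption" { note($1); enc[$1] = $3 }
        $2 == "keystatus"  { note($1); key[$1] = $3 }
        END {
            for (i = 1; i <= n; i++) {
                d = order[i]
                if (enc[d] == "off") {
                    # Not a raw-sent encrypted dataset: plaintext at rest.
                    print "UNENCRYPTED " d; bad = 1
                } else if (key[d] == "available") {
                    # A key was loaded on this node: key material is on the vault.
                    print "KEY_LOADED " d; bad = 1
                }
            }
            exit bad
        }'
}

# Constructed sample of zfs get output: one healthy dataset, one with a
# loaded key, one unencrypted.
sample_zfs_get() {
    printf 'vault/znas/photos\tencryption\taes-256-gcm\n'
    printf 'vault/znas/photos\tkeystatus\tunavailable\n'
    printf 'vault/znas/mail\tencryption\taes-256-gcm\n'
    printf 'vault/znas/mail\tkeystatus\tavailable\n'
    printf 'vault/znas/scratch\tencryption\toff\n'
    printf 'vault/znas/scratch\tkeystatus\t-\n'
}

# Demo run on the constructed sample (findings are expected here).
sample_zfs_get | audit_vault_datasets || true
```

A healthy vault node produces no output and exit status 0; any `KEY_LOADED` or `UNENCRYPTED` line means the raw-send guarantee no longer holds for that dataset.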