44 lines
1.5 KiB
Markdown
---
title: Offsite Vault Architecture
description: Two Pi vault nodes — ZFS raw send, syncoid, Pocket Grimoire
published: true
date: 2026-04-12T00:00:00.000Z
tags: vault, offsite, zfs, kopia
editor: markdown
dateCreated: 2026-04-12T00:00:00.000Z
---

# Offsite Vault Architecture

## Overview

Two offsite nodes receive ZFS replication from `znas`:

| Node | Location | Role |
|------|----------|------|
| Vault Pi (dedicated) | Offsite / home shelf | Kopia offsite server, ZFS vault pool |
| Pocket Grimoire | Travel / portable | Portable vault + media, also a vault node |

## Replication Method

ZFS raw send via `syncoid` with `-w` flag (raw/encrypted mode):

```bash
# Dedicated vault Pi
syncoid -w znas:vault/data vault-pi:vault/data

# Pocket Grimoire pre-travel
syncoid znas:vault/Green/Pocket pocket:/srv/greenpg/Green
```
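
The `-w` flag sends encrypted ZFS streams. The receiving node stores data in its encrypted form, so no decryption keys are needed on the vault nodes. Keys stay exclusively on `znas`. The Pocket Grimoire command as shown does not pass `-w`; without raw mode, `zfs send` transmits an encrypted dataset's contents decrypted, so the copy on the receiver is not protected by the `znas` keys.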
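
One way to check on a receiving node that data really is held raw-encrypted with no key loaded, as an added example (not part of the original page). It reads `zfs get` output for the `encryption` and `keystatus` properties; the child dataset names in the sample are constructed.

```shell
#!/usr/bin/env bash
# Added example: audit a vault node for data that is not held raw-encrypted.
# On the node, feed it real output:
#   zfs get -rH -o name,property,value encryption,keystatus vault/data | audit_vault
# Input is tab-separated: dataset name, property, value.

audit_vault() {
  awk -F'\t' '
    $2 == "encryption" { if (!($1 in enc)) order[++n] = $1; enc[$1] = $3 }
    $2 == "keystatus"  { key[$1] = $3 }
    END {
      bad = 0
      for (i = 1; i <= n; i++) {
        ds = order[i]
        if (enc[ds] == "off") {
          # Received from a non-raw send (or never encrypted): plaintext at rest.
          print "PLAINTEXT " ds; bad = 1
        } else if (key[ds] == "available") {
          # A loaded key means this node can decrypt, contrary to the design.
          print "KEY-LOADED " ds; bad = 1
        }
      }
      exit bad
    }'
}

# Constructed sample (child dataset names are hypothetical).
sample_zfs_get() {
  printf '%s\t%s\t%s\n' \
    vault/data         encryption aes-256-gcm \
    vault/data         keystatus  unavailable \
    vault/data/scratch encryption off \
    vault/data/scratch keystatus  - \
    vault/data/photos  encryption aes-256-gcm \
    vault/data/photos  keystatus  available
}

sample_zfs_get | audit_vault || echo "findings above need attention"
```

The function exits non-zero when it reports anything, so it can gate a post-sync or pre-travel step.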

## Kopia Offsite Server

The vault container (`vault.yaml`) runs a Kopia server on port 51516 that serves as the remote endpoint for the dedicated Pi vault. It is accessible at `vault.netgrimoire.com`.

## Pocket Grimoire as Vault Node

Pocket Grimoire's ZFS pool (`pocket-green` at `/srv/greenpg/`) receives a `syncoid` push from `znas` before each trip. This makes Pocket Grimoire an offsite backup node whenever it leaves the house.

See [Pocket Grimoire Sync](/Pocket-Grimoire/Sync/Pre-Travel-Sync) for the pre-travel checklist.