1.5 KiB
1.5 KiB
| title | description | published | date | tags | editor | dateCreated |
|---|---|---|---|---|---|---|
| Offsite Vault Architecture | Two Pi vault nodes — ZFS raw send, syncoid, Pocket Grimoire | true | 2026-04-12T00:00:00.000Z | vault, offsite, zfs, kopia | markdown | 2026-04-12T00:00:00.000Z |
Offsite Vault Architecture
Overview
Two offsite nodes receive ZFS replication from znas:
| Node | Location | Role |
|---|---|---|
| Vault Pi (dedicated) | Offsite / home shelf | Kopia offsite server, ZFS vault pool |
| Pocket Grimoire | Travel / portable | Portable vault + media, also a vault node |
Replication Method
ZFS raw send via syncoid with -w flag (raw/encrypted mode):
# Dedicated vault Pi
syncoid -w znas:vault/data vault-pi:vault/data
# Pocket Grimoire pre-travel
syncoid znas:vault/Green/Pocket pocket:/srv/greenpg/Green
The -w flag sends encrypted ZFS streams. The receiving node stores data in its encrypted form — no decryption keys are needed on the vault nodes. Keys stay exclusively on znas.
Kopia Offsite Server
The vault container (vault.yaml) runs a Kopia server on port 51516 that serves as the remote endpoint for the dedicated Pi vault. Accessible at vault.netgrimoire.com.
Pocket Grimoire as Vault Node
Pocket Grimoire's ZFS pool (pocket-green at /srv/greenpg/) receives a syncoid push from znas before each trip. This makes Pocket Grimoire an offsite backup node whenever it leaves the house.
See Pocket Grimoire Sync for the pre-travel checklist.