V8.03.384.2025.06.03

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

docs/graphviz/ciss.debian.live.builder.dot

@@ -9,61 +9,60 @@ digraph CISS_debian_live_builder {
         nodesep=0.6,
         ranksep=0.8
     ];
-
     node [fontname="Helvetica"];
 
     // -----------------------------
-    // KNOTS: All hosts and auxiliary anchors
+    // KNOTS: Internet clouds (NOT in a cluster)
     // -----------------------------
-
-    // Internet (links)
     InternetLeft [shape=oval, style=filled, fillcolor=lightblue, label="Internet"];
+    InternetTLS  [shape=oval, style=filled, fillcolor=lightblue, label="TLS/HTTPS"];
 
-    // Jump Host
+    // -----------------------------
+    // KNOTS: Jump Host (integrated into cluster_overall)
+    // -----------------------------
     Jump_Host [shape=diamond, style=filled, fillcolor=green, label="Jump Host"];
 
-    // Hidden-Master
+    // -----------------------------
+    // KNOTS: Hidden master (in cluster_hm)
+    // -----------------------------
     Hidden_Master [shape=cylinder, style=filled, fillcolor=lavender, label="Hidden-Master"];
 
-    // Nameserver (Basis-Datenbankzylinder, hellgelb)
+    // -----------------------------
+    // KNOTS: Nameserver (in cluster_ns)
+    // -----------------------------
     ns00 [shape=cylinder, style=filled, fillcolor=lightyellow, label="ns00.eddns.eu"];
     ns01 [shape=cylinder, style=filled, fillcolor=lightyellow, label="ns01.eddns.eu"];
     ns02 [shape=cylinder, style=filled, fillcolor=lightyellow, label="ns02.eddns.de"];
     ns03 [shape=cylinder, style=filled, fillcolor=lightyellow, label="ns03.eddns.de"];
-
+    ns_anchor [shape=point, style=invis, width=0];  // unsichtbarer Anker für DNSSEC-Pfeile
-    // Hilfsanker für cluster_ns (unsichtbar, damit Kanten sauber aus dem Rechteck herausgeführt werden)
-    ns_anchor [shape=point, style=invis, width=0];
-
-    // B server (light red)
-    git [shape=cylinder, style=filled, fillcolor="#FFCCCC", label="git.coresecret.dev"];
-    lab [shape=cylinder, style=filled, fillcolor="#FFCCCC", label="lab.coresecret.dev"];
-    run [shape=cylinder, style=filled, fillcolor="#FFCCCC", label="run.coresecret.dev"];
-
-    // Auxiliary anchor for cluster_B_small (invisible)
-    b_small_anchor [shape=point, style=invis, width=0];
-    // Auxiliary anchor for cluster_B_big (invisible)
-    b_big_anchor [shape=point, style=invis, width=0];
-
-    // Database “cloud.e2ee.li” (light red)
-    cloud [shape=cylinder, style=filled, fillcolor="#FFCCCC", label="cloud.e2ee.li"];
-    // Auxiliary anchor for cluster_cloud (invisible)
-    cloud_anchor [shape=point, style=invis, width=0];
-
-    // Internet (right, for TLS/HTTPS)
-    InternetTLS [shape=oval, style=filled, fillcolor=lightblue, label="TLS/HTTPS"];
-    // Auxiliary anchor for cluster_tls_group (invisible)
-    tls_anchor [shape=point, style=invis, width=0];
-
 
     // -----------------------------
-    // CLUSTER: Entire system (everything except the two Internet clouds)
+    // KNOTS: B-Server (in cluster_B_small & cluster_B_big)
+    // -----------------------------
+    git [shape=cylinder, style=filled, fillcolor="#FFCCCC", label="git.coresecret.dev"];
+    run [shape=cylinder, style=filled, fillcolor="#FFCCCC", label="run.coresecret.dev"];
+    lab [shape=cylinder, style=filled, fillcolor="#FFCCCC", label="lab.coresecret.dev"];
+    b_small_anchor [shape=point, style=invis, width=0];  // Anker für kleines B-Cluster
+    b_big_anchor   [shape=point, style=invis, width=0];  // Anker für großes B-Cluster
+
+    // -----------------------------
+    // KNOTS: "cloud.e2ee.li" (in cluster_cloud)
+    // -----------------------------
+    cloud        [shape=cylinder, style=filled, fillcolor="#FFCCCC", label="cloud.e2ee.li"];
+    cloud_anchor [shape=point,    style=invis,  width=0];  // Anker für cloud-Cluster
+
+    // -----------------------------
+    // CLUSTER: Entire system (except Internet clouds)
     // -----------------------------
     subgraph cluster_overall {
-        label="SSH-Pub-Key, 2FA, No-Root-Login, aes256-gcm@openssh.com, (No ChaCha), only";
+        label="SSH-Pub-Key, 2FA, No-Root-Login, aes256-gcm@openssh.com, (No ChaCha) only";
         style=solid;
         color=red;
 
-        // ----- Cluster: Name server group -----
+        // ---- Integrate jump host into outer rectangle ----
+        Jump_Host;
+
+        // ---- Cluster: name server group ----
         subgraph cluster_ns {
             label="";
             style=dashed;
@@ -75,7 +74,7 @@ digraph CISS_debian_live_builder {
             ns_anchor;
         }
 
-        // ----- Cluster: Hidden-Master -----
+        // ---- Cluster: Hidden-Master ----
         subgraph cluster_hm {
             label="";
             style=dashed;
@@ -83,22 +82,18 @@ digraph CISS_debian_live_builder {
             Hidden_Master;
         }
 
-        // ----- Cluster: TLS/HTTPS group (contains B-Server, cloud, and the TLS cloud) -----
+        // ---- Cluster: TLS/HTTPS group (contains B-Cluster and cloud) ----
         subgraph cluster_tls_group {
-            // The red dotted rectangle around B-Cluster, cloud, and the TLS cloud
+            label="TLSv1.2 || TLSv1.3 ECDHE-RSA-AES256-GCM-SHA384 ECDH 448 AESGCM 256 & ECDHE-RSA-CHACHA20-POLY1305 ECDH 448 ChaCha20 256";
-            label="TLS 1.2 || 1.3 AES256-GCM-SHA384 ECDH 448 AESGCM 256 only.";
             style=dashed;
             color=red;
 
-            // ----- Cluster: Outer rectangle around all B nodes (lab + small rectangle) -----
+            // ---- Cluster: Outer rectangle around all B nodes (lab + small rectangle) ----
             subgraph cluster_B_big {
                 label="";
                 style=dashed;
                 color=red;
-
-                // Direct node lab
                 lab;
-                // Invisible anchor pointed to by DNSSEC arrows
                 b_big_anchor;
 
                 // ---- Cluster: B a) and c) (small rectangle around git and run) ----
@@ -112,7 +107,7 @@ digraph CISS_debian_live_builder {
                 }
             }
 
-            // ----- Cluster: "cloud.e2ee.li" -----
+            // ---- Cluster: "cloud.e2ee.li" ----
             subgraph cluster_cloud {
                 label="HA: LVM on RAID6 on dm-crypt incl. dm-integrity";
                 style=dashed;
@@ -120,34 +115,27 @@ digraph CISS_debian_live_builder {
                 cloud;
                 cloud_anchor;
             }
-
-            // ----- Node: TLS-Internet-Cloud -----
-            InternetTLS;
-            tls_anchor;
         }
     }
 
-
     // -----------------------------
     // EDGES
     // -----------------------------
-
+    // Left: Internet → Jump Host
-    // Internet (left) → Jump Host
     InternetLeft -> Jump_Host [color=green];
 
     // Jump Host → Hidden-Master
     Jump_Host -> Hidden_Master [color=green];
 
-    // Hidden master → Name server (green with label “HMAC SHA512”)
+    // Hidden-Master → Name servers (each green with the label “HMAC SHA512”)
     Hidden_Master -> ns00 [color=green, label="HMAC SHA512"];
     Hidden_Master -> ns01 [color=green, label="HMAC SHA512"];
     Hidden_Master -> ns02 [color=green, label="HMAC SHA512"];
     Hidden_Master -> ns03 [color=green, label="HMAC SHA512"];
 
-    // Red arrow “DNSSEC”: from cluster nameserver (ns_anchor) → B cluster (b_big_anchor)
+    // Red arrows “DNSSEC” from name server cluster (ns_anchor) → B cluster (b_big_anchor)
     ns_anchor -> b_big_anchor [color=red, label="DNSSEC"];
-
+    // Red arrow “DNSSEC” from nameserver cluster (ns_anchor) → cloud cluster (cloud_anchor)
-    // Red arrow “DNSSEC”: from cluster nameserver (ns_anchor) → cloud cluster (cloud_anchor)
     ns_anchor -> cloud_anchor [color=red, label="DNSSEC"];
 
     // Red arrows from TLS Internet → B-Cluster and cloud