From bf7254ecc323d3fea08f6db01f495bde27ef4eef5eb684cdeb04542fe806ff77 Mon Sep 17 00:00:00 2001
From: "Marc S. Weidner"
Date: Tue, 3 Jun 2025 01:35:49 +0200
Subject: [PATCH] V8.03.384.2025.06.03

Signed-off-by: Marc S. Weidner
---
 docs/graphviz/ciss.debian.live.builder.dot | 96 ++++++++++------------
 1 file changed, 42 insertions(+), 54 deletions(-)

diff --git a/docs/graphviz/ciss.debian.live.builder.dot b/docs/graphviz/ciss.debian.live.builder.dot
index 3d5eb53..bdc7646 100644
--- a/docs/graphviz/ciss.debian.live.builder.dot
+++ b/docs/graphviz/ciss.debian.live.builder.dot
@@ -9,61 +9,60 @@ digraph CISS_debian_live_builder {
 nodesep=0.6, ranksep=0.8
 ];
- node [fontname="Helvetica"];
 // -----------------------------
- // KNOTS: All hosts and auxiliary anchors
+ // KNOTS: Internet clouds (NOT in a cluster)
 // -----------------------------
-
- // Internet (links)
 InternetLeft [shape=oval, style=filled, fillcolor=lightblue, label="Internet"];
+ InternetTLS [shape=oval, style=filled, fillcolor=lightblue, label="TLS/HTTPS"];
- // Jump Host
+ // -----------------------------
+ // KNOTS: Jump Host (integrated into cluster_overall)
+ // -----------------------------
 Jump_Host [shape=diamond, style=filled, fillcolor=green, label="Jump Host"];
- // Hidden-Master
+ // -----------------------------
+ // KNOTS: Hidden master (in cluster_hm)
+ // -----------------------------
 Hidden_Master [shape=cylinder, style=filled, fillcolor=lavender, label="Hidden-Master"];
- // Nameserver (Basis-Datenbankzylinder, hellgelb)
+ // -----------------------------
+ // KNOTS: Nameserver (in cluster_ns)
+ // -----------------------------
 ns00 [shape=cylinder, style=filled, fillcolor=lightyellow, label="ns00.eddns.eu"];
 ns01 [shape=cylinder, style=filled, fillcolor=lightyellow, label="ns01.eddns.eu"];
 ns02 [shape=cylinder, style=filled, fillcolor=lightyellow, label="ns02.eddns.de"];
 ns03 [shape=cylinder, style=filled, fillcolor=lightyellow, label="ns03.eddns.de"];
-
- // Hilfsanker für cluster_ns (unsichtbar, damit Kanten sauber aus dem Rechteck herausgeführt werden)
- ns_anchor [shape=point, style=invis, width=0];
-
- // B server (light red)
- git [shape=cylinder, style=filled, fillcolor="#FFCCCC", label="git.coresecret.dev"];
- lab [shape=cylinder, style=filled, fillcolor="#FFCCCC", label="lab.coresecret.dev"];
- run [shape=cylinder, style=filled, fillcolor="#FFCCCC", label="run.coresecret.dev"];
-
- // Auxiliary anchor for cluster_B_small (invisible)
- b_small_anchor [shape=point, style=invis, width=0];
- // Auxiliary anchor for cluster_B_big (invisible)
- b_big_anchor [shape=point, style=invis, width=0];
-
- // Database “cloud.e2ee.li” (light red)
- cloud [shape=cylinder, style=filled, fillcolor="#FFCCCC", label="cloud.e2ee.li"];
- // Auxiliary anchor for cluster_cloud (invisible)
- cloud_anchor [shape=point, style=invis, width=0];
-
- // Internet (right, for TLS/HTTPS)
- InternetTLS [shape=oval, style=filled, fillcolor=lightblue, label="TLS/HTTPS"];
- // Auxiliary anchor for cluster_tls_group (invisible)
- tls_anchor [shape=point, style=invis, width=0];
-
+ ns_anchor [shape=point, style=invis, width=0]; // unsichtbarer Anker für DNSSEC-Pfeile
 // -----------------------------
- // CLUSTER: Entire system (everything except the two Internet clouds)
+ // KNOTS: B-Server (in cluster_B_small & cluster_B_big)
+ // -----------------------------
+ git [shape=cylinder, style=filled, fillcolor="#FFCCCC", label="git.coresecret.dev"];
+ run [shape=cylinder, style=filled, fillcolor="#FFCCCC", label="run.coresecret.dev"];
+ lab [shape=cylinder, style=filled, fillcolor="#FFCCCC", label="lab.coresecret.dev"];
+ b_small_anchor [shape=point, style=invis, width=0]; // Anker für kleines B-Cluster
+ b_big_anchor [shape=point, style=invis, width=0]; // Anker für großes B-Cluster
+
+ // -----------------------------
+ // KNOTS: "cloud.e2ee.li" (in cluster_cloud)
+ // -----------------------------
+ cloud [shape=cylinder, style=filled, fillcolor="#FFCCCC", label="cloud.e2ee.li"];
+ cloud_anchor [shape=point, style=invis, width=0]; // Anker für cloud-Cluster
+
+ // -----------------------------
+ // CLUSTER: Entire system (except Internet clouds)
 // -----------------------------
 subgraph cluster_overall {
- label="SSH-Pub-Key, 2FA, No-Root-Login, aes256-gcm@openssh.com, (No ChaCha), only";
+ label="SSH-Pub-Key, 2FA, No-Root-Login, aes256-gcm@openssh.com, (No ChaCha) only";
 style=solid;
 color=red;
- // ----- Cluster: Name server group -----
+ // ---- Integrate jump host into outer rectangle ----
+ Jump_Host;
+
+ // ---- Cluster: name server group ----
 subgraph cluster_ns {
 label="";
 style=dashed;
@@ -75,7 +74,7 @@ digraph CISS_debian_live_builder {
 ns_anchor;
 }
- // ----- Cluster: Hidden-Master -----
+ // ---- Cluster: Hidden-Master ----
 subgraph cluster_hm {
 label="";
 style=dashed;
@@ -83,22 +82,18 @@ digraph CISS_debian_live_builder {
 Hidden_Master;
 }
- // ----- Cluster: TLS/HTTPS group (contains B-Server, cloud, and the TLS cloud) -----
+ // ---- Cluster: TLS/HTTPS group (contains B-Cluster and cloud) ----
 subgraph cluster_tls_group {
- // The red dotted rectangle around B-Cluster, cloud, and the TLS cloud
- label="TLS 1.2 || 1.3 AES256-GCM-SHA384 ECDH 448 AESGCM 256 only.";
+ label="TLSv1.2 || TLSv1.3 ECDHE-RSA-AES256-GCM-SHA384 ECDH 448 AESGCM 256 & ECDHE-RSA-CHACHA20-POLY1305 ECDH 448 ChaCha20 256";
 style=dashed;
 color=red;
- // ----- Cluster: Outer rectangle around all B nodes (lab + small rectangle) -----
+ // ---- Cluster: Outer rectangle around all B nodes (lab + small rectangle) ----
 subgraph cluster_B_big {
 label="";
 style=dashed;
 color=red;
-
- // Direct node lab
 lab;
- // Invisible anchor pointed to by DNSSEC arrows
 b_big_anchor;
 // ---- Cluster: B a) and c) (small rectangle around git and run) ----
@@ -112,7 +107,7 @@ digraph CISS_debian_live_builder {
 }
 }
- // ----- Cluster: "cloud.e2ee.li" -----
+ // ---- Cluster: "cloud.e2ee.li" ----
 subgraph cluster_cloud {
 label="HA: LVM on RAID6 on dm-crypt incl. dm-integrity";
 style=dashed;
@@ -120,34 +115,27 @@ digraph CISS_debian_live_builder {
 cloud;
 cloud_anchor;
 }
-
- // ----- Node: TLS-Internet-Cloud -----
- InternetTLS;
- tls_anchor;
 }
 }
-
 // -----------------------------
 // EDGES
 // -----------------------------
-
- // Internet (left) → Jump Host
+ // Left: Internet → Jump Host
 InternetLeft -> Jump_Host [color=green];
 // Jump Host → Hidden-Master
 Jump_Host -> Hidden_Master [color=green];
- // Hidden master → Name server (green with label “HMAC SHA512”)
+ // Hidden-Master → Name servers (each green with the label “HMAC SHA512”)
 Hidden_Master -> ns00 [color=green, label="HMAC SHA512"];
 Hidden_Master -> ns01 [color=green, label="HMAC SHA512"];
 Hidden_Master -> ns02 [color=green, label="HMAC SHA512"];
 Hidden_Master -> ns03 [color=green, label="HMAC SHA512"];
- // Red arrow “DNSSEC”: from cluster nameserver (ns_anchor) → B cluster (b_big_anchor)
+ // Red arrows “DNSSEC” from name server cluster (ns_anchor) → B cluster (b_big_anchor)
 ns_anchor -> b_big_anchor [color=red, label="DNSSEC"];
-
- // Red arrow “DNSSEC”: from cluster nameserver (ns_anchor) → cloud cluster (cloud_anchor)
+ // Red arrow “DNSSEC” from nameserver cluster (ns_anchor) → cloud cluster (cloud_anchor)
 ns_anchor -> cloud_anchor [color=red, label="DNSSEC"];
 // Red arrows from TLS Internet → B-Cluster and cloud