digraph CISS_debian_live_builder {
    // -----------------------------
    // General settings
    // -----------------------------
    graph [
        fontsize=10,
        splines=ortho,
        rankdir=LR,
        nodesep=0.6,
        ranksep=0.8
    ];

    node [fontname="Helvetica"];

    // -----------------------------
    // KNOTS: All hosts and auxiliary anchors
    // -----------------------------

    // Internet (links)
    InternetLeft [shape=oval, style=filled, fillcolor=lightblue, label="Internet"];

    // Jump Host
    Jump_Host [shape=diamond, style=filled, fillcolor=green, label="Jump Host"];

    // Hidden-Master
    Hidden_Master [shape=cylinder, style=filled, fillcolor=lavender, label="Hidden-Master"];

    // Nameserver (Basis-Datenbankzylinder, hellgelb)
    ns00 [shape=cylinder, style=filled, fillcolor=lightyellow, label="ns00.eddns.eu"];
    ns01 [shape=cylinder, style=filled, fillcolor=lightyellow, label="ns01.eddns.eu"];
    ns02 [shape=cylinder, style=filled, fillcolor=lightyellow, label="ns02.eddns.de"];
    ns03 [shape=cylinder, style=filled, fillcolor=lightyellow, label="ns03.eddns.de"];

    // Hilfsanker für cluster_ns (unsichtbar, damit Kanten sauber aus dem Rechteck herausgeführt werden)
    ns_anchor [shape=point, style=invis, width=0];

    // B server (light red)
    git [shape=cylinder, style=filled, fillcolor="#FFCCCC", label="git.coresecret.dev"];
    lab [shape=cylinder, style=filled, fillcolor="#FFCCCC", label="lab.coresecret.dev"];
    run [shape=cylinder, style=filled, fillcolor="#FFCCCC", label="run.coresecret.dev"];

    // Auxiliary anchor for cluster_B_small (invisible)
    b_small_anchor [shape=point, style=invis, width=0];
    // Auxiliary anchor for cluster_B_big (invisible)
    b_big_anchor [shape=point, style=invis, width=0];

    // Database “cloud.e2ee.li” (light red)
    cloud [shape=cylinder, style=filled, fillcolor="#FFCCCC", label="cloud.e2ee.li"];
    // Auxiliary anchor for cluster_cloud (invisible)
    cloud_anchor [shape=point, style=invis, width=0];

    // Internet (right, for TLS/HTTPS)
    InternetTLS [shape=oval, style=filled, fillcolor=lightblue, label="TLS/HTTPS"];
    // Auxiliary anchor for cluster_tls_group (invisible)
    tls_anchor [shape=point, style=invis, width=0];


    // -----------------------------
    // CLUSTER: Entire system (everything except the two Internet clouds)
    // -----------------------------
    subgraph cluster_overall {
        label="SSH-Pub-Key, 2FA, No-Root-Login, aes256-gcm@openssh.com, (No ChaCha), only";
        style=solid;
        color=red;

        // ----- Cluster: Name server group -----
        subgraph cluster_ns {
            label="";
            style=dashed;
            color=red;
            ns00;
            ns01;
            ns02;
            ns03;
            ns_anchor;
        }

        // ----- Cluster: Hidden-Master -----
        subgraph cluster_hm {
            label="";
            style=dashed;
            color=red;
            Hidden_Master;
        }

        // ----- Cluster: TLS/HTTPS group (contains B-Server, cloud, and the TLS cloud) -----
        subgraph cluster_tls_group {
            // The red dotted rectangle around B-Cluster, cloud, and the TLS cloud
            label="TLS 1.2 || 1.3 AES256-GCM-SHA384 ECDH 448 AESGCM 256 only.";
            style=dashed;
            color=red;

            // ----- Cluster: Outer rectangle around all B nodes (lab + small rectangle) -----
            subgraph cluster_B_big {
                label="";
                style=dashed;
                color=red;

                // Direct node lab
                lab;
                // Invisible anchor pointed to by DNSSEC arrows
                b_big_anchor;

                // ---- Cluster: B a) and c) (small rectangle around git and run) ----
                subgraph cluster_B_small {
                    label="";
                    style=dashed;
                    color=red;
                    git;
                    run;
                    b_small_anchor;
                }
            }

            // ----- Cluster: "cloud.e2ee.li" -----
            subgraph cluster_cloud {
                label="HA: LVM on RAID6 on dm-crypt incl. dm-integrity";
                style=dashed;
                color=red;
                cloud;
                cloud_anchor;
            }

            // ----- Node: TLS-Internet-Cloud -----
            InternetTLS;
            tls_anchor;
        }
    }


    // -----------------------------
    // EDGES
    // -----------------------------

    // Internet (left) → Jump Host
    InternetLeft -> Jump_Host [color=green];

    // Jump Host → Hidden-Master
    Jump_Host -> Hidden_Master [color=green];

    // Hidden master → Name server (green with label “HMAC SHA512”)
    Hidden_Master -> ns00 [color=green, label="HMAC SHA512"];
    Hidden_Master -> ns01 [color=green, label="HMAC SHA512"];
    Hidden_Master -> ns02 [color=green, label="HMAC SHA512"];
    Hidden_Master -> ns03 [color=green, label="HMAC SHA512"];

    // Red arrow “DNSSEC”: from cluster nameserver (ns_anchor) → B cluster (b_big_anchor)
    ns_anchor -> b_big_anchor [color=red, label="DNSSEC"];

    // Red arrow “DNSSEC”: from cluster nameserver (ns_anchor) → cloud cluster (cloud_anchor)
    ns_anchor -> cloud_anchor [color=red, label="DNSSEC"];

    // Red arrows from TLS Internet → B-Cluster and cloud
    InternetTLS -> b_big_anchor [color=red];
    InternetTLS -> cloud_anchor [color=red];
}