graph TB
    %% External Users and Services
    subgraph "Internet"
        User["👤 Users"]
        Dev["👨‍💻 Developers with Tailscale"]
    end

    %% Cloudflare Infrastructure
    subgraph "Cloudflare Infrastructure"
        subgraph "Cloudflare Edge"
            CDN["🌐 Cloudflare CDN<br/>Global Edge Network"]
            ZT["🔒 Zero Trust Tunnels<br/>Secure Gateway"]
        end
        subgraph "CDN Endpoints"
            CDN_PX["📸 pm.keyboardvagabond.com<br/>Pixelfed CDN"]
            CDN_PF["📋 pfm.keyboardvagabond.com<br/>PieFed CDN"]
            CDN_M["🐦 mm.keyboardvagabond.com<br/>Mastodon CDN"]
        end
        subgraph "Zero Trust Domains"
            ZT_AUTH["🔐 auth.keyboardvagabond.com<br/>Authentik SSO"]
            ZT_REG["📦<br/>Harbor Registry"]
            ZT_OBS["📊 obs.keyboardvagabond.com<br/>OpenObserve"]
            ZT_MAST["🐦 mastodon.keyboardvagabond.com<br/>Mastodon Web"]
            ZT_STREAM["📡 streamingmastodon.keyboardvagabond.com<br/>Mastodon Streaming"]
            ZT_PX["📸 pixelfed.keyboardvagabond.com<br/>Pixelfed"]
            ZT_PF["📋 piefed.keyboardvagabond.com<br/>PieFed"]
            ZT_PIC["🖼️ picsur.keyboardvagabond.com<br/>Picsur"]
        end
    end

    %% Tailscale Infrastructure
    subgraph "Tailscale Network (100.64.0.0/10)"
        TS_CONTROL["🎛️ Tailscale Control Plane<br/>tailscale.com"]
        TS_CLIENT["💻 Client IP:<br/>kubectl context"]
    end

    %% Backblaze B2 Storage
    subgraph "Backblaze B2 Storage"
        B2_PX["📦 pixelfed-bucket"]
        B2_PF["📦 piefed-bucket"]
        B2_M["📦 mastodon-bucket"]
        B2_BACKUP["💾 Longhorn Backups"]
    end

    %% NetCup Cloud Infrastructure
    subgraph "NetCup Cloud - VLAN 1004963 (10.132.0.0/24)"
        subgraph "Node n1 ()"
            subgraph "Control Plane + Worker"
                API["🎯 Kubernetes API<br/>:6443"]
                TALOS1["⚙️ Talos API<br/>:50000/50001"]
                subgraph "Infrastructure Pods"
                    NGINX["🌐 NGINX Ingress<br/>hostNetwork mode"]
                    CILIUM1["🛡️ Cilium CNI<br/>Host Firewall"]
                    LONGHORN1["💽 Longhorn Storage"]
                    CLOUDFLARED["☁️ Cloudflared<br/>Zero Trust Client"]
                    TS_ROUTER["🔗 Tailscale Subnet Router<br/>keyboardvagabond-cluster"]
                end
                subgraph "Application Pods"
                    POSTGRES["🗄️ PostgreSQL Cluster<br/>CloudNativePG"]
                    REDIS["📋 Redis"]
                    HARBOR["📦 Harbor Registry"]
                    OPENOBS["📊 OpenObserve"]
                    AUTHENTIK["🔐 Authentik SSO"]
                end
            end
        end
        subgraph "Node n2 ()"
            subgraph "Worker Node"
                TALOS2["⚙️ Talos API<br/>:50000/50001"]
                subgraph "Infrastructure Pods n2"
                    CILIUM2["🛡️ Cilium CNI<br/>Host Firewall"]
                    LONGHORN2["💽 Longhorn Storage<br/>2-replica"]
                end
                subgraph "Application Pods n2"
                    MASTODON["🐦 Mastodon"]
                    PIXELFED["📸 Pixelfed"]
                    PIEFED["📋 PieFed"]
                    PICSUR["🖼️ Picsur"]
                end
            end
        end
    end

    %% Connections - External User Access
    User --> CDN
    User --> ZT

    %% CDN to Storage
    CDN_PX --> B2_PX
    CDN_PF --> B2_PF
    CDN_M --> B2_M

    %% Zero Trust Tunnels (Secure)
    ZT_AUTH -.->|"🔒 Secure Tunnel"| AUTHENTIK
    ZT_REG -.->|"🔒 Secure Tunnel"| HARBOR
    ZT_OBS -.->|"🔒 Secure Tunnel"| OPENOBS
    ZT_MAST -.->|"🔒 Secure Tunnel"| MASTODON
    ZT_STREAM -.->|"🔒 Secure Tunnel"| MASTODON
    ZT_PX -.->|"🔒 Secure Tunnel"| PIXELFED
    ZT_PF -.->|"🔒 Secure Tunnel"| PIEFED
    ZT_PIC -.->|"🔒 Secure Tunnel"| PICSUR

    %% Tailscale Connections
    Dev --> TS_CONTROL
    TS_CLIENT --> TS_CONTROL
    TS_CONTROL -.->|"🔗 Mesh VPN"| TS_ROUTER

    %% Tailscale Administrative Access
    TS_CLIENT -.->|"🔗 kubectl via :6443"| API
    TS_CLIENT -.->|"🔗 talosctl"| TALOS1
    TS_CLIENT -.->|"🔗 talosctl"| TALOS2

    %% Internal Cluster Networking
    NGINX --> MASTODON
    NGINX --> PIXELFED
    NGINX --> PIEFED
    NGINX --> PICSUR
    NGINX --> HARBOR
    NGINX --> OPENOBS
    NGINX --> AUTHENTIK

    %% Database Connections
    MASTODON --> POSTGRES
    PIXELFED --> POSTGRES
    PIEFED --> POSTGRES
    PICSUR --> POSTGRES
    AUTHENTIK --> POSTGRES
    PIEFED --> REDIS

    %% Storage Connections
    MASTODON --> B2_M
    PIXELFED --> B2_PX
    PIEFED --> B2_PF
    LONGHORN1 --> B2_BACKUP
    LONGHORN2 --> B2_BACKUP

    %% Cilium Host Firewall Rules
    CILIUM1 -.->|"🛡️ Firewall Rules"| API
    CILIUM1 -.->|"🛡️ Firewall Rules"| TALOS1
    CILIUM2 -.->|"🛡️ Firewall Rules"| TALOS2

    %% Network Labels
    classDef external fill:#e1f5fe
    classDef cloudflare fill:#ff9800,color:#fff
    classDef tailscale fill:#4caf50,color:#fff
    classDef secure fill:#f44336,color:#fff
    classDef storage fill:#9c27b0,color:#fff
    classDef node fill:#2196f3,color:#fff
    classDef blocked fill:#757575,color:#fff,stroke-dasharray: 5 5

    class User,Dev external
    class CDN,ZT,CDN_PX,CDN_PF,CDN_M,ZT_AUTH,ZT_REG,ZT_OBS,ZT_MAST,ZT_STREAM,ZT_PX,ZT_PF,ZT_PIC cloudflare
    class TS_CONTROL,TS_CLIENT,TS_ROUTER tailscale
    class CILIUM1,CILIUM2,API,TALOS1,TALOS2 secure
    class B2_PX,B2_PF,B2_M,B2_BACKUP,LONGHORN1,LONGHORN2 storage
    class NGINX,POSTGRES,REDIS,MASTODON,PIXELFED,PIEFED,PICSUR,HARBOR,OPENOBS,AUTHENTIK,CLOUDFLARED node