Serve docs statically

Makefile

@@ -26,9 +26,4 @@ install-pull-config:
 	cd pull-config && bash install.sh
 
 install-docs:
-	cd mie-opensource-landing && npm install --production
-	cd mie-opensource-landing && npm run build
-	install -m644 -oroot -groot mie-opensource-landing/systemd/opensource-docs.service /etc/systemd/system/opensource-docs.service
-	systemctl daemon-reload || true
-	systemctl enable opensource-docs.service
-	systemctl start opensource-docs.service || true
+	cd mie-opensource-landing && uv run zensical build

create-a-container/views/nginx-conf.ejs

@@ -1,12 +1,13 @@
 user www-data;
 worker_processes auto;
 worker_cpu_affinity auto;
+worker_rlimit_nofile 65535;
 pid /run/nginx.pid;
 error_log /var/log/nginx/error.log notice;
 include /etc/nginx/modules-enabled/*.conf;
 
 events {
-  worker_connections  1024;
+  worker_connections  16384;
 }
 
 http {
@@ -22,6 +23,8 @@ http {
   sendfile        on;
   #tcp_nopush     on;
 
+  server_tokens off;
+
   keepalive_timeout  65;
 
   #gzip  on;
@@ -60,17 +63,17 @@ http {
   }
 
   server {
-    listen 80;
-    listen [::]:80;
+    listen 80 default_server;
+    listen [::]:80 default_server;
     server_name _;
     return 301 https://$host$request_uri;
   }
 
   server {
-    listen 443 ssl;
-    listen [::]:443 ssl;
-    listen 443 quic;
-    listen [::]:443 quic;
+    listen 443 ssl default_server;
+    listen [::]:443 ssl default_server;
+    listen 443 quic default_server reuseport;
+    listen [::]:443 quic default_server reuseport;
     http2 on;
     http3 on;
 
@@ -239,7 +242,9 @@ http {
     # contacts the auth server when credentials change.
     location = /.oss-auth-verify {
       internal;
-      proxy_pass <%= authServer %>/verify;
+      resolver 127.0.0.1;
+      set $auth_server <%= authServer %>;
+      proxy_pass $auth_server/verify;
       proxy_pass_request_body off;
       proxy_set_header Content-Length "";
       proxy_set_header X-Original-URI $request_uri;
@@ -435,34 +440,12 @@ http {
       proxy_pass http://error_pages;
     }
 
-    # Proxy to documentation site
+    # Serve documentation site statically
     location / {
-      proxy_pass http://localhost:2998;
-      proxy_http_version 1.1;
-
-      # Proxy headers
-      proxy_set_header Host $host;
-      proxy_set_header X-Real-IP $remote_addr;
-      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-      proxy_set_header X-Forwarded-Proto $scheme;
-      proxy_set_header X-Forwarded-Host $host;
-      proxy_set_header X-Forwarded-Port $server_port;
-
-      # WebSocket support
-      proxy_set_header Upgrade $http_upgrade;
-      proxy_set_header Connection "upgrade";
-
-      # Timeouts
-      proxy_connect_timeout 60s;
-      proxy_send_timeout 60s;
-      proxy_read_timeout 60s;
-
-      # Buffering (disable for SSE/streaming)
-      proxy_buffering off;
-      proxy_request_buffering off;
-
-      # Allow large uploads
-      client_max_body_size 2G;
+      root /opt/opensource-server/mie-opensource-landing/site;
+      index index.html;
+      try_files $uri $uri/ $uri.html /404.html =404;
+      open_file_cache max=1000 inactive=20s;
     }
   }
   <%_ }) _%>

images/agent/Dockerfile

@@ -38,6 +38,12 @@ RUN sed -i \
 RUN curl -fsSL https://get.acme.sh | sh \
     && /root/.acme.sh/acme.sh --upgrade --auto-upgrade
 
+# Install uv for building the docs
+ARG UV_VERSION=0.11.6
+RUN curl -fsSL "https://github.com/astral-sh/uv/releases/download/${UV_VERSION}/uv-x86_64-unknown-linux-gnu.tar.gz" \
+    | tar -xzf - --strip-components=1 -C /usr/local/bin \
+      uv-x86_64-unknown-linux-gnu/uv uv-x86_64-unknown-linux-gnu/uvx
+
 # Install the software. We include the .git directory so that the software can
 # update itself without replacing the entire container.
 COPY . /opt/opensource-server

images/docker-bake.hcl

@@ -17,7 +17,7 @@ target "docs" {
     context = "../"
     dockerfile = "images/docs/Dockerfile"
     contexts = {
-        nodejs = "target:nodejs"
+        base = "target:base"
     }
 }
 

images/docs/Dockerfile

@@ -1,12 +1,23 @@
-FROM nodejs
+FROM base
 
+# Install prerequisites
 RUN apt-get update && \
-    apt-get install -y make && \
+    apt-get install -y make nginx && \
     apt-get clean && \
     rm -rf /var/lib/apt/lists/*
 
+# Install uv for building the docs
+ARG UV_VERSION=0.11.6
+RUN curl -fsSL "https://github.com/astral-sh/uv/releases/download/${UV_VERSION}/uv-x86_64-unknown-linux-gnu.tar.gz" \
+    | tar -xzf - --strip-components=1 -C /usr/local/bin \
+      uv-x86_64-unknown-linux-gnu/uv uv-x86_64-unknown-linux-gnu/uvx
+
+# Build docs
 COPY . /opt/opensource-server
 RUN cd /opt/opensource-server && make install-docs
 
-EXPOSE 2998
-LABEL org.mieweb.opensource-server.services.http.default-port=2998
+# Replace the default nginx site with our docs config
+COPY ./images/docs/docs-site.conf /etc/nginx/sites-enabled/default
+
+EXPOSE 80
+LABEL org.mieweb.opensource-server.services.http.default-port=80

images/docs/docs-site.conf

@@ -0,0 +1,16 @@
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+
+    root /opt/opensource-server/mie-opensource-landing/site;
+    index index.html;
+
+    # Security headers
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+
+    location / {
+        try_files $uri $uri/ $uri.html /404.html =404;
+    }
+}

mie-opensource-landing/.gitignore

@@ -1,21 +1,16 @@
-# Dependencies
-/node_modules
+# MkDocs build output
+site/
 
-# Production
-/build
+# Python
+__pycache__/
+*.py[cod]
+.venv/
 
-# Generated files
-.docusaurus
-.cache-loader
-
-# Misc
-.DS_Store
+# Environment
 .env
 .env.local
-.env.development.local
-.env.test.local
-.env.production.local
+.env.*.local
 
-npm-debug.log*
-yarn-debug.log*
-yarn-error.log*
+# Misc
+.DS_Store
+tmp/

mie-opensource-landing/.python-version

@@ -0,0 +1 @@
+3.13

mie-opensource-landing/README.md

@@ -1,27 +1,20 @@
-# MIE Open Source Landing Page
+# Opensource at MIE - Documentation
 
-A modern, responsive landing page showcasing MIE's open source initiatives, built with [Docusaurus](https://docusaurus.io/). Features container management tools, Proxmox Launchpad CI/CD integration, and comprehensive documentation.
+Documentation site for MIE's opensource Proxmox cluster, built with [Zensical](https://zensical.org/) and [Material for MkDocs](https://squidfunk.github.io/mkdocs-material/).
 
-## Configuration for Self-Hosted Deployments
-
-This documentation site is designed to work for both MIE's hosted deployment and self-hosted instances. URLs for Proxmox and container creation services are parameterized.
-
-### Environment Variables
-
-Copy `.env.example` to `.env` and update the URLs for your deployment:
+## Quick Start
 
 ```bash
-cp .env.example .env
+uv sync
+uv run zensical serve
 ```
 
-Then edit `.env` with your instance URLs:
+Open http://localhost:8000 to preview the site.
 
-```env
-# Your Proxmox Web GUI URL
-PROXMOX_URL=https://your-proxmox-server:8006
+## Build
 
-# Your Container Creation Web GUI URL
-CONTAINER_CREATION_URL=https://your-container-creation-url.com
+```bash
+uv run zensical build
 ```
 
-These URLs will be used throughout the documentation and site interface automatically.
+Output is in the `site/` directory.

mie-opensource-landing/docs/admins/core-concepts/containers.md

@@ -1,10 +1,7 @@
----
-sidebar_position: 7
----
 
 # Containers
 
-Containers are LXC instances running on Proxmox nodes. For creating and managing containers, see the [Web GUI Guide](/docs/users/creating-containers/web-gui) or [Command Line Guide](/docs/users/creating-containers/command-line).
+Containers are LXC instances running on Proxmox nodes. For creating and managing containers, see the [Web GUI Guide](../../users/creating-containers/web-gui.md) or [Command Line Guide](../../users/creating-containers/command-line.md).
 
 ## LDAP Authentication
 
@@ -21,7 +18,7 @@ Users in the **ldapusers** group can SSH into any container using their cluster
 
 ## Service Exposure
 
-Users can expose HTTP services from containers using [external domains](external-domains). Services are automatically configured with SSL/TLS certificates, reverse proxy routing, and DNS records.
+Users can expose HTTP services from containers using [external domains](external-domains.md). Services are automatically configured with SSL/TLS certificates, reverse proxy routing, and DNS records.
 
-HTTP services can optionally require authentication via the **Require auth** checkbox. When enabled, NGINX authenticates requests against the domain's [auth server](external-domains#authentication) before proxying. Authenticated requests include identity headers (`X-User-ID`, `X-Username`, etc.) forwarded to the backend. See [External Domains — Authentication](external-domains#authentication) for configuration details.
+HTTP services can optionally require authentication via the **Require auth** checkbox. When enabled, NGINX authenticates requests against the domain's [auth server](external-domains.md#authentication) before proxying. Authenticated requests include identity headers (`X-User-ID`, `X-Username`, etc.) forwarded to the backend. See [External Domains — Authentication](external-domains.md#authentication) for configuration details.
 

mie-opensource-landing/docs/admins/core-concepts/external-domains.md

@@ -1,6 +1,3 @@
----
-sidebar_position: 5
----
 
 # External Domains
 
@@ -22,9 +19,8 @@ External domains expose container HTTP services to the internet. Domains are glo
 | **Cloudflare API Token** | For DNS-01 challenge authentication and cross-site DNS record management |
 | **Auth Server URL** | Optional — URL of an authentication server for NGINX `auth_request`. See [Authentication](#authentication) |
 
-:::tip
-Use Let's Encrypt **Staging** for testing — it has higher rate limits. Switch to **Production** once verified.
-:::
+!!! tip
+    Use Let's Encrypt **Staging** for testing — it has higher rate limits. Switch to **Production** once verified.
 
 ## Setup
 
@@ -104,7 +100,7 @@ On container or service deletion, cross-site A records are cleaned up automatica
 
 ## Using with Services
 
-When creating a container service, users select an external domain and specify a subdomain (e.g., `app` for `app.example.com`). All external domains are available regardless of which site the container is on. See the [Web GUI guide](/docs/users/creating-containers/web-gui) for details.
+When creating a container service, users select an external domain and specify a subdomain (e.g., `app` for `app.example.com`). All external domains are available regardless of which site the container is on. See the [Web GUI guide](../../users/creating-containers/web-gui.md) for details.
 
 ## Security
 

mie-opensource-landing/docs/admins/core-concepts/index.md

@@ -1,15 +1,12 @@
----
-sidebar_position: 0
----
 
 # Core Concepts
 
 The cluster is organized: **Sites** → **Nodes** → **Containers**
 
-- **[Users & Groups](users-and-groups)** — Accounts, groups, LDAP authentication
-- **[Sites](sites)** — Network configuration, DHCP, DNS
-- **[External Domains](external-domains)** — Public domains with automatic SSL/TLS
-- **[Nodes](nodes)** — Proxmox VE servers within a site
-- **[Containers](containers)** — LXC instances on nodes ([user guide](/docs/users/creating-containers/web-gui))
+- **[Users & Groups](users-and-groups.md)** — Accounts, groups, LDAP authentication
+- **[Sites](sites.md)** — Network configuration, DHCP, DNS
+- **[External Domains](external-domains.md)** — Public domains with automatic SSL/TLS
+- **[Nodes](nodes.md)** — Proxmox VE servers within a site
+- **[Containers](containers.md)** — LXC instances on nodes ([user guide](../../users/creating-containers/web-gui.md))
 
 **Setup order:** Users & Groups → Sites → External Domains (optional) → Nodes → Containers

mie-opensource-landing/docs/admins/core-concepts/nodes.md

@@ -1,6 +1,3 @@
----
-sidebar_position: 6
----
 
 # Nodes
 
@@ -26,18 +23,16 @@ Discovers all nodes in a Proxmox cluster automatically:
 2. Enter API URL of any node, credentials, and TLS setting
 3. Click **Import** — all cluster nodes are discovered and imported
 
-:::tip
-Import only needs credentials for one node. It discovers all other nodes in the same cluster.
-:::
+!!! tip
+    Import only needs credentials for one node. It discovers all other nodes in the same cluster.
 
 ### Manual Node Creation
 
 1. Navigate to **Nodes** → select site → **Create New Node**
 2. Enter name (must match Proxmox hostname exactly), IP, API URL, and credentials
 
-:::important
-Name mismatches cause API communication failures.
-:::
+!!! warning "Important"
+    Name mismatches cause API communication failures.
 
 ## Authentication
 

mie-opensource-landing/docs/admins/core-concepts/sites.md

@@ -1,6 +1,3 @@
----
-sidebar_position: 4
----
 
 # Sites
 
@@ -24,9 +21,8 @@ A site groups Proxmox nodes, defines network configuration, and manages containe
 3. Configure DHCP range, subnet mask, gateway, and DNS forwarders
 4. Save
 
-:::important
-Ensure the DHCP range doesn't conflict with static IPs (Proxmox nodes, management container, infrastructure devices).
-:::
+!!! warning "Important"
+    Ensure the DHCP range doesn't conflict with static IPs (Proxmox nodes, management container, infrastructure devices).
 
 ## DHCP and DNS