diff --git a/README.md b/README.md
index 1cee0942c3..20a87f5fef 100644
--- a/README.md
+++ b/README.md
@@ -118,7 +118,7 @@ Usage
 
 To see available commands and flags, run `ghostunnel --help`. You can get more
 information about a command by adding `--help` to the command, like `ghostunnel
-server --help` or `ghostunnel client --help`. There's also a [man page](docs/MANPAGE-linux.md).
+server --help` or `ghostunnel client --help`. There's also a [man page](docs/reference/manpage-linux.md).
 
 By default, Ghostunnel runs in the foreground and logs to stdout. You can set
 `--syslog` to log to syslog instead of stdout. If you want to run Ghostunnel
@@ -149,7 +149,7 @@ To set allowed clients, you must specify at least one of `--allow-all`,
 `--allow-cn`, `--allow-ou`, `--allow-dns`, `--allow-uri` or `--allow-policy`. All
 checks are made against the certificate of the client. Multiple flags are
 treated as a logical disjunction (OR), meaning clients can connect as long as
-any of the flags matches. See [ACCESS-FLAGS](docs/ACCESS-FLAGS.md) for more
+any of the flags matches. See [ACCESS-FLAGS](docs/security/access-flags.md) for more
 information. In this example, we assume that the CN of the client cert we want
 to accept connections from is `client`.
 
@@ -188,7 +188,7 @@ This is an example for how to launch Ghostunnel in client mode, listening on
 
 By default, Ghostunnel in client mode verifies targets based on the hostname.
 Various access control flags exist to perform additional verification on top of
-the regular hostname verification. See [ACCESS-FLAGS](docs/ACCESS-FLAGS.md) for
+the regular hostname verification. See [ACCESS-FLAGS](docs/security/access-flags.md) for
 more information.
 
 Start a backend TLS server:
@@ -275,7 +275,7 @@ also supports implementing authorization checks via [Open Policy Agent](https://
 (OPA) policies for maximum flexibility. Policies can be reloaded at runtime
 much like certificates.
 
-See [ACCESS-FLAGS](docs/ACCESS-FLAGS.md) for details.
+See [ACCESS-FLAGS](docs/security/access-flags.md) for details.
 
 [spiffe]: https://spiffe.io/
 [svid]: https://github.com/spiffe/spiffe/blob/main/standards/X509-SVID.md
@@ -323,7 +323,7 @@ obtaining and renewing a public certificate, assuming it's exposed publicly
 on tcp/443 and there are valid public DNS FQDN records that resolve to the
 listening interface IP.
 
-See [ACME](docs/ACME.md) for details.
+See [ACME](docs/certificates/acme.md) for details.
 
 ### Metrics & Profiling
 
@@ -332,7 +332,7 @@ be used to expose status and metrics information over HTTPS. The status port
 feature can be controlled via the `--status` flag. Profiling endpoints on the
 status port can be enabled with `--enable-pprof`.
 
-See [METRICS](docs/METRICS.md) for details.
+See [METRICS](docs/networking/metrics.md) for details.
 
 ### HSM/PKCS#11 support
 
@@ -340,7 +340,7 @@ Ghostunnel has support for loading private keys from PKCS#11 modules, which
 should work with any hardware security module that exposes a PKCS#11 interface,
 including YubiKeys (via the YKCS11 module).
 
-See [HSM-PKCS11](docs/HSM-PKCS11.md) for details, including a step-by-step
+See [HSM-PKCS11](docs/certificates/hsm-pkcs11.md) for details, including a step-by-step
 guide for using Ghostunnel with a YubiKey.
 
 ### Windows/macOS Keychain Support
@@ -350,14 +350,14 @@ This is useful if you have identities stored in your local keychain that you
 want to use with Ghostunnel, e.g. if you want your private key(s) to be backed
 by the Secure Enclave on newer Touch ID MacBooks.
 
-See [KEYCHAIN](docs/KEYCHAIN.md) for details.
+See [KEYCHAIN](docs/certificates/keychain.md) for details.
 
 ### SPIFFE Workload API
 
 Ghostunnel has support for maintaining up-to-date, frequently rotated
 identities and trusted CA certificates from the SPIFFE Workload API.
 
-See [SPIFFE-WORKLOAD-API](docs/SPIFFE-WORKLOAD-API.md) for details.
+See [SPIFFE-WORKLOAD-API](docs/certificates/spiffe-workload-api.md) for details.
 
 ### Socket Activation
 
@@ -367,7 +367,7 @@ flags, and can be used by passing an address of the form `systemd:<name>` or
 `launchd:<name>`, where `<name>` should be the name of the socket as defined in
 your systemd/launchd configuration.
 
-See [SOCKET-ACTIVATION](docs/SOCKET-ACTIVATION.md) for examples.
+See [SOCKET-ACTIVATION](docs/networking/socket-activation.md) for examples.
 
 ### PROXY Protocol Support
 
@@ -378,7 +378,7 @@ to also include TLS metadata and/or client certificate details. Note that the
 backend must support the PROXY protocol and must be configured to use it when
 setting this option.
 
-See [PROXY-PROTOCOL](docs/PROXY-PROTOCOL.md) for details on modes and TLV extensions.
+See [PROXY-PROTOCOL](docs/networking/proxy-protocol.md) for details on modes and TLV extensions.
 
 ### Landlock Support
 
diff --git a/docs/SECURITY.md b/docs/SECURITY.md
deleted file mode 100644
index 1f002268cf..0000000000
--- a/docs/SECURITY.md
+++ /dev/null
@@ -1,135 +0,0 @@
----
-title: Security & TLS Configuration
-description: TLS protocol settings, cipher suites, address restrictions, and Landlock sandboxing.
-weight: 15
----
-
-## TLS protocol
-
-### Protocol Versions
-
-Ghostunnel enforces a minimum TLS version of **TLS 1.2**. TLS 1.0 and 1.1 are
-not supported. TLS 1.3 is supported and will be negotiated when both sides
-support it.
-
-### Cipher Suites
-
-The following cipher suites are enabled by default, in order of preference:
-
-**AES-GCM:**
-- `TLS_AES_128_GCM_SHA256` (TLS 1.3)
-- `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`
-- `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`
-- `TLS_AES_256_GCM_SHA384` (TLS 1.3)
-- `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`
-- `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`
-
-**ChaCha20-Poly1305:**
-- `TLS_CHACHA20_POLY1305_SHA256` (TLS 1.3)
-- `TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305`
-- `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305`
-
-All suites use authenticated encryption (AEAD). CBC-mode ciphers are not
-enabled. ECDSA suites are listed before RSA to prefer ECDSA when both
-certificate types are available.
-
-To check which cipher suite and protocol version were negotiated for a
-connection:
-
-```bash
-openssl s_client -connect localhost:8443 \
-    -cert client-cert.pem -key client-key.pem -CAfile cacert.pem \
-    </dev/null 2>/dev/null | grep -E 'Protocol|Cipher'
-```
-
-In TLS 1.3, cipher suite selection is handled by Go's [`crypto/tls`][crypto-tls]
-and cannot be configured by the application. The TLS 1.3 suites listed above are always
-available when TLS 1.3 is negotiated. The configurable cipher suite list only
-affects TLS 1.2 connections.
-
-### Curve Preferences
-
-In server mode, key exchange prefers the following elliptic curves:
-
-1. **X25519**: fast, constant-time, widely supported
-2. **P-256 (secp256r1)**: hardware-accelerated on most platforms
-
-### Client Authentication
-
-In server mode, Ghostunnel requires and verifies client certificates by
-default (`RequireAndVerifyClientCert`). This can be disabled with
-`--disable-authentication`, in which case no client certificate is requested.
-
-The status port (`--status`) is optional and does not require client
-certificates. It is typically consumed by monitoring systems that may not
-have client certs. Like other addresses, it defaults to localhost and is not
-exposed to the network unless explicitly configured otherwise.
-
-## Address Restrictions
-
-Listen and target addresses are restricted to localhost and UNIX sockets by
-default, to prevent accidental exposure of plaintext traffic.
-
-### Server mode
-
-The `--target` address must be one of:
-- `localhost:PORT`
-- `127.0.0.1:PORT`
-- `[::1]:PORT`
-- `unix:PATH`
-
-To forward to a remote host, pass `--unsafe-target`. The connection between
-Ghostunnel and the backend is unencrypted, so exposing it beyond localhost
-risks leaking plaintext traffic.
-
-### Client mode
-
-The `--listen` address must be one of:
-- `localhost:PORT`
-- `127.0.0.1:PORT`
-- `[::1]:PORT`
-- `unix:PATH`
-- `systemd:NAME`
-- `launchd:NAME`
-
-To accept connections from remote hosts, pass `--unsafe-listen`. The listen
-side of client mode accepts plaintext connections, so exposing it beyond
-localhost risks unauthorized access to the proxied service.
-
-## Landlock sandboxing
-
-*Available since v1.8.0. Enabled by default since v1.9.0.*
-
-On Linux, Ghostunnel uses [Landlock][landlock] to restrict its own process
-privileges after startup. Landlock is a kernel-level access control mechanism
-that limits which files and network ports a process can access.
-
-### How It Works
-
-After parsing flags and loading certificates, Ghostunnel builds a minimal set
-of Landlock rules based on the flags it was given:
-
-- **File access**: Read-only access to certificate files, CA bundles, and OPA
-  policy bundles (and their parent directories, to support file rotation).
-  Read-write access to `/dev`, `/var/run`, `/tmp`, `/proc` for syslog and temp files.
-- **Network access**: Bind access for `--listen` and `--status` ports. Connect
-  access for `--target`, `--metrics-graphite`, `--metrics-url`, and SPIFFE
-  Workload API ports. DNS (TCP/53) is always allowed.
-
-### Best-Effort Mode
-
-Landlock is applied in best-effort mode. If the kernel does not support
-Landlock (network rules require Linux 6.7+), Ghostunnel logs a warning and
-continues without sandboxing.
-
-### Disabling Landlock
-
-*Available since v1.9.0.*
-
-Landlock can be disabled with `--disable-landlock` if it causes issues with
-your deployment. This is not recommended. Landlock is also automatically
-disabled when PKCS#11 is in use, since PKCS#11 modules are opaque shared
-libraries that may require access to arbitrary files and sockets.
-
-[crypto-tls]: https://pkg.go.dev/crypto/tls
-[landlock]: https://docs.kernel.org/userspace-api/landlock.html
diff --git a/docs/_index.md b/docs/_index.md
index 1a88170e1d..389444336d 100644
--- a/docs/_index.md
+++ b/docs/_index.md
@@ -3,6 +3,3 @@ title: Documentation
 description: Ghostunnel documentation
 weight: 10
 ---
-
-Documentation for Ghostunnel, covering access control, certificate management,
-metrics, and platform-specific features.
diff --git a/docs/certificates/_index.md b/docs/certificates/_index.md
new file mode 100644
index 0000000000..be6e939bce
--- /dev/null
+++ b/docs/certificates/_index.md
@@ -0,0 +1,8 @@
+---
+title: Certificates & Identity
+description: How Ghostunnel obtains, loads, and rotates certificates.
+weight: 20
+---
+
+Ghostunnel supports a variety of certificate sources, from plain PEM files on
+disk to hardware-backed keys and automatic certificate management protocols.
diff --git a/docs/ACME.md b/docs/certificates/acme.md
similarity index 98%
rename from docs/ACME.md
rename to docs/certificates/acme.md
index d4e271b17f..17513f4ce8 100644
--- a/docs/ACME.md
+++ b/docs/certificates/acme.md
@@ -1,7 +1,9 @@
 ---
 title: ACME Support
 description: Automatically obtain and renew public TLS certificates via Let's Encrypt or other ACME certificate authorities.
-weight: 30
+weight: 20
+aliases:
+  - /docs/acme/
 ---
 
 In server mode, Ghostunnel can automatically obtain and renew a public TLS
diff --git a/docs/CERTIFICATES.md b/docs/certificates/formats.md
similarity index 98%
rename from docs/CERTIFICATES.md
rename to docs/certificates/formats.md
index 19ad1bfaea..b714e6d711 100644
--- a/docs/CERTIFICATES.md
+++ b/docs/certificates/formats.md
@@ -1,7 +1,7 @@
 ---
 title: Certificate Formats
 description: Supported certificate and key formats, how to prepare them, and how Ghostunnel selects the right loader.
-weight: 12
+weight: 10
 ---
 
 Ghostunnel supports several certificate and private key formats. The format
@@ -76,7 +76,7 @@ cat server-cert.pem intermediate.pem server-key.pem > server-combined.pem
 PKCS#12 (`.p12` / `.pfx`) bundles the certificate chain and private key into a
 single password-protected binary file. This is also the format used when
 importing into the macOS Keychain or Windows Certificate Store (see
-[Keychain Support]({{< ref "KEYCHAIN.md" >}})).
+[Keychain Support]({{< ref "keychain.md" >}})).
 
 ```bash
 ghostunnel server \
diff --git a/docs/HSM-PKCS11.md b/docs/certificates/hsm-pkcs11.md
similarity index 98%
rename from docs/HSM-PKCS11.md
rename to docs/certificates/hsm-pkcs11.md
index b3a84e2a30..3cc9fb06e0 100644
--- a/docs/HSM-PKCS11.md
+++ b/docs/certificates/hsm-pkcs11.md
@@ -2,6 +2,8 @@
 title: HSM/PKCS#11 Support
 description: Load private keys from hardware security modules via the PKCS#11 interface.
 weight: 40
+aliases:
+  - /docs/hsm-pkcs11/
 ---
 
 Ghostunnel has support for loading private keys from [PKCS#11][pkcs11-spec]
@@ -52,7 +54,7 @@ to use environment variables to set PKCS#11 options instead of flags (via
 Note that `--cert` needs to point to the certificate chain that corresponds
 to the private key in the PKCS#11 module, with the leaf certificate being the
 first certificate in the chain (see
-[Certificate Formats]({{< ref "CERTIFICATES.md" >}})). Ghostunnel currently
+[Certificate Formats]({{< ref "formats.md" >}})). Ghostunnel currently
 cannot read the certificate chain directly from the module.
 
 ## Using a YubiKey
diff --git a/docs/KEYCHAIN.md b/docs/certificates/keychain.md
similarity index 99%
rename from docs/KEYCHAIN.md
rename to docs/certificates/keychain.md
index 95d05dd312..9412f22334 100644
--- a/docs/KEYCHAIN.md
+++ b/docs/certificates/keychain.md
@@ -2,6 +2,8 @@
 title: Keychain Support
 description: Load certificates and private keys from the macOS Keychain or Windows Certificate Store, including hardware-backed keys.
 weight: 50
+aliases:
+  - /docs/keychain/
 ---
 
 Ghostunnel can load certificates and private keys directly from the macOS
diff --git a/docs/SPIFFE-WORKLOAD-API.md b/docs/certificates/spiffe-workload-api.md
similarity index 98%
rename from docs/SPIFFE-WORKLOAD-API.md
rename to docs/certificates/spiffe-workload-api.md
index 655ee58366..14b92572c7 100644
--- a/docs/SPIFFE-WORKLOAD-API.md
+++ b/docs/certificates/spiffe-workload-api.md
@@ -1,7 +1,9 @@
 ---
 title: SPIFFE Workload API
 description: Automatically manage certificates and trusted roots via SPIRE or other SPIFFE-compatible workload identity providers.
-weight: 60
+weight: 30
+aliases:
+  - /docs/spiffe-workload-api/
 ---
 
 Ghostunnel can obtain certificates and trusted roots from the
diff --git a/docs/deployment/_index.md b/docs/deployment/_index.md
new file mode 100644
index 0000000000..ac752259bd
--- /dev/null
+++ b/docs/deployment/_index.md
@@ -0,0 +1,8 @@
+---
+title: Deployment & Operations
+description: Running Ghostunnel as a container or as a supervised system service.
+weight: 50
+---
+
+Published container images and integration with systemd for running Ghostunnel
+as a long-lived service.
diff --git a/docs/DOCKER.md b/docs/deployment/docker.md
similarity index 97%
rename from docs/DOCKER.md
rename to docs/deployment/docker.md
index f49d1ac61e..a3192c9503 100644
--- a/docs/DOCKER.md
+++ b/docs/deployment/docker.md
@@ -1,7 +1,9 @@
 ---
 title: Docker Images
 description: Available Docker image variants and tags for running Ghostunnel in containers.
-weight: 85
+weight: 10
+aliases:
+  - /docs/docker/
 ---
 
 Docker images are published to [Docker Hub][hub] on each release. Three
diff --git a/docs/WATCHDOG.md b/docs/deployment/watchdog.md
similarity index 95%
rename from docs/WATCHDOG.md
rename to docs/deployment/watchdog.md
index 22514fdb75..d6f5598db4 100644
--- a/docs/WATCHDOG.md
+++ b/docs/deployment/watchdog.md
@@ -1,7 +1,9 @@
 ---
 title: Systemd Watchdog
 description: Integrate with the systemd watchdog timer for automatic restart on failure.
-weight: 85
+weight: 20
+aliases:
+  - /docs/watchdog/
 ---
 
 *Available since v1.8.0.*
@@ -59,7 +61,7 @@ WantedBy=default.target
   platforms, use `Type=simple` and manage restarts via your service manager's
   native mechanisms.
 * For socket activation with systemd, see
-  [Socket Activation]({{< ref "SOCKET-ACTIVATION.md" >}}).
+  [Socket Activation]({{< ref "socket-activation.md" >}}).
 
 [sd-notify]: https://www.freedesktop.org/software/systemd/man/latest/sd_notify.html
 [systemd-service]: https://www.freedesktop.org/software/systemd/man/latest/systemd.service.html
diff --git a/docs/getting-started/_index.md b/docs/getting-started/_index.md
new file mode 100644
index 0000000000..df25ab17fd
--- /dev/null
+++ b/docs/getting-started/_index.md
@@ -0,0 +1,7 @@
+---
+title: Getting Started
+description: Quick start guide and flag overview.
+weight: 10
+---
+
+Quick start guide and flag overview.
diff --git a/docs/FLAGS.md b/docs/getting-started/flags.md
similarity index 88%
rename from docs/FLAGS.md
rename to docs/getting-started/flags.md
index 1f476c6c14..6446d886d1 100644
--- a/docs/FLAGS.md
+++ b/docs/getting-started/flags.md
@@ -1,7 +1,9 @@
 ---
 title: Command-Line Flags
 description: Quick reference for all Ghostunnel command-line flags, grouped by mode.
-weight: 10
+weight: 20
+aliases:
+  - /docs/flags/
 ---
 
 Quick reference for all Ghostunnel command-line flags, grouped by mode. For
@@ -13,7 +15,7 @@ These flags are available in both `server` and `client` modes.
 
 ### Certificate / Key
 
-See [Certificate Formats]({{< ref "CERTIFICATES.md" >}}) for details on
+See [Certificate Formats]({{< ref "formats.md" >}}) for details on
 supported file formats and chain ordering.
 
 | Flag | Description |
@@ -23,13 +25,13 @@ supported file formats and chain ordering.
 | `--key PATH` | Path to certificate private key (PEM with private key). |
 | `--storepass PASS` | Password for keystore (if using PKCS12 keystore, optional). |
 | `--cacert PATH` | Path to CA bundle file (PEM/X509). Uses system trust store by default. |
-| `--use-workload-api` | Certificate and root CAs are retrieved via the SPIFFE Workload API. See [SPIFFE]({{< ref "SPIFFE-WORKLOAD-API.md" >}}). |
-| `--use-workload-api-addr ADDR` | Retrieve certificates and root CAs via the SPIFFE Workload API at the specified address (implies `--use-workload-api`). See [SPIFFE]({{< ref "SPIFFE-WORKLOAD-API.md" >}}). |
+| `--use-workload-api` | Certificate and root CAs are retrieved via the SPIFFE Workload API. See [SPIFFE]({{< ref "spiffe-workload-api.md" >}}). |
+| `--use-workload-api-addr ADDR` | Retrieve certificates and root CAs via the SPIFFE Workload API at the specified address (implies `--use-workload-api`). See [SPIFFE]({{< ref "spiffe-workload-api.md" >}}). |
 
 ### Keychain
 
 These flags are only available on platforms with keychain support.
-See [Keychain]({{< ref "KEYCHAIN.md" >}}).
+See [Keychain]({{< ref "keychain.md" >}}).
 
 | Flag | Description | Availability |
 |------|-------------|--------------|
@@ -40,7 +42,7 @@ See [Keychain]({{< ref "KEYCHAIN.md" >}}).
 ### PKCS#11
 
 These flags require a build with CGO enabled.
-See [HSM/PKCS#11]({{< ref "HSM-PKCS11.md" >}}).
+See [HSM/PKCS#11]({{< ref "hsm-pkcs11.md" >}}).
 
 | Flag | Description | Availability |
 |------|-------------|--------------|
@@ -61,7 +63,7 @@ See [HSM/PKCS#11]({{< ref "HSM-PKCS11.md" >}}).
 
 ### Metrics
 
-See [Metrics]({{< ref "METRICS.md" >}}).
+See [Metrics]({{< ref "metrics.md" >}}).
 
 | Flag | Default | Description |
 |------|---------|-------------|
@@ -72,7 +74,7 @@ See [Metrics]({{< ref "METRICS.md" >}}).
 
 ### Status / Logging
 
-See [Metrics & Profiling]({{< ref "METRICS.md" >}}) for details on the status port,
+See [Metrics & Profiling]({{< ref "metrics.md" >}}) for details on the status port,
 metrics endpoints, and profiling.
 
 | Flag | Description | Availability |
@@ -86,7 +88,7 @@ metrics endpoints, and profiling.
 
 ### Landlock
 
-See [Security & TLS Configuration]({{< ref "SECURITY.md" >}}) for details on
+See [Security & TLS Configuration]({{< ref "tls.md" >}}) for details on
 Landlock sandboxing.
 
 | Flag | Description | Availability |
@@ -99,7 +101,7 @@ Flags specific to `ghostunnel server`.
 
 ### Required
 
-See [Socket Activation]({{< ref "SOCKET-ACTIVATION.md" >}}) for `systemd:NAME` and
+See [Socket Activation]({{< ref "socket-activation.md" >}}) for `systemd:NAME` and
 `launchd:NAME` addresses.
 
 | Flag | Description |
@@ -109,18 +111,18 @@ See [Socket Activation]({{< ref "SOCKET-ACTIVATION.md" >}}) for `systemd:NAME` a
 
 ### Proxying
 
-See [PROXY Protocol]({{< ref "PROXY-PROTOCOL.md" >}}) for details on modes and TLV extensions.
+See [PROXY Protocol]({{< ref "proxy-protocol.md" >}}) for details on modes and TLV extensions.
 
 | Flag | Description |
 |------|-------------|
 | `--target-status URL` | Address to target for status checking downstream healthchecks. Defaults to TCP healthcheck if not passed. |
 | `--proxy-protocol` | Enable PROXY protocol v2 with connection info only (equivalent to `--proxy-protocol-mode=conn`). |
 | `--proxy-protocol-mode MODE` | PROXY protocol v2 mode: `conn`, `tls`, or `tls-full`. Mutually exclusive with `--proxy-protocol`. |
-| `--unsafe-target` | Do not limit target to localhost, `127.0.0.1`, `[::1]`, or UNIX sockets. See [Security]({{< ref "SECURITY.md" >}}). |
+| `--unsafe-target` | Do not limit target to localhost, `127.0.0.1`, `[::1]`, or UNIX sockets. See [Security]({{< ref "tls.md" >}}). |
 
 ### Access Control
 
-See [Access Control Flags]({{< ref "ACCESS-FLAGS.md" >}}).
+See [Access Control Flags]({{< ref "access-flags.md" >}}).
 
 | Flag | Description |
 |------|-------------|
@@ -133,7 +135,7 @@ See [Access Control Flags]({{< ref "ACCESS-FLAGS.md" >}}).
 
 ### ACME (Server)
 
-See [ACME Support]({{< ref "ACME.md" >}}).
+See [ACME Support]({{< ref "acme.md" >}}).
 
 | Flag | Description |
 |------|-------------|
@@ -145,7 +147,7 @@ See [ACME Support]({{< ref "ACME.md" >}}).
 
 ### OPA Policy (Server)
 
-See [Access Control Flags]({{< ref "ACCESS-FLAGS.md" >}}) for OPA/Rego policy details.
+See [Access Control Flags]({{< ref "access-flags.md" >}}) for OPA/Rego policy details.
 
 | Flag | Description |
 |------|-------------|
@@ -158,7 +160,7 @@ Flags specific to `ghostunnel client`.
 
 ### Required
 
-See [Socket Activation]({{< ref "SOCKET-ACTIVATION.md" >}}) for `systemd:NAME` and
+See [Socket Activation]({{< ref "socket-activation.md" >}}) for `systemd:NAME` and
 `launchd:NAME` addresses.
 
 | Flag | Description |
@@ -170,14 +172,14 @@ See [Socket Activation]({{< ref "SOCKET-ACTIVATION.md" >}}) for `systemd:NAME` a
 
 | Flag | Description |
 |------|-------------|
-| `--unsafe-listen` | Do not limit listen to localhost, `127.0.0.1`, `[::1]`, or UNIX sockets. See [Security]({{< ref "SECURITY.md" >}}). |
+| `--unsafe-listen` | Do not limit listen to localhost, `127.0.0.1`, `[::1]`, or UNIX sockets. See [Security]({{< ref "tls.md" >}}). |
 | `--override-server-name NAME` | Override the server name used for hostname verification. |
 | `--proxy URL` | Connect to target over given proxy (HTTP CONNECT or SOCKS5). Must be a proxy URL. |
 | `--disable-authentication` | Disable client authentication, no certificate will be provided to the server. |
 
 ### Server Verification
 
-See [Access Control Flags]({{< ref "ACCESS-FLAGS.md" >}}).
+See [Access Control Flags]({{< ref "access-flags.md" >}}).
 
 | Flag | Description |
 |------|-------------|
@@ -188,7 +190,7 @@ See [Access Control Flags]({{< ref "ACCESS-FLAGS.md" >}}).
 
 ### OPA Policy (Client)
 
-See [Access Control Flags]({{< ref "ACCESS-FLAGS.md" >}}) for OPA/Rego policy details.
+See [Access Control Flags]({{< ref "access-flags.md" >}}) for OPA/Rego policy details.
 
 | Flag | Description |
 |------|-------------|
diff --git a/docs/QUICKSTART.md b/docs/getting-started/quickstart.md
similarity index 85%
rename from docs/QUICKSTART.md
rename to docs/getting-started/quickstart.md
index 30d5194e65..93e21ee205 100644
--- a/docs/QUICKSTART.md
+++ b/docs/getting-started/quickstart.md
@@ -1,7 +1,9 @@
 ---
 title: Quick Start
 description: Get Ghostunnel running with mTLS in 5 minutes using a self-signed CA.
-weight: 5
+weight: 10
+aliases:
+  - /docs/quickstart/
 ---
 
 This guide walks through setting up a Ghostunnel server and client with mutual
@@ -19,7 +21,7 @@ docker pull ghostunnel/ghostunnel:latest-distroless
 
 Pre-built binaries are also available on the
 [GitHub releases](https://github.com/ghostunnel/ghostunnel/releases) page.
-See [Docker Images]({{< ref "DOCKER.md" >}}) for all available image variants.
+See [Docker Images]({{< ref "docker.md" >}}) for all available image variants.
 
 To build from source (requires [Go](https://go.dev/doc/install)):
 
@@ -129,10 +131,10 @@ forwarded the plaintext request to the backend.
 
 ## Next Steps
 
-- [Command-Line Flags]({{< ref "FLAGS.md" >}}): full flag reference
-- [Certificate Formats]({{< ref "CERTIFICATES.md" >}}): PEM, PKCS#12, JCEKS, and chain ordering
-- [Access Control Flags]({{< ref "ACCESS-FLAGS.md" >}}): control who can connect (CN, OU, DNS/URI SAN, OPA)
-- [ACME Support]({{< ref "ACME.md" >}}): automatic certificates from Let's Encrypt
-- [Metrics & Profiling]({{< ref "METRICS.md" >}}): status port, Prometheus metrics, pprof
-- [PROXY Protocol]({{< ref "PROXY-PROTOCOL.md" >}}): pass client connection metadata to backends
-- [Socket Activation]({{< ref "SOCKET-ACTIVATION.md" >}}) and [Systemd Watchdog]({{< ref "WATCHDOG.md" >}}): run Ghostunnel as a service
+- [Command-Line Flags]({{< ref "flags.md" >}}): full flag reference
+- [Certificate Formats]({{< ref "formats.md" >}}): PEM, PKCS#12, JCEKS, and chain ordering
+- [Access Control Flags]({{< ref "access-flags.md" >}}): control who can connect (CN, OU, DNS/URI SAN, OPA)
+- [ACME Support]({{< ref "acme.md" >}}): automatic certificates from Let's Encrypt
+- [Metrics & Profiling]({{< ref "metrics.md" >}}): status port, Prometheus metrics, pprof
+- [PROXY Protocol]({{< ref "proxy-protocol.md" >}}): pass client connection metadata to backends
+- [Socket Activation]({{< ref "socket-activation.md" >}}) and [Systemd Watchdog]({{< ref "watchdog.md" >}}): run Ghostunnel as a service
diff --git a/docs/networking/_index.md b/docs/networking/_index.md
new file mode 100644
index 0000000000..0ea13f2e0c
--- /dev/null
+++ b/docs/networking/_index.md
@@ -0,0 +1,8 @@
+---
+title: Networking & Integration
+description: Connection metadata, socket activation, graceful draining, and metrics.
+weight: 40
+---
+
+How connections flow through Ghostunnel, how the process integrates with its
+environment, and how to observe it in production.
diff --git a/docs/GRACEFUL-SHUTDOWN.md b/docs/networking/graceful-shutdown.md
similarity index 94%
rename from docs/GRACEFUL-SHUTDOWN.md
rename to docs/networking/graceful-shutdown.md
index ac7043d3f1..c0ba1815c3 100644
--- a/docs/GRACEFUL-SHUTDOWN.md
+++ b/docs/networking/graceful-shutdown.md
@@ -1,7 +1,9 @@
 ---
 title: Graceful Shutdown
 description: How Ghostunnel handles shutdown signals, drains in-flight connections, and force-exits after a timeout.
-weight: 87
+weight: 30
+aliases:
+  - /docs/graceful-shutdown/
 ---
 
 Ghostunnel supports graceful shutdown: when a shutdown is triggered, it stops
@@ -71,7 +73,7 @@ When a shutdown is triggered, the following happens in order:
 | `--enable-shutdown` | `false` | Enable the `/_shutdown` HTTP endpoint on the status port. Requires `--status`. |
 | `--status` | *(none)* | HOST:PORT (or `unix:SOCKET`) for the status listener. Required for `/_shutdown`. |
 
-See [Command-Line Flags]({{< ref "FLAGS.md" >}}) for the full flag reference.
+See [Command-Line Flags]({{< ref "flags.md" >}}) for the full flag reference.
 
 ## Choosing a Shutdown Timeout
 
@@ -90,7 +92,7 @@ workload when tuning this value:
 
 Other flags like `--connect-timeout` and `--max-conn-lifetime` also influence
 connection behavior and may be relevant when tuning shutdown. See
-[Command-Line Flags]({{< ref "FLAGS.md" >}}) for the full list.
+[Command-Line Flags]({{< ref "flags.md" >}}) for the full list.
 
 ## Integration with systemd
 
@@ -99,5 +101,5 @@ connection behavior and may be relevant when tuning shutdown. See
 When running as a systemd service with `Type=notify-reload`, Ghostunnel
 notifies systemd of its state transitions (ready, reloading, stopping). The
 graceful shutdown sequence integrates naturally with systemd's service
-lifecycle. See [Systemd Watchdog]({{< ref "WATCHDOG.md" >}}) for unit file
+lifecycle. See [Systemd Watchdog]({{< ref "watchdog.md" >}}) for unit file
 examples and configuration details.
diff --git a/docs/METRICS.md b/docs/networking/metrics.md
similarity index 98%
rename from docs/METRICS.md
rename to docs/networking/metrics.md
index 575bf5353c..d5e5b348e9 100644
--- a/docs/METRICS.md
+++ b/docs/networking/metrics.md
@@ -1,7 +1,9 @@
 ---
 title: Metrics & Profiling
 description: Expose status, health checks, and metrics in JSON or Prometheus format via the built-in status port.
-weight: 70
+weight: 40
+aliases:
+  - /docs/metrics/
 ---
 
 Ghostunnel has a notion of "status port", a TCP port (or UNIX socket) that can
@@ -73,7 +75,7 @@ graceful shutdown of the Ghostunnel process. Any other HTTP method returns 405
 Method Not Allowed. For details on what happens after shutdown is triggered,
 including signal handling, connection draining, and the `--shutdown-timeout`
 flag, see
-[Graceful Shutdown]({{< ref "GRACEFUL-SHUTDOWN.md" >}}).
+[Graceful Shutdown]({{< ref "graceful-shutdown.md" >}}).
 
 ## Backend Healthchecks
 
diff --git a/docs/PROXY-PROTOCOL.md b/docs/networking/proxy-protocol.md
similarity index 96%
rename from docs/PROXY-PROTOCOL.md
rename to docs/networking/proxy-protocol.md
index eb6d4e58a9..ff2ce7b926 100644
--- a/docs/PROXY-PROTOCOL.md
+++ b/docs/networking/proxy-protocol.md
@@ -1,7 +1,9 @@
 ---
 title: PROXY Protocol
 description: Pass original client connection metadata (IP, TLS version, client certificate) through to plaintext backends using HAProxy's PROXY protocol v2.
-weight: 55
+weight: 10
+aliases:
+  - /docs/proxy-protocol/
 ---
 
 When Ghostunnel terminates TLS, the backend only sees a plaintext connection
@@ -14,7 +16,7 @@ needing their own TLS stack.
 
 ## Enabling
 
-See [Command-Line Flags]({{< ref "FLAGS.md" >}}) for the full flag reference.
+See [Command-Line Flags]({{< ref "flags.md" >}}) for the full flag reference.
 
 Pass `--proxy-protocol` in server mode to enable PROXY protocol v2 with
 connection info (source/destination IP and port):
@@ -104,7 +106,7 @@ sub-TLVs:
 
 The `tls-full` mode is useful when backends need to perform their own access
 control or auditing based on client certificate identity. See [Access Control
-Flags]({{< ref "ACCESS-FLAGS.md" >}}) for how Ghostunnel itself verifies
+Flags]({{< ref "access-flags.md" >}}) for how Ghostunnel itself verifies
 client certificates before forwarding.
 
 Note: `PP2_SUBTYPE_SSL_CLIENT_CERT` (`0x28`) is not part of the original
diff --git a/docs/SOCKET-ACTIVATION.md b/docs/networking/socket-activation.md
similarity index 97%
rename from docs/SOCKET-ACTIVATION.md
rename to docs/networking/socket-activation.md
index c64b57c698..1391f97d29 100644
--- a/docs/SOCKET-ACTIVATION.md
+++ b/docs/networking/socket-activation.md
@@ -1,7 +1,9 @@
 ---
 title: Socket Activation
 description: Use systemd (Linux) or launchd (macOS) socket activation for on-demand startup.
-weight: 80
+weight: 20
+aliases:
+  - /docs/socket-activation/
 ---
 
 Ghostunnel supports socket activation via both systemd (on Linux) and launchd
@@ -152,7 +154,7 @@ systemd will start `ghostunnel.service` on demand when a connection arrives
 on the socket.
 
 Ghostunnel also supports systemd notify and watchdog functionality. See
-[WATCHDOG]({{< ref "WATCHDOG.md" >}}) for details on configuring `Type=notify-reload` services.
+[WATCHDOG]({{< ref "watchdog.md" >}}) for details on configuring `Type=notify-reload` services.
 
 [launchd-guide]: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html
 [systemd-socket]: https://www.freedesktop.org/software/systemd/man/latest/systemd.socket.html
diff --git a/docs/reference/_index.md b/docs/reference/_index.md
new file mode 100644
index 0000000000..1a4de92fab
--- /dev/null
+++ b/docs/reference/_index.md
@@ -0,0 +1,9 @@
+---
+title: Reference
+description: Platform-specific man pages with every flag and mode documented.
+weight: 60
+---
+
+Generated man pages for each supported platform. These duplicate some material
+from [Command-Line Flags]({{< ref "flags.md" >}}) but include every flag and
+sub-command in exhaustive form.
diff --git a/docs/MANPAGE-darwin.md b/docs/reference/manpage-darwin.md
similarity index 99%
rename from docs/MANPAGE-darwin.md
rename to docs/reference/manpage-darwin.md
index b11915cf66..4b8245f9de 100644
--- a/docs/MANPAGE-darwin.md
+++ b/docs/reference/manpage-darwin.md
@@ -1,7 +1,9 @@
 ---
 title: Man Page (macOS)
 description: Complete command-line reference with all flags, modes, and examples.
-weight: 91
+weight: 20
+aliases:
+  - /docs/manpage-darwin/
 ---
 
 > This man page was generated from the macOS binary. Some flags may differ on other platforms.
diff --git a/docs/MANPAGE-linux.md b/docs/reference/manpage-linux.md
similarity index 99%
rename from docs/MANPAGE-linux.md
rename to docs/reference/manpage-linux.md
index 396f5e8608..f6fc0ae7d4 100644
--- a/docs/MANPAGE-linux.md
+++ b/docs/reference/manpage-linux.md
@@ -1,7 +1,9 @@
 ---
 title: Man Page (Linux)
 description: Complete command-line reference with all flags, modes, and examples.
-weight: 90
+weight: 10
+aliases:
+  - /docs/manpage-linux/
 ---
 
 > This man page was generated from the Linux binary. Some flags may differ on other platforms.
diff --git a/docs/security/_index.md b/docs/security/_index.md
new file mode 100644
index 0000000000..7dc7bba4a5
--- /dev/null
+++ b/docs/security/_index.md
@@ -0,0 +1,9 @@
+---
+title: Security & Access Control
+description: Protocol configuration and AuthZ to decide who is allowed to connect.
+weight: 30
+---
+
+Ghostunnel enforces mutual TLS by default. This section covers the TLS settings
+(protocol versions, cipher suites, sandboxing) and shows how to configure
+access control rules to determine which peers are permitted.
diff --git a/docs/ACCESS-FLAGS.md b/docs/security/access-flags.md
similarity index 99%
rename from docs/ACCESS-FLAGS.md
rename to docs/security/access-flags.md
index 40c67d566f..131c7ddc35 100644
--- a/docs/ACCESS-FLAGS.md
+++ b/docs/security/access-flags.md
@@ -2,6 +2,8 @@
 title: Access Control Flags
 description: Control which clients or servers are allowed to connect based on certificate fields (CN, OU, DNS/URI SAN) or OPA policies.
 weight: 20
+aliases:
+  - /docs/access-flags/
 ---
 
 Ghostunnel uses TLS with mutual authentication for authentication and access
@@ -73,7 +75,7 @@ Ghostunnel verifies client certificates before forwarding connections, but
 backends may also need to know the client's identity for their own access
 control, logging, or auditing. Use `--proxy-protocol-mode=tls-full` (available
 since v1.10.0) to forward the client certificate (CN, full DER-encoded cert) to
-the backend via [PROXY protocol v2]({{< ref "PROXY-PROTOCOL.md" >}}) TLV
+the backend via [PROXY protocol v2]({{< ref "proxy-protocol.md" >}}) TLV
 extensions.
 
 ## Client mode
diff --git a/website/layouts/_default/list.html b/website/layouts/_default/list.html
index 98ad3967e0..4457d6ff44 100644
--- a/website/layouts/_default/list.html
+++ b/website/layouts/_default/list.html
@@ -5,14 +5,31 @@
   <article class="content">
     <h1>{{ .Title }}</h1>
     {{ .Content }}
+    {{ if .Sections }}
+    {{ range .Sections.ByWeight }}
+    <section class="docs-section">
+      <h2><a href="{{ .RelPermalink }}">{{ .Title }}</a></h2>
+      {{ with .Description }}<p>{{ . }}</p>{{ end }}
+      <div class="docs-list">
+        {{ range .RegularPages.ByWeight }}
+        <div class="docs-card">
+          <h3><a href="{{ .RelPermalink }}">{{ .Title }}</a></h3>
+          {{ with .Description }}<p>{{ . }}</p>{{ end }}
+        </div>
+        {{ end }}
+      </div>
+    </section>
+    {{ end }}
+    {{ else }}
     <div class="docs-list">
-      {{ range .Pages.ByWeight }}
+      {{ range .RegularPages.ByWeight }}
       <div class="docs-card">
         <h3><a href="{{ .RelPermalink }}">{{ .Title }}</a></h3>
         {{ with .Description }}<p>{{ . }}</p>{{ end }}
       </div>
       {{ end }}
     </div>
+    {{ end }}
   </article>
 </div>
 {{ else if eq .Section "releases" }}
diff --git a/website/layouts/partials/sidebar.html b/website/layouts/partials/sidebar.html
index 2f48ce8dc9..32ec060970 100644
--- a/website/layouts/partials/sidebar.html
+++ b/website/layouts/partials/sidebar.html
@@ -1,11 +1,15 @@
 <aside class="sidebar">
   <h3><a href="{{ "docs/" | relURL }}">Documentation</a></h3>
+  {{ $current := . }}
+  {{ $docs := .Site.GetPage "/docs" }}
+  {{ range $docs.Sections.ByWeight }}
+  <h4><a href="{{ .RelPermalink }}">{{ .Title }}</a></h4>
   <ul>
-    {{ $current := . }}
-    {{ range (where .Site.RegularPages "Section" "docs").ByWeight }}
+    {{ range .RegularPages.ByWeight }}
     <li{{ if eq .RelPermalink $current.RelPermalink }} class="active"{{ end }}>
       <a href="{{ .RelPermalink }}">{{ .Title }}</a>
     </li>
     {{ end }}
   </ul>
+  {{ end }}
 </aside>
diff --git a/website/static/css/style.css b/website/static/css/style.css
index 5c9d5d3fc2..6511002d9d 100644
--- a/website/static/css/style.css
+++ b/website/static/css/style.css
@@ -357,21 +357,21 @@ a:hover {
 
 .content h1 {
   font-size: 2rem;
-  margin-bottom: 1rem;
-  padding-bottom: 0.5rem;
+  margin-bottom: 0.75rem;
+  padding-bottom: 0.4rem;
   border-bottom: 1px solid var(--border);
 }
 
 .content h2 {
   font-size: 1.5rem;
-  margin-top: 2.25rem;
-  margin-bottom: 0.75rem;
+  margin-top: 1.5rem;
+  margin-bottom: 0.5rem;
 }
 
 .content h3 {
   font-size: 1.2rem;
-  margin-top: 1.5rem;
-  margin-bottom: 0.5rem;
+  margin-top: 1.25rem;
+  margin-bottom: 0.35rem;
 }
 
 .content p {
@@ -494,6 +494,20 @@ a:hover {
   font-weight: 600;
 }
 
+.sidebar h4 {
+  font-size: 0.82rem;
+  text-transform: uppercase;
+  letter-spacing: 0.06em;
+  color: var(--text-heading);
+  margin-top: 1.25rem;
+  margin-bottom: 0.35rem;
+  font-weight: 600;
+}
+
+.sidebar h4:first-of-type {
+  margin-top: 0;
+}
+
 .sidebar ul {
   list-style: none;
 }