Simplify the docs site navigation (#45115)
Backports #44327

Provide a less overwhelming documentation experience for users by
condensing sidebar sections into five, organized loosely around
different audiences of the documentation:

- **Get Started:** new Teleport users, as well as users of all levels
  who want to quickly look up key, frequently changing information, such
  as the changelog and upcoming release information.
- **Admin Guides:** intermediate users completing a specific task. This
  includes all how-to guides in the docs except those in "Get Started"
  and "Enroll Resources".
- **Enroll Resources:** Admin Guides, but for our extensive library of
  how-to guides for protecting infrastructure resources with Teleport.
- **References:** Advanced users looking for comprehensive reference
  information and architecture guides. This includes all reference
  guides in the docs.
- **User Guides:** Guides for end users looking to access resources.

Related changes:
- **Move Helm reference partials**. Use the `docs/pages/includes`
  directory so we can generate the sidebar from `docs/pages/reference`.
- **Move the Architecture sidebar section** into "References", and move
  architecture guides across the documentation into "Architecture".
- **Remove "Documentation Overview"** as this is out of date. Now, top-level
  sidebar sections are more self-explanatory.
- **Remove "Choose an Edition"**, since we want to elevate Teleport
  Enterprise (Cloud), making Teleport Enterprise (Self-Hosted) available
  for certain use cases.
- **Add an infrastructure as code section** to Admin Guides.
ptgott authored Aug 6, 2024
1 parent b63fe39 commit 5e7986b
Showing 344 changed files with 1,186 additions and 3,217 deletions.
72 changes: 36 additions & 36 deletions CHANGELOG.md

Large diffs are not rendered by default.

1,286 changes: 16 additions & 1,270 deletions docs/config.json

Large diffs are not rendered by default.

230 changes: 0 additions & 230 deletions docs/pages/access-controls/access-graph.mdx

This file was deleted.

Original file line number Diff line number Diff line change
@@ -1,10 +1,10 @@
---
title: Manage Access to your Cluster
title: Access Controls
description: How to provide role-based access control (RBAC) for servers, databases, Kubernetes clusters, and other resources in your infrastructure
layout: tocless-doc
---

After [deploying a Teleport cluster](../deploy-a-cluster/introduction.mdx), the
After [deploying a Teleport cluster](../../index.mdx), the
next step is to manage the access that Teleport users have to resources in your
infrastructure.
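
Review bot: the link text "deploying a Teleport cluster" in the opening paragraph now targets `../../index.mdx`, which by its name is an index page rather than a deployment guide, so the text and the destination no longer agree. Either point the link at wherever the deployment introduction lives after this reorganization or reword the sentence so it does not promise a deployment guide.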

Expand Down Expand Up @@ -75,4 +75,4 @@ achieve compliance with:
## Find out more

Find out more information on Teleport's RBAC features by reading the [Access
Controls Reference](./reference.mdx).
Controls Reference](../../reference/access-controls/roles.mdx).
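
Review bot: the "Access Controls Reference" link under "Find out more" now resolves to `../../reference/access-controls/roles.mdx`, a single page about roles, while the text still names the whole access controls reference. Rename the link text to match the roles page, or link to the index of `reference/access-controls/` if one exists.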
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
---
title: "Access Graph"
description: Guides related to Access Graph, which visualizes relationships between RBAC policies in your infrastructure.
---

Access Graph visualizes relationships between RBAC policies and resources in your infrastructure.

(!toc!)
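
Review bot: the `description` in the front matter and the body sentence of this new page say almost the same thing but differ in scope ("RBAC policies" versus "RBAC policies and resources"); pick one wording and use it in both places. The `title` value is also quoted here while the front matter of the access controls page changed earlier in this commit leaves its title unquoted, so settle on one style.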
Original file line number Diff line number Diff line change
Expand Up @@ -66,7 +66,7 @@ graphical representation thereof.
- A running Teleport Enterprise cluster v14.3.9/v15.2.0 or later.
- For self-hosted clusters, an updated `license.pem` with Teleport Policy enabled.
- For self-hosted clusters, a running Teleport Access Graph node v1.17.0 or later.
Check [Access Graph page](../access-graph.mdx) for details on
Check [Access Graph page](self-hosted.mdx) for details on
how to setup Teleport Access Graph.
- The node running the Access Graph service must be reachable
from Teleport Auth Service and Discovery Service.
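
Review bot: in the prerequisite for self-hosted clusters, the link text still reads "Access Graph page" but the target is now `self-hosted.mdx`, so the text should name the self-hosted setup guide it actually opens. The new target also drops the leading `./` that other relative links in this commit use (for example `./access-lists/guide.mdx`), and the unchanged next line has "how to setup", which should be "how to set up" while this sentence is being touched.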
Original file line number Diff line number Diff line change
Expand Up @@ -50,27 +50,27 @@ If enabled, the Access Graph menu item will appear in the Permission Management
To start the onboarding process, access the Teleport Web UI,
navigate to the "Access Management" tab, and choose "Enroll New Integration", then pick "Microsoft Entra ID".

![Integration selection screen](../../../img/access-graph/entra-id/integrations-page.png)
![Integration selection screen](../../../../img/access-graph/entra-id/integrations-page.png)

In the onboarding wizard, choose a Teleport user that will be assigned as the default owner of Access Lists that are created for your Entra groups, and click "Next".

<Figure width="600">
![First step of the Entra ID integration onboarding](../../../img/access-graph/entra-id/integration-wizard-step-1.png)
![First step of the Entra ID integration onboarding](../../../../img/access-graph/entra-id/integration-wizard-step-1.png)
</Figure>

## Step 2/3. Grant permissions in Azure and finish onboarding

The wizard will now provide you with a script that will set up the necessary permissions in Azure.

<Figure width="600">
![Second step of the Entra ID integration onboarding](../../../img/access-graph/entra-id/integration-wizard-step-2.png)
![Second step of the Entra ID integration onboarding](../../../../img/access-graph/entra-id/integration-wizard-step-2.png)
</Figure>

Open Azure Cloud Shell by navigating to <a href="https://shell.azure.com">shell.azure.com</a>,
or by clicking the Cloud Shell icon in the Azure Portal.

<Figure width="600">
![Location of the Cloud Shell button in the Azure Portal](../../../img/access-graph/entra-id/azure-cloud-shell-button.png)
![Location of the Cloud Shell button in the Azure Portal](../../../../img/access-graph/entra-id/azure-cloud-shell-button.png)
</Figure>

Make sure to use the Bash version of Cloud Shell.
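
Review bot: every image reference in this hunk is rewritten from `../../../img/...` to `../../../../img/...`, and the same mechanical edit repeats for each figure in the file. Four levels of `../` are easy to get wrong on the next move; if the docs build accepts a path rooted at the docs directory for images, using it here would keep these references stable when pages are relocated.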
Expand All @@ -81,12 +81,12 @@ and grants Teleport read-only permissions to read your directory's data (such as
Once the script is done setting up the necessary permissions,
it prints out the data required to finish the integration onboarding.

![Output of the Entra ID onboarding script](../../../img/access-graph/entra-id/onboarding-script-output.png)
![Output of the Entra ID onboarding script](../../../../img/access-graph/entra-id/onboarding-script-output.png)

Back in the Teleport Web UI, fill out the required data and click "Finish".

<Figure width="600">
![Second step of the Entra ID integration onboarding with required fields filled in](../../../img/access-graph/entra-id/integration-wizard-step-2-filled.png)
![Second step of the Entra ID integration onboarding with required fields filled in](../../../../img/access-graph/entra-id/integration-wizard-step-2-filled.png)
</Figure>

## Step 3/3. Analyze Entra ID directory in Teleport Access Graph
Expand All @@ -102,4 +102,4 @@ In the following example, Bob is assigned to group `AWS-Engineers` in Entra ID.
This allows him to use SSO to assume the AWS IAM role `Engineers`,
which in turn allows Bob to access two S3 buckets.

![Example of an Entra ID user's access paths](../../../img/access-graph/entra-id/entra-sso-path.png)
![Example of an Entra ID user's access paths](../../../../img/access-graph/entra-id/entra-sso-path.png)
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ This guide will help you set up the TAG service
in a Kubernetes cluster using a Helm Chart,
and enable the Access Graph feature in your Teleport cluster.

The full listing of supported parameters can be found in the [`teleport-access-graph` Helm chart reference](../../reference/helm-reference/teleport-access-graph.mdx).
The full listing of supported parameters can be found in the [Helm chart reference](../../../reference/helm-reference/teleport-access-graph.mdx).

Teleport Access Graph is a feature of the [Teleport
Policy](https://goteleport.com/platform/policy/) product that is only available
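
Review bot: the link text on the "full listing of supported parameters" line was shortened from "`teleport-access-graph` Helm chart reference" to "Helm chart reference", which no longer tells the reader which chart the reference covers even though the target is still `teleport-access-graph.mdx`. Keep the chart name in the link text.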
Expand Down Expand Up @@ -153,7 +153,7 @@ the Auth Service configuration needs to be updated with:
- The path to the CA which issued the TAG service TLS certificate.
- This path must refer to a volume containing the CA, mounted on the Teleport pods.
- Specifying the CA certificate file can be skipped if you are using a CA that is already trusted by the Teleport cluster
(e.g. via the [`tls.existingCASecretName` option](../../reference/helm-reference/teleport-cluster.mdx#tlsexistingcasecretname)),
(e.g. via the [`tls.existingCASecretName` option](../../../reference/helm-reference/teleport-cluster.mdx)),
or if the certificate was issued by a CA included in the [Mozilla CA Certificate List](https://wiki.mozilla.org/CA/Included_Certificates).

Create a ConfigMap containing the CA certificate as follows:
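
Review bot: the `tls.existingCASecretName` link in the CA certificate bullet lost its `#tlsexistingcasecretname` fragment, so a reader following it lands at the top of `teleport-cluster.mdx` instead of on the option that decides which CA the cluster trusts. If the heading still exists in the reference page, keep the fragment on the new path; if it was removed because the anchor no longer resolves, say so in the commit message.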
Expand Down Expand Up @@ -207,7 +207,7 @@ $ kubectl -n <Var name="teleport-cluster-namespace" /> rollout status deployment
## Step 4/4. View the Access Graph in the Web UI

You can find the Access Graph in the "Access Management" tab in the Web UI.
![Access Management menu item](../../../img/access-graph/menu-item.png)
![Access Management menu item](../../../../img/access-graph/menu-item.png)

To access the interface, your user must have a role that allows `list` and `read` verbs on the `access_graph` resource, e.g.:

Original file line number Diff line number Diff line change
Expand Up @@ -123,7 +123,7 @@ Then, restart Auth Service instances, followed by Proxy Service instances.
## Step 3/3. View the Access Graph in the Web UI
You can find Access Graph in the "Access Management" tab in the Web UI.
![Access Management menu item](../../../img/access-graph/menu-item.png)
![Access Management menu item](../../../../img/access-graph/menu-item.png)
To access the interface, your user must have a role that allows `list` and `read` verbs on the `access_graph` resource, e.g.:

Original file line number Diff line number Diff line change
Expand Up @@ -11,4 +11,4 @@ traits, which then tie easily back into Teleport's existing RBAC system.

[Getting Started with Access Lists](./access-lists/guide.mdx)

[Access List Reference](./access-lists/reference.mdx)
[Access List Reference](../../reference/access-controls/access-lists.mdx)