On-prem: Initial docs for embedded cluster install

docs/docs.json

@@ -669,6 +669,15 @@
               }
             ]
           },
+          {
+            "group": "On-premises BloodHound Enterprise",
+            "pages": [
+              "on-premises/overview",
+              "on-premises/architecture",
+              "on-premises/system-requirements",
+              "on-premises/install"
+            ]
+          },
           {
             "group": "Resources",
             "pages": [

docs/get-started/quickstart/enterprise-quickstart.mdx

@@ -20,7 +20,7 @@ BloodHound Enterprise supports multiple data collection paths. Use the path that
 * Entra ID (formerly Azure AD) and Azure IaaS, collected by AzureHound Enterprise
 * Github, Jamf, and Okta, collected by OpenHound for BloodHound Enterprise
 
-You can run the two services from the same Windows system. AzureHound Enterprise also supports Docker and Kubernetes.
+You can run SharpHound Enterprise and AzureHound Enterprise from the same Windows system. AzureHound Enterprise also supports Docker and Kubernetes deployments.
 
 <OpengraphLibrary />
 
@@ -40,7 +40,7 @@ Install the SharpHound Enterprise collector service on a domain-joined Windows s
 
 ## Ingest with AzureHound Enterprise (Entra ID and Azure)
 
-Install and run the AzureHound Enterprise collector service on Windows, Docker, or Kubernetes.
+Install and run AzureHound Enterprise on Windows, Docker, or Kubernetes. When you deploy AzureHound Enterprise on Windows, it runs as a Windows service.
 
 1. Review the [AzureHound Enterprise System Requirements and Deployment Process](/install-data-collector/install-azurehound/system-requirements).
 2. [Configure Azure](/install-data-collector/install-azurehound/azure-configuration).

docs/install-data-collector/install-azurehound/system-requirements.mdx

@@ -5,17 +5,17 @@ import snip_system_reqs from '/snippets/hounds/system_reqs.mdx';
 
 <img noZoom src="/assets/enterprise-edition-pill-tag.svg" alt="Applies to BloodHound Enterprise only"/>
 
-The AzureHound Enterprise service is a critical element in your deployment that collects and uploads data about your Microsoft Entra ID and Azure environments to your BloodHound Enterprise tenant for processing and analysis.
+AzureHound Enterprise is a critical element in your deployment that collects and uploads data about your Microsoft Entra ID and Azure environments to your BloodHound Enterprise tenant for processing and analysis.
 
-AzureHound Enterprise is generally deployed as a service on a single Windows system per Entra ID tenant. You need to create (at least) a single AzureHound server for all the tenants in scope and one Entra ID Enterprise Application service instance for each tenant.
+AzureHound Enterprise supports Windows, Docker, and Kubernetes deployments. Many organizations deploy one AzureHound Enterprise instance per Entra ID tenant. If you deploy AzureHound Enterprise on Windows, it typically runs as a Windows service. You need at least one AzureHound deployment for the tenants in scope and one Entra ID Enterprise Application service instance for each tenant.
 
 Running multiple AzureHound collector instances on a single server requires the collectors to be installed as Scheduled Tasks instead of Windows Services. Installation instructions for such a configuration can be found at: [Setting up multiple AzureHound collectors on the same server with scheduled tasks](/install-data-collector/install-azurehound/multiple-collectors).
 
 While it is possible to run both AzureHound and SharpHound on the same machine, the hardware recommendations for each application persist.
 
 ## Deployment Process Overview
 
-To deploy a new AzureHound collector service:
+To deploy a new AzureHound collector:
 
 1. Configure Entra ID and Azure: [AzureHound Enterprise Azure Configuration](/install-data-collector/install-azurehound/azure-configuration)
 2. Create your AzureHound configuration: [Create an AzureHound Configuration](/install-data-collector/install-azurehound/create-configuration)

docs/on-premises/architecture.mdx

@@ -0,0 +1,59 @@
+---
+title: Architecture
+description: Understand the architecture, components, and data flow of on-premises deployments of BloodHound Enterprise.
+---
+
+<img noZoom src="/assets/enterprise-edition-pill-tag.svg" alt="Applies to BloodHound Enterprise only" />
+
+On-premises deployments of BloodHound Enterprise give you full control over your deployment infrastructure while maintaining the same powerful identity security capabilities as the SaaS version.
+
+## Deployment architecture
+
+On-premises deployments of BloodHound Enterprise consist of two primary parts:
+
+- **BloodHound Enterprise host** - Runs the BloodHound application, database, and supporting infrastructure
+- **Collector hosts** - Run lightweight collector services (SharpHound, AzureHound, or OpenHound) to gather data from your identity infrastructure
+
+### Core components
+
+All on-premises deployments include the following core application components:
+
+| Component | Purpose |
+|-----------|---------|
+| **BloodHound Enterprise API** | Application server, UI, graph analysis, and collector ingestion |
+| **PostgreSQL 18.x** | Database server for application data and graph storage |
+
+### Deployment-specific components
+
+Embedded cluster deployments include the following infrastructure and management components:
+
+| Component | Purpose |
+|-----------|---------|
+| **k0s Kubernetes distribution** | Bundled Kubernetes distribution that runs BloodHound Enterprise on your Linux host |
+| **Embedded ingress controller** | Exposes the BloodHound Enterprise application endpoint and terminates HTTPS for the configured FQDN by default |
+| **Installation Wizard** | Host-local web UI that completes configuration and runs <Tooltip tip="Automated checks that verify your Kubernetes cluster is ready for a BloodHound Enterprise installation or upgrade.">preflight checks</Tooltip> |
+| **SpecterOps - BloodHound Enterprise Portal** | Hosted portal that provides installer access, generates deployment-specific installation commands, and tracks online installations and updates |
+
+### Data collectors
+
+Collectors run separately from the BloodHound Enterprise host and gather configuration data from your identity infrastructure:
+
+| Collector | Target Environment | Data Collected |
+|-----------|-------------------|----------------|
+| **SharpHound Enterprise** | Active Directory | AD objects, relationships, ACLs, sessions |
+| **AzureHound Enterprise** | Azure / Entra ID | Azure AD objects, role assignments, resource relationships |
+| **OpenHound** | Other identity providers, platforms, and custom sources | Varies by source; data collected and converted into BloodHound Enterprise-compatible graphs |
+
+## Data flow
+
+Data flows through the system in the following sequence:
+
+1. **Collection** - Collectors gather configuration data from Active Directory, Entra ID, or other identity sources
+2. **Transmission** - Data is transmitted over encrypted HTTPS/TLS to the BloodHound Enterprise API
+3. **Processing** - The BloodHound Enterprise API processes and stores data in PostgreSQL
+4. **Analysis** - Graph analysis identifies privilege relationships and Attack Paths
+5. **Visualization** - Results are displayed in the BloodHound Enterprise UI
+
+<Note>
+  Collectors have zero local storage of collected data. All data is transmitted directly to the BloodHound Enterprise host and stored in PostgreSQL.
+</Note>