Added pipeline image scan

.gitea/workflows/deploy.yaml

@@ -1,43 +1,38 @@
 name: Build and Deploy Container
 
-env:
-  TARGET_HOST: host.containers.internal
-  #TARGET_HOST: www.valtrix.systems
-  TARGET_USER: traefik
-  APP_DIR: /home/traefik/valtrix-website
-  CONTAINER_NAME: valtrix-website
-  QUADLET_FILE: ./deploy/valtrix-website.container
-  SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
-  SSH_KNOWN_HOSTS: ${{ secrets.SSH_KNOWN_HOSTS }}
-
 on:
   push:
     branches:
       - main
       - develop
 
+env: # global: unkritische, strukturgebende Variablen
+  TARGET_HOST: host.containers.internal
+  TARGET_USER: traefik
+  APP_DIR: /home/traefik/valtrix-website
+  CONTAINER_NAME: valtrix-website
+  QUADLET_FILE: ./deploy/valtrix-website.container
+
 jobs:
   build_and_deploy:
     runs-on: ubuntu-latest
+    env: # Job-spezifisch: Secrets und sensible Werte
+      SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
+      SSH_KNOWN_HOSTS: ${{ secrets.SSH_KNOWN_HOSTS }}
+
     steps:
       - name: Pre-clean Git global config (avoid https→ssh rewrite)
         shell: bash
         run: |
           set -euo pipefail
-          git --version || true
-          echo "Global git config before:" || true
-          git config --global --list || true
-          # Remove any url.*.insteadof rules that force SSH for gitea.smb-corp.de
+          echo "Cleaning up global git config"
+          git config --global --unset-all core.sshCommand || true
           for key in $(git config --global --get-regexp '^url\\..*\\.insteadof$' 2>/dev/null | awk '{print $1}'); do
             if echo "$key" | grep -qi 'gitea\\.smb-corp\\.de'; then
-              echo "Removing global mapping: $key"
               git config --global --unset-all "$key" || true
             fi
           done
-          # Ensure no global sshCommand forces SSH
-          git config --global --unset-all core.sshCommand || true
-          echo "Global git config after:" || true
-          git config --global --list || true
+
       - name: Setup SSH for git/scp
         shell: bash
         run: |
@@ -46,48 +41,67 @@ jobs:
           chmod 600 ~/.ssh/id_ed25519
           printf "%s\n" "$SSH_KNOWN_HOSTS" > ~/.ssh/known_hosts || true
           chmod 644 ~/.ssh/known_hosts
-          # Ensure host keys are present to avoid interactive prompts
+          # Ensure host keys exist
           (ssh-keygen -F "$TARGET_HOST" >/dev/null || ssh-keyscan -H "$TARGET_HOST" >> ~/.ssh/known_hosts) || true
           (ssh-keygen -F gitea.smb-corp.de >/dev/null || ssh-keyscan -H gitea.smb-corp.de >> ~/.ssh/known_hosts) || true
 
       - name: Checkout Repository
         uses: actions/checkout@v4
-      - name: Copy entire repository to target host (scp -> atomic replace)
+
+      - name: Copy repository to target host (atomic replace)
         shell: bash
         run: |
           set -euo pipefail
-          # Work in a temp directory to avoid partial updates and handle ownership issues more clearly
           TMP_DIR="$APP_DIR.tmp.$(date +%s)"
-          echo "Creating remote temp dir $TMP_DIR"
-          ssh -o BatchMode=yes -i ~/.ssh/id_ed25519 $TARGET_USER@$TARGET_HOST "mkdir -p '$TMP_DIR'"
-
-          echo "Copying repository files to $TARGET_HOST:$TMP_DIR via scp (includes hidden files)"
-          # Enable dotglob so hidden files are included in the glob
-          shopt -s dotglob || true
-          # Copy all files and directories in the repo root to the remote temp dir
-          scp -r -o BatchMode=yes -i ~/.ssh/id_ed25519 ./* $TARGET_USER@$TARGET_HOST:$TMP_DIR/
-
-          echo "Attempting atomic replacement of $APP_DIR with $TMP_DIR"
-          # Try to remove existing dir and move temp into place. If removal fails due to permissions, leave temp and error.
-          ssh -o BatchMode=yes -i ~/.ssh/id_ed25519 $TARGET_USER@$TARGET_HOST "set -euo pipefail; if [ -d '$APP_DIR' ]; then rm -rf '$APP_DIR' || { echo 'ERROR: cannot remove existing $APP_DIR (permissions)'; exit 2; } fi; mv '$TMP_DIR' '$APP_DIR'"
-          echo "Copy and replace finished"
+          ssh -i ~/.ssh/id_ed25519 $TARGET_USER@$TARGET_HOST "mkdir -p '$TMP_DIR'"
+          scp -r -i ~/.ssh/id_ed25519 ./* $TARGET_USER@$TARGET_HOST:$TMP_DIR/
+          ssh -i ~/.ssh/id_ed25519 $TARGET_USER@$TARGET_HOST "
+            set -euo pipefail;
+            if [ -d '$APP_DIR' ]; then rm -rf '$APP_DIR'; fi;
+            mv '$TMP_DIR' '$APP_DIR'
+          "
 
       - name: Build container on target host
+        shell: bash
         run: |
-          # Expand $APP_DIR locally so the remote shell receives the concrete path
-          ssh $TARGET_USER@$TARGET_HOST "set -euo pipefail; cd '$APP_DIR' && echo 'PWD:' \$(pwd) && ls -la . && podman build -t $CONTAINER_NAME:latest ."
+          ssh -i ~/.ssh/id_ed25519 $TARGET_USER@$TARGET_HOST "
+            set -euo pipefail
+            export APP_DIR='$APP_DIR' CONTAINER_NAME='$CONTAINER_NAME'
+            cd \"\$APP_DIR\"
+            echo 'Building container: '\$CONTAINER_NAME 'in' \$APP_DIR
+            podman build -t \$CONTAINER_NAME:latest .
+          "
 
-      - name: Backup Quadlet file
+      - name: Backup existing Quadlet file
+        shell: bash
         run: |
-          ssh $TARGET_USER@$TARGET_HOST '
-            test -f ~/.config/containers/systemd/$CONTAINER_NAME.container && \
-            cp ~/.config/containers/systemd/$CONTAINER_NAME.container ~/.config/containers/systemd/$CONTAINER_NAME.container.bak || true
-          '
+          ssh -i ~/.ssh/id_ed25519 $TARGET_USER@$TARGET_HOST "
+            set -euo pipefail
+            export CONTAINER_NAME='$CONTAINER_NAME'
+            QFILE=~/.config/containers/systemd/\$CONTAINER_NAME.container
+            test -f \"\$QFILE\" && cp \"\$QFILE\" \"\$QFILE.bak\" || true
+          "
 
-      - name: Replace Quadlet file
+      - name: Replace Quadlet file and restart service
+        shell: bash
         run: |
-          scp ./$QUADLET_FILE $TARGET_USER@$TARGET_HOST:~/.config/containers/systemd/
-          ssh $TARGET_USER@$TARGET_HOST '
+          scp -i ~/.ssh/id_ed25519 "$QUADLET_FILE" $TARGET_USER@$TARGET_HOST:~/.config/containers/systemd/
+          ssh -i ~/.ssh/id_ed25519 $TARGET_USER@$TARGET_HOST "
+            set -euo pipefail
+            export CONTAINER_NAME='$CONTAINER_NAME'
             systemctl --user daemon-reload
-            systemctl --user restart $CONTAINER_NAME.service
-          '
+            systemctl --user restart \$CONTAINER_NAME.service
+            echo 'Service restarted: '\$CONTAINER_NAME
+          "
+
+      - name: Verify deployment
+        shell: bash
+        run: |
+          ssh -i ~/.ssh/id_ed25519 $TARGET_USER@$TARGET_HOST "
+            set -euo pipefail
+            export CONTAINER_NAME='$CONTAINER_NAME'
+            echo 'Running containers:'
+            podman ps --filter \"name=\$CONTAINER_NAME\" --format \"table {{.Names}}\t{{.Image}}\t{{.Status}}\"
+            echo '--- Last 20 log lines ---'
+            podman logs \$CONTAINER_NAME --tail 20 || echo 'No logs available'
+          "

.gitea/workflows/image-scan.yaml

@@ -0,0 +1,41 @@
+name: Scan Image for CVEs
+
+on:
+  push:
+    branches:
+      - main
+      - develop
+
+env: # global: unkritische, strukturgebende Variablen
+  TARGET_HOST: host.containers.internal
+  TARGET_USER: traefik
+  CONTAINER_NAME: localhost/valtrix-website
+
+jobs:
+  scan_image:
+    runs-on: ubuntu-latest
+    env: # Job-spezifisch: Secrets und sensible Werte
+      SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
+      SSH_KNOWN_HOSTS: ${{ secrets.SSH_KNOWN_HOSTS }}
+
+    steps:
+      - name: Setup SSH for git/scp
+        shell: bash
+        run: |
+          install -m 700 -d ~/.ssh
+          printf "%s\n" "$SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519
+          chmod 600 ~/.ssh/id_ed25519
+          printf "%s\n" "$SSH_KNOWN_HOSTS" > ~/.ssh/known_hosts || true
+          chmod 644 ~/.ssh/known_hosts
+          # Ensure host keys exist
+          (ssh-keygen -F "$TARGET_HOST" >/dev/null || ssh-keyscan -H "$TARGET_HOST" >> ~/.ssh/known_hosts) || true
+          (ssh-keygen -F gitea.smb-corp.de >/dev/null || ssh-keyscan -H gitea.smb-corp.de >> ~/.ssh/known_hosts) || true
+          
+      - name: Scan container image with Trivy
+        shell: bash
+        run: |
+          ssh -i ~/.ssh/id_ed25519 $TARGET_USER@$TARGET_HOST "
+            set -euo pipefail
+            export CONTAINER_NAME='$CONTAINER_NAME'
+            trivy image localhost/valtrix-website:latest
+          "

.gitignore

@@ -1,5 +1,4 @@
 node_modules
-package-lock.json
 dist
 .env
 .DS_Store

Containerfile.notworking

@@ -0,0 +1,36 @@
+# syntax=docker/dockerfile:1.7
+
+###########
+# BUILD STAGE
+###########
+FROM cgr.dev/chainguard/node:latest-dev AS build
+WORKDIR /app
+
+# Copy dependency manifests
+COPY package*.json ./
+
+# Install all deps (inkl. dev)
+RUN --mount=type=cache,target=/root/.npm npm ci
+
+# Copy app source and build
+COPY . .
+RUN npm run build
+
+###########
+# RUNTIME STAGE
+###########
+FROM cgr.dev/chainguard/node:latest
+ENV NODE_ENV=production
+WORKDIR /app
+
+# Copy only what’s needed to run
+COPY --from=build /app/package*.json ./
+COPY --from=build /app/node_modules ./node_modules
+COPY --from=build /app/dist ./dist
+COPY --from=build /app/server.mjs ./server.mjs
+
+# Chainguard runs as nonroot by default (user `nonroot`)
+USER node
+#EXPOSE 3000
+
+CMD ["node", "./server.mjs"]

deploy/valtrix-website.container

@@ -1,33 +1,30 @@
 [Unit]
 Description=Valtrix Website
-Requires=edge.network
-After=edge.network
 
 [Container]
 Image=localhost/valtrix-website
-ContainerName=valtrixwebsite
+ContainerName=valtrix-website
 Network=edge
 AutoUpdate=registry
 Environment=TZ=Europe/Berlin
 
 #Traefik Labels
-Label=traefik.enable=true
-Label=traefik.http.routers.wtw.rule=Host(`www.valtrix.systems`)
-Label=traefik.http.services.wtw.loadbalancer.server.port=3000
-Label=traefik.http.routers.wtw.entrypoints=websecure
-Label=traefik.http.routers.wtw.tls=true
-Label=traefik.http.routers.wtw.tls.certresolver=le
+Label="traefik.enable=true"
+Label="traefik.http.routers.wtw.rule=Host(`www.valtrix.systems`)"
+Label="traefik.http.services.wtw.loadbalancer.server.port=3000"
+Label="traefik.http.routers.wtw.entrypoints=websecure"
+Label="traefik.http.routers.wtw.tls=true"
+Label="traefik.http.routers.wtw.tls.certresolver=le"
 
-Label=traefik.http.routers.wtw-http.rule=Host(`www.valtrix.systems`)
-Label=traefik.http.routers.wtw-http.entrypoints=web
-Label=traefik.http.routers.wtw-http.middlewares=wtw-redirect
-Label=traefik.http.middlewares.wtw-redirect.redirectscheme.scheme=https
-Label=traefik.http.middlewares.wtw-redirect.redirectscheme.permanent=true
-Label=traefik.http.routers.wtw.middlewares=secure-headers@file
+Label="traefik.http.routers.wtw-http.rule=Host(`www.valtrix.systems`)"
+Label="traefik.http.routers.wtw-http.entrypoints=web"
+Label="traefik.http.routers.wtw-http.middlewares=wtw-redirect"
+Label="traefik.http.middlewares.wtw-redirect.redirectscheme.scheme=https"
+Label="traefik.http.middlewares.wtw-redirect.redirectscheme.permanent=true"
+Label="traefik.http.routers.wtw.middlewares=secure-headers@file"
 
 Label="traefik.http.middlewares.wtw-sec.headers.customResponseHeaders.Content-Security-Policy=default-src 'self'; base-uri 'self'; object-src 'none'; frame-ancestors 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; script-src 'self'; script-src-elem 'self' 'unsafe-inline'; connect-src 'self' wss: https:; font-src 'self' data:; worker-src 'self' blob:;"
-Label=traefik.http.routers.wtw.middlewares=wtw-sec@docker
-Label=traefik.http.routers.wtw.middlewares=wtw-sec@docker
+Label="traefik.http.routers.wtw.middlewares=wtw-sec@docker"
 Label="traefik.http.routers.wtw.middlewares=auth"
 Label="traefik.http.middlewares.auth.basicauth.users=smb:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
 

src/layouts/Base.astro

@@ -4,13 +4,15 @@ const { title = "Valtrix – Struktur schafft Wert", description = "Cloud, Secur
 // Language & routing helpers
 const pathname = Astro.url.pathname;
 const isEn = pathname.startsWith('/en');
+const isDe = pathname.startsWith('/de');
 const lang = isEn ? 'en' : 'de';
-const prefix = isEn ? '/en' : '';
-const stripEn = (p) => p.replace(/^\/en(?=\/|$)/, '');
-const altHref = isEn ? (stripEn(pathname) || '/') : ('/en' + (pathname === '/' ? '' : pathname));
+// Default to /de for links so navigation always points to language-prefixed routes
+const prefix = isEn ? '/en' : '/de';
+const stripLang = (p) => p.replace(/^\/(?:en|de)(?=\/|$)/, '');
+const altHref = isEn ? ('/de' + (stripLang(pathname) || '/')) : ('/en' + (stripLang(pathname) || '/'));
 // Canonical/alternate URLs (use provided path when present for og/link tags)
 const canonicalPath = path || pathname;
-const deHref = stripEn(canonicalPath) || '/';
+const deHref = canonicalPath.startsWith('/de') ? canonicalPath : ('/de' + (canonicalPath === '/' ? '' : canonicalPath));
 const enHref = canonicalPath.startsWith('/en') ? canonicalPath : ('/en' + (canonicalPath === '/' ? '' : canonicalPath));
 // Nav labels per language
 const labels = isEn ? {

src/pages/de/cases.astro

@@ -1,15 +1,15 @@
 ---
-import Base from "../layouts/Base.astro";
+import Base from "../../layouts/Base.astro";
 const items = [
   { slug: "cloud-migration", title: "Sichere Cloud-Migration (AWS/Azure)", summary: "Landing Zone, Zero-Trust, Pipeline & Observability in 6 Wochen." },
   { slug: "k8s-hardening", title: "Kubernetes Hardening & GitOps", summary: "CIS Benchmarks, OPA Policies-as-Code, ArgoCD Rollouts." }
 ];
 ---
-<Base path="/cases" title="Referenzen – Valtrix">
+<Base path="/de/cases" title="Referenzen – Valtrix">
   <h1 class="text-3xl font-bold mt-8">Referenzen</h1>
   <div class="grid md:grid-cols-2 gap-6 mt-6">
     {items.map(i => (
-      <a href={`/cases/${i.slug}`} class="p-6 border rounded-brand card hover:shadow-sm transition-shadow block">
+      <a href={`/de/cases/${i.slug}`} class="p-6 border rounded-brand card hover:shadow-sm transition-shadow block">
         <h2 class="font-semibold text-lg">{i.title}</h2>
         <p class="mt-2 text-textMuted">{i.summary}</p>
         <span class="mt-3 inline-block text-primary underline">Case ansehen</span>

src/pages/de/cases/cloud-migration.astro

@@ -0,0 +1,36 @@
+---
+import Base from "../../../layouts/Base.astro";
+---
+<Base path="/de/cases/cloud-migration" title="Case Study – Sichere Cloud-Migration">
+  <h1 class="text-3xl font-bold mt-8">Case Study: Sichere Cloud-Migration</h1>
+  <p class="mt-4 text-textMuted">Enterprise-Migration von On-Prem nach Cloud mit Fokus auf Sicherheit & Compliance.</p>
+
+  <section class="mt-8 grid md:grid-cols-3 gap-6">
+    <div class="p-6 border rounded-brand card">
+      <h3 class="font-semibold">Ziel</h3>
+      <p class="mt-2 text-textMuted">Sichere AWS/Azure Landing Zone, segmentiertes Netzwerk, zentralisiertes IAM.</p>
+    </div>
+    <div class="p-6 border rounded-brand card">
+      <h3 class="font-semibold">Vorgehen</h3>
+      <p class="mt-2 text-textMuted">Guardrails, IaC (Terraform/OpenTofu), GitOps, Observability, Cost Controls.</p>
+    </div>
+    <div class="p-6 border rounded-brand card">
+      <h3 class="font-semibold">Ergebnis</h3>
+      <p class="mt-2 text-textMuted">Schnelleres Deployment, Auditfähigkeit, reduzierte Risiken & Kosten.</p>
+    </div>
+  </section>
+
+  <section class="mt-10">
+  <h2 class="text-2xl font-bold mb-3">Kennzahlen</h2>
+    <ul class="list-disc pl-6 text-textMuted">
+      <li>6 Wochen bis produktionsreifer Basis</li>
+      <li>~40% weniger manuelle Deployments durch CI/CD</li>
+      <li>100% Infrastruktur als Code & Policies-as-Code</li>
+    </ul>
+  </section>
+
+  <div class="mt-12 rounded-brand p-6 bg-gradient-to-r from-accent to-primary text-white flex items-center justify-between">
+    <div class="text-lg font-semibold tracking-wide">Ähnliches Projekt geplant?</div>
+    <a href="/de/kontakt" class="px-5 py-3 rounded-brand bg-white text-primary font-medium">Jetzt anfragen</a>
+  </div>
+</Base>

src/pages/de/cases/k8s-hardening.astro

@@ -0,0 +1,48 @@
+---
+import Base from "../../../layouts/Base.astro";
+---
+<Base path="/de/cases/k8s-hardening" title="Case Study – Kubernetes Hardening & GitOps">
+  <h1 class="text-3xl font-bold mt-8">Case Study: Kubernetes Hardening & GitOps</h1>
+  <p class="mt-4 text-textMuted">Produktionsreifes K8s‑Setup mit Härtung nach CIS, durchgängigen Policies‑as‑Code und GitOps‑Deployments.</p>
+
+  <section class="mt-8 grid md:grid-cols-3 gap-6">
+    <div class="p-6 border rounded-brand card">
+      <h3 class="font-semibold">Ziel</h3>
+      <p class="mt-2 text-textMuted">Sicheres Cluster‑Baseline: identitätszentrierte Zugriffe, Netzwerk‑Segmentierung, saubere Supply Chain.</p>
+    </div>
+    <div class="p-6 border rounded-brand card">
+      <h3 class="font-semibold">Vorgehen</h3>
+      <p class="mt-2 text-textMuted">CIS Benchmarks, OPA/Gatekeeper oder Kyverno Policies, Pod Security Standards, signierte Artefakte & GitOps (Argo CD).</p>
+    </div>
+    <div class="p-6 border rounded-brand card">
+      <h3 class="font-semibold">Ergebnis</h3>
+      <p class="mt-2 text-textMuted">Reproduzierbare Deployments, Policy‑konforme Releases, Auditfähigkeit und reduzierte Angriffsfläche.</p>
+    </div>
+  </section>
+
+  <section class="mt-10">
+    <h2 class="text-2xl font-bold mb-3">Kennzahlen</h2>
+    <ul class="list-disc pl-6 text-textMuted">
+      <li>100% deklarative Deployments (GitOps, Pull‑basiert)</li>
+      <li>~80% der CIS‑Kontrollen automatisiert überprüfbar</li>
+      <li>Policy‑Breaks verhindern riskante Manifeste vor dem Rollout</li>
+      <li>Signierte Container‑Images & SBOM für Kernservices</li>
+    </ul>
+  </section>
+
+  <section class="mt-10 grid md:grid-cols-2 gap-6">
+    <div class="p-6 border rounded-brand card">
+      <h3 class="font-semibold">GitOps Setup</h3>
+      <p class="mt-2 text-textMuted">Mehrstufige Environments (dev/stage/prod) mit Branch/Tag‑Strategie, Kustomize‑Overlays und PR‑basierten Changes.</p>
+    </div>
+    <div class="p-6 border rounded-brand card">
+      <h3 class="font-semibold">Cluster Hardening</h3>
+      <p class="mt-2 text-textMuted">RBAC Least‑Privilege, NetworkPolicies default‑deny, Pod Security, Image‑Scanning, Secrets‑Management.</p>
+    </div>
+  </section>
+
+  <div class="mt-12 rounded-brand p-6 bg-gradient-to-r from-accent to-primary text-white flex items-center justify-between">
+    <div class="text-lg font-semibold tracking-wide">Ähnliches Projekt geplant?</div>
+    <a href="/de/kontakt" class="px-5 py-3 rounded-brand bg-white text-primary font-medium">Jetzt anfragen</a>
+  </div>
+</Base>

src/pages/de/datenschutz.astro

@@ -1,15 +1,15 @@
 ---
-import Base from "../layouts/Base.astro";
+import Base from "../../layouts/Base.astro";
 const updated = new Date().toLocaleDateString('de-DE', { year: 'numeric', month: 'long', day: '2-digit' });
 ---
-<Base path="/datenschutz" title="Datenschutz – Valtrix">
+<Base path="/de/datenschutz" title="Datenschutz – Valtrix">
   <h1 class="text-2xl font-bold mt-8">Datenschutzhinweise</h1>
 
   <p class="mt-4 text-textMuted">Diese Hinweise informieren darüber, wie wir personenbezogene Daten beim Besuch dieser Website verarbeiten. Die Website ist als statische Seite umgesetzt; es werden keine Tracking‑ oder Marketing‑Cookies eingesetzt und keine externen Ressourcen (z. B. Google Fonts, Analytics, Formdienste) geladen.</p>
 
   <section class="mt-8 grid gap-2">
     <h2 class="text-xl font-semibold">1. Verantwortlicher</h2>
-    <p>Verantwortlicher im Sinne der DSGVO ist: <strong>Valtrix</strong>. Anschrift siehe <a class="underline text-primary" href="/impressum">Impressum</a>. E‑Mail: <a class="underline text-primary" href="mailto:kontakt@valtrix.systems">kontakt@valtrix.systems</a></p>
+    <p>Verantwortlicher im Sinne der DSGVO ist: <strong>Valtrix</strong>. Anschrift siehe <a class="underline text-primary" href="/de/impressum">Impressum</a>. E‑Mail: <a class="underline text-primary" href="mailto:kontakt@valtrix.systems">kontakt@valtrix.systems</a></p>
   </section>
 
   <section class="mt-6 grid gap-2">

src/pages/de/impressum.astro

@@ -1,7 +1,7 @@
 ---
-import Base from "../layouts/Base.astro";
+import Base from "../../layouts/Base.astro";
 ---
-<Base path="/impressum" title="Impressum – Valtrix">
+<Base path="/de/impressum" title="Impressum – Valtrix">
   <h1 class="text-2xl font-bold mt-8">Impressum</h1>
   <p><strong>VALTRIX</strong> GmbH i.G.</p>
   <p>Am Wassergraben 4, 10179 Berlin</p>

src/pages/de/index.astro

@@ -0,0 +1,82 @@
+---
+import Base from "../../layouts/Base.astro";
+const benefits = [
+  { title: "Zero-Trust & Härtung", text: "Security-by-Design, CIS/BSI-Richtlinien, automatisierte Policies." },
+  { title: "Cloud Foundations", text: "Landing Zones, Identity, Observability – sauber & skalierbar." },
+  { title: "Automatisierung", text: "IaC, CI/CD, GitOps, wiederholbar & auditfähig." }
+];
+const approach = [
+  { title: 'Assess', text: 'Risiko- und Reifegradanalyse: schneller Quick-Scan, klare Prioritäten.' },
+  { title: 'Design', text: 'Zielarchitektur & Guardrails: sichere, skalierbare Blueprint-Entwürfe.' },
+  { title: 'Build', text: 'IaC, Pipelines & Policies-as-Code: reproduzierbar und überprüfbar.' },
+  { title: 'Run', text: 'Monitoring, Audits & Kostentransparenz: nachhaltig betreibbar.' }
+];
+---
+<Base path="/de">
+  <section class="py-16 grid lg:grid-cols-2 gap-12 items-center">
+    <div class="fade-in">
+      <h1 class="text-4xl md:text-5xl font-bold leading-tight">
+        Security-first Cloud Consulting.
+      </h1>
+      <p class="mt-4 text-lg text-textMuted">
+        Wir verbinden <strong>Struktur</strong> und <strong>Wert</strong>: sichere Cloud-Architekturen, Automatisierung und Compliance – pragmatisch und messbar.
+      </p>
+      <div class="mt-8 flex gap-4">
+        <a href="/de/leistungen" class="px-5 py-3 rounded-brand bg-primary text-white hover:opacity-90">Leistungen</a>
+        <a href="/de/kontakt" class="px-5 py-3 rounded-brand border border-primary text-primary hover:bg-graybg">Kontakt</a>
+      </div>
+      <div class="mt-8 grid grid-cols-3 gap-4 text-sm text-textMuted">
+        <div class="p-3 border rounded-brand card">DSGVO / EU-Hosting</div>
+        <div class="p-3 border rounded-brand card">BSI/ISO-orientiert</div>
+        <div class="p-3 border rounded-brand card">Auditfähig</div>
+      </div>
+    </div>
+  </section>
+
+  <section class="py-10 grid md:grid-cols-3 gap-6">
+    {benefits.map(b => (
+      <div class="p-6 border rounded-brand hover:shadow-sm transition-shadow card">
+        <h3 class="font-semibold text-lg">{b.title}</h3>
+        <p class="mt-2 text-textMuted">{b.text}</p>
+      </div>
+    ))}
+  </section>
+
+  <section class="py-12">
+    <h2 class="text-2xl font-bold mb-6">Leistungen</h2>
+    <div class="grid md:grid-cols-3 gap-6">
+      <div class="p-6 border rounded-brand card">
+        <h3 class="font-semibold text-lg">Cloud & DevSecOps</h3>
+        <p class="mt-2 text-textMuted">Plan, Build & Run – effizient, sicher, skalierbar.</p>
+        <a href="/de/leistungen" class="mt-3 inline-block text-primary underline">Mehr erfahren</a>
+      </div>
+      <div class="p-6 border rounded-brand card">
+        <h3 class="font-semibold text-lg">Security & Compliance</h3>
+        <p class="mt-2 text-textMuted">Zero-Trust, IAM, Hardening, Audits, BSI/ISO‑orientierte Prozesse.</p>
+      </div>
+      <div class="p-6 border rounded-brand card">
+        <h3 class="font-semibold text-lg">AI & Automation</h3>
+        <p class="mt-2 text-textMuted">RAG/Agenten, Automatisierung von Betriebsprozessen, sichere Integration.</p>
+      </div>
+    </div>
+  </section>
+
+  <section class="py-14">
+    <h2 class="text-2xl font-bold mb-6">Unser Ansatz</h2>
+    <div class="grid md:grid-cols-4 gap-6">
+      {approach.map((a, i) => (
+        <div class="p-6 border rounded-brand card">
+          <div class="text-xl font-semibold">{i+1}. {a.title}</div>
+          <p class="mt-2 text-textMuted">{a.text}</p>
+        </div>
+      ))}
+    </div>
+  </section>
+
+  <section class="py-12">
+    <div class="rounded-brand p-8 bg-gradient-to-r from-accent to-primary text-white flex flex-col md:flex-row items-center justify-between gap-6">
+      <div class="text-xl font-semibold tracking-wide">Sichere Cloud – pragmatisch umgesetzt.</div>
+      <a href="/de/kontakt" class="px-6 py-3 rounded-brand bg-white text-primary font-medium">Projekt anfragen</a>
+    </div>
+  </section>
+</Base>

src/pages/de/kontakt.astro

@@ -1,7 +1,7 @@
 ---
-import Base from "../layouts/Base.astro";
+import Base from "../../layouts/Base.astro";
 ---
-<Base path="/kontakt" title="Kontakt – Valtrix">
+<Base path="/de/kontakt" title="Kontakt – Valtrix">
   <h1 class="text-3xl font-bold mt-8">Kontakt</h1>
   <form id="contactForm" class="mt-6 grid gap-4 max-w-xl">
     <input class="border rounded-brand p-3" name="name" placeholder="Ihr Name" required>

src/pages/de/leistungen.astro

@@ -1,7 +1,7 @@
 ---
-import Base from "../layouts/Base.astro";
+import Base from "../../layouts/Base.astro";
 ---
-<Base path="/leistungen" title="Leistungen – Valtrix">
+<Base path="/de/leistungen" title="Leistungen – Valtrix">
   <h1 class="text-3xl font-bold font-bold mt-8">Leistungen</h1>
   <div class="grid md:grid-cols-3 gap-6 mt-6">
     <div class="p-6 border rounded-brand card">

src/pages/de/sicherheit.astro

@@ -1,7 +1,7 @@
 ---
-import Base from "../layouts/Base.astro";
+import Base from "../../layouts/Base.astro";
 ---
-<Base path="/sicherheit" title="Sicherheit & Compliance – Valtrix">
+<Base path="/de/sicherheit" title="Sicherheit & Compliance – Valtrix">
   <h1 class="text-3xl font-bold mt-8">Sicherheit & Compliance</h1>
   <ul class="list-disc pl-6 mt-4 text-textMuted">
     <li>Datensouverän: EU-Hosting, DSGVO-konform</li>

src/pages/de/ueber-uns.astro

@@ -1,7 +1,7 @@
 ---
-import Base from "../layouts/Base.astro";
+import Base from "../../layouts/Base.astro";
 ---
-<Base path="/ueber-uns" title="Über uns – Valtrix">
+<Base path="/de/ueber-uns" title="Über uns – Valtrix">
   <h1 class="text-3xl font-bold mt-8">Über uns</h1>
   <p class="mt-4 text-textMuted max-w-2xl">Wir sind ein Team aus Cloud-, Security- und AI-Engineers. Wir bauen robuste Systeme – pragmatisch und messbar.</p>
 </Base>

src/pages/en/index.astro

@@ -3,10 +3,10 @@ import Base from "../../layouts/Base.astro";
 const benefits = [
   { title: "Zero-Trust & Hardening", text: "Security-by-Design, CIS/BSI guidelines, automated policies." },
   { title: "Cloud Foundations", text: "Landing zones, identity, observability – clean & scalable." },
-  { title: "Automation", text: "IaC/CI/CD, GitOps, reproducible & auditable." }
+  { title: "Automation", text: "IaC, CI/CD, GitOps, reproducible & auditable." }
 ];
 const features = [
-  { title: "Cloud & DevOps", text: "Plan, Build & Run – efficient, secure, scalable." },
+  { title: "Cloud & SecOps", text: "Plan, Build & Run – efficient, secure, scalable." },
   { title: "Security & Compliance", text: "BSI/ISO-aligned, Zero-Trust, audits, policies-as-code." },
   { title: "AI & Automation", text: "RAG, agents & process automation with measurable outcome." }
 ];
@@ -56,12 +56,24 @@ const features = [
 
   <section class="py-14">
   <h2 class="text-2xl font-bold mb-6">Our approach</h2>
-    <ol class="grid md:grid-cols-4 gap-6 list-decimal pl-5">
-      <li class="p-5 border rounded-brand card"><strong>Assess:</strong> Risk & maturity → quick scan.</li>
-      <li class="p-5 border rounded-brand card"><strong>Design:</strong> Target architecture & guardrails.</li>
-      <li class="p-5 border rounded-brand card"><strong>Build:</strong> IaC, pipelines, policies-as-code.</li>
-      <li class="p-5 border rounded-brand card"><strong>Run:</strong> Monitoring, audits, cost transparency.</li>
-    </ol>
+    <div class="grid md:grid-cols-4 gap-6">
+      <div class="p-6 border rounded-brand card">
+        <div class="text-xl font-semibold">1. Assess</div>
+        <p class="mt-2 text-textMuted">Risk & maturity analysis: quick-scan, clear priorities.</p>
+      </div>
+      <div class="p-6 border rounded-brand card">
+        <div class="text-xl font-semibold">2. Design</div>
+        <p class="mt-2 text-textMuted">Target architecture & guardrails: secure, scalable blueprints.</p>
+      </div>
+      <div class="p-6 border rounded-brand card">
+        <div class="text-xl font-semibold">3. Build</div>
+        <p class="mt-2 text-textMuted">IaC, pipelines & policies-as-code: reproducible & testable.</p>
+      </div>
+      <div class="p-6 border rounded-brand card">
+        <div class="text-xl font-semibold">4. Run</div>
+        <p class="mt-2 text-textMuted">Monitoring, audits & cost transparency for sustainable operations.</p>
+      </div>
+    </div>
   </section>
 
   <section class="py-12">

src/pages/index.astro

@@ -1,73 +1,10 @@
 ---
 import Base from "../layouts/Base.astro";
-const benefits = [
-  { title: "Zero-Trust & Hardening", text: "Security-by-Design, CIS/BSI-Guidelines, automatisierte Policies." },
-  { title: "Cloud Foundations", text: "Landing Zones, Identity, Observability – sauber & skalierbar." },
-  { title: "Automatisierung", text: "IaC/CI/CD, GitOps, wiederholbar & auditfähig." }
-];
-const features = [
-  { title: "Cloud & DevOps", text: "Plan, Build & Run – effizient, sicher, skalierbar." },
-  { title: "Security & Compliance", text: "BSI/ISO-aligned, Zero-Trust, Audits, Policies-as-Code." },
-  { title: "AI & Automation", text: "RAG, Agenten & Process Automation mit messbarem Outcome." }
-];
 ---
 <Base path="/">
-  <section class="py-16 grid lg:grid-cols-2 gap-12 items-center">
-    <div class="fade-in">
-      <h1 class="text-4xl md:text-5xl font-bold leading-tight">
-        Security-first Cloud Consulting.
-      </h1>
-      <p class="mt-4 text-lg text-textMuted">
-        Wir verbinden <strong>Struktur</strong> und <strong>Wert</strong>: sichere Cloud-Architekturen, Automatisierung und Compliance – pragmatisch und messbar.
-      </p>
-      <div class="mt-8 flex gap-4">
-        <a href="/leistungen" class="px-5 py-3 rounded-brand bg-primary text-white hover:opacity-90">Leistungen</a>
-        <a href="/kontakt" class="px-5 py-3 rounded-brand border border-primary text-primary hover:bg-graybg">Kontakt</a>
-      </div>
-      <div class="mt-8 grid grid-cols-3 gap-4 text-sm text-textMuted">
-        <div class="p-3 border rounded-brand card">DSGVO / EU-Hosting</div>
-        <div class="p-3 border rounded-brand card">BSI/ISO-orientiert</div>
-        <div class="p-3 border rounded-brand card">Auditfähig</div>
-      </div>
-    </div>
-  </section>
-
-  <section class="py-10 grid md:grid-cols-3 gap-6">
-    {benefits.map(b => (
-      <div class="p-6 border rounded-brand hover:shadow-sm transition-shadow card">
-        <h3 class="font-semibold text-lg">{b.title}</h3>
-        <p class="mt-2 text-textMuted">{b.text}</p>
-      </div>
-    ))}
-  </section>
-
-  <section class="py-12">
-  <h2 class="text-2xl font-bold mb-6">Leistungen</h2>
-    <div class="grid md:grid-cols-3 gap-6">
-      {features.map(f => (
-        <div class="p-6 border rounded-brand hover:-translate-y-0.5 transition card">
-          <h3 class="font-semibold text-lg">{f.title}</h3>
-          <p class="mt-2 text-textMuted">{f.text}</p>
-          <a href="/leistungen" class="mt-3 inline-block text-primary underline">Mehr erfahren</a>
-        </div>
-      ))}
-    </div>
-  </section>
-
-  <section class="py-14">
-  <h2 class="text-2xl font-bold mb-6">Unser Ansatz</h2>
-    <ol class="grid md:grid-cols-4 gap-6 list-decimal pl-5">
-      <li class="p-5 border rounded-brand card"><strong>Assess:</strong> Risiko & Reifegrad → Quick-Scan.</li>
-      <li class="p-5 border rounded-brand card"><strong>Design:</strong> Zielarchitektur & Guardrails.</li>
-      <li class="p-5 border rounded-brand card"><strong>Build:</strong> IaC, Pipelines, Policies-as-Code.</li>
-      <li class="p-5 border rounded-brand card"><strong>Run:</strong> Monitoring, Audits, Kostentransparenz.</li>
-    </ol>
-  </section>
-
-  <section class="py-12">
-      <div class="rounded-brand p-8 bg-gradient-to-r from-accent to-primary text-white flex flex-col md:flex-row items-center justify-between gap-6">
-      <div class="text-xl font-semibold tracking-wide">Sichere Cloud – pragmatisch umgesetzt.</div>
-      <a href="/kontakt" class="px-6 py-3 rounded-brand bg-white text-primary font-medium">Projekt anfragen</a>
-    </div>
-  </section>
+  <meta http-equiv="refresh" content="0;url=/de/" />
+  <main class="max-w-7xl mx-auto px-6 py-12">
+    <h1 class="text-2xl font-bold">Weiterleitung</h1>
+    <p class="mt-4">Die Seite wurde verschoben nach <a href="/de/" class="underline">/de/</a>. Sollte die automatische Weiterleitung fehlschlagen, klicke den Link.</p>
+  </main>
 </Base>