diff --git a/.pi/infra.md b/.pi/infra.md index 097a6a5..0c05456 100644 --- a/.pi/infra.md +++ b/.pi/infra.md 
@@ -1,15 +1,60 @@ # Infrastructure Access -# Connection details reference. All values live in `.env` (gitignored). +# All values live in `.env` (gitignored). This file maps the topology. -## Servers -| Name | Host Var | User Var | Port Var | Notes | -|------------|----------------|----------------|----------------|--------------| -| primary | `SSH_HOST` | `SSH_USER` | `SSH_PORT` | main server | +## Server +| Var | Purpose | +|-----|---------| +| `SSH_USER`, `SSH_HOST`, `SSH_PORT` | Primary server SSH access | -## SSH Quick Reference -``` -ssh $SSH_USER@$SSH_HOST -p $SSH_PORT -``` +## Incus Containers (on primary server) +| Container | Internal IP | Status | Purpose | +|-----------------|-----------------|---------|---------------| +| cr-server-new | 10.213.16.224 | RUNNING | CharityRight | +| qc-server-new | 10.213.16.234 | RUNNING | QuikCue | +| qc-server | — | STOPPED | legacy | -## Secrets -All values live in `.env` — never hardcode credentials in this file. +## HAProxy (on primary server) +| Domain pattern | Backend | +|----------------------|----------------------| +| charityright domains | → cr-server-new:443/80 | +| quikcue domains | → qc-server-new:443/80 | +| antivirus.quikcue.com| → localhost:8877 | +| SSH (gitea) | → qc-server-new:2224 | + +## Databases +| Var | Type | Purpose | +|-----|------|---------| +| `DATABASE_URL` | Postgres | donation_warehouse (port 5000 on primary) | +| `MYSQL_HOST`, `MYSQL_PORT`, `MYSQL_DATABASE`, `MYSQL_USER`, `MYSQL_PASSWORD` | MySQL | CharityRight legacy (DigitalOcean managed) | +| `REDIS_HOST`, `REDIS_PASSWORD`, `REDIS_PORT` | Redis | CharityRight sessions/cache | + +## Services on Server +| Path | Service | Key Vars | +|------|---------|----------| +| `/opt/ayn-antivirus` | AYN Antivirus scanner + dashboard | `ANTHROPIC_API_KEY` | +| `/opt/enthuse-db-sync-v2` | Enthuse donation sync | `ENTHUSE_EMAIL`, `TOTP_SECRET`, `GOOGLE_CLIENT_*` | +| `/opt/launchgood-sync` | LaunchGood donation sync | `LG_EMAIL`, `LG_PASSWORD` | +| 
`/root/legacy-donation-system-laravel` | CharityRight Laravel app | `STRIPE_*`, `PAYPAL_*`, `GOCARDLESS_*`, `POSTMARK_TOKEN` | +| `/root/redis-v2` | Redis instance | `REDIS_PASSWORD` | + +## Payment Providers +| Var prefix | Provider | +|------------|----------| +| `STRIPE_*` | Stripe (live) | +| `PAYPAL_*` | PayPal (live) | +| `GOCARDLESS_*` | GoCardless (live) | + +## Mail +| Var | Provider | +|-----|----------| +| `SENDGRID_TX_API_KEY` | SendGrid | +| `POSTMARK_TOKEN` | Postmark (active mailer) | + +## Third-party Integrations +| Var | Service | +|-----|---------| +| `N3O_*_ENDPOINT` | N3O/Engage donation import hooks | +| `ZAPIER_WEBHOOK_ENDPOINT` | Zapier automation | +| `GOOGLE_PLACES_API_KEY` | Google Places autocomplete | +| `CT_STRAVA_*` | Strava challenge tracker | +| `WORDPRESS_URL`, `WORDPRESS_KEY` | WordPress (Cloudways) |
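Review bot: the new header line still says "All values live in `.env`", but the Incus and HAProxy tables added below it commit concrete topology values to the repository (10.213.16.224, 10.213.16.234, localhost:8877, qc-server-new:2224), and the removed `## Secrets` section, which carried the rule against hardcoding credentials in this file, has no replacement. Either reword the header to say that only secrets live in `.env` and that internal addresses are documented here on purpose, or move the addresses and ports behind variables as the old table did for the SSH host, and restore a one-line rule that no credential values go in this file. In the "Services on Server" table, the Key Vars column shows a single `.env` holding the live `STRIPE_*`, `PAYPAL_*` and `GOCARDLESS_*` keys alongside `ANTHROPIC_API_KEY`, `LG_PASSWORD` and `TOTP_SECRET`. Since the table already maps variables to services, consider documenting a per-service env file so that each service reads only its own row, and note where `TOTP_SECRET` is stored relative to the Enthuse login it protects, because keeping the TOTP seed beside the account credentials removes the benefit of the second factor. Two service paths sit under `/root`; a short line on which user each service runs as would help anyone reviewing what a compromised service can reach.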