infra.md: full topology map, .env: all server credentials

2026-03-03 03:11:11 +08:00
parent dfd64112dd
commit 1389c848b2
1 changed files with 56 additions and 11 deletions
--- a/.pi/infra.md
+++ b/.pi/infra.md
@@ -1,15 +1,60 @@
 # Infrastructure Access
-# Connection details reference. All values live in `.env` (gitignored).
+# All values live in `.env` (gitignored). This file maps the topology.
-## Servers
+## Server
-| Name       | Host Var       | User Var       | Port Var       | Notes        |
+| Var | Purpose |
-|------------|----------------|----------------|----------------|--------------|
+|-----|---------|
-| primary    | `SSH_HOST`     | `SSH_USER`     | `SSH_PORT`     | main server  |
+| `SSH_USER`, `SSH_HOST`, `SSH_PORT` | Primary server SSH access |
-## SSH Quick Reference
+## Incus Containers (on primary server)
-```
+| Container       | Internal IP     | Status  | Purpose       |
-ssh $SSH_USER@$SSH_HOST -p $SSH_PORT
+|-----------------|-----------------|---------|---------------|
-```
+| cr-server-new   | 10.213.16.224   | RUNNING | CharityRight  |
 | qc-server-new   | 10.213.16.234   | RUNNING | QuikCue       |
 | qc-server        | —               | STOPPED | legacy        |
-## Secrets
+## HAProxy (on primary server)
-All values live in `.env` — never hardcode credentials in this file.
+| Domain pattern       | Backend              |
 |----------------------|----------------------|
 | charityright domains | → cr-server-new:443/80 |
 | quikcue domains      | → qc-server-new:443/80 |
 | antivirus.quikcue.com| → localhost:8877     |
 | SSH (gitea)          | → qc-server-new:2224 |
 ## Databases
 | Var | Type | Purpose |
 |-----|------|---------|
 | `DATABASE_URL` | Postgres | donation_warehouse (port 5000 on primary) |
 | `MYSQL_HOST`, `MYSQL_PORT`, `MYSQL_DATABASE`, `MYSQL_USER`, `MYSQL_PASSWORD` | MySQL | CharityRight legacy (DigitalOcean managed) |
 | `REDIS_HOST`, `REDIS_PASSWORD`, `REDIS_PORT` | Redis | CharityRight sessions/cache |
 ## Services on Server
 | Path | Service | Key Vars |
 |------|---------|----------|
 | `/opt/ayn-antivirus` | AYN Antivirus scanner + dashboard | `ANTHROPIC_API_KEY` |
 | `/opt/enthuse-db-sync-v2` | Enthuse donation sync | `ENTHUSE_EMAIL`, `TOTP_SECRET`, `GOOGLE_CLIENT_*` |
 | `/opt/launchgood-sync` | LaunchGood donation sync | `LG_EMAIL`, `LG_PASSWORD` |
 | `/root/legacy-donation-system-laravel` | CharityRight Laravel app | `STRIPE_*`, `PAYPAL_*`, `GOCARDLESS_*`, `POSTMARK_TOKEN` |
 | `/root/redis-v2` | Redis instance | `REDIS_PASSWORD` |
 ## Payment Providers
 | Var prefix | Provider |
 |------------|----------|
 | `STRIPE_*` | Stripe (live) |
 | `PAYPAL_*` | PayPal (live) |
 | `GOCARDLESS_*` | GoCardless (live) |
 ## Mail
 | Var | Provider |
 |-----|----------|
 | `SENDGRID_TX_API_KEY` | SendGrid |
 | `POSTMARK_TOKEN` | Postmark (active mailer) |
 ## Third-party Integrations
 | Var | Service |
 |-----|---------|
 | `N3O_*_ENDPOINT` | N3O/Engage donation import hooks |
 | `ZAPIER_WEBHOOK_ENDPOINT` | Zapier automation |
 | `GOOGLE_PLACES_API_KEY` | Google Places autocomplete |
 | `CT_STRAVA_*` | Strava challenge tracker |
 | `WORDPRESS_URL`, `WORDPRESS_KEY` | WordPress (Cloudways) |