# Infrastructure Access
# All values live in `.env` (gitignored). This file maps the topology.

## Servers
| Var | Purpose |
|-----|---------|
| `SSH_USER`, `SSH_HOST`, `SSH_PORT` | Primary server SSH (159.195.60.33) |
| `CR_LIVE_HOST`, `CR_LIVE_USER`, `CR_LIVE_SSH_KEY` | CR owned live server (161.35.173.174) — Laravel app |
| `MARKETING_HOST`, `MARKETING_USER`, `MARKETING_SSH_KEY` | Marketing site (178.128.169.175) — not yet accessible |
| `WP_HOST` | WordPress production (157.245.43.50) — www.charityright.org.uk |

### SSH Commands
```bash
# Primary server
ssh root@159.195.60.33

# CR owned live server
ssh -i ~/.ssh/id_ed25519_charity root@161.35.173.174

# Marketing site (not yet accessible)
ssh -i ~/.ssh/id_ed25519_charity root@178.128.169.175

# WordPress production (www.charityright.org.uk)
ssh root@157.245.43.50
```

## Incus Containers (on primary server)
| Container       | Internal IP     | Status  | Purpose       |
|-----------------|-----------------|---------|---------------|
| cr-server-new   | 10.213.16.224   | RUNNING | CharityRight  |
| qc-server-new   | 10.213.16.234   | RUNNING | QuikCue       |
| qc-server        | —               | STOPPED | legacy        |

## HAProxy (on primary server)
| Domain pattern       | Backend              |
|----------------------|----------------------|
| charityright domains | → cr-server-new:443/80 |
| quikcue domains      | → qc-server-new:443/80 |
| antivirus.quikcue.com| → localhost:8877     |
| SSH (gitea)          | → qc-server-new:2224 |

## Databases
| Var | Type | Purpose |
|-----|------|---------|
| `DATABASE_URL` | Postgres | donation_warehouse (port 5000 on primary) |
| `MYSQL_HOST`, `MYSQL_PORT`, `MYSQL_DATABASE`, `MYSQL_USER`, `MYSQL_PASSWORD` | MySQL | CharityRight legacy (DigitalOcean managed) |
| `REDIS_HOST`, `REDIS_PASSWORD`, `REDIS_PORT` | Redis | CharityRight sessions/cache |

## Services on Server
| Path | Service | Key Vars |
|------|---------|----------|
| `/opt/ayn-antivirus` | AYN Antivirus scanner + dashboard | `ANTHROPIC_API_KEY` |
| `/opt/enthuse-db-sync-v2` | Enthuse donation sync | `ENTHUSE_EMAIL`, `TOTP_SECRET`, `GOOGLE_CLIENT_*` |
| `/opt/launchgood-sync` | LaunchGood donation sync | `LG_EMAIL`, `LG_PASSWORD` |
| `/root/legacy-donation-system-laravel` | CharityRight Laravel app | `STRIPE_*`, `PAYPAL_*`, `GOCARDLESS_*`, `POSTMARK_TOKEN` |
| `/root/redis-v2` | Redis instance | `REDIS_PASSWORD` |

## Payment Providers
| Var prefix | Provider |
|------------|----------|
| `STRIPE_*` | Stripe (live) |
| `PAYPAL_*` | PayPal (live) |
| `GOCARDLESS_*` | GoCardless (live) |

## Mail
| Var | Provider |
|-----|----------|
| `SENDGRID_TX_API_KEY` | SendGrid |
| `POSTMARK_TOKEN` | Postmark (active mailer) |

## Third-party Integrations
| Var | Service |
|-----|---------|
| `N3O_*_ENDPOINT` | N3O/Engage donation import hooks |
| `ZAPIER_WEBHOOK_ENDPOINT` | Zapier automation |
| `GOOGLE_PLACES_API_KEY` | Google Places autocomplete |
| `CT_STRAVA_*` | Strava challenge tracker |
| `WORDPRESS_URL`, `WORDPRESS_KEY` | WordPress (Cloudways) |

## CharityRight n8n
- **URL**: https://n8n.charityright.org.uk
- **API Key**: stored in .env as N8N_CR_API_KEY