diff --git a/README.md b/README.md
index 1e42df4..7cc5be2 100644
--- a/README.md
+++ b/README.md
@@ -9,34 +9,43 @@ Infrastructure-as-Code for a 3-machine homelab running K3s.
 | 0 | Backup configs, init repo | ✅ Done |
 | 1 | Bootstrap Minisforum — K3s server + Traefik | ✅ Done |
 | 2 | Join Debian as K3s agent, SMB setup | ⏳ Next |
-| 3 | Deploy core infra — Gitea, Pi-hole, DDNS | 🔜 Planned |
-| 4 | Deploy app services — Jellyfin, qBittorrent, etc. | 🔜 Planned |
-| 5 | Networking cutover | 🔜 Planned |
+| 3 | Deploy core infra — Gitea, Pi-hole, DDNS | 🔧 In progress |
+| 4 | Deploy app services — Jellyfin, qBittorrent, JDownloader, Dashy, Glances | 🔜 Planned |
+| 5 | Networking cutover — router, Traefik ingress, DNS | 🔜 Planned |
 | 6 | Cleanup legacy Debian services | 🔜 Planned |
 
 ## Architecture
 
 | Machine | IP | SSH Port | Role | Status |
 |---|---|---|---|---|
-| Minisforum UM780 XTX | 192.168.7.77 | 430 | K3s server | ✅ Running — K3s + Traefik |
-| Debian Server (HP ProDesk) | TBD | — | K3s agent | ⏳ Phase 2 |
-| Mac Mini M2 | TBD | — | Standalone | ⏳ Phase 3+ |
+| Minisforum UM780 XTX | 192.168.7.77 | 430 | K3s server, main gateway | ✅ Running — K3s + Traefik |
+| Debian Server (HP ProDesk) | TBD | — | K3s agent, SMB storage | ⏳ Phase 2 |
+| Mac Mini M2 | TBD | — | Standalone (outside cluster) | ⏳ Phase 3+ |
+
+## Internal Services (Minisforum)
+
+| Service | URL | Notes |
+|---|---|---|
+| Traefik | — | Ingress controller, Let's Encrypt |
+| Gitea | `https://gitea.home.arpa` | Git + Docker registry, SSH on port 2222 |
+| Pi-hole | `https://pihole.home.arpa/admin` | Primary DNS, resolves `*.home.arpa` → 192.168.7.77 |
 
 ## Repo Structure
 
 ```
 ansible/
- inventory.yml # host definitions
- playbooks/ # top-level playbooks
+ inventory.yml # host definitions
+ playbooks/
+ bootstrap-minisforum.yml # OS hardening, packages, UFW, /data dirs
+ setup-k3s.yml # K3s server install, Helm, kubeconfig
 roles/
- common/ # base OS setup (users, SSH, UFW, packages)
- k3s-server/ # K3s server install + Helm
- k3s-agent/ # K3s agent join (Phase 2)
- smb/ # Samba on Debian (Phase 2)
-helm/ # custom Helm charts (if needed; most use upstream charts)
-values/ # Helm values files per service
-scripts/ # deploy-all.sh, porkbun-ddns.sh
-old.debian-data/ # gitignored — backup of pre-migration configs
+ common/ # user, SSH hardening, UFW, base packages
+ k3s-server/ # K3s server install + Helm
+values/
+ traefik.yml ✅ deployed
+ gitea.yml 🔧 in progress
+ pihole.yml 🔧 in progress
+old.debian-data/ # gitignored — backup of pre-migration configs
 ```
 
 ## Prerequisites
@@ -66,10 +75,23 @@ ansible-playbook -i ansible/inventory.yml ansible/playbooks/bootstrap-minisforum
 # Re-run K3s setup (idempotent)
 ansible-playbook -i ansible/inventory.yml ansible/playbooks/setup-k3s.yml
 
-# Upgrade Traefik
+# Traefik
+helm repo add traefik https://helm.traefik.io/traefik && helm repo update
 helm upgrade --install traefik traefik/traefik \
 --namespace traefik --create-namespace \
 -f values/traefik.yml
+
+# Gitea
+helm repo add gitea-charts https://dl.gitea.com/charts/ && helm repo update
+helm upgrade --install gitea gitea-charts/gitea \
+ --namespace gitea --create-namespace \
+ -f values/gitea.yml
+
+# Pi-hole
+helm repo add mojo2600 https://mojo2600.github.io/pihole-kubernetes/ && helm repo update
+helm upgrade --install pihole mojo2600/pihole \
+ --namespace pihole --create-namespace \
+ -f values/pihole.yml
 ```
 
 ## See Also