Doing some testing to make sure that Cloudflare works with the app

configs/shard.test.yaml

@@ -0,0 +1,69 @@
+shard_id: "gc-test-001"
+
+listen:
+  http: "0.0.0.0:9080"      # API for testers
+  https: ""                 # if you terminate TLS at a proxy, leave empty
+  ws:   "0.0.0.0:9081"      # reserved
+
+tls:
+  enable: false             # set true only if serving HTTPS directly here
+  cert_file: "/etc/greencoast/tls/cert.pem"
+  key_file: "/etc/greencoast/tls/key.pem"
+
+federation:
+  mtls_enable: false
+  listen: "0.0.0.0:9443"
+  cert_file: "/etc/greencoast/fed/cert.pem"
+  key_file: "/etc/greencoast/fed/key.pem"
+  client_ca_file: "/etc/greencoast/fed/clients_ca.pem"
+
+ui:
+  enable: true
+  path: "./client"
+  base_url: "/"
+  frontend_http: "0.0.0.0:9082"   # static client for testers
+
+storage:
+  backend: "fs"
+  path: "/var/lib/greencoast/objects"
+  max_object_kb: 128              # lower if you want to constrain uploads
+
+security:
+  zero_trust: true
+  require_mtls_for_federation: true
+  accept_client_signed_tokens: true
+  log_level: "warn"
+
+privacy:
+  retain_ip: "no"
+  retain_user_agent: "no"
+  retain_timestamps: "coarse"
+
+auth:
+  # IMPORTANT: rotate this per environment (use `openssl rand -hex 32`)
+  signing_secret: "D941C4F91D0046D28CDBC3F425DE0B4EA26BD2A80434E0F160D1B7C813EB43F8"
+  sso:
+    discord:
+      enabled: true
+      client_id: "REPLACE"
+      client_secret: "REPLACE"
+      # must exactly match your Discord app's allowed redirect
+      redirect_uri: "https://greencoast.fullmooncyberworks.com/auth-callback.html"
+    google:
+      enabled: false
+      client_id: ""
+      client_secret: ""
+      redirect_uri: ""
+    facebook:
+      enabled: false
+      client_id: ""
+      client_secret: ""
+      redirect_uri: ""
+  two_factor:
+    webauthn_enabled: false
+    totp_enabled: false
+
+limits:
+  rate:
+    burst: 20
+    per_minute: 60            # slightly tighter for external testing