Added example/dropin replacements for .env.example

Fixed the issue with PlainText (Complete Anon) posting
Need to fix device sign on issues.
Need to make it so that the non-signed in devices can only see their equalivant level of posts. (i.e. plaintext, public-encrypted, private-encrypted)

configs/shard.test.yaml

@@ -1,32 +1,32 @@
 shard_id: "gc-test-001"
 
 listen:
-  http: "0.0.0.0:9080"      # API for testers
-  https: ""                 # if you terminate TLS at a proxy, leave empty
-  ws:   "0.0.0.0:9081"      # reserved
+  http: "0.0.0.0:9080"
+  https: ""
+  ws:   "0.0.0.0:9081"
 
 tls:
-  enable: false             # set true only if serving HTTPS directly here
+  enable: false
   cert_file: "/etc/greencoast/tls/cert.pem"
-  key_file: "/etc/greencoast/tls/key.pem"
+  key_file:  "/etc/greencoast/tls/key.pem"
 
 federation:
   mtls_enable: false
   listen: "0.0.0.0:9443"
   cert_file: "/etc/greencoast/fed/cert.pem"
-  key_file: "/etc/greencoast/fed/key.pem"
+  key_file:  "/etc/greencoast/fed/key.pem"
   client_ca_file: "/etc/greencoast/fed/clients_ca.pem"
 
 ui:
   enable: true
   path: "./client"
   base_url: "/"
-  frontend_http: "0.0.0.0:9082"   # static client for testers
+  frontend_http: "0.0.0.0:9082"
 
 storage:
   backend: "fs"
   path: "/var/lib/greencoast/objects"
-  max_object_kb: 128              # lower if you want to constrain uploads
+  max_object_kb: 128
 
 security:
   zero_trust: true
@@ -38,27 +38,20 @@ privacy:
   retain_ip: "no"
   retain_user_agent: "no"
   retain_timestamps: "coarse"
+  allow_anon_plaintext: true
 
 auth:
-  # IMPORTANT: rotate this per environment (use `openssl rand -hex 32`)
-  signing_secret: "D941C4F91D0046D28CDBC3F425DE0B4EA26BD2A80434E0F160D1B7C813EB43F8"
+  # Choose either YAML OR env for the signing secret — not both.
+  # If you keep it here, make sure it's EXACTLY the same as the env value.
+  signing_secret: GC_SIGNING_SECRET_HEX
   sso:
     discord:
       enabled: true
-      client_id: "1408292766319906946"
-      client_secret: "zJ6GnUUykHbMFbWsPPneNxNK-PtOXYg1"
-      # must exactly match your Discord app's allowed redirect
-      redirect_uri: "https://greencoast.fullmooncyberworks.com/auth-callback.html"
-    google:
-      enabled: false
-      client_id: ""
-      client_secret: ""
-      redirect_uri: ""
-    facebook:
-      enabled: false
-      client_id: ""
-      client_secret: ""
-      redirect_uri: ""
+      client_id: GC_DISCORD_CLIENT_ID
+      client_secret: GC_DISCORD_CLIENT_SECRET
+      redirect_uri: GC_DISCORD_REDIRECT_URI
+    google:   { enabled: false, client_id: "", client_secret: "", redirect_uri: "" }
+    facebook: { enabled: false, client_id: "", client_secret: "", redirect_uri: "" }
   two_factor:
     webauthn_enabled: false
     totp_enabled: false
@@ -66,4 +59,4 @@ auth:
 limits:
   rate:
     burst: 20
-    per_minute: 60            # slightly tighter for external testing
+    per_minute: 60