12-factorize application a little

snikket_web can now be fully configured via the environment alone,
no extra files needed. It is still supported to inject a python
file to generate environment variables though, which may be
useful for generating and reloading a secret key.

example.env

@@ -0,0 +1,43 @@
+# REQUIRED SETTINGS
+# =================
+
+# Secret key used to guard forms and sessions.
+#
+# This must be both reasonably constant and secret. If the secret gets
+# compromised, you can change it (without having to worry about the "constant"
+# requirement).
+#
+# if not constant:
+# - sessions will be lost on each server restart
+#
+# if not secret:
+# - users may be able to forge sessions
+# - attackers may be able to execute things on a properly authenticated user’s
+#   behalf.
+# - other bad things.
+SNIKKET_WEB_SECRET_KEY=
+
+# URL (without trailing /) of the prosody HTTP server.
+#
+# This must be set for anything to work correctly.
+#
+# NOTE: If this does not point at localhost, it MUST use https. Otherwise,
+# passwords will be transmitted in plaintext through insecure channels.
+SNIKKET_WEB_PROSODY_ENDPOINT='http://localhost:5280'
+
+# The domain name of the Snikket server
+#
+# This must be set for login to work correctly.
+SNIKKET_WEB_DOMAIN='localhost'
+
+
+# OPTIONAL SETTINGS
+# =================
+
+# How long browers may cache avatars
+#
+# Setting this to zero forces browsers to check if their locally cached copy
+# of an avatar is still up-to-date on every request; if it is, the avatar is
+# not re-transferred.
+#
+# SNIKKET_WEB_AVATAR_CACHE_TTL = 1800