Add unified config system (issue #24)

Introduce timetracker/config.py with a single config() helper that resolves
settings from a fixed priority chain: NAME__FILE (opt-in secret) -> env var
-> .env -> settings.ini -> in-code default. Supports type casting
(bool/list/int/Path), file-based secrets with .strip(), and required_in_prod
validation.

Migrate settings.py off the previous ad-hoc idioms:
- DEBUG via config() (PROD kept as deprecated alias)
- SECRET_KEY required in prod, supports SECRET_KEY__FILE
- APP_URL derives ALLOWED_HOSTS and CSRF_TRUSTED_ORIGINS (kept separate,
  each independently overridable); ALLOWED_HOSTS is now configurable
- TZ and DATA_DIR via config()

Fix DATA_DIR inconsistency: entrypoint.sh now reads DATA_DIR (was hardcoded)
so the bash bootstrap and Django agree on the database directory.

Document the container/entrypoint-only flags (PUID/PGID/
CREATE_DEFAULT_SUPERUSER/STAGING/LOAD_SAMPLE_DATA) as bash concerns.

Update deployment configs to set APP_URL (and DEBUG), add docs/configuration.md,
settings.ini.example, regrouped .env.example, CLAUDE.md, and tests.

https://claude.ai/code/session_01FFn8BiGrQpEJarC8xGse8s

.env.example

@@ -1,24 +1,51 @@
-# Docker registry URL (used in docker-compose.yml)
-REGISTRY_URL=registry.kucharczyk.xyz
+# =============================================================================
+# Django application settings (read by timetracker/config.py)
+#
+# Resolution priority, highest first:
+#   SECRET_KEY__FILE  ->  env var  ->  .env  ->  settings.ini  ->  built-in default
+# See docs/configuration.md for the full reference.
+# =============================================================================
 
-# Container timezone
+# Turn DEBUG off in production. Defaults on for local development.
+# (The old PROD=1 variable still works but is deprecated; prefer DEBUG.)
+DEBUG=false
+
+# Secret key. Required in production; an insecure default is used in DEBUG.
+# For Docker/K8s secrets, point SECRET_KEY__FILE at a mounted file instead.
+SECRET_KEY=change-me-to-a-long-random-string
+# SECRET_KEY__FILE=/run/secrets/timetracker_secret_key
+
+# Public URL of the site. Derives ALLOWED_HOSTS and CSRF_TRUSTED_ORIGINS.
+APP_URL=https://tracker.kucharczyk.xyz
+
+# Optional explicit overrides (comma-separated). When set they win over APP_URL.
+# Useful behind a reverse proxy, e.g. ALLOWED_HOSTS=*
+# ALLOWED_HOSTS=*
+# CSRF_TRUSTED_ORIGINS=https://tracker.kucharczyk.xyz
+
+# Container timezone.
 TZ=Europe/Prague
 
-# User/group IDs for container (used in entrypoint.sh)
+# Directory holding the SQLite database (defaults to the project root).
+DATA_DIR=/home/timetracker/app/data
+
+# =============================================================================
+# Container / entrypoint-only settings (read by entrypoint.sh, NOT by Django)
+# =============================================================================
+
+# User/group IDs the container process runs as.
 PUID=1000
 PGID=100
 
-# External port mapping
-TIMETRACKER_EXTERNAL_PORT=8000
-
-# Django production mode (set to "1" for production)
-PROD=1
-
-# Database directory (defaults to project root)
-DATA_DIR=/home/timetracker/app/data
-
-# CSRF trusted origins
-CSRF_TRUSTED_ORIGINS=https://tracker.kucharczyk.xyz
-
-# Create a default admin/admin superuser on startup (for initial setup only)
+# Create an admin/admin superuser on startup (for initial setup only).
 CREATE_DEFAULT_SUPERUSER=false
+
+# =============================================================================
+# docker-compose-only settings (compose file substitution, not the app)
+# =============================================================================
+
+# Docker registry URL (used in docker-compose.yml).
+REGISTRY_URL=registry.kucharczyk.xyz
+
+# External port mapping.
+TIMETRACKER_EXTERNAL_PORT=8000