Add hostname configuration for production deployment

Add environment variable configuration to support deployment on custom
domains like https://awards.dj7nt.de

## Changes
- Add .env.example with configuration template
- Update API client to use VITE_API_BASE_URL with fallback to /api
- Update SvelteKit config to use VITE_APP_URL for CSRF trusted origins
- Update backend CORS to use configurable allowed origins
- Add ALLOWED_ORIGINS environment variable for production
- Add build and preview scripts to package.json
- Update README with production deployment guide and nginx example

## Environment Variables
- VITE_APP_URL: Application hostname (e.g., https://awards.dj7nt.de)
- VITE_API_BASE_URL: API base URL (empty = relative paths)
- ALLOWED_ORIGINS: Comma-separated CORS origins
- JWT_SECRET: Strong secret for production
- NODE_ENV: development/production

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

.env.example

@@ -0,0 +1,22 @@
+# Application Configuration
+# Copy this file to .env and update with your values
+
+# Hostname for the application (e.g., https://awards.dj7nt.de)
+# Leave empty for development (uses localhost)
+VITE_APP_URL=
+
+# API Base URL (in production, can be same domain or separate)
+# Leave empty to use relative paths (recommended for same-domain deployment)
+VITE_API_BASE_URL=
+
+# Allowed CORS origins for backend (comma-separated)
+# Only needed for production if not using same domain
+# Example: https://awards.dj7nt.de,https://www.awards.dj7nt.de
+ALLOWED_ORIGINS=
+
+# JWT Secret (for production, use a strong random string)
+# Generate with: openssl rand -base64 32
+JWT_SECRET=change-this-in-production
+
+# Node Environment
+NODE_ENV=development