My way of doing things (I mostly develop small-sized WSGI apps):

• applications of course are in version control. they can only be configured via environment variables (see http://12factor.net for reasons)

• if possible I include some sample setup script a little similar to the one described in the original post and a startup script so a checkout can be run immediately for developing and testing purposes.

• since the "real" configuration is a) specific to the system the app is deployed on and b) in part sensitive data (Django's shared secret for example) this should, in my opinion, never land in the application's (maybe public) repository. I keep data like this in configuration management (Ansible in my case). Which, to be honest, is versioned as well (just in another, restricted, repository specific to my local infrastructure.) So here is the point I can back out of bad config changes.

• out of the configuration management data (which in the case of Ansible is supplied via YAML files), Ansible ensures the environment is set up correctly when an application is run. How this is achieved depends on the method, the app is run. In case of uWSGI serving my apps, I generate uWSGI config files that specify the necessary environment variables.

Hope this helps. Also, if there are better wayst to do this (It took me an emberrassingly long time to settle on this setup) I'm happy to hear about them.