Always run Singularity with `--cleanenv`

[luator]

Extracted from #68

I am wondering if it actually could make sense to always run Singularity with --cleanenv, in order to improve isolation by default, and prevent subtle bugs.

If some environment variables are actually needed at runtime, they should explicitly be listed in the config.
NOTE: Something to check first: Is it possible to use the variables config to simply pass on existing environment variables?