uwsgi and django in pipenv environment with nginx as reverse proxy

0

I have a Django application that is served by uwsgi through a reverse-proxy nginx.

Plus, I want uwsgi to be started via systemd (systemctl enable uwsgi).

I used pipenv to set up the virtual environment and when I configure uwsgi to drop privileges to e.g. the www-data user, it can't find the virtual environment anymore in which uwsgi is installed (alongside Django and other packages).

So currently, uwsgi is running as a normal user with a /bin/bash login shell, defined in /etc/passwd.

From a security perspective, this is bad, right? Or is the reverse proxy via nginx (socket file instead of shared port) good enough?

On the other hand, the www-data user has no shell (in /etc/passwd), so I can't use it to create the virtualenv.

Is there something that I can do to make this more secure while using virtual environments? Or do I have to globally install Django/uwsgi to make this run securely?

doh-nutz

Posted 2019-08-08T09:11:13.410

No answers