switch to uwsgi service

flake.nix

@@ -34,6 +34,8 @@
           install -Dm755 ${./fragify.py} $out/bin/fragify
           mkdir -p $out/share/fragify
           cp -r ${./templates} $out/share/fragify/
+          # Provide a WSGI entry file for uWSGI to load
+          install -Dm644 ${./fragify.py} $out/share/fragify/fragify_wsgi.py
         '';
 
         meta.mainProgram = "fragify";

fragify.py

@@ -16,6 +16,11 @@ class BaseTemplateResource:
     
     def _get_template_dir(self):
         """Get the template directory path, handling both development and installed environments"""
+        # Allow overriding via environment variable (for packaged deployments)
+        env_dir = os.environ.get('FRAGIFY_TEMPLATES_DIR')
+        if env_dir and os.path.exists(env_dir):
+            return env_dir
+
         # Get the directory where this script is located
         script_dir = os.path.dirname(os.path.abspath(__file__))
         

module.nix

@@ -6,7 +6,7 @@
 }:
 let
 
-  cfg = config.services.mail-quota-warning;
+	cfg = config.services.fragify;
 
 in
 {
@@ -27,60 +27,36 @@ in
 
 	config = lib.mkIf cfg.enable {
 
-    systemd.services."fragify" = {
-      description = "fragify web application";
-      after = [ "network.target" ];
-      wants = [ "network-online.target" ];
-      environment = {
-        PYTHONUNBUFFERED = "1";
-      };
-      serviceConfig = {
-        Type = "simple";
-        ExecStart = "${lib.getExe pkgs.fragify}";
-        WorkingDirectory = "%S/fragify";
-        StateDirectory = "fragify";
-        User = "fragify";
-        Group = "fragify";
-
-        # hardening
-        AmbientCapabilities = "";
-        CapabilityBoundingSet = "";
-        DevicePolicy = "closed";
-        DynamicUser = false;
-        LockPersonality = true;
-        MemoryDenyWriteExecute = true;
-        NoNewPrivileges = true;
-        PrivateDevices = true;
-        PrivateTmp = true;
-        PrivateUsers = false;
-        ProcSubset = "pid";
-        ProtectClock = true;
-        ProtectControlGroups = true;
-        ProtectHome = true;
-        ProtectHostname = true;
-        ProtectKernelLogs = true;
-        ProtectKernelModules = true;
-        ProtectKernelTunables = true;
-        ProtectProc = "invisible";
-        ProtectSystem = "strict";
-        RemoveIPC = true;
-        RestrictAddressFamilies = [
-          "AF_INET"
-          "AF_INET6"
-        ];
-        RestrictNamespaces = true;
-        RestrictRealtime = true;
-        RestrictSUIDSGID = true;
-        SystemCallArchitectures = "native";
-        SystemCallFilter = [
-          "@system-service"
-          "~@privileged"
-        ];
-        UMask = "0077";
+		# uWSGI application definition for Fragify
+		services.uwsgi.enable = true;
+		services.uwsgi.user = "fragify";
+		services.uwsgi.group = "fragify";
+		services.uwsgi.plugins = [ "python3" ];
+		services.uwsgi.instance."fragify" = {
+			type = "normal";
+			chdir = "/";
+			# Load WSGI by file path from the packaged share dir
+			wsgi-file = "${pkgs.fragify}/share/fragify/fragify_wsgi.py";
+			module = "fragify:app";
+			pythonPackages = p: with p; [ falcon requests jinja2 ];
+			env = {
+				FRAGIFY_TEMPLATES_DIR = "${pkgs.fragify}/share/fragify/templates";
 			};
+			socket = "unix:${config.services.uwsgi.runDir}/fragify.sock";
+			chmod-socket = "660";
+			umask = "0077";
+			vacuum = true;
+			master = true;
+			processes = 2;
+			threads = 2;
+			harakiri = 60;
+			buffer-size = 65535;
+			# Security hardening
+			need-app = true;
+			no-orphans = true;
 		};
 
-    # Create fragify user and group
+		# Ensure fragify user and group exist
 		users.users.fragify = {
 			isSystemUser = true;
 			group = "fragify";
@@ -88,11 +64,9 @@ in
 		};
 
 		users.groups.fragify = {};
-
 	};
 
 	meta = {
 		maintainers = with lib.maintainers; [ onny ];
 	};
-
 }