From 47dd4e52e549202bfe3b26167b95d7f973013496 Mon Sep 17 00:00:00 2001
From: Nick <nickjhiebert@proton.me>
Date: Fri, 18 Jul 2025 18:17:26 -0500
Subject: [PATCH] feat: added comfy ui

---
 modules/config/instances/config/comfyui.nix | 33 +++++++++++++++++
 systems/ceres/config/comfyui.nix            | 41 ++++++++++++++++++++-
 2 files changed, 73 insertions(+), 1 deletion(-)
 create mode 100644 modules/config/instances/config/comfyui.nix

diff --git a/modules/config/instances/config/comfyui.nix b/modules/config/instances/config/comfyui.nix
new file mode 100644
index 0000000..b476b6f
--- /dev/null
+++ b/modules/config/instances/config/comfyui.nix
@@ -0,0 +1,33 @@
+{ moduleFunctions }:
+let
+  inherit (moduleFunctions.instancesFunctions)
+    domain3
+    servicePath
+    sslPath
+    sopsPath
+    ;
+
+  label = "ComfyUI";
+  name = "comfyui";
+in
+{
+  label = label;
+  name = name;
+  short = label;
+
+  sops = {
+    path0 = "${sopsPath}/${name}";
+  };
+  tags = [
+    name
+    "comfy"
+    "ui"
+  ];
+  paths = {
+    path0 = "${servicePath}/${label}";
+  };
+  ports = {
+    port0 = 8188;
+  };
+
+}
diff --git a/systems/ceres/config/comfyui.nix b/systems/ceres/config/comfyui.nix
index a652cc8..3083753 100644
--- a/systems/ceres/config/comfyui.nix
+++ b/systems/ceres/config/comfyui.nix
@@ -4,6 +4,17 @@
   flake,
   ...
 }:
+let
+  inherit (flake.config.machines.devices)
+    ceres
+    ;
+  inherit (flake.config.services.instances)
+    comfyui
+    web
+    ;
+  service = comfyui;
+  localhost = web.localhost.address1;
+in
 {
   nixpkgs.overlays = [
     flake.inputs.nix-comfyui.overlays.default
@@ -12,7 +23,7 @@
   services.comfyui = {
     enable = true;
     openFirewall = true;
-    host = "0.0.0.0"; # Allow external connections
+    host = localhost;
     package = pkgs.comfyuiPackages.comfyui.override {
       extensions = with pkgs.comfyuiPackages.extensions; [
         acly-inpaint
@@ -26,4 +37,32 @@
       ];
     };
   };
+  fileSystems."/var/lib/${service.name}" = {
+    device = service.paths.path0;
+    fsType = "none";
+    options = [
+      "bind"
+    ];
+    depends = [
+      ceres.storage0.mount
+    ];
+  };
+
+  systemd.tmpfiles.rules = [
+    "Z ${service.paths.path0} 755 ${service.name} ${service.name} -"
+    "Z ${service.sops.path0} 755 ${service.name} ${service.name} -"
+  ];
+
+  users.users.${service.name}.extraGroups = [
+    "nginx"
+    "caddy"
+  ];
+
+  networking = {
+    firewall = {
+      allowedTCPPorts = [
+        service.ports.port0
+      ];
+    };
+  };
 }