{ config, pkgs, flake, ... }:
let
  instances = flake.config.services.instances;
  # Instance descriptor for this service: name, domain, ports, paths and the
  # sops/ssl locations are all taken from flake.config rather than hard-coded here.
  svc = instances.comfyui;
  # Address ComfyUI itself listens on (the "localhost" entry of the web instance).
  bindAddr = instances.web.localhost.address1;
  # Public host name Caddy answers for.
  vhost = svc.domains.url0;
  # sops secret that provides CADDY_AUTH_USER / CADDY_AUTH_PASSWORD_HASH; it is
  # both Caddy's environmentFile and the entry declared under sops.secrets below.
  authSecret = "caddy/${svc.name}-auth";
  # sops placement for a caddy-owned secret: an env file readable by caddy only.
  secretFile = suffix: {
    path = "${svc.sops.path0}/${svc.name}-${suffix}.env";
    owner = "caddy";
    mode = "0400";
  };
  ext = pkgs.comfyuiPackages.extensions;
in
{
  # Provides pkgs.comfyuiPackages.
  nixpkgs.overlays = [ flake.inputs.nix-comfyui.overlays.default ];

  services.comfyui = {
    enable = true;
    # NOTE(review): this opens ComfyUI's own listening port in the host firewall,
    # while the basicauth configured in Caddy below only guards the static site.
    # Whether ComfyUI is then reachable from the network without authentication
    # depends on what `bindAddr` resolves to — confirm it is a loopback address.
    openFirewall = true;
    host = bindAddr;
    package = pkgs.comfyuiPackages.comfyui.override {
      # Order kept as in the original list.
      extensions = [
        ext.acly-inpaint
        ext.acly-tooling
        ext.cubiq-ipadapter-plus
        ext.fannovel16-controlnet-aux
      ];
      commandLineArgs = [ "--preview-method" "auto" ];
    };
  };

  services.caddy = {
    # Credentials for the basicauth block are read from the sops-managed env file.
    environmentFile = config.sops.secrets.${authSecret}.path;
    # Static front-end at paths.path0, served over TLS behind HTTP basic auth.
    # There is no reverse_proxy to ComfyUI in this vhost, so the browser must
    # reach ComfyUI by some other route (see the openFirewall note above).
    # NOTE(review): Caddy 2.8+ spells this directive `basic_auth`; the old name
    # still works but is deprecated — check the Caddy version shipped by nixpkgs.
    virtualHosts.${vhost}.extraConfig = ''
      basicauth {
        {$CADDY_AUTH_USER} {$CADDY_AUTH_PASSWORD_HASH}
      }
      root * ${svc.paths.path0}
      file_server
      encode gzip
      try_files {path} /index.html
      tls ${svc.ssl.cert} ${svc.ssl.key}
    '';
  };

  sops.secrets.${authSecret} = secretFile "auth";

  # `Z` recursively sets ownership/mode on the secrets directory so caddy can
  # read the files sops places there.
  systemd.tmpfiles.rules = [ "Z ${svc.sops.path0} 755 caddy caddy -" ];

  # NOTE(review): membership in the shared `users` group gives the service
  # account group access to anything `users`-readable; a dedicated group would
  # be the least-privilege choice — confirm this membership is actually needed.
  users.users.${svc.name}.extraGroups = [ "users" ];

  # Also opens port0 from the instance descriptor. It is not visible from this
  # file whether that is the Caddy listener or the same ComfyUI port that
  # openFirewall already opens.
  networking.firewall.allowedTCPPorts = [ svc.ports.port0 ];
}