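# NixOS module: runs ComfyUI on a local address and publishes it through a
# Caddy virtual host that terminates TLS and enforces HTTP basic auth.
#
# Arguments:
#   config, pkgs - standard module arguments (only referenced by the
#                  commented-out package override below).
#   flake        - project flake; supplies the machine and service instance
#                  definitions read in the `let` block.
{
  config,
  pkgs,
  flake,
  ...
}:
let
  inherit (flake.config.machines.devices) ceres;
  inherit (flake.config.services.instances) comfyui web;

  service = comfyui;
  # Address the backend binds to and Caddy proxies to.
  # NOTE(review): presumably a loopback address, going by the name. Confirm in
  # the `web` instance definition.
  localhost = web.localhost.address1;
  # Public hostname served by Caddy.
  host = service.domains.url0;
in
{
  nixpkgs.overlays = [
    flake.inputs.nix-comfyui.overlays.default
  ];

  services = {
    comfyui = {
      enable = true;
      # The backend has no authentication of its own in this module; the only
      # access control is the basic auth on the Caddy virtual host below.
      # Opening the backend port in the firewall would let clients skip the
      # proxy if the bind address were ever changed to a routable one, so the
      # port stays closed and all access goes through Caddy.
      openFirewall = false;
      host = localhost;
      # package = pkgs.comfyuiPackages.comfyui.override {
      #   extensions = with pkgs.comfyuiPackages.extensions; [
      #     acly-inpaint
      #     acly-tooling
      #     kosinkadink-advanced-controlnet
      #     kosinkadink-animatediff-evolved
      #     kosinkadink-video-helper-suite
      #     lev145-images-grid
      #     ssitu-ultimate-sd-upscale
      #   ];
      #   commandLineArgs = [
      #     "--preview-method"
      #     "auto"
      #   ];
      # };
    };

    caddy = {
      virtualHosts = {
        "${host}" = {
          # {$CADDY_AUTH_USER} and {$CADDY_AUTH_PASSWORD_HASH} are Caddyfile
          # environment placeholders, so both variables must be present in the
          # Caddy unit's environment, which is configured outside this file.
          # Check that Caddy fails to start, not that auth is skipped, when
          # they are missing.
          # NOTE(review): newer Caddy releases spell this directive
          # `basic_auth`; check against the deployed Caddy version.
          extraConfig = ''
            basicauth {
              {$CADDY_AUTH_USER} {$CADDY_AUTH_PASSWORD_HASH}
            }

            reverse_proxy ${localhost}:${toString service.ports.port0}

            tls ${service.ssl.cert} ${service.ssl.key}
          '';
        };
      };
    };
  };

  # Expose the model store from the storage volume inside the service's state
  # directory; the bind mount waits for the underlying storage mount.
  fileSystems."/var/lib/${service.name}/models" = {
    device = "${service.paths.path0}/models";
    fsType = "none";
    options = [ "bind" ];
    depends = [ ceres.storage0.mount ];
  };

  systemd.tmpfiles.rules = [
    # "d /var/lib/${service.name}/custom_nodes 755 ${service.name} ${service.name} -"
    # `Z` applies owner and mode recursively. Models are root-owned and
    # read-only for the service user.
    "Z ${service.paths.path0}/models 755 root root -"
    # The secrets path was recursively set to 755, i.e. readable by every
    # local user. Restrict it to the caddy user and group; the service user
    # is a member of the caddy group (see below) and keeps read access.
    # NOTE(review): confirm that nothing outside the caddy group reads this
    # path.
    "Z ${service.sops.path0} 0750 caddy caddy -"
  ];

  # NOTE(review): membership in `caddy` gives the ComfyUI process access to
  # whatever is group-readable by caddy, which may include the TLS key and the
  # auth hash. Drop the group if the service does not need those files.
  users.users.${service.name}.extraGroups = [
    "users"
    "caddy"
  ];

  # The backend port is deliberately not listed in
  # networking.firewall.allowedTCPPorts: the service is reached only through
  # the Caddy virtual host above. The firewall rules for Caddy's own listener
  # ports are not defined in this module.
}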