This article was originally published on runaihome.com
Installing ComfyUI on a Linux box and running python main.py from your home directory works fine for an afternoon of experimenting. It does not work as your household image-generation server. The moment you reboot the machine, ssh out for the day, or hand a URL to your partner, the seams show: the process is gone, the port is unreachable, there's no auth, and http://192.168.1.50:8188 is not what you want to text a non-technical user.
This guide walks through a real production install of ComfyUI on Ubuntu 24.04—the kind that boots cleanly, survives reboots, exposes itself over HTTPS, and keeps the public internet out. ComfyUI v0.21.0 (May 11, 2026 release) is the target. Estimated setup time: 45 minutes if you have an NVIDIA driver already working.
What "Production" Actually Means Here
This is a home production setup, not an AWS-grade deployment. The bar is specific:
| Requirement | How this guide solves it | Out of scope |
|---|---|---|
| Survives reboots | systemd unit with Restart=on-failure | — |
| HTTPS, not HTTP | Caddy with automatic Let's Encrypt / Tailscale certs | — |
| Remote access without port forwarding | Tailscale mesh on the host | Cloudflare Tunnel, Wireguard hand-rolled |
| Access control | Caddy basicauth + shared password | SSO, per-user accounts, OAuth |
| Persistent model paths | /opt/comfyui/app/models/ with optional symlinks | Centralized model registry |
| Reproducible install | Plain apt, pip, and a Caddyfile | Docker, NixOS, Ansible |
| Multi-tenant / per-user GPU | Not solved — covered in "Honest auth gap" section | comfy-multi, SaaS deployments |
What this is not: multi-tenant, SSO, isolated GPU per user, enterprise-grade RBAC. ComfyUI doesn't support those yet, and bolting them on is a different scope than what one home-lab box needs.
Step 0: Prerequisites
Before starting, you should have:
- Ubuntu 24.04 LTS installed, fully updated (sudo apt update && sudo apt upgrade)
- NVIDIA driver installed and working (nvidia-smi returns your GPU)
- Python 3.12 or 3.13 (3.13 is "very well supported" per ComfyUI's repo)
- 80+ GB free storage on the partition where models will live
- Sudo access on the box
- A Tailscale account (free tier is fine)
If your NVIDIA driver isn't installed, run sudo ubuntu-drivers autoinstall && sudo reboot, then verify with nvidia-smi.
Step 1: Create a Dedicated User
Running ComfyUI as your personal user account works but blurs the boundary between "things I'm experimenting with" and "things my house relies on." Create a service user:
sudo useradd -m -s /bin/bash -d /opt/comfyui comfyui
sudo usermod -aG video,render comfyui
The video and render groups give the service user access to the GPU device nodes. Without them, the service can't see the GPU and you'll get cryptic CUDA errors.
Step 2: Install ComfyUI
Switch to the service user and clone the repo:
sudo -u comfyui -i
cd /opt/comfyui
git clone https://github.com/comfyanonymous/ComfyUI.git app
cd app
python3 -m venv .venv
source .venv/bin/activate
pip install --upgrade pip
pip install torch torchvision --index-url https://download.pytorch.org/whl/cu124
pip install -r requirements.txt
The PyTorch CUDA 12.4 build matches the driver versions Ubuntu 24.04 ships with by default. If nvidia-smi reports a different CUDA version at the top right, match the cu suffix accordingly (e.g. cu121 for CUDA 12.1).
Verify the install:
python main.py --listen 127.0.0.1 --port 8188
You should see ComfyUI boot, detect your GPU, and listen on localhost:8188. Ctrl+C to stop—we'll start it the right way next.
Where models actually go
ComfyUI's model directory structure matters. Put SD/SDXL/Flux checkpoints in models/checkpoints/, VAEs in models/vae/, LoRAs in models/loras/. The full layout is documented in the official repo. If you already have models on another drive, symlink them rather than copying:
ln -s /mnt/storage/ai-models/checkpoints /opt/comfyui/app/models/checkpoints
Symlinks are cheaper than copies and let you upgrade ComfyUI without re-downloading 40 GB of weights every time.
Step 3: Create the systemd Unit
This is the part that converts "a script I ran once" into "a service my house runs on." Create /etc/systemd/system/comfyui.service:
[Unit]
Description=ComfyUI image generation server
After=network-online.target
Wants=network-online.target
[Service]
Type=simple
User=comfyui
Group=comfyui
WorkingDirectory=/opt/comfyui/app
Environment="PATH=/opt/comfyui/app/.venv/bin"
ExecStart=/opt/comfyui/app/.venv/bin/python /opt/comfyui/app/main.py \
--listen 127.0.0.1 \
--port 8188 \
--preview-method auto
Restart=on-failure
RestartSec=5
StandardOutput=append:/var/log/comfyui/comfyui.log
StandardError=append:/var/log/comfyui/comfyui.err
[Install]
WantedBy=multi-user.target
Create the log directory:
sudo mkdir -p /var/log/comfyui
sudo chown comfyui:comfyui /var/log/comfyui
Enable and start:
sudo systemctl daemon-reload
sudo systemctl enable --now comfyui.service
sudo systemctl status comfyui.service
Three things to note in the unit file: ComfyUI binds to 127.0.0.1, not 0.0.0.0. Direct network access is intentionally not allowed—Caddy will be the only thing that can reach it. Restart=on-failure brings the service back if a memory-hungry workflow OOMs. The log paths are separated from journald so you can tail -f workflow output without journalctl ceremony.
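To confirm the bind behaviour described above once the service is running, the functions below read `ss -Hltn` output and flag any listener on port 8188 that is not on loopback. This is an added example, not part of the original guide; the function names and the two sample snapshots are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): audit listening sockets against
# the bind policy above. Input is the output of `ss -Hltn` on stdin.

# Print each non-loopback local address that has a TCP listener on port $1.
exposed_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            match($4, /:[^:]*$/)              # last colon splits address from port
            addr = substr($4, 1, RSTART - 1)
            p = substr($4, RSTART + 1)
            sub(/%.*$/, "", addr)             # drop a scope suffix such as %lo
            if (p == port && addr !~ /^127\./ && addr != "[::1]") print addr
        }'
}

# Exit status: 0 = port $1 is loopback-only, 1 = reachable from the network,
# 2 = nothing is listening on it (service down or wrong port).
backend_is_private() {
    port="$1"
    snapshot="$(cat)"
    printf '%s\n' "$snapshot" |
        awk -v port="$port" '$1 == "LISTEN" && $4 ~ (":" port "$") { up = 1 } END { exit !up }' ||
        return 2
    [ -z "$(printf '%s\n' "$snapshot" | exposed_listeners "$port")" ]
}

# Constructed sample: the layout this guide produces (ComfyUI on loopback, Caddy on 443).
SAMPLE_GOOD='LISTEN 0 128  127.0.0.1:8188    0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 4096 *:443            *:*'

# Constructed sample: the same host if the unit were started with --listen 0.0.0.0.
SAMPLE_BAD='LISTEN 0 128  0.0.0.0:8188 0.0.0.0:*
LISTEN 0 4096 *:443        *:*'

report() {
    if printf '%s\n' "$2" | backend_is_private 8188; then
        echo "$1: port 8188 is loopback-only"
    else
        echo "$1: port 8188 check failed: $(printf '%s\n' "$2" | exposed_listeners 8188)"
    fi
}
report good "$SAMPLE_GOOD"
report bad "$SAMPLE_BAD"
# On the server itself: ss -Hltn | backend_is_private 8188; echo "exit=$?"
```

An exit status of 2 means nothing is listening on the port at all, which separates a stopped service from an exposed one.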
Step 4: Install Caddy as Reverse Proxy
Caddy is the right reverse proxy for this job specifically because it handles HTTPS certificates automatically and has a clean Caddyfile syntax. Install from the official repo:
sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https curl
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt update
sudo apt install caddy
Caddyfile for ComfyUI
Create /etc/caddy/Caddyfile:
comfy.your-tailnet.ts.net {
reverse_proxy 127.0.0.1:8188
basicauth /* {
yourname $2a$14$YOUR_BCRYPT_HASH_HERE
}
}
Generate the bcrypt hash with:
caddy hash-password
Type your password, paste the output into the Caddyfile. This protects ComfyUI from anyone on your Tailnet who isn't you—a small but real protection against a friend forwarding a Tailscale invite to someone you didn't intend to share with.
Reload Caddy:
sudo systemctl reload caddy
Step 5: Tailscale for Remote Access
Port-forwarding ComfyUI to the public internet is a bad idea. It's a Python web app with arbitrary code execution by design (custom nodes can run anything), no auth in v0.21.0, and a long history of finger-pointing about who's responsible for security (upstream feature request #10653 remains open as of May 2026).
Install Tailscale:
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up
Follow the printed URL to authenticate. The host gets a *.ts.net MagicDNS name—use that in your Caddyfile (replace comfy.your-tailnet.ts.net with your actual hostname).
For TLS specifically, Tailscale issues HTTPS certs for *.ts.net names. Caddy will fetch them automatically if the host is in your Tailnet and HTTPS is enabled at the Tailscale admin panel under DNS settings.
Now you can hit https://comfy.your-tailnet.ts.net from any of your Tailscale-connected devices—laptop, phone, tablet—without any port-forwarding. Friends or family you want to share with: invite them to your Tailnet (Tailscale free tier supports up to 3 users / 100 devices).
Step 6: Verify the Stack
A worki