Installing ComfyUI on a Linux box and running python main.py from your home directory works fine for an afternoon of experimenting. It does not work as your household image-generation server. The moment you reboot the machine, ssh out for the day, or hand a URL to your partner, the seams show: the process is gone, the port is unreachable, there’s no auth, and http://192.168.1.50:8188 is not what you want to text a non-technical user.

This guide walks through a real production install of ComfyUI on Ubuntu 24.04—the kind that boots cleanly, survives reboots, exposes itself over HTTPS, and keeps the public internet out. ComfyUI v0.21.0 (May 11, 2026 release) is the target. Estimated setup time: 45 minutes if you have an NVIDIA driver already working.

What “Production” Actually Means Here

This is a home production setup, not an AWS-grade deployment. The bar is specific:

Requirement	How this guide solves it	Out of scope
Survives reboots	systemd unit with Restart=on-failure	—
HTTPS, not HTTP	Caddy with automatic Let’s Encrypt / Tailscale certs	—
Remote access without port forwarding	Tailscale mesh on the host	Cloudflare Tunnel, Wireguard hand-rolled
Access control	Caddy basicauth + shared password	SSO, per-user accounts, OAuth
Persistent model paths	/opt/comfyui/app/models/ with optional symlinks	Centralized model registry
Reproducible install	Plain apt, pip, and a Caddyfile	Docker, NixOS, Ansible
Multi-tenant / per-user GPU	Not solved — covered in “Honest auth gap” section	comfy-multi, SaaS deployments

What this is not: multi-tenant, SSO, isolated GPU per user, enterprise-grade RBAC. ComfyUI doesn’t support those yet, and bolting them on is a different scope than what one home-lab box needs.

Step 0: Prerequisites

Before starting, you should have:

• Ubuntu 24.04 LTS installed, fully updated (sudo apt update && sudo apt upgrade)
• NVIDIA driver installed and working (nvidia-smi returns your GPU)
• Python 3.12 or 3.13 (3.13 is “very well supported” per ComfyUI’s repo)
• 80+ GB free storage on the partition where models will live
• Sudo access on the box
• A Tailscale account (free tier is fine)

If your NVIDIA driver isn’t installed: sudo ubuntu-drivers autoinstall && sudo reboot and verify with nvidia-smi.

Step 1: Create a Dedicated User

Running ComfyUI as your personal user account works but blurs the boundary between “things I’m experimenting with” and “things my house relies on.” Create a service user:

sudo useradd -m -s /bin/bash -d /opt/comfyui comfyui
sudo usermod -aG video,render comfyui

The video and render groups give the service user access to the GPU device nodes. Without them, the service can’t see the GPU and you’ll get cryptic CUDA errors.

Step 2: Install ComfyUI

Switch to the service user and clone the repo:

sudo -u comfyui -i
cd /opt/comfyui
git clone https://github.com/comfyanonymous/ComfyUI.git app
cd app
python3 -m venv .venv
source .venv/bin/activate
pip install --upgrade pip
pip install torch torchvision --index-url https://download.pytorch.org/whl/cu124
pip install -r requirements.txt

The PyTorch CUDA 12.4 build matches the driver versions Ubuntu 24.04 ships with by default. If nvidia-smi reports a different CUDA version at the top right, match the cu suffix accordingly (e.g. cu121 for CUDA 12.1).

Verify the install:

python main.py --listen 127.0.0.1 --port 8188

You should see ComfyUI boot, detect your GPU, and listen on localhost:8188. Ctrl+C to stop—we’ll start it the right way next.

Where models actually go

ComfyUI’s model directory structure matters. Put SD/SDXL/Flux checkpoints in models/checkpoints/, VAEs in models/vae/, LoRAs in models/loras/. The full layout is documented in the official repo. If you already have models on another drive, symlink them rather than copying:

ln -s /mnt/storage/ai-models/checkpoints /opt/comfyui/app/models/checkpoints

Symlinks are cheaper than copies and let you upgrade ComfyUI without re-downloading 40 GB of weights every time.

Step 3: Create the systemd Unit

This is the part that converts “a script I ran once” into “a service my house runs on.” Create /etc/systemd/system/comfyui.service:

[Unit]
Description=ComfyUI image generation server
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=comfyui
Group=comfyui
WorkingDirectory=/opt/comfyui/app
Environment="PATH=/opt/comfyui/app/.venv/bin"
ExecStart=/opt/comfyui/app/.venv/bin/python /opt/comfyui/app/main.py \
  --listen 127.0.0.1 \
  --port 8188 \
  --preview-method auto
Restart=on-failure
RestartSec=5
StandardOutput=append:/var/log/comfyui/comfyui.log
StandardError=append:/var/log/comfyui/comfyui.err

[Install]
WantedBy=multi-user.target

Create the log directory:

sudo mkdir -p /var/log/comfyui
sudo chown comfyui:comfyui /var/log/comfyui

Enable and start:

sudo systemctl daemon-reload
sudo systemctl enable --now comfyui.service
sudo systemctl status comfyui.service

Three things to note in the unit file: ComfyUI binds to 127.0.0.1, not 0.0.0.0. Direct network access is intentionally not allowed—Caddy will be the only thing that can reach it. Restart=on-failure brings the service back if a memory-hungry workflow OOMs. The log paths are separated from journald so you can tail -f workflow output without journalctl ceremony.

Step 4: Install Caddy as Reverse Proxy

Caddy is the right reverse proxy for this job specifically because it handles HTTPS certificates automatically and has a clean Caddyfile syntax. Install from the official repo:

sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https curl
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt update
sudo apt install caddy

Caddyfile for ComfyUI

Create /etc/caddy/Caddyfile:

comfy.your-tailnet.ts.net {
  reverse_proxy 127.0.0.1:8188

  basicauth /* {
    yourname $2a$14$YOUR_BCRYPT_HASH_HERE
  }
}

Generate the bcrypt hash with:

caddy hash-password

Type your password, paste the output into the Caddyfile. This protects ComfyUI from anyone on your Tailnet who isn’t you—a small but real protection against a friend forwarding a Tailscale invite to someone you didn’t intend to share with.

Reload Caddy:

sudo systemctl reload caddy

Step 5: Tailscale for Remote Access

Port-forwarding ComfyUI to the public internet is a bad idea. It’s a Python web app with arbitrary code execution by design (custom nodes can run anything), no auth in v0.21.0, and a long history of finger-pointing about who’s responsible for security (upstream feature request #10653 remains open as of May 2026).

Install Tailscale:

curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up

Follow the printed URL to authenticate. The host gets a *.ts.net MagicDNS name—use that in your Caddyfile (replace comfy.your-tailnet.ts.net with your actual hostname).

For TLS specifically, Tailscale issues HTTPS certs for *.ts.net names. Caddy will fetch them automatically if the host is in your Tailnet and HTTPS is enabled at the Tailscale admin panel under DNS settings.

Now you can hit https://comfy.your-tailnet.ts.net from any of your Tailscale-connected devices—laptop, phone, tablet—without any port-forwarding. Friends or family you want to share with: invite them to your Tailnet (Tailscale free tier supports up to 3 users / 100 devices).

Step 6: Verify the Stack

A working production install should pass these checks:

1. sudo systemctl status comfyui → active (running), green
2. sudo systemctl status caddy → active (running), green
3. tailscale status → online, has 100.x.y.z IP
4. From a Tailscale-connected device: open https://comfy.your-tailnet.ts.net → HTTPS green padlock, basic auth prompt, then ComfyUI UI
5. Reboot the host: sudo reboot. Wait 60 seconds. Reload the browser. ComfyUI should still be reachable.

If any of these fails, the journalctl -u comfyui.service and journalctl -u caddy.service logs will tell you what’s wrong—usually a permissions issue on the model directory or a typo in the Caddyfile.

The Honest Auth Gap

ComfyUI has no built-in user authentication as of v0.21.0. The basic auth in the Caddyfile is shared—everyone you give the password to is the “same” user from ComfyUI’s perspective. If two users are on the UI simultaneously, they see each other’s workflows.

For a household of 2-4 people who trust each other, this is fine. For wider sharing—say, a community of artists using your GPU—it’s not. The current state of the art for multi-user ComfyUI is community projects like comfy-multi, which split the per-user UI from a shared GPU worker pool. That’s a separate project and a bigger lift than this guide. The official feature request is tracked at issue #10653.

If you’re at the “I have a workshop or class to host” scale, plan for the multi-user solution before you invest in the single-instance setup. If you’re at the “household + maybe a few friends” scale, this single-instance setup with shared basic auth is the right scope.

Common Failures and How to Read Them

After helping a few homelab folks set this up, the same failure modes repeat:

“CUDA out of memory” on first generation. ComfyUI loaded the model into VRAM but you don’t have headroom for the workflow. Either pick a smaller checkpoint (SD 1.5 vs SDXL vs Flux Dev), enable --lowvram in the systemd unit ExecStart, or move to a card with more VRAM. The Best Local AI Models by VRAM guide covers the per-card limits.

Caddy returns 502 Bad Gateway. ComfyUI service isn’t running, or it’s running but bound to a different port. Check sudo systemctl status comfyui and verify the --port flag in the ExecStart matches what’s in the Caddyfile.

Tailscale URL works on phone but not laptop. Both devices need to be on the Tailnet and online. tailscale status on the laptop should show the host as online. If not, sudo tailscale up again on the laptop.

Service runs but hangs after 5 minutes. Often a GPU thermal throttle on a long-running workflow. Check nvidia-smi --query-gpu=temperature.gpu,power.draw --format=csv -l 5 while a workflow runs. If temp >85°C, improve case airflow. The PSU Sizing for AI Workstations guide also covers thermal headroom.

Models loading slowly. Check what disk they live on. NVMe Gen 4 loads a 40 GB model in <15 seconds; SATA SSD takes 70+ seconds. See SSD for Local AI in 2026 for the breakdown.

Honest Take

The single biggest mistake I see is people skipping straight to “expose ComfyUI on port 8188 to the internet” because it’s the path of least resistance. Don’t. The cost of doing this right—systemd unit, Caddy with HTTPS, Tailscale instead of port forwarding—is maybe 30 minutes of typing. The cost of doing it wrong is a Python web app with arbitrary code execution sitting on the public internet, which is the kind of thing that ends up in someone else’s botnet.

If you’re already running Open WebUI for your family’s local LLM, the same Tailscale + Caddy pattern in this guide stacks naturally—same Tailnet, second Caddy site block, second basic auth. You can run both image generation and LLM chat on the same host if you have the VRAM. For whether your hardware can handle it, the buyer’s guide walks through capacity by VRAM tier.

For the desktop-friendly variant of this on Windows (drag-and-drop installer, no systemd ceremony), the ComfyUI on Windows Setup Guide is the right starting point. Switch to Linux when you outgrow “ComfyUI is open whenever I have my laptop open.”

Sources

• ComfyUI official repository — Comfyanonymous (GitHub)
• ComfyUI on Ubuntu 24.04 with systemd auto start — CloudBlast
• Caddy reverse proxy and basicauth — Caddy official docs
• Caddy certificates on Tailscale — Tailscale official docs
• ComfyUI authentication feature request (open) — GitHub issue #10653
• ComfyUI Tailscale serving discussion — ComfyUI-Manager #2729
• Multi-user ComfyUI platform — comfy-multi project
• Install ComfyUI on Ubuntu — Marc Qualie

Last updated May 11, 2026. ComfyUI v0.21.0 is the latest at time of writing; flags and install steps move with the project—verify against the upstream repo before relying on specifics.