diff --git a/ai/comfyui-nginx.conf b/ai/comfyui-nginx.conf
new file mode 100644
index 0000000..295d469
--- /dev/null
+++ b/ai/comfyui-nginx.conf
@@ -0,0 +1,50 @@
+events {
+ worker_connections 1024;
+}
+
+http {
+ # Proxy settings
+ proxy_http_version 1.1;
+ proxy_buffering off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ # WebSocket support
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+
+ # Timeouts for long-running image generation
+ proxy_connect_timeout 300;
+ proxy_send_timeout 300;
+ proxy_read_timeout 300;
+ send_timeout 300;
+
+ server {
+ listen 80;
+ server_name _;
+
+ # Increase client body size for image uploads
+ client_max_body_size 100M;
+
+ location / {
+ # Proxy to ComfyUI on RunPod via Tailscale
+ proxy_pass http://100.121.199.88:8188;
+
+ # WebSocket upgrade
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+
+ # Proxy headers
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ # Disable buffering for real-time updates
+ proxy_buffering off;
+ }
+ }
+}
diff --git a/ai/compose.yaml b/ai/compose.yaml
index a2318bd..79a6a70 100644
--- a/ai/compose.yaml
+++ b/ai/compose.yaml
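Review bot: The `server` block carries no access control of its own (`listen 80; server_name _;` followed by a bare `proxy_pass`), so any client that can reach this container's port 80 is forwarded to ComfyUI at the Tailscale address without passing the Authelia check, which is attached only to the Traefik HTTPS router in `ai/compose.yaml`. ComfyUI, as far as I know, has no built-in login and executes user-supplied workflows on the GPU host, so this listener is effectively the trust boundary for that machine. I would state that above `server {` with `# No auth here: access is gated only by Traefik's net-authelia middleware; never publish this port or attach it to a shared network`. Separately, the `proxy_http_version`, `proxy_set_header` and `proxy_buffering` lines inside `location /` repeat the `http`-level ones and could be kept in one place only.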
@@ -199,6 +199,36 @@ services: # Watchtower - disabled for custom local image - 'com.centurylinklabs.watchtower.enable=false' + # ComfyUI - Node-based UI for Flux image generation (proxies to RunPod GPU) + comfyui: + image: nginx:alpine + container_name: ${AI_COMPOSE_PROJECT_NAME}_comfyui + restart: unless-stopped + environment: + TZ: ${TIMEZONE:-Europe/Berlin} + volumes: + - ./comfyui-nginx.conf:/etc/nginx/nginx.conf:ro + networks: + - compose_network + labels: + - 'traefik.enable=${AI_COMFYUI_TRAEFIK_ENABLED:-true}' + # HTTP to HTTPS redirect + - 'traefik.http.middlewares.${AI_COMPOSE_PROJECT_NAME}-comfyui-redirect-web-secure.redirectscheme.scheme=https' + - 'traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-comfyui-web.middlewares=${AI_COMPOSE_PROJECT_NAME}-comfyui-redirect-web-secure' + - 'traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-comfyui-web.rule=Host(`${AI_COMFYUI_TRAEFIK_HOST:-comfy.ai.pivoine.art}`)' + - 'traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-comfyui-web.entrypoints=web' + # HTTPS router with Authelia SSO + - 'traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-comfyui-web-secure.rule=Host(`${AI_COMFYUI_TRAEFIK_HOST:-comfy.ai.pivoine.art}`)' + - 'traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-comfyui-web-secure.tls.certresolver=resolver' + - 'traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-comfyui-web-secure.entrypoints=web-secure' + - 'traefik.http.middlewares.${AI_COMPOSE_PROJECT_NAME}-comfyui-web-secure-compress.compress=true' + - 'traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-comfyui-web-secure.middlewares=${AI_COMPOSE_PROJECT_NAME}-comfyui-web-secure-compress,net-authelia,security-headers@file' + # Service + - 'traefik.http.services.${AI_COMPOSE_PROJECT_NAME}-comfyui-web-secure.loadbalancer.server.port=80' + - 'traefik.docker.network=${NETWORK_NAME}' + # Watchtower + - 'com.centurylinklabs.watchtower.enable=${WATCHTOWER_LABEL_ENABLE}' + volumes: ai_postgres_data: name: ${AI_COMPOSE_PROJECT_NAME}_postgres_data
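Review bot: `image: nginx:alpine` is a floating tag, and the same service sets `com.centurylinklabs.watchtower.enable=${WATCHTOWER_LABEL_ENABLE}`, so whenever that variable is true Watchtower will swap the container that fronts ComfyUI for whatever the tag resolves to at that moment. I would pin the image to a specific release and digest, for example `image: nginx:<version>-alpine@sha256:<digest>` (placeholders, not values from this page), and take updates as reviewed commits. It is also worth a comment above `networks:` noting that every container on `compose_network` can reach this proxy on port 80 without going through `net-authelia`, since the middleware is applied only on the `-comfyui-web-secure` router.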