From 66d5263aca34da573560c84142233f3e5f269b5e Mon Sep 17 00:00:00 2001
From: SebastianStork
Date: Tue, 21 Oct 2025 22:52:44 +0200
Subject: [PATCH] Deduplicate unprotected service messages via `mkUnprotectedMessage`

---
 lib/default.nix | 3 +++
 modules/system/services/syncthing.nix | 6 +-----
 modules/system/web-services/filebrowser.nix | 2 +-
 modules/system/web-services/freshrss.nix | 2 +-
 4 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/lib/default.nix b/lib/default.nix
index 7c325d3..6df27b9 100644
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -12,4 +12,7 @@ lib: {
 path: path |> builtins.readDir |> lib.filterAttrs (_: type: type == "directory") |> lib.attrNames;
 genAttrs = f: names: lib.genAttrs names f;
+
+ mkUnprotectedMessage =
+ name: "${name} should only be exposed on private networks; access control isn't yet configured";
 }
diff --git a/modules/system/services/syncthing.nix b/modules/system/services/syncthing.nix
index 77d83f9..c6a37e0 100644
--- a/modules/system/services/syncthing.nix
+++ b/modules/system/services/syncthing.nix
@@ -43,17 +43,13 @@ in
 assertion = config.custom.services.tailscale.enable;
 message = "Syncthing requires tailscale.";
 }
- {
- assertion = cfg.doBackups -> cfg.isServer;
- message = "Syncthing backups should only be performed on a server.";
- }
 {
 assertion = cfg.isServer -> (cfg.gui.domain != null);
 message = "Running syncthing on a server requires `gui.domain` to be set.";
 }
 {
 assertion = (cfg.gui.domain != null) -> (lib'.isTailscaleDomain cfg.gui.domain);
- message = "The syncthing gui should only be exposed on a private network as it isn't yet configured with access controll.";
+ message = lib'.mkUnprotectedMessage "Syncthing-GUI";
 }
 ];

diff --git a/modules/system/web-services/filebrowser.nix b/modules/system/web-services/filebrowser.nix
index 1dcd009..a9a9b1a 100644
--- a/modules/system/web-services/filebrowser.nix
+++ b/modules/system/web-services/filebrowser.nix
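Review bot: In lib/default.nix, `mkUnprotectedMessage` shares only the wording, while the check that actually keeps these services off a public domain, `lib'.isTailscaleDomain`, is still written out by hand at each of the three call sites (syncthing.nix, filebrowser.nix, freshrss.nix), so a later module can reuse the message with a weaker or missing condition. The helper also carries no comment; I would add `# Message for the assertion that restricts a service without access control to a Tailscale domain; pair it with isTailscaleDomain.` above it. As a follow-up, a helper that returns the whole `{ assertion; message; }` attrset would keep check and message together. The enclosing attribute set starts outside the hunk.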
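Review bot: In modules/system/services/syncthing.nix the hunk also deletes the `cfg.doBackups -> cfg.isServer` assertion, which the subject line (message deduplication) does not cover, so a configuration guard disappears inside what reads as a pure refactor. If the removal is intended, it belongs in its own commit or at least in the commit message with the reason; if not, the four removed lines should be restored ahead of the `cfg.isServer -> (cfg.gui.domain != null)` entry. The assertions list starts before the hunk, so other checks on `doBackups` may exist that are not visible here.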
@@ -31,7 +31,7 @@ in
 assertions = [
 {
 assertion = lib'.isTailscaleDomain cfg.domain;
- message = "Filebrowser isn't yet configured with access controll.";
+ message = lib'.mkUnprotectedMessage "Filebrowser";
 }
 {
 assertion = !lib.pathExists "${modulesPath}/services/web-apps/filebrowser.nix";
diff --git a/modules/system/web-services/freshrss.nix b/modules/system/web-services/freshrss.nix
index c27374c..0539f07 100644
--- a/modules/system/web-services/freshrss.nix
+++ b/modules/system/web-services/freshrss.nix
@@ -25,7 +25,7 @@ in
 config = lib.mkIf cfg.enable {
 assertions = lib.singleton {
 assertion = lib'.isTailscaleDomain cfg.domain;
- message = "FreshRSS isn't configured with access controll.";
+ message = lib'.mkUnprotectedMessage "FreshRSS";
 };

 meta = {