Deduplicate unprotected service messages via mkUnprotectedMessage

lib/default.nix

@@ -12,4 +12,7 @@ lib: {
     path: path |> builtins.readDir |> lib.filterAttrs (_: type: type == "directory") |> lib.attrNames;
 
   genAttrs = f: names: lib.genAttrs names f;
+
+  mkUnprotectedMessage =
+    name: "${name} should only be exposed on private networks; access control isn't yet configured";
 }

modules/system/services/syncthing.nix

@@ -43,17 +43,13 @@ in
         assertion = config.custom.services.tailscale.enable;
         message = "Syncthing requires tailscale.";
       }
-      {
-        assertion = cfg.doBackups -> cfg.isServer;
-        message = "Syncthing backups should only be performed on a server.";
-      }
       {
         assertion = cfg.isServer -> (cfg.gui.domain != null);
         message = "Running syncthing on a server requires `gui.domain` to be set.";
       }
       {
         assertion = (cfg.gui.domain != null) -> (lib'.isTailscaleDomain cfg.gui.domain);
-        message = "The syncthing gui should only be exposed on a private network as it isn't yet configured with access controll.";
+        message = lib'.mkUnprotectedMessage "Syncthing-GUI";
       }
     ];
 

modules/system/web-services/filebrowser.nix

@@ -31,7 +31,7 @@ in
     assertions = [
       {
         assertion = lib'.isTailscaleDomain cfg.domain;
-        message = "Filebrowser isn't yet configured with access controll.";
+        message = lib'.mkUnprotectedMessage "Filebrowser";
       }
       {
         assertion = !lib.pathExists "${modulesPath}/services/web-apps/filebrowser.nix";

modules/system/web-services/freshrss.nix

@@ -25,7 +25,7 @@ in
   config = lib.mkIf cfg.enable {
     assertions = lib.singleton {
       assertion = lib'.isTailscaleDomain cfg.domain;
-      message = "FreshRSS isn't configured with access controll.";
+      message = lib'.mkUnprotectedMessage "FreshRSS";
     };
 
     meta = {