From 9996a3370ff8d0cdc39cef9a62eb1a72263bc091 Mon Sep 17 00:00:00 2001
From: SebastianStork <sebastian.stork@pm.me>
Date: Sun, 12 Oct 2025 01:56:41 +0200
Subject: [PATCH] Assert proper private usage of syncthing and filebrowser

---
 modules/system/services/syncthing.nix       | 6 +++++-
 modules/system/web-services/filebrowser.nix | 7 +++++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/modules/system/services/syncthing.nix b/modules/system/services/syncthing.nix
index 5a5278f..6ee02c8 100644
--- a/modules/system/services/syncthing.nix
+++ b/modules/system/services/syncthing.nix
@@ -45,7 +45,11 @@ in
       }
       {
         assertion = cfg.doBackups -> cfg.isServer;
-        message = "Syncthing backups can only be performed on a server.";
+        message = "Syncthing backups should only be performed on a server.";
+      }
+      {
+        assertion = cfg.gui.domain |> lib.hasSuffix tailscaleCfg.domain;
+        message = "The syncthing gui isn't yet configured with access controll.";
       }
     ];
 
diff --git a/modules/system/web-services/filebrowser.nix b/modules/system/web-services/filebrowser.nix
index 4bc47b7..627de4c 100644
--- a/modules/system/web-services/filebrowser.nix
+++ b/modules/system/web-services/filebrowser.nix
@@ -27,6 +27,13 @@ in
   };
 
   config = lib.mkIf cfg.enable {
+    assertions = [
+      {
+        assertion = cfg.domain |> lib.hasSuffix config.custom.services.tailscale.domain;
+        message = "Filebrowser isn't yet configured with access controll.";
+      }
+    ];
+
     warnings = lib.optional (lib.pathExists "${modulesPath}/services/web-apps/filebrowser.nix") "TODO: Use filebrowser module from stable nixpkgs";
 
     meta = {