diff --git a/modules/dgn-web.nix b/modules/dgn-web.nix
index c3278eb..8b224b6 100644
--- a/modules/dgn-web.nix
+++ b/modules/dgn-web.nix
@@ -1,16 +1,61 @@
 { config, lib, ... }:
 
 let
-  inherit (lib) mkEnableOption mkIf;
+  inherit (lib)
+    attrsToList
+    concatStringsSep
+    filterAttrs
+    mkEnableOption
+    mkIf
+    mkOption
+    ;
+
+  inherit (lib.types) attrsOf port;
 
   cfg = config.dgn-web;
 in
 {
   options.dgn-web = {
     enable = mkEnableOption "sane defaults for web services.";
+
+    internalPorts = mkOption {
+      type = attrsOf port;
+      default = { };
+      description = ''
+        Map from the web services to their internal ports, it should avoid port clashes.
+      '';
+    };
   };
 
   config = mkIf cfg.enable {
+    assertions = [
+      (
+        let
+          duplicates = builtins.attrValues (
+            builtins.mapAttrs (p: serv: "${p}: ${concatStringsSep ", " serv}") (
+              filterAttrs (_: ls: builtins.length ls != 1) (
+                builtins.foldl' (
+                  rev:
+                  { name, value }:
+                  let
+                    str = builtins.toString value;
+                  in
+                  rev // { ${str} = (rev.${str} or [ ]) ++ [ name ]; }
+                ) { } (attrsToList cfg.internalPorts)
+              )
+            )
+          );
+        in
+        {
+          assertion = duplicates == [ ];
+          message = ''
+            Internal ports cannot be used for multiple services, the clashes are:
+              ${concatStringsSep "\n  " duplicates}
+          '';
+        }
+      )
+    ];
+
     services.nginx = {
       enable = true;