diff --git a/hosts/lab/default.nix b/hosts/lab/default.nix
index 247bf04..e1bfa2e 100644
--- a/hosts/lab/default.nix
+++ b/hosts/lab/default.nix
@@ -7,8 +7,6 @@
 ./dokuwiki.nix
 ./forgejo.nix
 ./wynne.nix
- ./fail2ban.nix
- ./uptime-kuma.nix
 ];
 networking.hostName = "lab";
diff --git a/hosts/lab/fail2ban.nix b/hosts/lab/fail2ban.nix
deleted file mode 100644
index 5ca03bd..0000000
--- a/hosts/lab/fail2ban.nix
+++ /dev/null
@@ -1,61 +0,0 @@
-{ ... }:
-{
- services.fail2ban = {
- enable = true;
- maxretry = 5;
- bantime = "1h";
- bantime-increment = {
- enable = true;
- maxtime = "168h";
- overalljails = true;
- };
- ignoreIP = [ "127.0.0.1/8" "::1" ];
-
- jails = {
- # SSH jail auto-created by NixOS — just tighten the limits
- sshd.settings = {
- maxretry = 3;
- findtime = "15m";
- };
-
- forgejo.settings = {
- enabled = true;
- port = "http,https,4201";
- filter = "forgejo";
- backend = "systemd";
- journalmatch = "_SYSTEMD_UNIT=forgejo.service";
- maxretry = 5;
- findtime = "10m";
- };
-
- caddy-status.settings = {
- enabled = true;
- port = "http,https";
- filter = "caddy-status";
- backend = "systemd";
- journalmatch = "_SYSTEMD_UNIT=caddy.service";
- maxretry = 10;
- findtime = "10m";
- };
- };
- };
-
- # Enable Caddy access logging (to journal via stderr)
- services.caddy.globalConfig = ''
- servers {
- logs
- }
- '';
-
- environment.etc."fail2ban/filter.d/forgejo.conf".text = ''
- [Definition]
- failregex = ^.*Failed authentication attempt for .* from
- ignoreregex =
- '';
-
- environment.etc."fail2ban/filter.d/caddy-status.conf".text = ''
- [Definition]
- failregex = ^.*"client_ip":"".*"status":\s*(401|403)
- ignoreregex =
- '';
-}
diff --git a/hosts/lab/uptime-kuma.nix b/hosts/lab/uptime-kuma.nix
deleted file mode 100644
index 6d6cce8..0000000
--- a/hosts/lab/uptime-kuma.nix
+++ /dev/null
@@ -1,27 +0,0 @@
-{ ... }:
-{
- services.caddy.virtualHosts."status.ily.rs" = {
- extraConfig = ''
- reverse_proxy localhost:3001
- encode zstd gzip
- '';
- };
-
- services.caddy.virtualHosts."status.wynne.rs" = {
- extraConfig = ''
- redir https://status.ily.rs{uri} permanent
- '';
- };
-
- virtualisation.oci-containers.containers.uptime-kuma = {
- image = "louislam/uptime-kuma:1";
- podman.user = "podman";
- volumes = [
- "/srv/uptime-kuma/data:/app/data"
- ];
- ports = [ "127.0.0.1:3001:3001" ];
- };
-
- # Workaround for NixOS/nixpkgs#410857 until backport of #475089 lands
- systemd.services.podman-uptime-kuma.serviceConfig.Delegate = true;
-}