diff --git a/hosts/lab/default.nix b/hosts/lab/default.nix
index e1bfa2e..247bf04 100644
--- a/hosts/lab/default.nix
+++ b/hosts/lab/default.nix
@@ -7,6 +7,8 @@
 ./dokuwiki.nix
 ./forgejo.nix
 ./wynne.nix
+ ./fail2ban.nix
+ ./uptime-kuma.nix
 ];
 
 networking.hostName = "lab";
diff --git a/hosts/lab/fail2ban.nix b/hosts/lab/fail2ban.nix
new file mode 100644
index 0000000..5ca03bd
--- /dev/null
+++ b/hosts/lab/fail2ban.nix
@@ -0,0 +1,61 @@
+{ ... }:
+{
+ services.fail2ban = {
+ enable = true;
+ maxretry = 5;
+ bantime = "1h";
+ bantime-increment = {
+ enable = true;
+ maxtime = "168h";
+ overalljails = true;
+ };
+ ignoreIP = [ "127.0.0.1/8" "::1" ];
+
+ jails = {
+ # SSH jail auto-created by NixOS — just tighten the limits
+ sshd.settings = {
+ maxretry = 3;
+ findtime = "15m";
+ };
+
+ forgejo.settings = {
+ enabled = true;
+ port = "http,https,4201";
+ filter = "forgejo";
+ backend = "systemd";
+ journalmatch = "_SYSTEMD_UNIT=forgejo.service";
+ maxretry = 5;
+ findtime = "10m";
+ };
+
+ caddy-status.settings = {
+ enabled = true;
+ port = "http,https";
+ filter = "caddy-status";
+ backend = "systemd";
+ journalmatch = "_SYSTEMD_UNIT=caddy.service";
+ maxretry = 10;
+ findtime = "10m";
+ };
+ };
+ };
+
+ # Enable Caddy access logging (to journal via stderr)
+ services.caddy.globalConfig = ''
+ servers {
+ logs
+ }
+ '';
+
+ environment.etc."fail2ban/filter.d/forgejo.conf".text = ''
+ [Definition]
+ failregex = ^.*Failed authentication attempt for .* from
+ ignoreregex =
+ '';
+
+ environment.etc."fail2ban/filter.d/caddy-status.conf".text = ''
+ [Definition]
+ failregex = ^.*"client_ip":"".*"status":\s*(401|403)
+ ignoreregex =
+ '';
+}
diff --git a/hosts/lab/uptime-kuma.nix b/hosts/lab/uptime-kuma.nix
new file mode 100644
index 0000000..6d6cce8
--- /dev/null
+++ b/hosts/lab/uptime-kuma.nix
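Review bot: Both custom filters in fail2ban.nix lack fail2ban's `<HOST>` capture — the forgejo regex stops at `from` and the caddy-status regex has a literal empty `"client_ip":""` — and fail2ban refuses to load a failregex with no host group; if that is only angle brackets stripped in this view, ignore it, otherwise the lines should read `failregex = ^.*Failed authentication attempt for .* from <HOST>` and `failregex = ^.*"client_ip":"<HOST>".*"status":\s*(401|403)`. The forgejo jail's `port = "http,https,4201"` suggests Forgejo is reached through Caddy; in that case the address Forgejo logs after `from` is the proxy's 127.0.0.1 (already in `ignoreIP`) unless Forgejo's `REVERSE_PROXY_TRUSTED_PROXIES` is configured, so the jail would never ban anyone and needs a `# NOTE:` recording that dependency. The caddy-status jail bans on any ten 401/403 responses across every Caddy vhost, and git-over-HTTPS clients routinely receive a 401 before retrying with credentials, so a busy legitimate user or CI runner can trip it — consider scoping that regex to the hosts or paths it is meant to protect, or raising `maxretry`. `ignoreIP` holds only loopback; adding the admin's management network keeps a fat-fingered password from locking the operator out for up to the 168h `maxtime`.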
@@ -0,0 +1,27 @@
+{ ... }:
+{
+ services.caddy.virtualHosts."status.ily.rs" = {
+ extraConfig = ''
+ reverse_proxy localhost:3001
+ encode zstd gzip
+ '';
+ };
+
+ services.caddy.virtualHosts."status.wynne.rs" = {
+ extraConfig = ''
+ redir https://status.ily.rs{uri} permanent
+ '';
+ };
+
+ virtualisation.oci-containers.containers.uptime-kuma = {
+ image = "louislam/uptime-kuma:1";
+ podman.user = "podman";
+ volumes = [
+ "/srv/uptime-kuma/data:/app/data"
+ ];
+ ports = [ "127.0.0.1:3001:3001" ];
+ };
+
+ # Workaround for NixOS/nixpkgs#410857 until backport of #475089 lands
+ systemd.services.podman-uptime-kuma.serviceConfig.Delegate = true;
+}
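Review bot: The `status.ily.rs` vhost publishes Uptime Kuma straight to the internet, and a fresh instance serves its first-run setup page (which creates the admin account) to whoever reaches it first, so between `nixos-rebuild switch` and the owner completing setup anyone can claim the instance; either finish setup over an SSH tunnel to `127.0.0.1:3001` before adding the vhost, or put a `basic_auth` block ahead of the `reverse_proxy localhost:3001` line until the account exists. `image = "louislam/uptime-kuma:1";` floats on a major tag, so any restart that pulls may run whatever upstream currently publishes there; pin it as `louislam/uptime-kuma:1@sha256:…` (or at least a specific minor tag) so the deployed image is reproducible and reviewable. The loopback-only `ports` binding and rootless `podman.user = "podman"` are the right shape; a short comment on the vhost noting that the app's own login is the only access control would help the next reader.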