diff --git a/common.nix b/common.nix
index ec8e261..416895e 100644
--- a/common.nix
+++ b/common.nix
@@ -29,6 +29,7 @@
 ./services/jellyfin.nix
 ./services/bazarr.nix
 ./services/cloudflare-ddns.nix
+ ./services/crowdsec.nix
 ];

 ### Make build time quicker
diff --git a/services/crowdsec.nix b/services/crowdsec.nix
new file mode 100644
index 0000000..3e3c7e5
--- /dev/null
+++ b/services/crowdsec.nix
@@ -0,0 +1,27 @@
+{ config, lib, ... }:
+{
+ config = lib.mkIf (config.networking.hostName == "FredOS-Mediaserver") {
+ services.crowdsec = {
+ enable = true;
+ autoUpdateService = true;
+
+ localConfig.acquisitions = [
+ # SSH
+ {
+ source = "journalctl";
+ journalctl_filter = [ "-u" "sshd" ];
+ labels.type = "syslog";
+ }
+ # Nginx Proxy Manager (Docker logs via journald)
+ {
+ source = "journalctl";
+ journalctl_filter = [ "-u" "docker" "-t" "nginx-proxy-manager" ];
+ labels.type = "nginx";
+ }
+ ];
+ };
+
+ # Firewall bouncer — auto-registers to local CrowdSec API
+ services.crowdsec-firewall-bouncer.enable = true;
+ };
+}
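Review bot: The second acquisition in services/crowdsec.nix may never match a log line, which would leave the reverse proxy unmonitored while the service still looks healthy. `-t nginx-proxy-manager` filters on SYSLOG_IDENTIFIER, which Docker's journald driver sets to the short container ID unless the container is started with a matching log tag (not shown in this diff); matching on the container name is more robust: `journalctl_filter = [ "CONTAINER_NAME=nginx-proxy-manager" ];`. Nginx Proxy Manager also appears to write its per-host access logs to files under its data volume rather than to stdout, so a file-based acquisition over that mounted log directory may be needed before any HTTP scenario sees requests; this is worth confirming. No parser or scenario collections for sshd or nginx are declared in this file, so unless they are installed elsewhere the acquired lines will not be turned into alerts. After deploying, `cscli metrics` should show non-zero lines read and parsed for both sources before the firewall bouncer is relied on.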