diff --git a/modules/buildinfo.nix b/modules/buildinfo.nix
index 550d2be..c52b3cf 100644
--- a/modules/buildinfo.nix
+++ b/modules/buildinfo.nix
@@ -25,4 +25,5 @@ in
 # used by monit
 environment.etc."haccfiles-commit".text = self.rev or self.dirtyRev;
+ environment.etc."haccfiles-timestamp".text = builtins.toString self.lastModified;
 }
diff --git a/parsons/monit.nix b/parsons/monit.nix
index c671db8..bb1af96 100644
--- a/parsons/monit.nix
+++ b/parsons/monit.nix
@@ -22,6 +22,20 @@ let
 exit 1
 end
 '';
+
+ checkDeployAge = pkgs.writeScriptBin "check-deploy-age" ''
+ #!${lib.getExe pkgs.fish}
+
+ set date (date +%s)
+ # we do this indirection here so monit's config won't change on each deploy
+ set deploytimestamp (cat /etc/haccfiles-timestamp)
+ set age (expr $date - $deploytimestamp)
+
+ if test $age -ge (expr 3600 \* 24 \* 10)
+ echo "${config.networking.hostName} has not been deployed since 10 days, perhaps someone should do updates?"
+ exit 1
+ end
+ '';
 in
 {
 mailserver.monitoring = {
@@ -43,5 +57,8 @@ in
 check program is-system-running path ${pkgs.systemd}/bin/systemctl is-system-running
 if status != 0 then alert
+
+ check program check-deploy-age path ${lib.getExe checkDeployAge}
+ if status == 1 then alert
 '';
 }
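Review bot: The new `haccfiles-timestamp` line in modules/buildinfo.nix has no comment saying what the value means, and `self.lastModified` is the commit time of this flake's revision, not the time the system was activated. The alert built on it talks about deploys and updates, so a commit that leaves the lock file untouched would presumably still reset the timer while the pinned packages stay old. I would state the semantics next to the line, e.g. `# commit time of the deployed flake revision (not activation time); read by monit's check-deploy-age`. Whether an input's `lastModified` would be the better freshness signal depends on what is in scope in this module, which the hunk does not show.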
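Review bot: The `check-deploy-age` script added in the first parsons/monit.nix hunk fails open: if `/etc/haccfiles-timestamp` is missing, empty or not a number, `expr` yields no value, the `test $age -ge …` condition errors out as false, and the script appears to fall through and exit 0, so monit never alerts. A staleness monitor should treat an unreadable timestamp as an alert condition in its own right. I would validate the value right after reading it and exit 1 with a distinct message, as sketched below. The rest of the script can stay as it is.

```nix
  checkDeployAge = pkgs.writeScriptBin "check-deploy-age" ''
    #!${lib.getExe pkgs.fish}

    # … unchanged: set date …
    set deploytimestamp (cat /etc/haccfiles-timestamp 2>/dev/null)
    # fail closed: a missing or non-numeric timestamp must raise the alert too
    if not string match -qr '^[0-9]+$' -- "$deploytimestamp"
      echo "${config.networking.hostName}: /etc/haccfiles-timestamp is missing or malformed"
      exit 1
    end
    # … unchanged: age computation and 10-day threshold …
  '';
```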
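Review bot: The new monit rule `if status == 1 then alert` in the last hunk only fires on exit code 1, so any other failure of `check-deploy-age` (for example an interpreter that cannot be started, or an unexpected error status) is treated as healthy. The neighbouring `is-system-running` check already uses the stricter form, and matching it keeps the check fail-closed: `if status != 0 then alert`. The surrounding monit config string starts outside the hunk, so I cannot see whether other checks rely on distinct exit codes.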