diff --git a/services/photoprism.nix b/services/photoprism.nix
index e971968..bb2c87a 100644
--- a/services/photoprism.nix
+++ b/services/photoprism.nix
@@ -91,5 +91,23 @@ in {
         "${cfg.home}/storage"
       ];
     };
+
+    services.fail2ban.jails = {
+      photoprism = ''
+        enabled = true
+        filter = vaultwarden
+        port = http,https
+        maxretry = 3
+        logpath = /var/log/nginx/photoprism_access.log
+      '';
+    };
+
+    environment.etc = {
+      "fail2ban/filter.d/photoprism.conf".text = ''
+        [Definition]
+        failregex = ^<HOST> -.*"POST \/api\/v1\/session HTTP[^"]*" 400 .*$
+        ignoreregex =
+      '';
+    };
   };
 }