diff --git a/modules/services/security/fail2ban.nix b/modules/services/security/fail2ban.nix
index d90cf8d4471..258a2d79163 100644
--- a/modules/services/security/fail2ban.nix
+++ b/modules/services/security/fail2ban.nix
@@ -114,7 +114,11 @@ in
 mkdir -p /var/run/fail2ban -m 0755
 '';
- serviceConfig.ExecStart = "${pkgs.fail2ban}/bin/fail2ban-server -f";
+ serviceConfig =
+ { ExecStart = "${pkgs.fail2ban}/bin/fail2ban-server -f";
+ ReadOnlyDirectories = "/";
+ ReadWriteDirectories = "/var/run/fail2ban";
+ };
 postStart =
 ''
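Review bot: The new `ReadOnlyDirectories = "/";` in `serviceConfig` only changes the unit's mount namespace; no `User` or capability restriction appears in this attrset, so the server presumably still runs as root with its full capability set, and systemd's documentation notes that a process keeping CAP_SYS_ADMIN can undo such mounts. Pairing it with a bounding set would make the read-only root hold, for example `CapabilityBoundingSet = "CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW";`, with the exact set checked against the ban actions in use. It is also worth confirming that `/var/run/fail2ban` is the only path the daemon writes: a file-based log target or any persistent state elsewhere would now fail on a read-only filesystem, and the log target is configured outside this hunk. A one-line comment above the attrset would help, such as `# Run with a read-only root; only the socket/pid directory stays writable.`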