diff --git a/modules/services/security/fail2ban.nix b/modules/services/security/fail2ban.nix
index ee57a41888b..2b2a54ef409 100644
--- a/modules/services/security/fail2ban.nix
+++ b/modules/services/security/fail2ban.nix
@@ -98,22 +98,20 @@ in
 } ];
+ system.activationScripts.fail2ban =
+ ''
+ mkdir -p /var/run/fail2ban -m 0755
+ '';
+
 systemd.services.fail2ban = { description = "Fail2ban intrusion prevention system";
 wantedBy = [ "multi-user.target" ];
 after = [ "network.target" ];
+ restartTriggers = [ fail2banConf jailConf ];
 path = [ pkgs.fail2ban pkgs.iptables ];
- preStart =
- ''
- # FIXME: this won't detect changes to
- # /etc/fail2ban/{filter.d,action.d}.
- # ${fail2banConf} ${jailConf}
- mkdir -p /var/run/fail2ban -m 0755
- '';
-
 serviceConfig = { ExecStart = "${pkgs.fail2ban}/bin/fail2ban-server -f";
 ReadOnlyDirectories = "/";