diff --git a/modules/nixos-modules/server/fail2ban.nix b/modules/nixos-modules/server/fail2ban.nix
index 1851e33..d19aeeb 100644
--- a/modules/nixos-modules/server/fail2ban.nix
+++ b/modules/nixos-modules/server/fail2ban.nix
@@ -16,20 +16,6 @@ in {
             failregex = "limiting requests, excess:.* by zone.*client: <HOST>"
           '')
         );
-        # "fail2ban/filter.d/hass.local".text = lib.mkIf config.services.home-assistant.enable (
-        #   pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
-        #     [INCLUDES]
-        #     before = common.conf
-
-        #     [Definition]
-        #     failregex = ^%(__prefix_line)s.*Login attempt or request with invalid authentication from <HOST>.*$
-
-        #     ignoreregex =
-
-        #     [Init]
-        #     datepattern = ^%%Y-%%m-%%d %%H:%%M:%%S
-        #   '')
-        # );
       };
 
       services.fail2ban = {
@@ -61,16 +47,6 @@ in {
             bantime = 600;
             maxretry = 5;
           };
-          home-assistant-iptables.settings = lib.mkIf config.services.home-assistant.enable {
-            enabled = true;
-            filter = "hass";
-            action = ''iptables-multiport[name=HTTP, port="http,https"]'';
-            logpath = "${config.services.home-assistant.configDir}/*.log";
-            backend = "auto";
-            findtime = 600;
-            bantime = 600;
-            maxretry = 5;
-          };
           # TODO; figure out if there is any fail2ban things we can do on searx
           # searx-iptables.settings = lib.mkIf config.services.searx.enable {};
         };
diff --git a/modules/nixos-modules/server/home-assistant.nix b/modules/nixos-modules/server/home-assistant.nix
index 07dcc03..3e225ff 100644
--- a/modules/nixos-modules/server/home-assistant.nix
+++ b/modules/nixos-modules/server/home-assistant.nix
@@ -1,5 +1,6 @@
 {
   lib,
+  pkgs,
   config,
   ...
 }: let
@@ -155,6 +156,39 @@ in {
         ];
       };
     })
+    (lib.mkIf config.services.fail2ban.enable {
+      environment.etc = {
+        "fail2ban/filter.d/hass.local".text = lib.mkIf config.services.home-assistant.enable (
+          pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
+            [INCLUDES]
+            before = common.conf
+
+            [Definition]
+            failregex = ^%(__prefix_line)s.*Login attempt or request with invalid authentication from <HOST>.*$
+
+            ignoreregex =
+
+            [Init]
+            datepattern = ^%%Y-%%m-%%d %%H:%%M:%%S
+          '')
+        );
+      };
+
+      services.fail2ban = {
+        jails = {
+          home-assistant-iptables.settings = lib.mkIf config.services.home-assistant.enable {
+            enabled = true;
+            filter = "hass";
+            action = ''iptables-multiport[name=HTTP, port="http,https"]'';
+            logpath = "${config.services.home-assistant.configDir}/*.log";
+            backend = "auto";
+            findtime = 600;
+            bantime = 600;
+            maxretry = 5;
+          };
+        };
+      };
+    })
     (lib.mkIf config.host.impermanence.enable {
       assertions = [
         {