diff --git a/CHANGELOG.md b/CHANGELOG.md
index af0eb67c..1eba704f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -44,6 +44,7 @@ The **patch** part changes incrementally at each release.
 ### Fixed
 * bind: chroot-bind.sh must not be executed in check mode
 * evoacme: fix module detection in apache config
+* fail2ban: fix fail2ban_ignore_ips definition
 * mysql-oracle: fix configuration directory variable
 * php: fpm slowlog needs an absolute path
 * roundcube: add missing slash to https redirection
diff --git a/fail2ban/defaults/main.yml b/fail2ban/defaults/main.yml
index 45c2477a..4893e7ae 100644
--- a/fail2ban/defaults/main.yml
+++ b/fail2ban/defaults/main.yml
@@ -4,7 +4,6 @@ fail2ban_alert_email: Null
 fail2ban_default_ignore_ips: []
 fail2ban_additional_ignore_ips: []
-fail2ban_ignore_ips: "{{ fail2ban_default_ignore_ips | union(fail2ban_additional_ignore_ips) | unique }}"
 fail2ban_wordpress: False
 fail2ban_roundcube: False
diff --git a/fail2ban/tasks/main.yml b/fail2ban/tasks/main.yml
index 8e02f044..48b769db 100644
--- a/fail2ban/tasks/main.yml
+++ b/fail2ban/tasks/main.yml
@@ -15,6 +15,9 @@
 tags:
 - fail2ban
+- set_fact:
+ fail2ban_ignore_ips: "{{ fail2ban_default_ignore_ips | union(fail2ban_additional_ignore_ips) | unique }}"
+
 - name: local jail is installed
 template:
 src: jail.local.j2
diff --git a/fail2ban/templates/jail.local.j2 b/fail2ban/templates/jail.local.j2
index 73b5f21f..6adcef67 100644
--- a/fail2ban/templates/jail.local.j2
+++ b/fail2ban/templates/jail.local.j2
@@ -3,7 +3,7 @@
 [DEFAULT]
 # "ignoreip" can be an IP address, a CIDR mask or a DNS host
-ignoreip = {{ (['127.0.0.1/8'] + fail2ban_ignore_ips) | join(' ') }}
+ignoreip = {{ ['127.0.0.1/8'] union(fail2ban_ignore_ips) | unique | join(' ') }}
 bantime = 600
 maxretry = 3
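Review bot: The new `set_fact` task in fail2ban/tasks/main.yml carries no `tags`, while the task just above it is tagged `fail2ban`; on a run limited with `--tags fail2ban` it would be skipped, and since this commit also removes `fail2ban_ignore_ips` from defaults/main.yml the jail template would then presumably fail on an undefined variable (the template task's own tags lie outside the hunk). Giving the task a name and the same tag, `- name: fail2ban_ignore_ips is computed` and `tags: [fail2ban]`, keeps tagged runs working. A `set_fact` value also outranks inventory variables, so a `fail2ban_ignore_ips` set directly in host or group vars is now silently replaced by the union of the two other lists; because this list decides which addresses are never banned, that change of behaviour deserves a sentence in the CHANGELOG entry.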
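Review bot: The new `ignoreip` line in jail.local.j2 is missing the pipe before `union`, so `['127.0.0.1/8'] union(fail2ban_ignore_ips)` is not valid Jinja2 and the template task should fail to render rather than write jail.local. It should read `ignoreip = {{ ['127.0.0.1/8'] | union(fail2ban_ignore_ips) | unique | join(' ') }}`; the trailing `unique` looks redundant after `union` but is harmless. As this line is the allowlist of addresses fail2ban never bans, a `--check --diff` run on one host after the fix would confirm the rendered list is the intended one. The [DEFAULT] section continues outside the hunk.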