diff --git a/roles/base/tasks/firewall.yml b/roles/base/tasks/firewall.yml
index 1d51846..a43553b 100644
--- a/roles/base/tasks/firewall.yml
+++ b/roles/base/tasks/firewall.yml
@@ -34,6 +34,13 @@
dest: /etc/fail2ban/jail.d/sshd.conf
notify: restart_fail2ban
+- name: Install Fail2ban IP allow list
+ template:
+ src: fail2ban-allowlist.conf.j2
+ dest: /etc/fail2ban/jail.d/allowlist.conf
+ when: fail2ban_ignoreip is defined
+ notify: restart_fail2ban
+
- name: Enable firewall
ufw:
state: enabled
diff --git a/roles/base/templates/fail2ban-allowlist.conf.j2 b/roles/base/templates/fail2ban-allowlist.conf.j2
new file mode 100644
index 0000000..cc2256e
--- /dev/null
+++ b/roles/base/templates/fail2ban-allowlist.conf.j2
@@ -0,0 +1,2 @@
+[DEFAULT]
+ignoreip = {% for host in fail2ban_ignoreip %}{{ host }}{% if not loop.last %} {% endif %}{% endfor %}
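Review bot: The new "Install Fail2ban IP allow list" task only ever creates /etc/fail2ban/jail.d/allowlist.conf; once `fail2ban_ignoreip` is removed from the inventory the `when` guard skips the task and the stale drop-in stays on the host, still exempting those addresses from banning. A companion `file` task with `state: absent` under `when: fail2ban_ignoreip is not defined`, with the same `notify`, makes removal of the variable remove the exemption. The `template` call also sets no `owner`/`group`/`mode`, so the resulting permissions depend on the connecting user's umask; `mode: "0644"` pins them. The task is complete within the hunk.
```yaml
# … unchanged: Install Fail2ban IP allow list task, with `mode: "0644"` added under template: …
- name: Remove Fail2ban IP allow list when no addresses are configured
  file:
    path: /etc/fail2ban/jail.d/allowlist.conf
    state: absent
  when: fail2ban_ignoreip is not defined
  notify: restart_fail2ban
```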
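Review bot: Setting `ignoreip` under `[DEFAULT]` in a jail.d drop-in overrides, rather than extends, any `ignoreip` the distribution's jail.conf defaults provide, so if those defaults list loopback (this varies by fail2ban version and interacts with `ignoreself`) they are lost unless `fail2ban_ignoreip` repeats them; a comment in the template such as `# Replaces the default ignoreip entirely; include loopback here if jail.conf relied on it` would make that visible to whoever maintains the variable. Since every entry here is exempted from brute-force banning, the variable deserves a short description in the role's defaults stating the expected form (IP, CIDR or hostname, one per list item). Stylistically, the `for`/`loop.last` construction reads more simply as `ignoreip = {{ fail2ban_ignoreip | join(' ') }}`, which produces the same space-separated value.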