Hi, I'm not sure why there is a tmpfiles entry at all. Admittedly I'm not a systemd expert but wouldn't putting
RuntimeDirectory=fail2ban in the unit file do what is needed? This creates /run/fail2ban on dameon start and removes it on daemon stop. See the sandboxing section of systemd.exec(5) - Craig