diff --git a/modules/secrets.nix b/modules/secrets.nix
index f0509ed..2f98d10 100755
--- a/modules/secrets.nix
+++ b/modules/secrets.nix
@@ -2,7 +2,7 @@
 with lib;
 with types;
 let
- password-store = "/home/balsoft/.local/share/password-store";
+ password-store = config.secretsConfig.password-store;
 secret = { name, ... }: {
 options = {
 encrypted = mkOption {
@@ -121,6 +121,10 @@ in {
 };
 
 options.secretsConfig = {
+ password-store = lib.mkOption {
+ type = lib.types.path;
+ default = "/home/balsoft/.local/share/password-store";
+ };
 repo = lib.mkOption {
 type = str;
 default = "ssh://git@github.com/balsoft/pass";
diff --git a/profiles/workspace/openvpn.nix b/profiles/workspace/openvpn.nix
new file mode 100644
index 0000000..36b355a
--- /dev/null
+++ b/profiles/workspace/openvpn.nix
@@ -0,0 +1,15 @@
+{ config, pkgs, ... }: let password-store = config.secretsConfig.password-store; in {
+ secrets.tawasal_eu1 = {
+ encrypted = "${password-store}/openvpn/tawasal_eu1.gpg";
+ services = [ "openvpn-tawasal-eu1.service" ];
+ };
+ secrets.tawasal_eu2 = {
+ encrypted = "${password-store}/openvpn/tawasal_eu2.gpg";
+ services = [ "openvpn-tawasal-eu2.service" ];
+ };
+
+ services.openvpn.servers = {
+ tawasal-eu1.config = "config ${config.secrets.tawasal_eu1.decrypted}";
+ tawasal-eu2.config = "config ${config.secrets.tawasal_eu2.decrypted}";
+ };
+}
diff --git a/roles/desktop.nix b/roles/desktop.nix
index 4bf3a3f..d4f5ae2 100644
--- a/roles/desktop.nix
+++ b/roles/desktop.nix
@@ -41,6 +41,7 @@
 light
 mako
 # mopidy
+ openvpn
 simple-osd-daemons
 sway
 yubikey-touch-detector
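Review bot: The new `secretsConfig.password-store` option in modules/secrets.nix (hunk at line 121) has no `description` and is typed `lib.types.path`, which accepts a Nix path literal as well as a string. If a host ever sets it to a path literal, an interpolation such as `"${password-store}/openvpn/tawasal_eu1.gpg"` in profiles/workspace/openvpn.nix would, as far as I can tell, make Nix copy the whole password store into the world-readable Nix store at evaluation time, exposing the ciphertexts and entry names to every local user. Consider `type = lib.types.str;` together with `description = "Absolute path, given as a string, to the pass store that holds the encrypted secrets";`. The `options.secretsConfig` set continues outside the hunk, so the other options could not be checked for the same pattern.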
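Review bot: Neither `secrets.tawasal_eu1` nor `secrets.tawasal_eu2` in profiles/workspace/openvpn.nix states who may read the decrypted profile, so both rely on the secrets module's defaults, which this diff does not show. An OpenVPN profile commonly embeds a private key or credentials, so it is worth confirming that the decrypted file is readable by root only and lives outside the Nix store, and recording that in a comment above the two definitions. Separately, both `services.openvpn.servers` entries keep the NixOS default `autoStart = true`, so both tunnels are brought up at boot; if they are meant to be started on demand, add `tawasal-eu1.autoStart = false;` and the same for `tawasal-eu2`.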