diff --git a/hosts/nixos-laptop/default.nix b/hosts/nixos-laptop/default.nix
index dedaf80..e682ab2 100644
--- a/hosts/nixos-laptop/default.nix
+++ b/hosts/nixos-laptop/default.nix
@@ -15,6 +15,7 @@
 profiles = {
 desktop.enable = true;
 personal.enable = true;
+ webis.enable = true;
 };
 };
diff --git a/modules/profiles/personal.nix b/modules/profiles/personal.nix
index 37cca50..e1cb308 100644
--- a/modules/profiles/personal.nix
+++ b/modules/profiles/personal.nix
@@ -18,7 +18,7 @@ in
 synology-drive.enable = true;
 };
 programs = {
- ssh.includeSecrets = mkDefault [ ../../secrets/ssh-home.age ];
+ ssh.includeSecrets = [ ../../secrets/ssh-home.age ];
 git.signing = mkDefault true;
 hub.enable = mkDefault true;
 firefox.arkenfox = {
diff --git a/modules/profiles/webis.nix b/modules/profiles/webis.nix
new file mode 100644
index 0000000..bded073
--- /dev/null
+++ b/modules/profiles/webis.nix
@@ -0,0 +1,28 @@
+{ lib
+, config
+, ...
+}:
+
+with lib;
+let
+ cfg = config.my.profiles.webis;
+in
+
+{
+ options.my.profiles.webis.enable = mkEnableOption "webis profile";
+
+ config = mkIf cfg.enable {
+ my.programs.ssh.includeSecrets = [ ../../secrets/webis-ssh.age ];
+ age.secrets.webis = {
+ file = ../../secrets/webis.age;
+ name = "webis.ovpn";
+ };
+ services.openvpn.servers = {
+ webis = {
+ config = "config /run/agenix/webis.ovpn";
+ autoStart = false;
+ updateResolvConf = true;
+ };
+ };
+ };
+}
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 179ef3a..723b0a8 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
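Review bot: In modules/profiles/personal.nix, dropping `mkDefault` from `ssh.includeSecrets` changes how the list combines with other definitions, and the line carries no comment saying why. At default priority this definition would presumably have been discarded as soon as the webis profile set the same option; at normal priority the lists merge if the option is a list type, but any host that used to replace the default with its own list now gets `ssh-home.age` appended too, and that file only decrypts where the host's key is a recipient. I would add a comment such as `# not mkDefault: must merge with includeSecrets from other profiles (e.g. webis)` and check the hosts that set this option themselves. The enclosing `programs` block starts and ends outside the hunk.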
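Review bot: In modules/profiles/webis.nix, the OpenVPN `config` line hard-codes `/run/agenix/webis.ovpn`, duplicating both the `name` given to `age.secrets.webis` and agenix's default secrets directory. If either is changed, the service points at a file that does not exist, and with `autoStart = false` that would likely surface only when the tunnel is started by hand. Deriving the path from the secret keeps the two in step: `config = "config ${config.age.secrets.webis.path}";`. A short comment stating that the .ovpn is delivered through agenix because it presumably embeds credentials would also tell the next reader why it must not be inlined into the store.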
@@ -6,7 +6,8 @@ let
 nixos-laptop = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDhtwHDGAZshiQWKkCcPWV9tC83b+bKBgjDcjP/N2CKO";
 nixos-desktop = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKl8gMhwSf1NsP5gp14xbbyjqQLZzcHLb/XKRMoHdXgI";
 nixos-work = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQdruRBgcS3JbX+8DP4GE+28M/ZnxqxhoaMM5EVUkrD";
- hosts = [ nixos-laptop nixos-desktop nixos-work ];
+ hosts-personal = [ nixos-laptop nixos-desktop ];
+ hosts = hosts-personal ++ [ nixos-work ];
 all = users ++ hosts;
 in
@@ -18,4 +19,6 @@ in
 "uni-vpn.age".publicKeys = all;
 "wireguard-preshared-key.age".publicKeys = all;
 "wireguard-private-key.age".publicKeys = all;
+ "webis.age".publicKeys = hosts-personal ++ [ moritz ];
+ "webis-ssh.age".publicKeys = hosts-personal ++ [ moritz ];
 }
diff --git a/secrets/webis-ssh.age b/secrets/webis-ssh.age
new file mode 100644
index 0000000..f5ddae0
Binary files /dev/null and b/secrets/webis-ssh.age differ
diff --git a/secrets/webis.age b/secrets/webis.age
new file mode 100644
index 0000000..c7e921a
Binary files /dev/null and b/secrets/webis.age differ
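Review bot: In the second secrets/secrets.nix hunk, `webis.age` and `webis-ssh.age` are encrypted only to `hosts-personal ++ [ moritz ]`, but nothing visible ties that recipient set to the hosts where `my.profiles.webis.enable` may be switched on. On a host outside the list (nixos-work here) the profile would still evaluate and then presumably fail to decrypt at activation. A comment beside the two entries records the intent, e.g. `# personal hosts only: do not enable the webis profile on nixos-work`. The recipient expression is also written twice; binding it once, `webis-recipients = hosts-personal ++ [ moritz ];`, in the `let` block touched by the first hunk (which starts outside it) would keep both entries identical.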