diff --git a/hosts/pinwheel/modules/waybar/default.nix b/hosts/pinwheel/modules/waybar/default.nix index c396211..2b37bde 100644 --- a/hosts/pinwheel/modules/waybar/default.nix +++ b/hosts/pinwheel/modules/waybar/default.nix @@ -82,8 +82,11 @@ let ''; work-vpn-status = pkgs.writeShellScript "work-vpn-status" '' - ON=$(ls /tmp | grep work-vpn-on | wc -l) - [ "$ON" -gt 0 ] && echo "WORK-VPN ON" + STAGING=$(systemctl is-active openvpn-work-staging.service) + [ "$STAGING" == "active" ] && echo "WORK-VPN STAGING ON" && exit 0 + + PRODUCTION=$(systemctl is-active openvpn-work-production.service) + [ "$PRODUCTION" == "active" ] && echo "WORK-VPN PRODUCTION ON" && exit 0 ''; toggle-bt-power = pkgs.writeShellScript "toggle-bt-power" '' diff --git a/hosts/pinwheel/modules/work/default.nix b/hosts/pinwheel/modules/work/default.nix index 55d02e9..3732582 100644 --- a/hosts/pinwheel/modules/work/default.nix +++ b/hosts/pinwheel/modules/work/default.nix 
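Review bot: In `work-vpn-status` the staging test runs first and exits, so if `openvpn-work-staging.service` and `openvpn-work-production.service` are both active the bar reports only STAGING and the production tunnel goes unreported. Nothing visible in this commit stops both units from running together, since they are declared independently with `autoStart = false`. Production is the state most worth surfacing, so move `[ "$PRODUCTION" == "active" ] && echo "WORK-VPN PRODUCTION ON" && exit 0` above the staging test, or print both states without the early `exit 0`. `systemctl is-active` also prints `activating` or `failed` for a tunnel that is not up, and the script shows nothing for those; a comment such as `# only "active" is shown; activating/failed render as empty` would make that intentional. The script body is fully visible in the hunk.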
@@ -1,79 +1,50 @@ -{ pkgs, lib, config, ... }: +{ lib, config, ... }: let gitEnabled = config.mod.git.enable; - goEnabled = config.mod.go.enable; openvpnEnabled = config.mod.openvpn.enable; - - work-vpn = let - ovpnconfig = config.age.secrets.work-ovpn.path; - userpass = config.age.secrets.work-ovpn-userpass.path; - in - pkgs.writeShellApplication { - name = "work-vpn"; - text = '' - touch /tmp/work-vpn-on; \ - sudo \ - ${pkgs.openvpn}/bin/openvpn \ - --script-security 2 \ - --up ${pkgs.update-systemd-resolved}/libexec/openvpn/update-systemd-resolved \ - --up-restart \ - --down ${pkgs.update-systemd-resolved}/libexec/openvpn/update-systemd-resolved \ - --down-pre \ - --config ${ovpnconfig} \ - --auth-user-pass ${userpass}; \ - rm /tmp/work-vpn-on - ''; - }; in { home-manager.users.alex = { programs.git = lib.mkIf gitEnabled { includes = [ { - path = ./work-gitconfig; + path = config.age.secrets.work-gitconfig.path; condition = "gitdir:~/code/work/"; } ]; }; - programs.go = lib.mkIf goEnabled { - goPrivate = [ "gitlab.com/zebware/*" ]; - }; - programs.ssh = { enable = true; + }; + }; - matchBlocks = { - "gitlab.com" = { - hostname = "gitlab.com"; - identityFile = "/home/alex/.ssh/alex.pinwheel-work"; - }; - }; + services.openvpn.servers = lib.mkIf openvpnEnabled { + work-staging = { + config = "config ${config.age.secrets.work-staging-ovpn.path}"; + autoStart = false; }; - home.sessionVariables = { - ZCENV_HOME = "/home/alex/code/work/zebware/zcenv"; + work-production = { + config = "config ${config.age.secrets.work-production-ovpn.path}"; + autoStart = false; }; - - home.packages = lib.mkIf openvpnEnabled [ work-vpn ]; }; age.secrets = { - "alex.pinwheel-work" = { - file = ../../../../secrets/pinwheel/alex.pinwheel-work.age; - path = "/home/alex/.ssh/alex.pinwheel-work"; - owner = "alex"; - group = "users"; - }; - "alex.pinwheel-work.pub" = { - file = ../../../../secrets/pinwheel/alex.pinwheel-work.pub.age; - path = "/home/alex/.ssh/alex.pinwheel-work.pub"; - owner 
= "alex"; - group = "users"; + "work-gitconfig" = lib.mkIf gitEnabled { + file = ../../../../secrets/pinwheel/work-gitconfig.age; + path = "/home/alex/code/work/.work-gitconfig"; + owner = "alex"; + group = "users"; }; - "work-ovpn" = lib.mkIf openvpnEnabled { - file = ../../../../secrets/pinwheel/work-ovpn.age; + "work-staging-ovpn" = lib.mkIf openvpnEnabled { + file = ../../../../secrets/pinwheel/work-staging-ovpn.age; + }; + + "work-production-ovpn" = lib.mkIf openvpnEnabled { + file = ../../../../secrets/pinwheel/work-production-ovpn.age; }; }; } diff --git a/hosts/pinwheel/modules/work/work-gitconfig b/hosts/pinwheel/modules/work/work-gitconfig deleted file mode 100644 index 0da30fb..0000000 --- a/hosts/pinwheel/modules/work/work-gitconfig +++ /dev/null @@ -1,3 +0,0 @@ -[user] -name = Alexander Heldt -email = alexander.heldt@zebware.com \ No newline at end of file diff --git a/secrets/pinwheel/alex.pinwheel-work.age b/secrets/pinwheel/alex.pinwheel-work.age deleted file mode 100644 index bb570a1..0000000 Binary files a/secrets/pinwheel/alex.pinwheel-work.age and /dev/null differ diff --git a/secrets/pinwheel/alex.pinwheel-work.pub.age b/secrets/pinwheel/alex.pinwheel-work.pub.age deleted file mode 100644 index 8a62e4d..0000000 Binary files a/secrets/pinwheel/alex.pinwheel-work.pub.age and /dev/null differ diff --git a/secrets/pinwheel/work-gitconfig.age b/secrets/pinwheel/work-gitconfig.age new file mode 100644 index 0000000..f3a69f1 --- /dev/null +++ b/secrets/pinwheel/work-gitconfig.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 vxPbZg ns/Hd7mkx1YbuUfP8AUzFLMy8Zps531/kL+1LsyDmzY +8UIeOcgDWqW7h2rQFVZB1DuAi2rxY141VQgfIyJqfmQ +-> ssh-ed25519 ek+b7Q KBS99VZ03/1C35EZtWoo96+NZFZhW/TESyXwhOkR924 +qG5bq6hkrcU0fX3mbb787A/cy4VCkytjDsD5EXHowR4 +--- FGygGCVoZ2LWY5guhe/LOjihpJTYk0neLqMSwZnoI0k +5rDMXAQOC1l\9q7Xw/bu9zp~`W:UB ,^vVqmàIJg`"l QM \ No newline at end of file 
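Review bot: The two `services.openvpn.servers` entries carry over only the profile path, while the removed `work-vpn` wrapper also passed `--script-security 2`, the `update-systemd-resolved` `--up`/`--down` hooks and `--auth-user-pass`. Unless the encrypted profiles already contain those directives (not visible here), the tunnels would come up without switching DNS to the VPN resolvers, and a profile that expects credentials has nothing to read when started by systemd. If the directives do live in the profiles, say so above the block, e.g. `# DNS hooks and auth settings are inside the encrypted .ovpn profiles`. If they do not, restore the hooks in the profile or through the module's `up`/`down` options. For credentials, use an `auth-user-pass` line pointing at an agenix-managed path rather than the module's `authUserPass` option, which writes them to the world-readable Nix store.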
diff --git a/secrets/pinwheel/work-ovpn.age b/secrets/pinwheel/work-ovpn.age deleted file mode 100644 index cd843fa..0000000 Binary files a/secrets/pinwheel/work-ovpn.age and /dev/null differ diff --git a/secrets/pinwheel/work-production-ovpn.age b/secrets/pinwheel/work-production-ovpn.age new file mode 100644 index 0000000..efd3f2c Binary files /dev/null and b/secrets/pinwheel/work-production-ovpn.age differ diff --git a/secrets/pinwheel/work-staging-ovpn.age b/secrets/pinwheel/work-staging-ovpn.age new file mode 100644 index 0000000..2b34a5c Binary files /dev/null and b/secrets/pinwheel/work-staging-ovpn.age differ diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 4b095f9..5871eaf 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -12,11 +12,12 @@ in { "pinwheel/alex.pinwheel-github.com.pub.age".publicKeys = [ pinwheel alex ]; "pinwheel/alex.pinwheel-andromeda.age".publicKeys = [ pinwheel alex ]; "pinwheel/alex.pinwheel-andromeda.pub.age".publicKeys = [ pinwheel alex ]; - "pinwheel/alex.pinwheel-work.age".publicKeys = [ pinwheel alex ]; - "pinwheel/alex.pinwheel-work.pub.age".publicKeys = [ pinwheel alex ]; "pinwheel/alex.pinwheel-codeberg.org.age".publicKeys = [ pinwheel alex ]; "pinwheel/alex.pinwheel-codeberg.org.pub.age".publicKeys = [ pinwheel alex ]; - "pinwheel/work-ovpn.age".publicKeys = [ pinwheel alex ]; + + "pinwheel/work-gitconfig.age".publicKeys = [ pinwheel alex ]; + "pinwheel/work-staging-ovpn.age".publicKeys = [ pinwheel alex ]; + "pinwheel/work-production-ovpn.age".publicKeys = [ pinwheel alex ]; "sombrero/syncthing-cert.age".publicKeys = [ sombrero alex ]; "sombrero/syncthing-key.age".publicKeys = [ sombrero alex ];
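Review bot: Removing the `pinwheel/alex.pinwheel-work*.age` and `pinwheel/work-ovpn.age` entries takes those secrets out of the working tree only. The ciphertext stays in repository history, decryptable by the `pinwheel` and `alex` identities, and the previously plaintext `work-gitconfig` stays readable there too. If the work SSH key and the old VPN profile are being retired rather than moved, they should also be revoked where they were registered. A comment above the new work entries would record this, e.g. `# old work SSH key and work-ovpn profile retired here; ciphertext remains in history, revoke upstream`. The attribute set continues outside the hunk.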