diff --git a/hosts/pinwheel/modules/default.nix b/hosts/pinwheel/modules/default.nix
index 4721bcb..29fc882 100644
--- a/hosts/pinwheel/modules/default.nix
+++ b/hosts/pinwheel/modules/default.nix
@@ -21,7 +21,9 @@ in
 
       git.enable = true;
       zsh.enable = true;
+
       openvpn.enable = true;
+      mullvad.enable = true;
 
       c.enable = true;
       go.enable = true;
diff --git a/hosts/pinwheel/modules/mullvad/default.nix b/hosts/pinwheel/modules/mullvad/default.nix
index 621b676..2130c29 100644
--- a/hosts/pinwheel/modules/mullvad/default.nix
+++ b/hosts/pinwheel/modules/mullvad/default.nix
@@ -1,19 +1,30 @@
-{ pkgs, ... }:
+{ pkgs, lib, config, ... }:
+let
+  enabled = config.mod.mullvad.enable;
+in
 {
-  services.mullvad-vpn = {
-    enable = true;
-    package = pkgs.mullvad-vpn;
+  options = {
+    mod.mullvad = {
+      enable = lib.mkEnableOption "enable mullvad module";
+    };
   };
 
-  age.secrets = {
-    "mullvad-device" = {
-      file = ../../../../secrets/pinwheel/mullvad-device.age;
-      path = "/etc/mullvad-vpn/device.json";
+  config = lib.mkIf enabled {
+    services.mullvad-vpn = {
+      enable = true;
+      package = pkgs.mullvad-vpn;
     };
 
-    "mullvad-account-history" = {
-      file = ../../../../secrets/pinwheel/mullvad-account-history.age;
-      path = "/etc/mullvad-vpn/account-history.json";
+    age.secrets = {
+      "mullvad-device" = {
+        file = ../../../../secrets/pinwheel/mullvad-device.age;
+        path = "/etc/mullvad-vpn/device.json";
+      };
+
+      "mullvad-account-history" = {
+        file = ../../../../secrets/pinwheel/mullvad-account-history.age;
+        path = "/etc/mullvad-vpn/account-history.json";
+      };
     };
   };
 }