diff --git a/configs.yml b/configs.yml
index 23075f3..f00f649 100644
--- a/configs.yml
+++ b/configs.yml
@@ -36,23 +36,6 @@ repos:
     - include:
         - repos.yml
 
-protonvpn:
-    - install:
-        - openvpn
-    - clone:
-        url: https://aur.archlinux.org/openvpn-update-systemd-resolved.git
-        dest: ~/builds/openvpn-update-systemd-resolved
-        condition: arch
-    - run:
-        command: cd ~/builds/openvpn-update-systemd-resolved && makepkg -cirs --needed
-        condition: arch
-    - run:
-        - sudo cp ~/src/secrets/setup-cockpit/protonvpn_confs/*.conf /etc/openvpn/client/
-    - run:
-        - sudo cp ~/src/secrets/setup-cockpit/protonvpn_confs/pvpn.auth /etc/openvpn/client/
-    - run:
-        - sudo systemctl enable openvpn-client@fr.protonvpn.com.udp.service
-
 mariadb:
     - install:
         - mariadb
diff --git a/playbook.yml b/playbook.yml
index 545f594..e0d8601 100644
--- a/playbook.yml
+++ b/playbook.yml
@@ -37,3 +37,5 @@
       tags: lilypond
     - role: latex
       tags: latex
+    - role: protonvpn
+      tags: protonvpn
diff --git a/roles/protonvpn/meta/main.yml b/roles/protonvpn/meta/main.yml
new file mode 100644
index 0000000..4e53766
--- /dev/null
+++ b/roles/protonvpn/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+  - role: git
diff --git a/roles/protonvpn/tasks/main.yml b/roles/protonvpn/tasks/main.yml
new file mode 100644
index 0000000..18c7932
--- /dev/null
+++ b/roles/protonvpn/tasks/main.yml
@@ -0,0 +1,42 @@
+---
+- name: Install packages (Archlinux)
+  become: true
+  pacman:
+    name:
+      - openvpn
+  when: ansible_distribution == 'Archlinux'
+
+- name: Install packages (Debian)
+  become: true
+  apt:
+    name:
+      - openvpn
+  when: ansible_distribution == 'Debian'
+
+- name: Clone openvpn-update-systemd-resolved
+  git:
+    repo: https://aur.archlinux.org/openvpn-update-systemd-resolved.git
+    dest: ~/builds/openvpn-update-systemd-resolved
+    clone: yes
+  when: ansible_distribution == 'Archlinux'
+
+- name: Make and install openvpn-update-systemd-resolved
+  command:
+    cmd: makepkg -cirs --needed
+    chdir: ~/builds/openvpn-update-systemd-resolved
+  when: ansible_distribution == 'Archlinux'
+
+- name: Copy client confs
+  become: true
+  copy:
+    src: "{{ ansible_facts.user_dir }}/src/secrets/setup-cockpit/protonvpn_confs/"
+    dest: /etc/openvpn/client/
+    mode: 0644
+    owner: root
+    group: root
+    remote_src: yes
+
+- name: Enable protonvpn service
+  systemd:
+    name: openvpn-client@fr.protonvpn.com.udp
+    enabled: true