diff --git a/systems/router/default.nix b/systems/router/default.nix
new file mode 100644
index 0000000..d698879
--- /dev/null
+++ b/systems/router/default.nix
@@ -0,0 +1,147 @@
+# https://github.com/ghostbuster91/blogposts/blob/a2374f0039f8cdf4faddeaaa0347661ffc2ec7cf/router2023-part2/main.md
+# https://francis.begyn.be/blog/nixos-home-router
+{
+ imports = [
+ ../../users/richie
+ ../../common/global
+ ../../common/optional/zerotier.nix
+ ./docker
+ ./hardware.nix
+ ];
+
+ boot.kernel = {
+ sysctl = {
+ "net.ipv4.conf.all.forwarding" = true;
+ "net.ipv6.conf.all.forwarding" = false;
+ };
+ };
+ systemd.network = {
+ wait-online.anyInterface = true;
+ networks = {
+ "30-lan0" = {
+ matchConfig.Name = "lan0";
+ linkConfig.RequiredForOnline = "enslaved";
+ networkConfig = {
+ ConfigureWithoutCarrier = true;
+ };
+ };
+ # lan1 and lan2 look analogical
+ "30-lan3" = {
+ matchConfig.Name = "lan3";
+ linkConfig.RequiredForOnline = "enslaved";
+ networkConfig = {
+ ConfigureWithoutCarrier = true;
+ };
+ };
+ "10-wan" = {
+ matchConfig.Name = "wan";
+ networkConfig = {
+ # start a DHCP Client for IPv4 Addressing/Routing
+ DHCP = "ipv4";
+ DNSOverTLS = true;
+ DNSSEC = true;
+ IPv6PrivacyExtensions = false;
+ IPForward = true;
+ };
+ # make routing on this interface a dependency for network-online.target
+ linkConfig.RequiredForOnline = "routable";
+ };
+ };
+ };
+
+ networking = {
+ hostName = "surfer";
+ useNetworkd = true;
+ useDHCP = false;
+
+ # No local firewall.
+ nat.enable = false;
+ firewall.enable = false;
+
+ nftables = {
+ enable = true;
+ ruleset = ''
+ table inet filter {
+ chain input {
+ type filter hook input priority 0; policy drop;
+
+ iifname { "br-lan" } accept comment "Allow local network to access the router"
+ iifname "wan" ct state { established, related } accept comment "Allow established traffic"
+ iifname "wan" icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "Allow select ICMP"
+ iifname "wan" counter drop comment "Drop all other unsolicited traffic from wan"
+ iifname "lo" accept comment "Accept everything from loopback interface"
+ }
+ chain forward {
+ type filter hook forward priority filter; policy drop;
+
+ iifname { "br-lan" } oifname { "wan" } accept comment "Allow trusted LAN to WAN"
+ iifname { "wan" } oifname { "br-lan" } ct state { established, related } accept comment "Allow established back to LANs"
+ }
+ }
+
+ table ip nat {
+ chain postrouting {
+ type nat hook postrouting priority 100; policy accept;
+ oifname "wan" masquerade
+ }
+ }
+ '';
+ };
+ };
+
+ services.dnsmasq = {
+ enable = true;
+ settings = {
+ # upstream DNS servers
+ server = [ "9.9.9.9" "8.8.8.8" "1.1.1.1" ];
+ # sensible behaviours
+ domain-needed = true;
+ bogus-priv = true;
+ no-resolv = true;
+
+ # Cache dns queries.
+ cache-size = 1000;
+
+ dhcp-range = [ "br-lan,192.168.10.50,192.168.10.254,24h" ];
+ interface = "br-lan";
+ dhcp-host = "192.168.10.1";
+
+ # local domains
+ local = "/lan/";
+ domain = "lan";
+ expand-hosts = true;
+
+ # don't use /etc/hosts as this would advertise surfer as localhost
+ no-hosts = true;
+ address = "/surfer.lan/192.168.10.1";
+ };
+ };
+
+ boot.kernel = {
+ sysctl = {
+ "net.ipv4.conf.default.rp_filter" = 1;
+ "net.ipv4.conf.wan.rp_filter" = 1;
+ "net.ipv4.conf.br-lan.rp_filter" = 0;
+ };
+ };
+
+ services = {
+ openssh.ports = [ 629 ];
+
+ smartd.enable = true;
+
+ snapshot_manager = {
+ enable = true;
+ path = ./snapshot_config.toml;
+ };
+
+ sysstat.enable = true;
+
+ zfs = {
+ trim.enable = true;
+ autoScrub.enable = true;
+ };
+ };
+
+ system.stateVersion = "24.05";
+}
diff --git a/systems/router/hardware.nix b/systems/router/hardware.nix
new file mode 100644
index 0000000..6d2c50c
--- /dev/null
+++ b/systems/router/hardware.nix
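Review bot: `DNSOverTLS = true` and `DNSSEC = true` under `10-wan` only govern systemd-resolved's own lookups, while LAN clients are answered by dnsmasq, which forwards to its `server = [ "9.9.9.9" "8.8.8.8" "1.1.1.1" ]` list over plain port-53 DNS with no `dnssec` option set, so client queries leave the router unencrypted and unvalidated despite what the wan block suggests. Either document that next to the server list, e.g. `# Plain DNS upstreams: the DNSOverTLS/DNSSEC settings on 10-wan cover only resolved's own queries, not what dnsmasq forwards for br-lan clients`, or point dnsmasq at a local DoT-capable stub resolver. Separately, `boot.kernel = { sysctl = { … }; }` appears twice at top level; Nix merges two literal attrsets at the same path only when their keys do not overlap, so the second `sysctl` is likely to be rejected as already defined — folding the three `rp_filter` entries into the first block avoids the question either way. Finally, `br-lan` is what the nftables input/forward rules, dnsmasq's `interface`/`dhcp-range` and the `rp_filter` entries all key on, yet nothing in this file creates the bridge or sets `Bridge =` on the `30-lan*` networks that are marked `enslaved`; presumably it comes from `./docker` or a `common` module, but if it is absent the LAN accept rules never match while the wan drops still apply.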
@@ -0,0 +1,67 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+ config,
+ lib,
+ modulesPath,
+ ...
+}:
+
+{
+ imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+
+ boot = {
+ initrd = {
+ availableKernelModules = [
+ "nvme"
+ "xhci_pci"
+ "ahci"
+ "usbhid"
+ "usb_storage"
+ "sd_mod"
+ ];
+ kernelModules = [ ];
+ luks.devices."luks-root-pool-nvme-Samsung_SSD_990_PRO_with_Heatsink_1TB_S73JNJ0X114418B-part2" = {
+ device = "/dev/disk/by-id/nvme-Samsung_SSD_990_PRO_with_Heatsink_1TB_S73JNJ0X114418B-part2";
+ bypassWorkqueues = true;
+ allowDiscards = true;
+ };
+ };
+ kernelModules = [ "kvm-amd" ];
+ extraModulePackages = [ ];
+ };
+
+ fileSystems = {
+ "/" = lib.mkDefault {
+ device = "root_pool/root";
+ fsType = "zfs";
+ };
+
+ "/home" = {
+ device = "root_pool/home";
+ fsType = "zfs";
+ };
+
+ "/var" = {
+ device = "root_pool/var";
+ fsType = "zfs";
+ };
+
+ "/boot" = {
+ device = "/dev/disk/by-uuid/609D-FF29";
+ fsType = "vfat";
+ options = [
+ "fmask=0077"
+ "dmask=0077"
+ ];
+ };
+ };
+
+ swapDevices = [ ];
+
+ networking.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
\ No newline at end of file