Oh, this is very handy! I’ll be switching to the same ISP within a few weeks, and a working reference guide for how to get NixOS (also on a PCEngines APU) will make it easy.
If you’re running a complex routing setup or dealing with multiple VLANs, you might want to look into my zone-based-firewall script. While I still haven’t figured out a good interface for adding port forwarding rules, I’ve been using this code for the last year and it works very nicely.
For my current setup (VyOS + ansible to generate the rules) I just have a set of “custom rules” that don’t easily fit into any abstraction. I tried coming up with a good abstraction for this, but it’s so rare for my setup that I didn’t bother…
Part of the zone firewall is a low-level way to add rules to an nftables firewall from different places, by adding to networking.nftables.tables.<table>.chains.<chain>. It was important to me to allow for different abstractions or even coexisting abstractions.
Nice write-up! I’ve never tried to use NixOS as a router but now I’m tempted to try (-: