diff --git a/system/flake.nix b/system/flake.nix
index 850becb..2cbead3 100644
--- a/system/flake.nix
+++ b/system/flake.nix
@@ -69,6 +69,13 @@
           ./hosts/nixserver
         ] ++ common "nixserver";
       };
+      router = {
+        system = "aarch64-linux";
+        modules = [
+          ./hardware/bpi_r3.nix
+          ./hosts/router
+        ];
+      };
     };
   };
 }
diff --git a/system/hardware/bpi_r3.nix b/system/hardware/bpi_r3.nix
new file mode 100644
index 0000000..08ba4cd
--- /dev/null
+++ b/system/hardware/bpi_r3.nix
@@ -0,0 +1,35 @@
+{ pkgs
+, lib
+, ... }:
+
+# WIP
+{
+  boot.loader = {
+    grub.enable = false;
+    generic-extlinux-compatible.enable = true;
+  };
+
+  # https://github.com/frank-w/BPI-Router-Linux
+  boot.kernelPackages = pkgs.linuxPackagesFor ((pkgs.buildLinux ({
+    version = "6.3";
+    modDirVersion = "6.3.0";
+
+    src = pkgs.fetchFromGitHub {
+      owner = "frank-w";
+      repo = "BPI-Router-Linux";
+      rev = "6.3-main";
+      hash = lib.fakeHash;
+    };
+
+    defconfig = "mt7986a_bpi-r3";
+  })).overrideAttrs (old: {
+    postConfigure = ''
+      sed -i "$buildRoot/.config" -e 's/^CONFIG_LOCALVERSION=.*/CONFIG_LOCALVERSION=""/'
+      sed -i "$buildRoot/include/config/auto.conf" -e 's/^CONFIG_LOCALVERSION=.*/CONFIG_LOCALVERSION=""/'
+    '';
+  }));
+
+  hardware.deviceTree.enable = true;
+  hardware.deviceTree.filter = "mt7986a-bananapi-bpi-r3*.dtb";
+  hardware.enableRedistributableFirmware = true;
+}
diff --git a/system/hosts/nixserver/default.nix b/system/hosts/nixserver/default.nix
index 72c089b..27cb489 100644
--- a/system/hosts/nixserver/default.nix
+++ b/system/hosts/nixserver/default.nix
@@ -70,10 +70,10 @@ in {
     enable = true;
     path = /persist;
     directories = [
-      { directory = /var/www/${cfg.domainName}; }
-      { directory = /home/${config.common.mainUsername}; }
+      { directory = /home/${config.common.mainUsername}; user = config.common.mainUsername; group = config.common.mainUsername; mode = "0700"; }
       { directory = /root; }
       { directory = /nix; }
+      { directory = /var/www/${cfg.domainName}; }
     ];
   };
   services.beesd = {
diff --git a/system/hosts/router/default.nix b/system/hosts/router/default.nix
new file mode 100644
index 0000000..d2b1bf6
--- /dev/null
+++ b/system/hosts/router/default.nix
@@ -0,0 +1,28 @@
+{ config
+, ... }:
+
+let
+  rootUuid = "00000000-0000-0000-0000-000000000000";
+  rootPart = "/dev/disk/by-uuid/${rootUuid}";
+in {
+  system.stateVersion = "22.11";
+  # TODO
+  fileSystems = {
+    # mount root on tmpfs
+    "/" =     { device = "none"; fsType = "tmpfs"; neededForBoot = true;
+                options = [ "defaults" "size=2G" "mode=755" ]; };
+    "/persist" =
+              { device = rootPart; fsType = "btrfs"; neededForBoot = true;
+                options = [ ]; };
+  };
+  impermanence = {
+    enable = true;
+    path = /persist;
+    directories = [
+      { directory = /home/${config.common.mainUsername}; user = config.common.mainUsername; group = config.common.mainUsername; mode = "0700"; }
+      { directory = /root; mode = "0700"; }
+      /nix
+      /boot
+    ];
+  };
+}
diff --git a/system/modules/vfio.nix b/system/modules/vfio.nix
index 228d8cd..5a36fb3 100644
--- a/system/modules/vfio.nix
+++ b/system/modules/vfio.nix
@@ -12,7 +12,7 @@ in {
         enable = mkOption {
           type = types.bool;
           default = false;
-          description = "Enable GPU passthrough config (probably no intel/nvidia support since I can't test it)";
+          description = "Enable GPU passthrough + VM config (probably no intel/nvidia support since I can't test it)";
         };
         libvirtdGroup = mkOption {
           type = with types; listOf str;