Question about these two router solutions

I received a FW6D from Protectli and I want this machine to handle these services as a powerful router/server.

  1. Router
  2. Access Point
  3. Self-hosted DNS (Pi-hole/AdGuard Home w/ Unbound)
  4. WireGuard server for my devices outside the local area network
  5. WireGuard client connecting to a Mullvad VPN server
  6. Nginx Proxy Manager to handle SSL certificates for my homelab.

And here are the two solutions I can think of:

  1. Forbidden Router: run all services as VM

  2. OpenWrt on bare metal, running Docker/Podman

Which route should I choose/would you choose?

Edit 1: some extra thought
I’m wondering: is method 1 overpowered? Yes, with the same level of proper configuration and administration, virtualization is better than containerization in terms of security, because the compartmentalization is at the hardware level. But will this setup be too much or too complicated when I am just hosting these services in my private network?