Architecture: What I Actually Run
This is the real layout: three hosts, one router, one LAN, and a clear split of roles so that high availability (HA) and the services themselves stay manageable.
Physical layout
- Router: MikroTik hEX. Single wired router: firewall, DHCP server, gateway. No VLANs; one flat subnet. Wi‑Fi is handled by APs, not the hEX.
- Switch: One unmanaged switch between the router and the rest (plus APs and hosts).
- Wi‑Fi: Four MikroTik hAP ac² access points, managed centrally via CAPsMAN from the router. One SSID (2.4 and 5 GHz); same LAN as everything else.
- Host 1 (daily driver + hypervisor): Windows PC, Intel i7-11700K, 64 GB RAM. My main desktop and also the first Hyper-V host. Runs three VMs: a Docker host (Ubuntu), the primary nginx + keepalived node (Ubuntu), and the first Pi-hole (Ubuntu). The Docker VM runs Bitwarden, Mealie, ConvertX, IT-Tools, Donetick, and Homepage.
- Host 2 (Plex + hypervisor): Windows PC, AMD Ryzen 5 5600G, 80 GB RAM. Plex runs on the host. Hyper-V runs two VMs: the secondary nginx node (Ubuntu) and the third Pi-hole (Ubuntu). The secondary nginx holds the VIP when the primary is down.
- Host 3 (storage + one more Pi-hole): TrueNAS Scale, AMD Ryzen 5 2600, 48 GB RAM, 4×8 TB in RAIDZ1. SMB shares for the Windows hosts and Plex media. One Pi-hole instance runs as a TrueNAS app (container), sharing the NAS IP on a different port.
So: two Windows Hyper-V hosts plus one TrueNAS; Pi-hole is spread across all three and nginx across the two Hyper-V hosts for redundancy.
Why this split?
- Daily driver on Host 1 — I use that machine every day and remote into Host 2 often; keeping “my PC” and “primary infra” on the same host is a tradeoff I’m fine with. The important VMs (Docker, nginx primary, Pi-hole) keep running when I’m not at the desk.
- Plex on Host 2 — Dedicated RAM and GPU for transcoding; media lives on TrueNAS and is mounted via SMB. The nginx VMs (on Host 1 and Host 2) are small, so on Host 2 Plex keeps most of the resources.
- Three Pi-holes — Clients get three DNS servers from DHCP. If one host or VM is down, the other two still resolve. All three use the same blocklists and I manage them separately (no sync between Pi-holes).
- nginx on two hosts — The only thing the internet hits on 80/443 is the router; it forwards to a single virtual IP (VIP). keepalived runs on both nginx VMs; the primary holds the VIP, the secondary takes it on failover. One config and one cert (synced from primary to secondary) so both nodes can serve.
Diagram (conceptual)
                     Internet
                         │
                         ▼
              ┌─────────────────────┐
              │    MikroTik hEX     │
              │  DHCP, firewall,    │
              │  80/443 → VIP       │
              └──────────┬──────────┘
                         │
       ┌─────────────────┼─────────────────┐
       │                 │                 │
┌──────▼──────┐   ┌──────▼──────┐   ┌──────▼──────┐
│   Host 1    │   │   Switch    │   │   Host 2    │
│  Win + HV   │   │  + 4× AP    │   │  Win + HV   │
└──────┬──────┘   └──────┬──────┘   └──────┬──────┘
       │                 │                 │
┌──────▼──────────────────────────┐ ┌──────▼──────────────────────────┐
│ VMs:                            │ │ Host: Plex                      │
│ • Docker (Bitwarden, Mealie,    │ │ VMs:                            │
│   ConvertX, IT-Tools, Donetick, │ │ • nginx secondary               │
│   Homepage)                     │ │ • Pi-hole 3                     │
│ • nginx primary (VIP)           │ └─────────────────────────────────┘
│ • Pi-hole 1                     │
└─────────────────────────────────┘
┌─────────────────────────────────┐
│ Host 3: TrueNAS Scale           │
│ • SMB (media, etc.)             │
│ • Pi-hole 2 (app)               │
└─────────────────────────────────┘
Tech choices in one sentence
- Hyper-V — I’m on Windows anyway; VMs are isolated and easy to snapshot. No Proxmox/KVM here.
- TrueNAS Scale — ZFS, SMB, and apps (like Pi-hole) in one box. Media lives here; Plex and the rest mount it.
- MikroTik — Router and CAPsMAN in one place; CLI and Winbox; cheap and flexible. DHCP reservations live on the hEX.
- nginx + keepalived — One reverse proxy in front of everything; two nodes and a floating VIP so I only forward one address from the router. Certbot and config sync run on the primary.
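The two-node nginx + keepalived VIP described under "Why this split?" and again here, as an added example of what the primary node's keepalived config looks like; this is not the page's own file. The addresses (192.0.2.x), the interface name eth0, the /healthz location on nginx and the priority values are assumptions.

```conf
# /etc/keepalived/keepalived.conf on the PRIMARY nginx VM (Host 1).
# Example config, not this homelab's real file. Placeholder addresses:
# 192.0.2.10 = primary, 192.0.2.11 = secondary,
# 192.0.2.100 = the VIP the hEX forwards 80/443 to.

global_defs {
    # Refuse to run check scripts from paths a non-root user can write.
    enable_script_security
    script_user root
}

# Health check: the VIP should follow a *working* nginx, not just a
# VM that is powered on. /healthz is an assumed nginx location.
vrrp_script chk_nginx {
    script "/usr/bin/curl -fsS -o /dev/null http://127.0.0.1/healthz"
    interval 2
    timeout 3
    fall 3          # three consecutive failures count as "down"
    rise 2          # two successes before it counts as "up" again
    weight -50      # 150 - 50 = 100 < 110, so the secondary takes the VIP
}

vrrp_instance VI_NGINX {
    state MASTER                # on the secondary: BACKUP
    interface eth0
    virtual_router_id 51        # identical on both nodes, unique on the LAN
    priority 150                # on the secondary: 110
    advert_int 1
    # Unicast to the one known peer instead of multicast: on a flat LAN
    # with no VLANs this keeps VRRP traffic between the two nodes only,
    # and an unexpected advertisement from any other address is easy to
    # spot in keepalived's log. VRRP's own password auth was dropped by
    # RFC 5798 and is left out here; it is not a security control.
    unicast_src_ip 192.0.2.10   # on the secondary: 192.0.2.11
    unicast_peer {
        192.0.2.11              # on the secondary: 192.0.2.10
    }
    virtual_ipaddress {
        192.0.2.100/24 dev eth0
    }
    track_script {
        chk_nginx
    }
}
```

The secondary runs the same file with the four values marked "on the secondary" swapped; since the config and cert are synced from the primary, nginx itself serves identically on whichever node holds 192.0.2.100.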
If you want to go deeper on any of these, the links in the next sections point to official docs.