Architecture: What I Actually Run
This is the real layout: three hosts, one router, one LAN, and a clear split of roles so that services stay manageable.
Physical layout
- Router: MikroTik hEX. Single wired router: firewall, DHCP server, gateway. No VLANs; one flat subnet, which means the internet-facing nginx VM, the hypervisor, the NAS and every Wi‑Fi client share a single broadcast domain. Wi‑Fi is handled by APs, not the hEX.
- Switch: One unmanaged switch between the router and the rest (plus APs and hosts).
- Wi‑Fi: Four MikroTik hAP ac² access points, managed centrally via CAPsMAN on the hEX. Two SSIDs (2.4 GHz and 5 GHz names); identical security settings on every AP for seamless roaming. Per-AP fixed channels on 5 GHz (and tuned 2.4 GHz channels / TX power) so neighbouring APs, all on the wired backhaul, do not stomp on the same spectrum; see internal docs/network/capsman-config.md. Same LAN as everything else.
- Host 1 (daily driver + hypervisor): Windows PC, Intel i7-11700K, 128 GB RAM (64 GB added from Host 2 after decommission). My main desktop and the first Hyper-V host. Plex Media Server and Ollama run on the Windows host (not in a VM); media libraries live on Host 3 over SMB. Five VMs: Docker host (Ubuntu), primary nginx + keepalived (Ubuntu), first Pi-hole (Ubuntu), dedicated Minecraft server (Ubuntu), and Stoat Chat (Ubuntu). The Docker VM runs Bitwarden, Mealie, ConvertX, IT-Tools, Donetick, Homepage, and OpenWebUI (LLM chat UI backed by Ollama on the Host 1 GPU). Stoat runs on its own dedicated VM with 15 containers (chat, voice, file storage, etc.).
- Host 2 (hypervisor): Windows PC, AMD Ryzen 5 5600G — permanently offline as of 2026-04-11. Secondary nginx and Pi-hole 3 were here and remain unavailable. Plex was here; it was moved to Host 1 after decommission.
- Host 3 (storage + one more Pi-hole): TrueNAS Scale, AMD Ryzen 5 2600, 48 GB RAM, 4×8 TB in RAIDZ1. SMB shares for the Windows hosts and Plex media libraries. One Pi-hole instance runs as a TrueNAS app (container) on the NAS IP; DNS stays on port 53 so DHCP clients can use it, and only the admin UI sits on a non-default port.
So: one active Windows Hyper-V host (Host 1) with five VMs, plus one TrueNAS; Pi-hole spread across those two hosts, nginx on Host 1 only. Host 2 is permanently offline.
Why this split?
- Daily driver on Host 1 — I use that machine every day. The important VMs (Docker, nginx primary, Pi-hole) keep running when I’m not at the desk.
- Plex on Host 1 — Plex runs on the Host 1 Windows install (same machine as Hyper-V). Libraries stay on TrueNAS (Host 3) via SMB; plex.detellem.com hits nginx on the VIP, which proxies to the Plex port on Host 1.
- Pi-holes — Two active instances (Host 1 VM and TrueNAS app); Pi-hole 3 was on Host 2 (offline). Clients receive both Pi-holes plus Google DNS as fallbacks via DHCP. If one Pi-hole fails, clients move on to the next entry. Caveat: a DHCP DNS list is not strict failover. Many clients rotate through the list or query several resolvers at once, so some lookups go straight to Google and bypass filtering.
- nginx on one active host — The internet hits the router on 80/443; it forwards to a single virtual IP (VIP) held by the primary nginx VM. Secondary nginx was on Host 2 (offline); keepalived runs in degraded mode. Cert and config sync to secondary are disabled until a replacement secondary is provisioned.
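The router side of the Pi-hole and nginx bullets above (the DHCP DNS list and the 80/443 forward to the VIP, plus the filter rules that keep everything else off the flat LAN), written out as RouterOS v7 commands. This is an added example, not the page's or the author's actual hEX export; the WAN interface name, the subnet and every address in it are assumptions.

```routeros
# Added example for a MikroTik hEX running RouterOS v7. Not the author's config.
# Assumptions (not stated on the page): ether1 is the WAN port, LAN is 192.168.88.0/24,
# nginx VIP = 192.168.88.10, Pi-hole 1 (Host 1 VM) = 192.168.88.21,
# Pi-hole 2 (TrueNAS app) = 192.168.88.30.

# DHCP: hand out both Pi-holes first, Google only as fallback.
# Caveat: many clients rotate through this list, so some queries bypass Pi-hole.
/ip dhcp-server network
set [find address=192.168.88.0/24] dns-server=192.168.88.21,192.168.88.30,8.8.8.8,8.8.4.4

# Port forward: only TCP 80/443 from WAN, only to the VIP. Nothing else is exposed.
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=80,443 \
    action=dst-nat to-addresses=192.168.88.10 comment="WAN 80/443 -> nginx VIP"

# Filter: dst-nat alone does not open the path; the forward chain must allow it.
# Rules are evaluated top-down: accept established first, then the forwarded
# ports, then drop every other new connection arriving from WAN.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=ether1 connection-nat-state=dstnat \
    protocol=tcp dst-address=192.168.88.10 dst-port=80,443 action=accept \
    comment="only the forwarded web ports reach the LAN"
add chain=forward in-interface=ether1 connection-state=new action=drop \
    comment="no other unsolicited WAN traffic into the flat LAN"

# The router itself must not answer on WAN either (Winbox/SSH/API stay LAN-only).
add chain=input connection-state=established,related action=accept
add chain=input in-interface=!ether1 action=accept comment="LAN may manage the router"
add chain=input in-interface=ether1 action=drop comment="WAN gets nothing"
```

`add` appends to the end of a chain, so on a hEX that still carries the default firewall the accept rules above would land below the stock drop rule and never match; use `place-before=` (or move them in Winbox) so they sit above it. The page does not say how LAN clients reach plex.detellem.com on the VIP: either a hairpin (masquerade) NAT rule or a local DNS record in Pi-hole pointing the name at the VIP is needed, and neither is in the example.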
Diagram (conceptual)
Internet
│
▼
┌─────────────────────┐
│ MikroTik hEX │
│ DHCP, firewall, │
│ 80/443 → VIP │
└──────────┬──────────┘
│
┌────────────────┼────────────────┐
│ │ │
┌──────▼──────┐ ┌──────▼──────┐ ┌──────▼──────┐
│ Host 1 │ │ Switch │ │ Host 2 │
│ Win + HV │ │ + 4× AP │ │ Win + HV │
└──────┬──────┘ └──────┬──────┘ └──────┬──────┘
│ │ │
┌──────▼─────────────────────────┐ ┌──────▼─────────────────────────┐
│ Win: Plex, Ollama │ │ Host 2 OFFLINE 2026-04-11 │
│ VMs: │ │ (was nginx 2, Pi-hole 3) │
│ • Docker (Bitwarden, Mealie, │ └─────────────────────────────────┘
│ ConvertX, IT-Tools, Donetick, │
│ Homepage, OpenWebUI) │
│ • nginx primary (VIP) │
│ • Pi-hole 1 │
│ • Minecraft (dedicated VM) │
│ • Stoat Chat (dedicated VM) │
└─────────────────────────────────┘
┌─────────────────────────────────┐
│ Host 3: TrueNAS Scale │
│ • SMB (media, etc.) │
│ • Pi-hole 2 (app) │
└─────────────────────────────────┘
Tech choices in one sentence
- Hyper-V — I’m on Windows anyway; VMs are isolated and easy to snapshot. No Proxmox/KVM here.
- TrueNAS Scale — ZFS, SMB, and apps (like Pi-hole) in one box. Media lives here; Plex and the rest mount it.
- MikroTik — Router and CAPsMAN in one place; CLI and Winbox; cheap and flexible. DHCP reservations live on the hEX.
- nginx + keepalived — One reverse proxy in front of everything; two nodes and a floating VIP so I only forward one address from the router. Certbot and config sync run on the primary.
If you want to go deeper on any of these, the links in the next sections point to official docs.