Question on linking multiple HA instances in a (somewhat) resilient setup involving an alarm panel

I just moved into a new place with a hardwired alarm system. I’m planning a HA setup that is somewhat resilient against power and internet outages to work with a Konnected pro alarm panel. I have the following requirements:

  1. My alarm panel should remain operational in case of a power outage,
  2. I should be able to get notifications from the system even if internet is out,
  3. The internet backup system should be minimal (only backup the essential services, not e.g. my Apple TV),
  4. I plan to use Zigbee keypads near the doors, which should also remain operational if power is out (to disarm the alarm),
  5. However, I want the system to integrate nicely with my regular network (e.g. for HomeKit integration for normal (not emergency) operation).

I think I’ve got a good solution for #1-4:
For #1 I can use battery backups for all essential services. For #2 and #3 I intend to use a small MikroTik router with LTE failback that creates a safe inner network with a HA instance on a Rpi4 and my Konnected panel. #4 I can accomplish with battery powered keypads and a Conbee II attached to HA.

I have some issues coming up with a good solution for #5. I tried solving this with a single HA instance on the internal network, but haven’t been able to properly expose HA to, for example, HomeKit when sitting behind a physical router. I believe I have two possible solutions but have a hard time deciding if either of these solutions would be more optimal. Both solutions involve running two Rpi4s (I have a 2GB and 4GB model available), linked together with remote_homeassistant:

  • Solution A: Run a minimal HA instance on the safe network on the 2GB Rpi connected to the Conbee II and the Konnected panel. Run the main HA instance on the 4GB Rpi on my main network. This will require me to separate out essential and non-essential automations so things don’t break when the main instance goes offline.
  • Solution B: Run my main HA instance on the safe network on the 4GB Rpi, and run the 2GB Rpi as essentially a mirror on my main network to expose everything to HomeKit and handle integrations on the main network. The biggest advantage I can think of is that more services will work in case of a power interruption, and potentially for the system to be more responsive (haven’t tested this).

I lean towards Solution A, as it seems closest to a more ‘vanilla’ setup (a regular HA instance on my normal network, with the secondary instance effectively acting as a bridge to Konnected and Zigbee only). Does this make sense? Or would it be better to go for Solution B, or something completely different?
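As an added illustration of what the Solution A layout looks like in configuration (this is not the poster's own config and not from the remote_homeassistant project), here is the YAML a main instance on the regular network would carry to mirror only the alarm-related entities from the inner instance and pass them on to HomeKit. Assumptions: the inner instance's address `192.168.50.2`, the entity ids, and the secret name are placeholders; the option names follow the YAML form the remote_homeassistant custom integration has documented (newer releases are configured through the UI instead, so check the README for your version); `homekit:` with `filter:` is core Home Assistant.

```yaml
# Added example for the Solution A layout: lives on the MAIN HA instance
# (4GB Rpi, regular network). The inner instance (2GB Rpi, safe network)
# holds the Konnected panel and the Conbee II and needs no knowledge of
# the main network. Not the poster's config; not from the project.
#
# ASSUMPTION: option names follow remote_homeassistant's documented YAML
# configuration; newer versions are set up via the UI instead.
remote_homeassistant:
  instances:
    - host: 192.168.50.2          # placeholder: inner (safe-network) HA instance
      port: 8123
      secure: false               # plain HTTP only because the link stays inside the isolated network
      access_token: !secret inner_ha_token   # long-lived token kept in secrets.yaml, not in this file
      entity_prefix: "inner_"     # mirrored entities appear as <domain>.inner_<object_id>
      # Pull only what the main instance needs: the alarm panel, the wired
      # zone sensors from the Konnected board, and the Zigbee keypads.
      include:
        domains:
          - alarm_control_panel
          - binary_sensor
        entities:
          - sensor.front_door_keypad_battery   # placeholder entity id
      exclude:
        entities:
          - binary_sensor.updater              # placeholder: noise not worth mirroring

# Expose the mirrored alarm entities to HomeKit from the main instance only;
# the inner instance never runs the HomeKit integration.
homekit:
  filter:
    include_domains:
      - alarm_control_panel
    include_entities:
      - binary_sensor.inner_front_door         # placeholder: prefixed mirrored zone sensor
```

Two points worth checking in such a setup: the long-lived token grants the main instance full API access to the inner one, so it belongs in `secrets.yaml` and the MikroTik firewall should only allow the main instance's address to reach port 8123 on the safe network; and because the mirror is one-directional, an automation that must fire during an outage (for example, the keypad disarming the panel) has to live on the inner instance, which is the split the poster describes for Solution A.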