HMHackMaster
Topic Author

Config help: Hub and (DHCP) spoke site-to-site VPN with certificates

Mon Oct 19, 2020 4:20 am

I am working on improving my site-to-site VPN config for my assortment of endpoints.
For the hub I have a RB1000 at my personal colocation facility with a static IP managing its own internal /16 (multiple /24 VLANs).
For each spoke, I have multiple MikroTiks (and eventually a Ubiquiti EdgeRouter & a pfSense appliance), each coming from an unknown DHCP address managing its own assigned /16 address as well. (Yes, my friends and I coordinate our private IP subnets.)

As of this point, I have 3 spokes (my house, my parents' house, and a mAP that I carry around with me when I need to do something more than a software VPN).
While I have been able to set up an IPsec site-to-site using PSK from a single spoke to the hub (via the IPsec site-to-site tunnel example on the wiki), I encountered some difficulty in adding a second spoke (aka it didn't work and broke, and then I had to drive to my parents' house to disable whatever I set).

Ultimately I want to switch away from PSK to certificate authentication (I have a Microsoft AD CS instance configured and have manually issued certificates to most of the routers), utilize IKEv2, and tidy up the configs (for example, I can't connect to my hub's public IPs from my spoke) into good reproducible config snippets.
I have attempted to combine the various guides and examples and config snippets and have only resulted in further visits to disable faulty rules.

Is anyone aware of a good guide or pointers that can help me get this figured out?
Thanks!
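
Added example (not part of the original post, and not an official MikroTik snippet): one way the setup described above maps onto RouterOS 6.45+ IPsec syntax, with a passive hub that accepts IKEv2 from spokes on unknown DHCP addresses and authenticates them by certificate. All names, addresses and certificate names are assumptions: hub WAN 203.0.113.10, hub LAN 10.0.0.0/16, spoke LAN 10.1.0.0/16, certificates "hub-cert", "spoke1-cert" and the AD CS CA already imported under System > Certificates with the CA marked trusted.

```routeros
# ===== HUB (static public IP 203.0.113.10, LAN 10.0.0.0/16) =====
# Assumed: the AD CS CA is imported and trusted, "hub-cert" has its private key,
# "spoke1-cert" is the public part of the spoke's certificate (one per spoke).

# IKEv2 SA (profile) and child SA (proposal) parameters shared by every spoke
/ip ipsec profile
add name=ike2 hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048 lifetime=1d
/ip ipsec proposal
add name=ike2 auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048

# One passive (responder) peer; spoke addresses are unknown, so no address= is set
/ip ipsec peer
add name=spokes passive=yes exchange-mode=ike2 profile=ike2

# Template from which the hub generates a policy when a spoke proposes its subnets.
# 10.0.0.0/8 is a constructed umbrella that contains every coordinated /16.
/ip ipsec policy group
add name=spokes
/ip ipsec policy
add group=spokes template=yes src-address=10.0.0.0/8 dst-address=10.0.0.0/8 proposal=ike2

# One identity per spoke, pinned to that spoke's certificate (repeat per spoke).
# Pinning means a certificate from the same CA issued to another device cannot
# authenticate as this spoke.
/ip ipsec identity
add peer=spokes auth-method=digital-signature certificate=hub-cert \
    match-by=certificate remote-certificate=spoke1-cert \
    generate-policy=port-strict policy-template-group=spokes comment="spoke1"

# Let IKE and ESP reach the hub; these must sit above the drop rules in chain=input
/ip firewall filter
add chain=input protocol=udp dst-port=500,4500 action=accept comment="IKEv2"
add chain=input protocol=ipsec-esp action=accept comment="ESP"
# Do not source-NAT traffic that an IPsec policy is about to encapsulate
/ip firewall nat
add chain=srcnat ipsec-policy=out,ipsec action=accept place-before=0 comment="IPsec bypass"

# ===== SPOKE 1 (DHCP WAN address, LAN 10.1.0.0/16) =====
# Assumed: CA imported and trusted, "spoke1-cert" with private key, "hub-cert" public part.
/ip ipsec profile
add name=ike2 hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048 lifetime=1d
/ip ipsec proposal
add name=ike2 auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048

# Initiator: the hub's static address is the only fixed point, so the spoke dials it
/ip ipsec peer
add name=hub address=203.0.113.10/32 exchange-mode=ike2 profile=ike2
/ip ipsec identity
add peer=hub auth-method=digital-signature certificate=spoke1-cert \
    match-by=certificate remote-certificate=hub-cert

# Static policy: this spoke's LAN to the hub's LAN, tunnelled to peer "hub".
# Adding a second spoke only touches the hub's identity list, not this policy.
/ip ipsec policy
add peer=hub tunnel=yes src-address=10.1.0.0/16 dst-address=10.0.0.0/16 proposal=ike2
/ip firewall nat
add chain=srcnat ipsec-policy=out,ipsec action=accept place-before=0 comment="IPsec bypass"
```

To check a spoke came up, look at `/ip ipsec active-peers print` and `/ip ipsec installed-sa print` on the hub; the generated policy for that spoke appears in `/ip ipsec policy print` as a dynamic entry. Two things worth keeping in mind from a defensive angle: with `auth-method=digital-signature` any certificate chaining to a trusted CA authenticates the IKE identity, so keep the hub's trusted CA list down to the private AD CS CA and prefer the per-spoke `remote-certificate` pinning shown; and if FastTrack is enabled in the forward chain, LAN-to-LAN traffic that should enter the tunnel has to be excluded from the fasttrack rule (for example with `ipsec-policy=out,none` on it), otherwise it bypasses IPsec processing and silently leaves in the clear.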
