It feels like everything is a tradeoff and I think a setup like this reduces the complexity for people you share with.
If you added fail2ban along with alert email/notifications you could have a chance to react if you were ever targeted for a brute force attempt. Jellyfin docs talk about setting this up for anyone interested.
Blocking IP segments based on geography of countries you don’t expect connections from adds the cost of a VPN for malicious actors in those areas.
Giving Jellyfin its own VLAN on your network could help limit exposure to your other services and devices if you experience a 0day or are otherwise compromised.
You’ve got it right. I appreciate the directness of the forum moderator because it was a clear signal to me that the Arch community doesn’t value my experience at the level I would like.
Supporting iMacs for 8 years taught me Apple doesn’t value my experience either. I’m happy to upend my system and workflow if it means I’m a step closer to living in the world I want to exist. Most of my life is chosen for me so I want the decisions I have control over to be meaningful to me.