The trade off with Fedora is that has a support window of only a year

There are also Rocky and Alma

I honestly would use a headless Linux system with docker compose. You can find premade docker compose files.

Anything but Ubuntu for the most part

Mint, Fedora, Rocky or whatever else

I would start with a premade docker compose file. From there learn how to tweak it.

Docker has very little overhead

No, chroot is kind of its own thing

It is just a kernel namespace

That’s is absolutely true

Avoid exposing things unless you really need to and follow best practices.

It is a kernel API that allows user space to block USB devices from talking to the kernel. It is a security mechanism

Do you have a username and password for PPP? You could replace the device with something with a SPF port

Another option is that you could turn off masquerading (NAT) on the Asus router. This may not work but if you have different IP ranges on each device theoretically it would avoid double NAT

Is the ISP device a cable modem or is it fiber?

You may be able to replace it with your own stuff

You don’t want two routers as that creates a double NAT

Setup a service and them install Tailscale/Netbird on your devices. The reason double NAT is bad is that it can break NAT traversal used to allow you to directly remote access a device away from home.

I think this is a feature of the newer Linux kernels. I could be mistaken though.

Only if it is from a known bad IP

Also the vulnerability may be in something needed for client functionality.

I think it is a matter of time honestly.

Jellyfin has grown enough in popularity that it is likely a target for a state actor looking to create some minions. Just because there isn’t any known remote code execution vulnerabilities doesn’t mean there couldn’t be one in the future.

Maybe I’m being paranoid but it seems way safer to just not expose Jellyfin.

Your IP address is what they are after

They quietly compromise your system and then your IP gets used as a proxy for attacks against larger targets like government institutions.

How would you know that you were compromised?

I know this sounds far fetched but if you remember there was a Lastpass breach due to Plex. You need to very careful with the public internet.

The password is totally irrelevant for the most part. The worst case is that they get access to the dashboard

The problem is when major security vulnerabilities are found like remote code execution

That wouldn’t even be using TLS

Bad idea

Fine is a relative term

You probably are fine but the company who is getting attacked by your compromised machine isn’t

Crowdsec won’t protect against a security vulnerability

They could route it though a different device