I expose jellyfin to the internet, and some precautions I have taken that I don’t see mentioned in these answers are: 1) run jellyfin as a rootless container, and 2) use read-only storage where ever possible. If you have other tools managing things like subtitles and metadata files before jellyfin there’s no reason for jellyfin to have write access to the media it hosts. While this doesn’t directly address the documented security flaws with jellyfin, you may as well treat it like a diseased plague rat if you’re going to expose it. To me, that means worst case scenario is the thing is breached and the only thing for an attacker to do is exfiltrate things limited to jellyfin.

This really goes far in explaining all the autism in the pre industrial eras. Genius, really.

I did a 4 node Pi4 kubernetes cluster for about 5 years. The learning experience was priceless. I think most notable was learning to do proper multiarch container builds to support arm and x86_64. That being said, about half a year ago I decided to try condensing it all into two n100 nuc-like clones and keep one pi as the controller. For me and my apps and use cases there was no going back. Performance gains were substantial and in this regard I think I was hobbling myself after the educational aspect plateaued.