Realistically you shouldn’t depend on a single place for backups

Remember 3-2-1. Three places, two mediums and one offsite

Those are Apples and Oranges

It is ok to admit you are wrong. Fedora wasn’t always the project it is today and at one point it was purely for testing. I get the impression that you’ve either never used Fedora or haven’t used it in a very long time.

https://docs.fedoraproject.org/en-US/project/

Not everyone needs the latest stable of everything. That’s ok but I also didn’t just list Fedora. It is just a option to consider if you want a up to date system that’s well tested.

Have you even used Fedora recently? It is well tested and focused on being beginner friendly. That wasn’t always the case but it changed a few years ago.

Fedora better than Ubuntu in a lot of ways

Also with Fedora 42 there is a entirely new installer so it is much easier to setup.

The trade off with Fedora is that has a support window of only a year

There are also Rocky and Alma

I honestly would use a headless Linux system with docker compose. You can find premade docker compose files.

Anything but Ubuntu for the most part

Mint, Fedora, Rocky or whatever else

I would start with a premade docker compose file. From there learn how to tweak it.

Docker has very little overhead

No, chroot is kind of its own thing

It is just a kernel namespace

That’s is absolutely true

Avoid exposing things unless you really need to and follow best practices.

Do you have a username and password for PPP? You could replace the device with something with a SPF port

Another option is that you could turn off masquerading (NAT) on the Asus router. This may not work but if you have different IP ranges on each device theoretically it would avoid double NAT

Is the ISP device a cable modem or is it fiber?

You may be able to replace it with your own stuff

You don’t want two routers as that creates a double NAT

Setup a service and them install Tailscale/Netbird on your devices. The reason double NAT is bad is that it can break NAT traversal used to allow you to directly remote access a device away from home.

Only if it is from a known bad IP

Also the vulnerability may be in something needed for client functionality.

I think it is a matter of time honestly.

Jellyfin has grown enough in popularity that it is likely a target for a state actor looking to create some minions. Just because there isn’t any known remote code execution vulnerabilities doesn’t mean there couldn’t be one in the future.

Maybe I’m being paranoid but it seems way safer to just not expose Jellyfin.

Your IP address is what they are after

They quietly compromise your system and then your IP gets used as a proxy for attacks against larger targets like government institutions.

How would you know that you were compromised?

I know this sounds far fetched but if you remember there was a Lastpass breach due to Plex. You need to very careful with the public internet.

The password is totally irrelevant for the most part. The worst case is that they get access to the dashboard

The problem is when major security vulnerabilities are found like remote code execution

That wouldn’t even be using TLS

Bad idea