We use Appspace at work. Or Azulle HDMI stick PCs if we want something with a full OS.

Buy the new one, sell the old one. I’m sure that will even out if you account for the convenience of vPro.

Incidentally, do you know of any documentation about how to use it? I’m sure I have devices that support it, but I’ve never even tried.

Several red flags here, but I put it in a vm and started it up with no external connection and I didn’t see any unusual traffic, though I didn’t decrypt TLS, just watched IPs and DNS.

https://github.com/jellyfin/jellyfin/issues/5415#issuecomment-2825369811

Doesn’t matter. Any exposure risks compromise. From there, an attacker could pivot to read your data, mine cryptocurrency on your device(s), serve objectionable material, or other unsavory activities.

Even if you have authentication enabled, not all APIs require authentication. Jellyfin in particular is not designed to be internet-facing. And even if it does require authentication, authentication bypass attacks are a thing.

I am once again recommending that you not expose any services to the internet except a VPN

mTLS is mutual TLS, more commonly known as client cert authentication (alongside the modern standard server authentication), for anyone else who has never heard of it by that name

Sure, big orgs do it all the time. A pair of load balancers with virtual IPs that route traffic, either to a reverse proxy or right to the endpoint.

But your router is still a SPOF, as is your ISP.

How much availability is worth the time spend setting up and maintaining this, though?

Sure, I do side work sometimes. $180/hr, 3h minimum up front.

Sounds like that adblock is implemented as a proxying DNS server? In that case, NOTIMP makes sense, if they haven’t implemented forwarding those type of requests.

OP is using SAS, but it’s not too far from SATA.

Not necessarily. I would shut the system down completely and check the drive connectors. If it’s on a backplane, try swapping slots, or if it’s breakout connector, swap it with another drive (and clear the zpool errors). If the errors start happening on the other drive, it’s a cable problem. If they continue on the same drive, it’s a drive problem. If they stop happening, it was a bad connection and it ought to be fine now.

That’s kind of a short output from smartctl -a, though. Shouldn’t it include the attribute data? I’d run a smart test (after doing the swap above) and see what it says.

On a raidz2, I wouldn’t be too concerned about losing a drive, but you should always be prepared to order a replacement if you value your data.

Depends on the company and the system. Some of them need to be done off-hours while people aren’t using them. Some are HA and/or insignificant enough that you can do them any time without interruption.

I would recommend not exposing a bunch of services to the internet. Ideally you would expose only a VPN and connect to everything that way.

12gb, whole Internet? You would be horrified at the capacity of some data hoarders.

Yes, those are the known vulnerabilities. We don’t know how many unknown vulnerabilities could be discovered in the future.

I still don’t recommend putting jellyfin on the Internet. It’s not designed for it. There are some API endpoints you can access without authentication, not to mention potential authentication bypass vulnerabilities.

5 minutes is also probably too frequent. Leases are usually significantly longer. You might hit a rate limit and get blocked.