  • 0 Posts
  • 19 Comments
Joined 2 years ago
Cake day: July 4th, 2023

  • I do this on the minimal Debian release, which is essentially coming from the same place: you’re left to get things configured with a root user or maybe a privileged user after install. There are a few things to tweak for rootless podman and it will vary based on the distro. The gist for me and Debian is:

    1. make an unprivileged account for running podman containers
    2. enable linger so I can use systemd with this account and the running of the containers
    3. allow lower ports for podman rootless in sysctl (for example, 80 if you’re running basic http services rootless), net.ipv4.ip_unprivileged_port_start=<start of lower range of ports rootless containers will use>
    4. run containers with the appropriate --userns flags. This can vary a lot depending on the container. Some maintainers are nice and ensure the internal uid/gid is something expected like 1000, sometimes not and you have to fire it up and figure out the app account name, uid/gid. An example I’ll put here is a podman run snippet for running jenkins (official image from cloudbees) rootless:

    podman run --name jenkins --user jenkins --userns=keep-id:uid=1000,gid=1000 ...

    Again, that’s just Debian, never tried MicroOS, but if MicroOS isn’t doing anything special to accommodate rootless podman I imagine these steps are somewhat applicable. One issue I ran into was with an older version of Podman, whatever comes with Ubuntu 22: That version of podman requires you to set the namespace mappings; Debian 12’s version does not and the --userns=keep… flag just works.
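    The four steps above as one script, an added example that is not from the original comment. The account name podsvc, port 80, the jenkins image reference and volume name are assumptions; DRY_RUN=1 prints the privileged commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from the original comment: the four Debian
# rootless podman steps above as one script. The account name, port and
# image tag are assumptions; DRY_RUN=1 prints the privileged commands
# instead of running them.
SVC_USER="${SVC_USER:-podsvc}"   # step 1: assumed name of the container account
LOW_PORT="${LOW_PORT:-80}"       # step 3: lowest port rootless containers may bind
DRY_RUN="${DRY_RUN:-0}"

# Execute a privileged command, or only print it when DRY_RUN=1.
run_priv() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 3 helper: emit the sysctl line, rejecting anything outside 1..1023
# (ports from 1024 up are unprivileged already, so the setting would do nothing).
port_conf_line() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 1023 ] || return 1
    echo "net.ipv4.ip_unprivileged_port_start=$1"
}

# Step 4 helper: map the image's app uid/gid onto the host account that
# runs podman, which is what keep-id does in the jenkins snippet above.
userns_flag() {
    echo "--userns=keep-id:uid=$1,gid=$2"
}

# Steps 1 to 3: account, linger (so systemd --user starts at boot), sysctl.
setup_rootless_host() {
    line=$(port_conf_line "$LOW_PORT") || { echo "bad LOW_PORT: $LOW_PORT" >&2; return 1; }
    run_priv useradd --create-home "$SVC_USER"
    run_priv loginctl enable-linger "$SVC_USER"
    run_priv sh -c "printf '%s\n' '$line' > /etc/sysctl.d/99-rootless-ports.conf"
    run_priv sysctl --system
}

# Step 4: the jenkins line from the comment, run as SVC_USER rather than root
# (image reference, port and volume name are assumptions).
run_jenkins_rootless() {
    run_priv su - "$SVC_USER" -c "podman run -d --name jenkins --user jenkins \
        $(userns_flag 1000 1000) -p 8080:8080 \
        -v jenkins_home:/var/jenkins_home docker.io/jenkins/jenkins:lts"
}
```

Run `setup_rootless_host` once as root, then `run_jenkins_rootless`; with DRY_RUN=1 you can review the exact commands first.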


  • Getting6409@lemm.ee to Selfhosted@lemmy.world: Sharing Jellyfin (edited, 9 days ago)

    I expose jellyfin to the internet, and some precautions I have taken that I don’t see mentioned in these answers are: 1) run jellyfin as a rootless container, and 2) use read-only storage wherever possible. If you have other tools managing things like subtitles and metadata files before jellyfin, there’s no reason for jellyfin to have write access to the media it hosts. While this doesn’t directly address the documented security flaws with jellyfin, you may as well treat it like a diseased plague rat if you’re going to expose it. To me, that means the worst case scenario is the thing is breached and the only thing for an attacker to do is exfiltrate things limited to jellyfin.


  • If you’re looking for more tinkering on the music around the house front, Lyrion music server + squeezelite players can be a very fun endeavor. I think it gets a little sketchy if you’re favoring automation and casting, but as a network of players that will utilize a wide swath of hardware, it shines. I had a bunch of pi4s laying around and eventually repurposed them all into a multiroom audio gang.


  • Startmail (from the Startpage folks) has been fine for me. You pay for it, you can put your domain on it, you can do alias addresses, and it works with any IMAP client since it’s just IMAP run by a (so far) competent company. Their web UI is fine, but I’ve only used it for initial setup. Besides Thunderbird on mobile I use Snappymail within Nextcloud and this works just fine as well. All I can say is it does what it says on the tin.


  • I did a 4 node Pi4 kubernetes cluster for about 5 years. The learning experience was priceless. I think most notable was learning to do proper multiarch container builds to support arm and x86_64. That being said, about half a year ago I decided to try condensing it all into two n100 nuc-like clones and keep one pi as the controller. For me and my apps and use cases there was no going back. Performance gains were substantial and in this regard I think I was hobbling myself after the educational aspect plateaued.


  • There have been a few mentions of Navidrome. I find it works well for sharing at an album or even artist level. It can do playlists as well. But you must explicitly choose what to share, at which point it generates a unique URL and will generate a web player and zip if you enable the option to download.

    You can, of course, just make user accounts and distribute credentials.

    If you’re needing to offer browsable folders to easily copy, basically a filesystem-like experience, it’s probably not the best tool.

    Edit: one more thing to point out is that navidrome, jellyfin, and airsonic all construct music libraries differently. Navidrome is using tags, jellyfin uses file names, airsonic uses directory structure. Not sure about Plex.


  • I’ve had a good experience so far with two minipcs, mele quieter 4c for kodi, and a morefine m9 (I think this one is branded as mipowcat in the EU). They’re both n100, the m9 can go up to 32gb of ram although it is picky about what modules it will accept. I use the m9 for jellyfin and about 10 other services. Quick sync works great as far as I’ve tested it. For jellyfin I’m relying mostly on direct streaming, but I tried a few episodes with forcing some transcoding by using Firefox for playback and it worked fine.


  • I don’t think it’s actually still popular, but I’m just talking out of my ass here. I remember it made some waves a few months ago about finally having a new release after so long, and my feeling was a shitload of nostalgia brought it back into the internet spotlight, regardless of how many people are actually using it.

    I gave it a spin again, purely for nostalgia. I could find no compelling reason to use it over my actual preferred player, foobar.


  • I feel like the argument for using a nonstandard ssh port these days is that you dodge the low-tier automation/bots that are endlessly scanning IPs and port 22 and trying obvious usernames and passwords. I do also question how much it is worth dodging these, since presumably you’d have already done the other basics like key-only and no root login before this. Maybe there’s some value if you want a clean auth.log or equivalent.


  • To add to this, there’s even the capacity to add usb dacs if the underlying distribution supports it. Picoreplayer was my introduction to these tools and I’m pretty sure it’s my final destination. Can’t recommend it enough if they have the time and curiosity to get it set up.

    I would also add that if the person OP is asking on behalf of is not so inclined to get into the technical parts and okay with possibly throwing money at the project, volumio is there. I tried this first and appreciated it for what it was, but I wanted features behind the pay wall which are readily available for free with pCP.