I don’t disagree, and I am one of the VPN advocates you mention. Generally there is no issue with exposing jellyfin via proxy to the internet.

The original question seemed to imply an over-secure solution so a lot of over-secure solutions exist. There is good cause to operate services, like jellyfin, via some permanent VPN.

I would not publicly expose ssh. Your home IP will get scanned all the time and external machines will try to connect to your ssh port.

Over the top for security would be to setup a personal VPN and only watch it over the VPN. If you are enabling other users and you don’t want them on your network; using a proxy like nginx is the way.

Being new to this I would look into how to set these things up in docker using docker-compose.

Set aside a few weekends and mess around distro hopping. Think of it as a small scientific study. Use what you determine to be the most comfortable with.

I suggest being clever in your partitioning keeping /home and any other areas personal to their own partition if not their own disks. If you want to experiment you lose nothing by wiping / and installing something else. Also, you should decide on an effective backup strategy.

If you wanted to go overboard, don’t even make the server accessible publicly. Distribute keys to a Wireguard network that is accessible publicly. Mandate your players obtain keys from you to play.

I transcode to ramdisk.