The only device that’s truly secure is one that’s turned off, disconnected from the network, encased in concrete, at the bottom of the ocean. Everything else is a tradeoff between convenience and security.

You can make that assumption at your own peril.

No, that would not be legal. I don’t know how they write the law exactly, but they account for that. Could be based on country of manufacture.

Civil disobedience involves the acceptance of consequences.

Right. If it’s signed by a CA, it’s not self signed. Self signed means signed by nobody but the server that generated it.

self-signed certificates are public key certificates that are not issued by a certificate authority (CA)

https://en.wikipedia.org/wiki/Self-signed_certificate

An internal CA whose signing certs you’ve manually installed is still a trusted CA.

If it’s signed by an intermediate CA, then it’s not self-signed.

It sounds like the clients do not have the ability to manually trust a self-signed cert.

Yeah, you shouldn’t, but OP seems determined to hamstring themselves and do everything as convoluted as possible.

Already answered in your previous post: https://lemm.ee/post/60855169/19569046

ProtonVPN in its free tier does not allow LAN connections

This is the limiting factor. In order to get around this, you’ll have to put your Jellyfin server on the Internet. Hopefully you can enable port forwarding. If not, you have painted yourself into a corner.

If you cannot use self-signed or internal CA certs, you will also need a domain name, and something like Let’s Encrypt to issue certs for that domain.

For that aspect, I would recommend changing to a provider that doesn’t have such ridiculous restrictions.

You don’t need a VPN for LAN connections. You’re already on the LAN. You’d only need it for access from the WAN.

If you’re using Let’s Encrypt, you should probably purchase a domain. I don’t think they support .internal domains. Or you could set up your own CA and run it however you want, even issuing certs to access by IP address if you wanted.

Just run it on the LAN and don’t expose it to the Internet. That’s 99% of the way there. HTTPS only secures the connection, and I doubt you’re sending any sensitive info to or from Jellyfin (but you can still run it in docker and use caddy or something with Let’s Encrypt).

The bigger target is making sure jellyfin itself and the host it runs on are updated and protected. You could use a WAF too.

Those who need single-core performance are not buying this.

It used to be a website, but now it’s an app!

It’s a full Linux VM, not Android.

I’m not sure what the use case is, though.

Internet2 too

Prices are absolutely going to go up. If you think you’ll want to buy in the next year or two, do it now.

What grounds would she have to sue?

So you’re just reimplementing the current model but with the extra layer of a browser in between. Installing a PWA is the same as installing a native app, except instead of running it directly you also have to have a browser installed to run it. It’s adding a significant amount of complexity for no good reason. Browsers are huge attack targets.