
Posts: 31 | Comments: 458 | Joined: 3 yr. ago

Me

  • The OS needs access to the keys accepted by the bl. Pixels have that, so Graphene can relock. Other vendors don't give this opportunity, so ROMs like LOS, which support many devices, are better safe than sorry.

    Try relocking on a Xiaomi device and you have an unrecoverable hard brick.

  • A locked bootloader looks for official ROM signatures, which a custom ROM doesn't have.

    That's why this is impossible. You can hard-brick your phone, that's why LineageOS doesn't allow you to relock.

  • These blog posts might seem a bit naive, but making fun of them is not nice.

    I still appreciated reading them and they raised some questions in me, even if maybe not the ones the author was aiming for.

    Still interesting.

    What's wrong with people just criticizing everything around here? Are we getting toxic like "the other site"?

  • LineageOS stock

  • Not a bad take per se, but a bit condescending. While I agree and like the KISS paradigm, remember that no solution works at a lower complexity level than the problem itself.

    So, define your problem clearly, find the simplest possible solution. Don't overcomplicate, I agree, but don't be fooled by false hopes.

    Is it really simpler? Yes. Will it scale if I need it to? Maybe not, but will I really need for it to scale?

    And so on.

  • I installed from F-Droid, I expect it to be still available as far as it will work...

    And I guess somebody will build and keep publishing it, just not on Google Play, which is anyway a cesspool nowadays, so no big deal.

  • Nope!

    Just wasted 3 days debugging an IP assigned to two devices... Not fun, don't do it...

  • I think that proposing Immich for every use case out there is not the correct answer.

    As much as I like Immich, this is not a good use case... IMHO.

  • DNS?

  • All that? Well, I understand your point, but honestly I have more fun learning something new, and it was really little work.

    Anyway... It's an option too.

  • DNS?

  • No, you don't need two: in fact I have only Unbound set up to do everything with one piece of software.

    Better or worse? No idea, but it works and it's one less piece that might fail.

  • DNS?

  • I have a quite rich selfhosted stack, and DNS is indeed part of it.

    For such a critical piece of infrastructure I didn't need a container, just installed Unbound and did some setup for ad blocking and internal DNS rules.

    Here is my setup: https://wiki.gardiol.org/doku.php?id=router:dhcp-dns

    You could go with an independent Pi-hole maybe, but that would double the chances of a hardware failure...

    Using one device for everything might seem risky, but actually has fewer chances of failure ;)

  • That's not the point. Maybe you can, but for how long? You will never stop asking the question with Docker...

  • I think you wrote it backwards: transitioned from Docker to Podman?

    Yeah, Podman should use quadlets, not compose, but it still works just fine with docker compose and the Podman socket!

  • Yes, you need both 80 and 443 for certbot to work. Anyway, having 80 redirect to 443 is common and not a security risk.

  • Podman guys... Podman All the way...

  • There is no "write and forget" solution. There never has been.

    Do you think we have ORIGINALS of Greek or Roman written texts? No, we have only those that have been copied over and over in the course of the centuries. Historians know this too well. And 90% of anything ever written by humans in all history has been lost, all that was written on more durable media than ours.

    The future will hold only those memories of us that our descendants will take the time to copy over and over. Nothing that we will do today to preserve our media will last 1000 years in any case.

    (Will we as a species survive 1000 more years?)

    Still, it is our duty to preserve for the future as much as we can. If today's historians are any guide, the most important bits will be those less valuable today: the ones nobody will care to actually preserve.

    Citing Alessandro Barbero, a top-notch current Italian historian, he would kill to know what a common passerby had for breakfast in the tenth century. We know nothing about that, while we know a tiny little more about kings.

  • Fellow Gentoo user! Kudos.

  • Well, here is the relevant part then, sorry if it was not clear:

    • Jellyfin will not play well with reverse proxy auth. While the web interface can be put behind it, the API endpoints will need to be excluded from the authentication (IIRC there are some examples on the web), but the web part will still force you to log in twice and cannot identify the proxy auth passed down to it.
    • Jellyfin does support OIDC providers such as Authelia and it's perfectly possible to link the two. In this case, as I was pointing out, Jellyfin will still use its own authentication login window and user management, so the proxy does not need to be modified.

    TLDR: proxy auth doesn't work with Jellyfin, OIDC yes and it bypasses the proxy, so in both cases the proxy will not be involved.

  • This is my Jellyfin nginx setup: https://wiki.gardiol.org/doku.php?id=services:jellyfin#reverse-proxy_configuration

    Currently I don't use any proxy-related authentication because I need to find the time to work with the plugins in Jellyfin. I don't have any Chromecast, but I do regularly use the Android Jellyfin app just fine.

    I expect, using the OIDC plugin in Jellyfin, that Jellyfin will still manage the login via Authelia itself, so I do not expect many changes in the NGINX config (except, maybe, adding the endpoints).

  • Road biker here, for sport. Bike lanes are dangerous for us and impracticable, at least in my country.

    And too narrow very often. And full of people walking, dogs pissing, kids...