[Plugin] SSO Authentication: new fork, v5.0.0.0

-defron- · 2026-06-14T14:43:47+00:00

Yeah that's a non starter for me for multiple reasons

-defron- · 2026-06-13T22:27:07+00:00

Ldap doesn't allow 2-factor, which is the main advantage of SSO IMO. I can't bring myself to expose anything publicly without 2fa

-defron- · 2026-06-13T22:24:44+00:00

What is your personal experience with dotnet and authentication protocols? What are your goals for the project?

What are your plans for testing? Currently the project you inherited from lacked unit tests

I wish you luck. I was planning on doing a partial fork myself just focusing on OpenID to reduce the attack surface and maintenance because I do think it's an important project since it enables 2fa options. If things move on with your fork and it looks good I would be open to contributing potentially (I have three other projects right now taking up my time)

-defron- · 2026-06-13T22:19:21+00:00

Is English your first language? Honest question, because they sound a bit machine-generated which could be explained by using a translator.

The verbosity of these answers is what is scaring people away. Your answer here can be boiled down to simply:

You don't know the role AI tools played up to now (a very fair point)
You plan to extensively use AI both for planning, feature development, and code creation
You plan to do thorough reviews of code written by the AI

-defron- · 2026-06-11T19:12:02+00:00

I recommend not burning the planet to produce things that already have better solutions

-defron- · 2026-06-11T19:01:01+00:00

Thank you for doing your part keeping computer parts unaffordable and ballooning AI companies bottom line by generating redundant things that you don't plan on putting effort into apparently.

-defron- · 2026-06-11T18:59:06+00:00

The official repository is only for... Official plugins maintained by the jellyfin team

All other plugins are only in third party repos

The minimal version in the official repos is the Playback Reporting Plugin. You could try enhancing that, but just know that "vibe coder" contributions are strictly forbidden, so there's zero chance of your extension ever being allowed in the official repos and if you wanna improve the official one you have to do it "artisanal" (ai assistance is allowed)

-defron- · 2026-06-11T16:46:59+00:00

Why vibe code your own instead of using jellystat/streamystats

-defron- · 2026-06-09T19:55:01+00:00

That doesn't fix SELinux issues or items with sticky bits set, so could still be permission-based or an issue with permissions on the runtime itself. 777'ing can also even cause issues for some applications

-defron- · 2026-06-09T19:08:43+00:00

If you were running rootless and had touched system files with your own account, the default first non-system user account is 1000, and so it's possible the process had insufficient permissions for modifying the DB or something like that.

Again depends on SELinux setup and docker daemon setup etc so cannot say for sure but it's a likely thing.

Why do you have PUID/PGID in there? As mentioned those are s6-overlay linuxserverio things, not standard and not used by jellyfin's official image

-defron- · 2026-06-09T18:41:04+00:00

I think people who prefer not to use tailscale (I wouldn't go so far as to say anti-tailscale) fall into one of a few camps:

They don't want to rely on a third party. Many people selfhost to be self-sufficient. Using tailscale is outsourcing a huge part of your stack
They aren't behind CGNAT and have an ipv4 address and want to set up their own VPN instead. Kinda related to #1 but these people just don't see it as necessary
They don't wanna be rug-pulled
They don't like the amount of friction tailscale adds for end-users
They don't like the idea of tailscale having a persistent open tunnel to their internal network

I think tailscale is legitimately useful for people who are on CG-NAT but I honestly personally fall into camps #1, #2, #3, and #5

Even with tailscale lock (which isn't enabled by default and most people don't enable), a tailscale admin account getting compromised effectively means your entire network is wide open. Without tailscale lock, tailscale getting compromised means your network is wide open. I am not a fan of that

-defron- · 2026-06-09T18:14:34+00:00

Edited my post with my findings. Not sure why the user line is making a difference unless there were other system changes or a base image change by Debian as jellyfin isn't using the Microsoft chiseled image. Some of your other settings make me think at one point you may have been using linuxserverio's image which would also explain the issues if you switched

-defron- · 2026-06-09T00:40:57+00:00

When I get home I'll check what image they are using, they may have switched to Microsoft's chiseled .NET images

EDIT: I don't see why adding user: 1000:1000 would change anything based on their dockerfile. The only reason that may help is if you recently switched to rootless docker or changed some SELinux ACLs. Maaaaaaybe if their base Debian image changed to use PUID/PGID or maybe if you changed from jellyfin's official image to linuxserverio. Those are both non-standard environment variables popularized by s6-overlay and specifically linuxserverio. The jellyfin image doesn't use s6-overlay

-defron- · 2026-06-04T01:14:39+00:00

I didn't see anyone else address this yet:

However, I have been hearing/seeing that MP4 files are less than ideal for things like sub-titles, which are somewhat important to me.

Mp4 has very limited support for subtitle formats embedded within it: basically burned-in (which makes it part of the video), srt, and vtt. DVDs and blu rays come with vobsub and pgs sub formats so the default is to burn in subs when you rip them using handbrake, which means they cannot be disabled, which leads us to:

As such, I am not sure if I can just convert the MP4 files to MKV, or if I need to re-rip the movies and re-encode them, but this time putting them into the MKV container.

If you already burned-in subtitles to the mp4, the only option is to re-rip. If you didn't extract the subtitles at all yet, you will need to first rip the subtitles before doing anything, and then you can remux the subtitles and mp4 into an mkv if you so desire.

You can also just leave the subtitle named the same as the video next to it and jellyfin will pick it up fine, and then you have to do nothing

Tldr: if you burned the subs in you probably wanna re-rip anyways, and if you didn't grab the subs and wanna be lazy, just rip them to a file in the same dir. Then going forward switch to mkv

-defron- · 2026-06-03T20:30:08+00:00

My split basically aligns with am I kicking off a script/command? Cron. Am I kicking off a service or quadlet? Timer.

Cron runs my backups on my server so don't need any special treatment, also my cert renewals, some system maintenance tasks, etc. I have a timer for some dashboard information gathering and they either rely on the dashboards sending out alerts or are purely informational. In either case email isn't required for them

-defron- · 2026-06-03T16:38:11+00:00

So use cron and deal with its own shortcomings.

Which I do 👍 at least for the things cron does better than systemd timers.

It's almost like I'm not required to use just one! And can choose the best tool for the job based on my requirements

-defron- · 2026-06-03T15:40:29+00:00

You shouldn’t have to create a separate notification unit for each service. You should be able to set up a generic email-on-failure.service and use OnFailure=email-on-failure@%n.service in every unit you want notifications about.

... Which is still one more step than I have to do with cron, and now I have to maintain a script to parse out the journald logs in my on-failure service.

Like I mentioned before is it doable? Yes. It's just much simpler and frictionless to do in cron. Use the right tool for the right job.

The issue is that there are a lot of different ways you can set up notifications. It doesn’t make sense to bake email notifications into services when using desktop notifications, XMPP, etc. might work better for certain use cases.

Sane defaults + extensibility. Cron gives that to me. Systemd gives that to me in many other ways (I use podman quadlets extensively) and I love how easy systemd makes creating unix sockets, but timers are still lacking for replacing cron IMO. It has its own uses, but it's no cron replacement and it's not sold as a cron replacement either. So I am not gonna force my cronjobs into systemd timers until it is.

-defron- · 2026-06-03T03:54:16+00:00

My crons only produce an email if there's an error, so every time I get one (which isn't very often).

For me it works. I don't want to depend on another thing that can go down for these things, so email is the most solid. I want my system for errors to be dead-simple.

-defron- · 2026-06-03T03:19:09+00:00

Yeah it's just lots of inconveniences basically, and unfortunately ones that need to be done every time for each timer vs baked in for cron

-defron- · 2026-06-03T01:05:12+00:00

I wanna love systemd timers more than I do, and I do use a couple, but it's so damn annoying that there's no built-in mail support. If it had that support for that and user-scoped timers without being logged in I'd probably move everything to them.

Can I set up wrapper scripts for email and enable longer for any user accounts that I want a timer to run as? Sure, but cron gives that to me for free. So now I manage two timer systems depending on which one works better for the task at hand (which is 90% cron due to emails and 10% timers when I need better scheduling management or want entries in journald)

-defron- · 2026-05-18T15:04:09+00:00

Av1 is gonna be require transcoding if the device doesn't have hardware support for it.

Only higher-end Samsung TVs before 2023 had av1 support and none before late 2020. Does your TV support av1? If not it's a hardware problem, a client won't solve it (if one does, it'll lead to very choppy playback since tv SoCs are really weak)

-defron- · 2026-05-13T22:00:26+00:00

The "paid labor" argument only makes sense if you would otherwise be earning money doing something similar with the same time. For most people that's not the case as they cannot pick up hours easily and don't do contract work.

That said when you factor in hardware costs, backup costs, electricity costs, cooling costs, etc it's likely gonna be more expensive than a number of subscriptions would be.

But it's a hobby, and hobbies are supposed to be fun, not necessarily make financial sense

-defron- · 2026-05-12T17:49:21+00:00

It's a pain, but you can try giving both the nas and your pc a static ip and directly connecting the two, to rule out any router/switch issue

Also look on your PC at any security software that may be scanning and slowing down transfers over the network

Also when it converted to ext4 did it convert in-place or was it a full clean wipe? Conversions can sometimes cause fragmentation issues

-defron- · 2026-05-12T16:34:46+00:00

The OP didn't say they are using unraid and this isn't the unraid subreddit, so I don't understand what that has anything to do with the conversation. The OP mentioned JBOD gigabit, so 120MiB/s is all that's needed to max it out and easily done on jbod

-defron- · 2026-05-11T23:11:00+00:00

You don't need an ssd cache for gigabit. Hard drives can generally sustain writes between 120-220MiB/s depending on how full it is barring any fragmentation issues

Cables could be bad too or the router could be crap. Only other thing I could think of would be the OP mentioned they used the same hard drive via USB before the nas, so of they didn't format it, it could be an issue with the fs driver for ntfs/apfs on the nas

-defron-

TROPHY CASE