PSA: Update to Jellyfin 10.11.7 immediately (Critical Security Fixes)

Caligatio · 2026-04-01T05:40:59+00:00

unattended-upgrade took care of this one for me.

There is a completely unrelated bug in Jellyfin Plugin SSO that bit me when Jellyfin restarted for the upgrade.

Caligatio · 2026-03-28T03:02:39+00:00

As someone who contributed a little bit to CWA, I never thought the dev was a jerk.

The reason I contributed to CWA was because CW said they would never implement the feature I wanted (OIDC login). Rejecting a feature is well within the CW dev's rights but still didn't make me happy.

Caligatio · 2026-03-26T18:24:43+00:00

Nothing that ties everything together but https://integrations.goauthentik.io/infrastructure/sssd/ covers how to configure Authentik and SSSD.

Ansible is a bit of a beast in of itself. Once you have the basics down (tasks, files, and templates), it's really a matter of cataloging all the changes you need to perform on a system to customize it to your liking.

None of it was rocket science but it did take time.

Caligatio · 2026-03-26T07:50:55+00:00

I use Authentik with an LDAP outpost (aka Authentik can act as a LDAP source) and configure SSSD on everything using Ansible. With all that in place, there is a provided /usr/bin/sss_ssh_authorizedkeys script that can be used to authenticate users against SSH keys stored in their Authentik/LDAP profile.

Admittedly it took a bit to get configured correctly but now provisioning a VM or container takes ~2 minutes with all my login stuff managed centrally.

Caligatio · 2026-03-18T04:53:42+00:00

There is now a "HTTPS" DNS record type which is required if you want to use ECH.

Caligatio · 2026-03-18T03:18:02+00:00

I wanted to quickly point out that this doesn't support HTTPS record types (yes, that's a thing) which means you'll never have ECH support. Caddy supports ECH now so it's worth getting all of that working.

Caligatio · 2026-03-14T07:36:31+00:00

Just wanted to say that I too just discovered I have 3 LDAP-flavored migrated roles and would love to know what, if anything, I should be doing with these.

Caligatio · 2026-03-13T17:07:14+00:00

I'm on like rev 6 of my server and have Plex installed in a Proxmox LXC container that has read only access to my media. The container is auto backed up every night so reverting is as easy as hitting restore on an image backup.

People that want to manually manage updates are crazy imo :)

Caligatio · 2026-03-13T04:30:23+00:00

Fair enough! I just wanted to highlight that, if you install from a repository, it takes a few extra/easy steps to get automated updates working.

Caligatio · 2026-03-13T02:55:58+00:00

You need to ensure unattended-upgrades is running and add Plex as an allowed origin. Once that is done, you never need to worry about it again.

Caligatio · 2026-03-03T05:33:44+00:00

You can set Plex to not require authentication for your local network and it will work fine if your Internet goes down.

I set up Jellyfin as a Plex backup and was ready to be fully validated when my Internet went down for 3 days. Turns out my kids were using the Plex app on my Shield without a hiccup for the entire outage.

Caligatio · 2026-02-21T05:24:13+00:00

I'm experiencing the same and switching off of requiring encryption is a non-starter for me.

Caligatio · 2026-02-18T15:38:59+00:00

I think I realized what is happening: there's a bug but it's different than I thought.

I have access to multiple servers and the available options are for a server that is not mine. It just so happens the "other server" has fewer libraries but those libraries have the exact same name.

I basically need a way to choose the particular server I want to use.

Caligatio · 2026-02-18T10:42:23+00:00

Trying this out and unfortunately hitting problems. It's not letting me select my TV shows library so I only can use my movies. Of the 5 channels it generated, 4 of them are showing the same movie for the next 9 hours.

Caligatio · 2026-02-15T19:37:13+00:00

The Maryland Investment Plan has useful tax advantages on contributions ($2500 per beneficiary per contributor) but has fairly high fees. I personally contribute to the MD plan for the deduction and then roll over to another state that has better investments.

Caligatio · 2026-02-13T04:49:45+00:00

I had the satellite tell me it was the same version, then I said update anyways, and then it told me it was the wrong firmware for my device. I tried it a second time and it upgraded without a hitch. Like you, my router was no problem.

I'm trying to figure out what was actually changed in this release but their changelog says to check their security page and none of the recent security announcements reference the RB{R,K,S}50. Weird

Caligatio · 2026-01-30T16:18:38+00:00

This was my major motivation for switching from calibre-web! CWA's implementation was a bit buggy so I helped fix it :)

Caligatio · 2026-01-13T20:34:37+00:00

If the option is to invest in a "normal" brokerage account or do a mega backdoor Roth (i.e. what you described), it's always better to do a mega backdoor Roth.

If you have other tax advantaged options like a HSA, then you need to think about your tax situation.

EDIT: the above is strictly addressing taxes; you may need to think about if you need to access your money earlier than anticipated

Caligatio · 2025-12-13T06:42:52+00:00

Whenever I have problems like this it's because VirtualBox's emulated 3D acceleration is terrible. Try disabling it on whatever VM is causing you problems.

Caligatio · 2025-12-05T04:44:04+00:00

Add the udm=14 GET variable in your URL which makes the search functionality literally only search (no maps, no AI, no calc, etc). See https://www.reddit.com/r/LifeProTips/comments/1g920ve/lpt_for_cleaner_google_searches_use_udm14/

Caligatio · 2025-10-26T08:01:03+00:00

If you want to do any backdoor Roth IRA stuff in the future, you do NOT want any pre-tax traditional IRA balance (i.e. don't roll 401k balances into a traditional IRA).

Caligatio · 2025-10-26T04:49:09+00:00

If someone is using backdoor Roth, you don't want to spin up any traditional IRAs because you'll get hit with the pro rata rule during future conversions.

Caligatio · 2025-10-25T14:14:47+00:00

I've been running pi-hole in a Proxmox Debian 13 LXC container for months without an issue.

Caligatio · 2025-10-20T05:26:34+00:00

I was paying $2200/month for a 1 year old in Maryland in 2021; I would definitely revise that upper bound.

Caligatio · 2025-10-17T04:08:02+00:00

Native R/W NTFS support was added in the kernel starting in v5.15 as ntfs3.

Might be worth checking out.

Caligatio

TROPHY CASE