I’ve worked with GUIs on python for a couple of years, we used PyQt, which is a python wrapper for Qt which is a C++ library for GUIs. It’s fairly straightforward and easy to get something up on the screen in no time.

However from parts of your comment it seems you want to implement your own graphics library, and that is a lot harder to do.

Also you mentioned legacy hardware, not sure how legacy it would be. Python should run on most things people would call legacy nowadays, but there’s definitely an overhead that could be felt if you’re trying to run this on an embebed system or a REALLY old (as in 90s/00s era) computer.

You also mentioned mobile, I don’t think PyQt can be compiled to mobile easily, nor do I think you should even if you manage to (been there, done that, not a happy time). Desktop and Mobile GUIs are very different, realistically if you want something that works well on both mobile and desktop with the same codebase the easiest approach is web UI.

Lots of questions, let’s take it one step at a time. You have a domain, now you can point it to your public IP, so that whenever someone tries to access example.com they ask their DNS server and it replies with 10.172.172.172 (which btw is not a valid public IP). Now that request will hit your router, you need to configure your router to redirect ports 80 and 443 to 192.168.200.101, that way the request to example.com gets to your local machine.

Ok, so now you need your local machine to reply on that port, I recommend using Caddy it’s very easy to setup, but NGIX is the more traditional approach. A simple Caddy config would look like:

example.com {
    respond "Hello"
}


jellyfin.example.com {
    handle {
        reverse_proxy http://192.168.200.101:1020/
    }
}

So after the request reaches Caddy it will see that the person tried to access, example.com and respond with a “Hello”.

If instead you had tried jellyfin.example.com the DNS would have sent you to 10.172.172.172, your router would send that to 192.168.200.101, Caddy would then send it to 192.168.200.101:1020, which is Jellyfin so that would get returned.

There are some improvements that can be made, for example if both caddy and Jellyfin are docker you can share a network between them so Jellyfin is only exposed through caddy. Another possibly good idea is to add some authentication service like Authelia or Authentik to harden stuff a little bit. Also as you might have noticed Caddy can forward stuff to other computers, so you can have one machine on your network exposing multiple services on multiple machines.

If you’re using jellyfin as the url, that’s an easily guessable name, however if you use random words not related to what’s being hosted chances are less, e.g. salmon.example.com . Also ideally your server should reply with a 200 to * subdomains so scrappers can’t tell valid from invalid domains. Also also, ideally it also sends some random data on each of those so they don’t look exactly the same. But that’s approaching paranoid levels of security.

They did that with most of my subdomains

I recently had a weird bug with Jellyfin, are you by chance using a domain name? Try accessing Jellyfin using direct IP, e.g. http://192.168.1.123:8096/

There are great apps that provides a way of organizing such libraries which you should do to have stuff organized regardless of problems with JF. They’re called Sonarr for tv shows and Radarr for movies, they also provide other features, but their media organization is great

For backups I don’t think full disk backups are ever needed or useful. Because if the system is running there’s always a chance of corruption. Besides 90% of what’s on your system is recoverable, so you should automate that part and backup what is not recoverable, i.e. personal documents. I use Borg, check out Pika or Vorta for some GUIs for it, and I use Borgbase for my remote, but you can also backup to some folder.

For the other two you need windows. Even if you managed to get vscode to compile and tested with wine, that’s not a guarantee that it will work on Windows. Same thing for excel, even if libre office had those features it’s not guaranteed that stuff that works there would work on excel.

If you need windows for work you need to find a way to have windows available, trying to circumvent this would be a source of pain.

I mean, he’s joking, but:

AMD Drivers: yeah, this one’s not a thing

Chrome: https://www.gnu.org/software/emacs/manual/html_node/emacs/EWW.html

Gmail: https://www.emacswiki.org/emacs/CategoryMail

Office 360: https://orgmode.org/

I-Tunes: https://www.emacswiki.org/emacs/itunes.el (although this one probably doesn’t work)

JBL: I have no idea what it is

Muse score: https://github.com/piercegwang/staff-mode

Anti-virus: I don’t know of any, but I wouldn’t be surprised if someone listed a plugin for checking files

PyCharm: This is the one he said to use Vim

Remote desktop: Emacs can natively open remote files or directories

Star citizen: obviously not

Steam: Obviously not, because it’s proprietary, I really wouldn’t be surprised if there’s a GOG plugin

VPN: https://github.com/anticomputer/ovpn-mode

There’s some truth to the joke that emacs is a very complete Operating system.

He said remote desktop to iOS not from iOS, that means he needs a client on his desktop to access the server on the phone. If it was android the answer is scrcpy but I’m not aware of any such tools for iOS (since I don’t own an iOS device).

AMD Drivers: if your GPU is new enough (which it probably is since you’re playing Star citizen) it should be just magic here since they come together with the kernel.

Chrome: it’s available for Linux, no need to switch. Although Firefox is very nice too.

Gmail: not sure what you mean, Gmail is a website, those are available on any platform. If you meant a desktop email client (which honestly I have never in my life used) there’s Thunderbird.

Office 360: Are you talking about Microsoft 365? Is that not a website too? In any case Libre office is a nice alternative to the classical Office desktop app too in case you want that.

I-Tunes: A quick search online reveals people use wine to run the Windows version of iTunes, although I would probably consider migrating. Spotify has a native client and there are some places where you can buy music and have it locally for playback.

JBL: not sure what this is other than a brand for speakers.

Anti-virus: You almost assuredly don’t need an anti-virus on Linux, as long as you install software through the proper channels (i.e. using the package manager) chances of virus are so small it’s not something to worry about. Most Linux anti-virus serve to check windows binaries in the system to avoid someone using the Linux machine to send virus to Windows users.

PyCharm: it’s available for Linux

Remote desktop to iOS: Not sure this is possible even on Windows, I use remmina for remote desktop, it supports several ways of connecting to the other device so maybe see if it works for you.

Star citizen: Never played it but it seems to be playable with Wine.

Steam: While steam is available not all games are compatible, check out https://www.protondb.com/ to see the status of any specific Steam game.

VPN: should be native on Linux, there’s a protocol caller OpenVPN which most VPN providers will give you a Config file for that you can use directly on the network applet on Linux.

PS: Next time share the list in text, it makes it easier to reply

First of all I agree with most of your a, b and c points, just would like to point out that while it’s true that Docker containers provide an extra level of security they’re not as closed down as people sometimes believe, but as a general rule I agree with everything you said.

But you’re wrong about the way Plex works, this is a quote from their documentation:

So, your Plex Media Server basically “relays” the media stream through our server so that your app can access it since the app can’t connect with your server directly.

If that’s not clear enough:

Your security and privacy is important to us. When you have enabled secure connections on your Plex Media Server, then your streaming will continue to be secure and encrypted even when using our Relay feature. (When using secure connections, the content is encrypted end-to-end and tunneled through our Relay. The connection is not terminated on our servers and only your Plex Media Server has the certificate.)

So it’s very clear data is streaming through their relay server, which goes back to my original point of I expect that to be a paid feature, it’s using bandwidth from their relay servers.

As for the security again you’re wrong, authentication happens on the Plex remote server, not on your local one, which is why you can’t use Plex without internet (part of my dislike for them). So you connect to Plex remote server and authenticate there, you then get a client that’s talking to the remote server, even if someone was able to bypass that login they would be inside a Plex owned server, not yours, they would need to then exploit whatever API exists between your home server and that one to jump to your machine, so it’s an extra jump needed, again similarly to having Authelia/Authentik in front of Jellyfin.

You are, authentication on the VPS, you’re relying on Jellyfin authentication against the internet. Correct me if I’m wrong, but this is your suggested setup: [home server] Jellyfin -> [remote server] Reverse Proxy -> [remote machine] users. Let’s imagine a scenario where Jellyfin has a bug that if you leave the password empty it logs you in (I know, it’s an exaggeration but just for the sake of argument, an SQL injection or other similar attacks would be more plausible but I’m trying to keep things simple), on your setup now anyone can log into your Jellyfin and from there it’s one jump to your home server. On Plex’s solution even if Plex authentication gets compromised the attacker only got access to the remote server, and would now need to find another vulnerability to jump to your Plex at home.

Putting something like Authelia/Authentik on a VPS in front of Jellyfin is a similar approach, but the Jellyfin client can’t handle third party authentication AFAIK

For remote streaming they do, here are their docs on it https://support.plex.tv/articles/216766168-accessing-a-server-through-relay/

From that documentation:

So, your Plex Media Server basically “relays” the media stream through our server so that your app can access it since the app can’t connect with your server directly.

No, the article only mentions the feature by name, the docs for the feature mentions the relay https://support.plex.tv/articles/216766168-accessing-a-server-through-relay/

Using a relay server to separate online from home connection

It’s not, not directly at least, and that’s what everyone is ignoring here. You probably understand the value on Authelia/Authentik but you’re failing to see that the Plex relay server is taking that same mantle here, so even if someone managed to compromise the relay server it’s still not on your home server, whereas exposing jellyfin directly to the internet only requires one service to be compromised.

In some way is different from directly, on Plex you’re behind a relay server so it’s akin to being behind a VPS running Authentik/Authelia in front of the service on your home. Compromising the relay server does not necessarily compromises your home server, so it’s not direct like putting Jellyfin on a reverse Proxy would be.

That exposes Jellyfin to the internet

That exposes Jellyfin to the internet, so it’s not the same feature

That exposes Jellyfin to the internet, so it’s my option 1.