I'm trying to give my proxmox server some media library capabilities and struggling to get some of the details right.

My intent is to lock down file permissions as tightly as reasonably possible to prevent other issues down the road (such as accidental deletion of media or conflicts from jellyfin and Arr each trying to constantly fix the other's metadata). What I would like is for Arr suite to fetch and update metadata for media that I own across separate libraries for music, video, etc. To minimize crosstalk and user errors, I was thinking it would be nice to give Jellyfin read-only group access to each.

For example, lidarr unpriviliged LXC gets /data/music as lxc.mount.entry from the host, chowned as lidarr:lidarr. A separate Jellyfin unpriviliged LXC gets the same mount, and the jellyfin user is a member of group Lidarr. I would hope to replicate across other ARRs as well, for the same jellyfin instance. In my docker compose, I specified uid:gid corresponding to jellyfin:jellyfin.

In practice, this simply did not work. Jellyfin was not able to scan the library until I chowned the library to jellyfin:jellyfin - after which it worked immediately and my media started populating into the Jellyfin library, but it messed up things for my other LXCs, including lidarr and the samba share I use to manage files.

Do any of you have a setup similar to what I'm trying to achieve, or some insight into where I've gone wrong?

Does anyone know how to prevent unauthorized access to these services and their traffic on a local network?