You probably need to realise that this is advanced self-hosting here.
I might suggest you start off with something a bit simpler.
Run an application, do DNS, point Nginx to it, get certbot and follow the instructions on their site to implement it. Read logs. Update stuff. Break stuff.
You need to build up to it, because authentication is a compilation of 5-6 different basic tasks that you need to be across. And if you mess up any of them, it won’t work and you need to work out why.
Simplest would be Authelia and Swag.
Swag comes with prewritten config files and all you really need to do is uncomment a few lines and make sure it’s pointed to your service.
Linuxserver.io guides are good for this.
I ended up landing on Keycloak and I believe I set mine up using the Ansible script; again, it’s a matter of plugging in some details.
This has been exceptionally done to death on Reddit but I’ll say it here since Reddit is dead.
Authentication -
If what you’re looking for is a login front end, you could check out Papermerge. Personally, I’ve got Keycloak and Nginx running, so I can just make my own login page anyway and put Paperless behind it.
Stuff with sensitive documents should probably not be on the internet anyway unless you’re a really advanced user.
Encryption -
In-app encryption offers no security because the encryption key is stored in RAM and likely a database entry that must be unencrypted.
So the devs are 100% correct in stating that it gives people a false sense of security to offer it as a feature.
Best bet is to have an encrypted filesystem or alternative encrypted storage, buuuut also understand that the encryption key is also stored in RAM.
TLDR: There is no point in devs offering in-app encryption when you should already be encrypting the filesystem.
There’s absolutely zero way that is going to get pulled into the actual Jellyfin project, hence a fork is unnecessary.
It’s unreasonable to take responsibility for apps a user runs on their server.
But when you all of a sudden see a heap of Plex IP addresses hitting your provider with mass media sharing rings, you’ve got problems.
Jellyfin, however, is just serving HTTP/S. That’s it. You can’t ban Nginx or Apache.
The framework is called AdminLTE; it’s Bootstrap.