I am not sure what you are trying to achieve here. Why the emphasis on security? Most people use a HTPC within their own private LAN and security is not usually a major consideration. Virtualisation seems an unnecessary complication. I am a believer in KISS.
While a valid viewpoint, it is not a universal viewpoint. Depends on the use model. I suppose I can shed some light on it so at least my intended goals are clear.
Eventually I hope to run a secure server on the Internet and access it for remote playback through MythTV or Kodi or whatever is required. I want to share it with relatives and friends and that means I have to learn basically everything there is to know about securing a server for casual use. I also want remote access routed via a high-performance OTF transcoding proxy to insulate it from direct attack and keep the bandwidth manageable. Basically I want Xfinity-style remote access to all my media without having to rely on anything but open source software, mostly obsolete hardware, and a reasonable data link speed. Why? Primarily because I am bored and this stuff is interesting to me, but also because I would rather do it all myself and understand what is involved to keep it running than just pay a subscription fee and spend months on hold when it crashes, or when I am overbilled for something I did not intentionally subscribe to.
Security emphasis is combination learning experience and future-proofing my skillset. Never done a secured system install. Never even did a Linux/posix install until a couple of years ago. I suppose that knowing the difference between a file allocation table and a password list and a disc quota is a prerequisite to any future IT-related position I may be interested in, and my current situation does not afford me any such learning opportunities anywhere but in my home. I am wandering far out of my specialization (such as it is).
Also, security is in the news with revelations of multi-state-sponsored spying on private citizens via advanced firmware infiltration of hard disks, USB sticks, BIOS, phone, boot sector etc. and I guess I am just not as sanguine about the panopticon as some. The current tech situation literally frightens me when I learn that the microphone and camera and GPS on my portable phone can be activated at any time by an appropriately skilled attacker if the battery is in.
To me the whole situation is like being a sheep in a flock surrounded by hungry wolves. Safety in numbers only works if A) you happen to be solidly hidden from view by row upon row of sacrificial lambs and B) the wolf population is under control. These days attackers can single us out at will with no problem and the number of threats is multiplying daily. I would rather trade in my wool for porcupine spines than just sit idly by grazing and waiting to be served for lunch.
Figured I would get ahead of the curve and see if I can learn how to secure a system from the ground up to the point where I can at least possibly detect if I have been hacked. I can access all the applications I need to do this for free with open source Linux tools. Only investment is my time.
Secure log-in and virtualized sandboxing of the Internet browser is a minimum level of security for in-home server/HTPC under the assumption that my router firewall is no defense against a router or wireless hack that is known to exist for many consumer access points or commercial routers, and could conceivably be created in days by people way smarter than me, if it does not exist already for my hardware. Separating the server from the HTPC is simply a matter of disconnecting the server HDMI from the Onkyo receiver. The home network has to be Internet capable for streaming so no matter what I do the server is exposed. I figure I should at least understand how to add some form of firewall that will protect my server data. Running NFS with root access is a really bad idea and I still have no clue how to do it any other way.
The most disturbing part of the recent revelations is that for every state-sponsored attack on a target, there are thousands of wannabe hackers and script kiddies just waiting for an opportunity to wipe my server or turn it into a spambot and now they have a somewhat comprehensive blueprint of how to do it courtesy of the US NSA. Plain fact of the matter is this tech is vulnerable right down to the microcontrollers and if we do nothing at all beyond antivirus scans we are all sitting ducks waiting for a shotgun blast whenever someone with evil intent takes an interest in us.
I already lost two CRT monitors to viruses that scrambled the video sync signals in the early 2000s and burned them out plus had to reinstall Windows every year for ten years due to rootkits and registry corruption until I finally stopped using MS entirely. If I can run Netflix and Amazon from Kodi that is great but as far as I know, current version of Flash is required for Xfinity and Adobe stopped supporting Flash on Linux years ago. Virtualization of Windows is only option for Flash that I know of unless I multi-boot and then I have to do the whole Windows antivirus thing that will cost me more money and grind my Core2 HTPC to a standstill. Rather just re-install a virtualized image if it gets corrupted and avoid all the reboots to watch Xfinity.
Ubuntu install is the first OS I have been able to keep running for years on end with only a reboot when I upgrade the kernel. I like it.
Not looking forward to waking up to a blank server after investing all this time transferring my discs onto it. RAID is only a first step. Backup is impossible with the data size I am using so I am also using script to automatically lock down data directories with access control permissions that require manual root commands to alter anything at all, just in case I fall asleep on the delete key some evening. Disabling Unity lens ad/spyware, browser plugins to remove tracking cookies and LSOs and disable Javascript until I manually let a site run it, WOT, OpenDNS etc. are all good ways to secure a system but ultimately such bandaids may be worthless if the system is not secure installation by design too.
Some of my source discs are already unrecoverably damaged plus lots of analog recordings that I digitized over a period of years including vinyl, VHS, cassette, and reel to reel, some that is now unplayable and the playback devices failed and trashed. I have also lost some material that I created myself when discs crashed or got lost. If I want to keep my data in perpetuity I am going to have to defend it.
I guess I am just the kind of person who reflexively cringes inside when informed that multiple national governments plus untold hackers have the tools to walk in through my router and pull my data any time they want to. I have some brains and some time and wasting it on Linux security has at least the potential to secure me an IT job in the future if nothing else plus the frustration is a great cure for boredom.
Now that my system is running I want to learn how to drive it properly, that is all. Not planning on having a secure server as my home theater PC indefinitely, rather hoping some day to have very simple setup that I can re-image any time off whole disc backup file from a separate secure server, but as long as my file server, HTPC, Internet browser, and main LCD display all connect directly to my Onkyo receiver, I pretty much have no choice but to integrate it all in one.
I know I am overthinking all this and it is doomed to fail at least once but I would rather try and fail than never try at all. If I gave up easily I would have quit at GPT on legacy BIOS and hardware video decoding. The learning curve on those two was painful enough to deter any less persistent person. Doing it all on a shoestring is sort of my Slack solution to boredom.
You might like to know that kodi can run as a frontend to mythtv. I have a mythtv backend machine in a cupboard, and four small kodi machines running kodi as frontends. I prefer kodi because most of the use is playing ripped DVD/Bluray material rather than recorded TV, and kodi is so much nicer than mythfrontend for that (IMHO). Kodi also has a huge number of addons, including youtube, vimeo, netflix.
Happy to help more if I can.
Regards, Nick.
Thanks for that info and offer of help. I just hope you never regret that offer!
So is the Kodi frontend going to directly access the MythTV MySQL database, or is it going to run through a web browser interface instead? Is it capable of running the recording scheduler etc? What native MythTV functionality is lost in Kodi?
Better yet, is there a link describing this capability? (on Kodi web site of course, isn't it?)
Gotta run, thanks for the info and I will get back to you once I progress past the current roadblock (backing up/migrating MythTV database on old server drives to latest Ubuntu LTS backend).
Regarding 7.1 audio it seems the only way is through Kodi so I will definitely be exploring that, and thanks again for the info.