I have some beginner questions, for example: if I have the arr stack running in docker with a vpn, can I browse the internet non-anonymously on that same machine without compromising identifying details, assuming qbittorrent is configured to only move traffic through a VPN? (I’m wondering if I need a dedicated piece of hardware to run everything safely)
The answer to this question is you can setup a docker system (or podman) so that all the traffic in that pod (don’t know the docker term for this) will route through the vpn. A good image to accomplish this easily and successfully is gluetun – and it will only affect the traffic in the containers, not the rest of your computer.
Personally, my setup is much more like yours and it works fine for me, except I use a VM. So all the activity gets confined to the VM and that makes a bit idiot-proof. Using automatic management in the torrent client, completed torrents get put in the correct directory. You could combine this with Jellyfin if you desired.
My own problem with Jellyfin is if I ever use it for anything I want direct playback on all relevant devices, because my computer is not good enough for transcoding (and why waste the energy and time on on-demand transcoding, anyway?) so it requires some massaging of the data to get everything right. I only use it infrequently, practically on-demand. I don’t use Jellyfin for myself.
The VM is Debian Linux with a basic XFCE UI (for a system tray + notification widget) via QEMU/KVM which I run through virt-manager. Most unnecessary packages are removed or not installed in the first place. This is so that I can browse the sites, again, in a fool-proof manner. I share a directory from my host OS to the VM, which mounts it on boot in the fstab. This prevents me from downloading into the guest VM’s disk image and having to keep dealing with that file getting overly big. In the past I’ve done a Samba share but recently I’ve just been using direct shared memory/filesystem and that seems to work OK, too.
As a bonus to this setup, I can use Microsocks in the VM to also proxy a profile in Firefox to get VPN coverage in a specific Firefox profile. I use this when watching on streaming sites instead of trying to watch within the VM, since there is considerable overhead to doing that.
And that’s it, really. My VPN killswitches the VM if it ever experiences a connection interruption. And Qbittorrent is set up to use the VPN interface, as well. I use the aforementioned automatic torrents management feature to sort things when they’re done downloading.
I should state that there are some obvious downsides to this setup. The first is now I have to overcommit disk space and RAM to keep and run a guest VM. You want enough to be able to run updates and the software in the VM without running into a wall. The second is that there does seem to be a CPU penalty when downloading files (maybe it’s because of the way I’m sharing the downloads directory into the VM with virtiofs?)