Linux How to harden a Jellyfin Server

I have installed Jellyfin on a spare Ubuntu 22.04 machine. Thinking of sharing access with a couple of relatives living abroad. What are the best practices to keep my devices and home network safe? It will not be running 24x7, sharing access only when required / requested.

I have Tailscale. People at the other end are not comfortable with Tailscale like setup though. They will mostly install Jellyfin on their TV and continue using as it is a YouTube app.
Will list a few approaches here
1. Use Zerotier instead of Tailsacle since it's just a matter of the relatives joining the network string through their client devices instead of the usual Google auth/SSO.
2. You can setup a VPS on nearest cloud provider and port forward only the 8089 port using ssh tunneling.
3. Get static/public IP from your ISP and host your server with decent firewall rules.
4. VPS with a Wireguard tunnel and Nginx reverse proxy for LetsEncrypt SSL cert for your domain is a complicated but doable solution too.

On a side note if the sharing is with people abroad/far routing is always going to be an issue.
So no matter your home-server and client bandwidth the actual throughput is going to be fluctuate with high and variable latency.

For security
1. If possible use separate VLANS for the the exposed server and rest of your network.
2. Use unprivileged containers or services when deploying the server.
3. If you plan to use VPS use firewall rules to limit access based on country, IP ranges etc.
4. Session limit your users.
5. Monitor logs for abnormal stuff.