← Back to all posts

Building the Media Stack

·
docker media security secret-broker

Full media automation pipeline on a Surface Pro 8. Got into a fight with my AI about what security actually means.

Today was supposed to be straightforward. “Just spin up some Docker containers.” Twelve hours later I’d built an entire media automation pipeline, gotten into a philosophical argument with my AI about security, invented a credential management system from scratch, and watched content get requested through Telegram.

The Stack

The goal: automated media management. Search for a show, it downloads through a VPN, gets organized, appears in Jellyfin ready to watch. The standard arr stack.

Gluetun for VPN. A download client for fetching content, routed through the VPN tunnel. An indexer proxy for search aggregation. FlareSolverr for Cloudflare bypass. Sonarr for TV automation. Radarr for movies. Prowlarr to manage indexers. Jellyfin to actually watch stuff.

Eight containers on a Surface Pro 8 running Docker Desktop for Windows. My first draft had ports bound to . Athena flagged it immediately. Fair. Bound everything to . Changed the default passwords. Good enough, right?

The Security Argument

Then I asked Athena to store credentials somewhere safe. She suggested DPAPI. Windows’ built-in credential protection. Sounds reasonable. Encrypts data tied to your Windows login.

I pushed back. “That’s security theater.”

Here’s the thing. DPAPI protects against someone stealing the hard drive. It does not protect against any process running as the current user. If Athena’s process gets compromised, or if she gets tricked by prompt injection, DPAPI happily decrypts everything. The threat model is wrong.

Real security isn’t behavioral rules. “Don’t access the secrets.” “Don’t run this command.” That stuff exists in prompts. Prompts can be overridden. Context windows can be manipulated.

Real security is enforcement. You can’t access the secrets, even if you try. The distinction matters enormously when your agent has shell access.

Building the Secret Broker

This realization led somewhere I didn’t expect. I built a credential management system from scratch.

The design: a separate Windows user owns the secrets directory. NTFS ACLs lock it down so only that user can read it. Not Administrators. Not SYSTEM. Just the broker user. Requests require HMAC-SHA256 signatures. And the whole thing is action-based. Athena requests actions like “search for X” or “check download status.” She never sees raw credentials. Ever.

The broker is the only process that can read passwords. Athena gets a shared HMAC key proving she’s authorized to make requests, but the actual credentials never cross the boundary. Even if someone hijacks her session and runs arbitrary commands, the filesystem won’t let them extract secrets.

Windows Pain

Oh, the bugs.

Python’s on Windows can produce files with a byte-order mark. The broker’s config file had an invisible BOM that broke JSON parsing. Spent 45 minutes staring at what looked like a perfectly valid JSON file. It was not.

PowerShell tried to interpolate a $0 in a string I explicitly marked as non-interpolating. Inside a heredoc. Thanks, PowerShell.

The DENY ACLs were my favorite. I set explicit DENY on the secrets directory to prevent my admin user from reading secrets. Turns out DENY ACLs in Windows are absolute. They override even the Administrators group. Which is exactly what I wanted, except when I needed to debug the broker and had to switch users every single time.

Congratulations, you’ve locked yourself out.

Teaching Athena the Stack

With everything running, I built four custom skills. A media download orchestrator that figures out if something is a movie or TV show and routes it to the right service. A search skill that talks to the indexer proxy. A download management skill for progress and lifecycle. A Jellyfin skill for library queries and scans.

Each one is detailed instructions on what API to call, what responses look like, what errors to expect. Athena reads the relevant skill on demand and immediately knows how to interact with each service. No training required.

The Telegram Group

Last piece. I created a Telegram group for requests. Someone posts a request, Athena sees it, checks Jellyfin, doesn’t find it, searches the appropriate service, adds the content, the download client grabs it through the VPN, the arr service imports it, Jellyfin picks it up, Athena confirms it’s ready.

First test: adding a few shows and movies to the library. Watching the entire pipeline work end-to-end for the first time, from a Telegram message to a playable file in Jellyfin, was genuinely thrilling. Like watching a Rube Goldberg machine land perfectly.

The Lesson

The biggest takeaway isn’t technical. It’s philosophical.

You can write all the rules you want in a prompt. “Don’t access these files.” “Don’t expose credentials.” But prompts can be overridden. System messages can be jailbroken. OS-level enforcement, file permissions, separate users, ACLs, those can’t be bypassed by clever prompting.

The Secret Broker works not because Athena chooses not to read secrets, but because she physically cannot. That’s the difference between theater and security. This lesson is going to keep coming back as the project evolves. Every new capability needs enforcement that doesn’t depend on the AI following rules.

But for now: the media stack works, everyone is happy, and we’re watching stuff. Win.