Recommendations for preferred virtualization type for specific use-case?

[IDtheTarget]

Hello!

I am building a new home server, and I want it to perform several duties:

• First and foremost, I want it to be a NAS. I will be storing raw MKV rips of DVD and BluRay that I purchase, as well as music and family photos and documents.
• Second, I want to host a media server that can live-transcode my media to my Roku boxes and my Android tablet, all on my home network. I selected a CPU with QuickSync that I'll want to pass into the media server (build is listed at the bottom).

Requirements for the media server:

1. It needs to be able to see the QuickSync capabilities of the CPU so that it can transcode 4k video in real time.
2. It needs to be easily updated. If there's a security patch released in either Plex or Jellyfin (whichever I settle on), I want to be able to immediately update the media server. When I was running Plex in a jail on FreeNAS 11, it was almost impossible to keep the Plex instance updated.
3. And obviously, it needs to be able to see the media, but I think I get the options there.

Please understand that my experience with virtualization is pretty much VMWare esxi, VMWare Workstation, and some work with FreeNAS jails that I don't remember much of. I haven't worked with kubernetes, docker, or KVM. I've been reading the docs on www.truenas.com/docs/scale, but there are confusing sections and some things aren't clear.

I haven't decided yet whether to run Plex or Jellyfin, for reasons that don't belong here. As I understand it, the following are my options:

1. I can install an "App", which I *think* is really a Docker image?
   1. Pro: an "App" can apparently access my media library in the pool, even if it's in a separate dataset (again, I think. it's not clear from the TrueNAS documentation on datasets).
   2. Pro: As I understand it, I can easily pass-through the Quicksync feature to Plex (official) or jellyfin (truecharts)
   3. Con: If apps are docker containers, it restricts me from updating the media server. I can't download patches, I have to wait for the app maintainer to update the container, then update TrueNAS and the container.
2. I can install a KVM VM.
   1. Pro: as soon as the media server developer (either plex or jellyfin) releases an update, I can update the media server itself, apart from the TrueNAS host OS.
   2. Con: I read somewhere (though I can't find it again) that I will have to create a virtual CPU with the features I want to pass through to the VM.
   3. Con: I believe I'll have to set up SMB shares for my media, create user accounts and then grant access to those accounts on the KVM.
   4. Con: I have to ensure that I keep the OS on the KVM up to date as a separate task than keeping the TrueNAS host up to date (though these days, most OSs have an auto-update feature).

So, #1 seems easier, but less secure as there's got to be lag between when plex or jellyfin releases an update and when the container maintainer applies that patch and then it's picked up by the container repository. #2 seems more secure, but more work, both initially and as an ongoing set of tasks.

Any recommendations?

Thanks!

If you're interested, I'm putting a Xeon E-2356g on a SuperMicro X12STH-LN4F with 64GB of UDIMM RAM with 8 - 14TB Seagate Exos X16 drives in a RaidZ2, all housed in a Fractal Design Node 804. Powered by a Seasonic FOCUS PX-750. I haven't started building it yet, the last of the parts is arriving today.