Clearly you know of lot about this.

Nah, that is the problem. It all got so dynamic and easy I don’t really know how the hundreds of active modules on my desktop are loaded, why or in what order anymore. The days when I could list a handful of modules to load at boot are long gone I think unless its an embedded device or perhaps a simple server.

Setting modules_disabled might be viable for a relatively static system. I have seen that one when looking at hardening servers in the past but thought it was a bit extreme. Perhaps not.

In the 90s I compiled all my kernels at home from source with just the drivers I needed. Only installed the packages I needed. Only enabled the services I needed. The Unix way. When the kernel added modules I was still only compiling a subset and generally loading them manually.

Obviously that doesn’t work for most users and distros sensibly started shipping with modules compiled for practically every need. Usually when I view distro security alerts they are for packages I don’t install. But I have all these damn kernel modules just waiting to automatically load. I know I can blacklist them individually but I wonder if there is a way to profile the modules I use and use a deny all/whitelist approach instead?

I always used my retired PCs and parts but then my kids all wanted gaming rigs so spare PCs and parts do not exist in my world anymore and they tended to be too big, noisy and inefficient.

I would go for used ex-corporate desktop mini PCs from the likes of Dell, HP, Lenovo. Perhaps don’t go for the smallest ones if you want to be able to get into them and add stuff. They tend to have reasonably good idle power and noise and its common to find ones supporting two nvme ssds. Intel cpu with quicksync for jellyfin video decode if you aren’t adding discrete gpu - check supported codecs. Codec support varies across generations I think.

I would stay well away from laptops: bad thermals, power limits, limited expandability and SBCs like RPi which have poor io for servers.

I picked up an old HP Elitedesk off ebay a few years ago. I added a few TB of SSD and another stick of DDR4 when that stuff was cheap. It supports two nvme ssds as well as space for sata drives. Apart from media storage I can’t see any compelling reason to want to upgrade it.