TwinHaelix

My recollection is that Fail2Ban has some default settings, but is mostly reactionary in terms of blacklisting things that it observes trying to get in. Crowdsec behaves in a similar vein but, as the name implies, includes a lot of crowdsourced rules and preventative measures.

Now that you have a working setup, make a backup. Then, experiment with either starting over and only doing a few of the steps OR experiment with removing some of those parameters. Find your minimum set of working parameters this way, then you can look them up to find out more about what each parameter does that you discovered to be essential.

I can for sure tell you that passing the render device is required for hardware transcoding, but I'm not sure what else is required. The iommu and vfio parameters are related to passing the entire gpu device into a container, but I don't know anything about Proxmox so I can't comment on whether that would be required for your situation.

Same here! 10gb free is more than enough for the volumes I mount on my containers with config, etc

Arch on my home server, Zorin on my laptop

It is 100% the support. Corporations pay big money to have experts on call to fix things fast when they break, and there's basically no other player for that kind of model in the Linux space.