Just to add some clarification. Client side encryption basically means that all of the content on the server is always encrypted (or at least it is once it’s been saved on a client using client side encryption).

The whole point is that the server is entirely unable to decrypt the data - there’s no possibility of some cached credentials being used to decrypt the data when you aren’t logged in, there’s no risk of accidental decryption keys being saved in log files. All the decryption takes place on the client and any bad actors would need to compromise your local PC to get access to your data.

Done right this is the best solution for what you are looking for.

This is one of the cases where there’s a real practical advantage to having a reverse proxy in front of your site/software. The proxy could be configured very easily to drop any access to that specific URL .

I’ve three rPi4 8Gb models running K3S with each node being both worker and control plane - works very well and I use keepalived and HAproxy to ensure the control plane remains available if any of the raspberry PIs need to reboot.

I’ve a Helios NAS running NFS for shared storage across all of the nodes.

It’s all reasonably low power but it has enough capacity to run a bunch of containers for media handling etcetera.