I'd use raspberry pi v4 boxes and a tiny OS specifically created for the system. No way would I run a full desktop. Don't make it easy for the crackers.
mpv for video playback. Plenty of controls.
For management, the safest way would be to swap in a new microSD card with OS updates and new data, but if you must have it networked, I'd use ssh-only with keys (never passwords) and ansible. Install fail2ban if you are unwilling to lock down the firewall to prevent 99.999999999% of the internet from any access. Only allow your management IPs access, not the world. Budget for new microSD media every year, though it won't be needed THAT often if you buy high endurance microSD storage. Expect to replace the Raspberry Pis every 3 yrs. budget for 1/3 every year to be safe.
But only you know the real requirements. I keep thinking of a huge sign in my metro area about 10 yrs ago showing an "inappropriate" image for about 5 hrs on one of the busiest streets here. They had poor security. A few years ago, the electronic speed-limit signs were cracked here too. Again, poor security.
Bookmarks