fix(homelab)!: use traefik middleware to restrict WAN access

nix/homelab/scripts/generate-chains.sh

@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+
+set -e
+
+NAMESPACES=(
+  "home"
+  "longhorn-system"
+  "pihole-system"
+)
+
+OUTPUT_FILE="kustomize/traefik/chains.yaml"
+
+> "$OUTPUT_FILE"
+
+for i in "${!NAMESPACES[@]}"; do
+  ns="${NAMESPACES[$i]}"
+  
+  if [[ $i -gt 0 ]]; then
+    echo "---" >> "$OUTPUT_FILE"
+  fi
+  
+  cat >> "$OUTPUT_FILE" <<EOF
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: private-networks 
+  namespace: ${ns}
+spec:
+  chain:
+    middlewares:
+      - name: private-networks
+        namespace: kube-system
+EOF
+done
+
+echo "Generated $OUTPUT_FILE with ${#NAMESPACES[@]} namespace chains"

nix/homelab/scripts/generate-restore-job.sh

@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+set -e
+
+if [ "$#" -ne 2 ]; then
+  echo "Usage: $0 <server_name> <backup_file>" >&2
+  exit 1
+fi
+
+SERVER_NAME="$1"
+BACKUP_FILE="$2"
+
+cd kustomize
+
+kubectl scale deployment minecraft-$SERVER_NAME --replicas 0
+
+sed -e "s/{{SERVER_NAME}}/$SERVER_NAME/g" \
+    -e "s/{{BACKUP_FILE}}/$BACKUP_FILE/g" \
+    restore-job.yaml | kubectl apply -f -
+
+cd -

nix/homelab/scripts/update-node.sh

@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+set -e
+
+HOST="$1"
+if [ -z "$HOST" ]; then
+    echo "Usage: $0 <ip-or-hostname>"
+    exit 1
+fi
+
+ssh "$HOST" "cd ~/dotfiles && git pull && sudo nixos-rebuild switch --flake ~/dotfiles/nix/homelab --impure"