IPv6 support for docker

Works for all containers

Major downside is that all ipv6 adresses are logged as fd00::1

roles/matrix-base/defaults/main.yml

@@ -76,6 +76,8 @@ matrix_host_command_fusermount: "/usr/bin/env fusermount"
 matrix_host_command_openssl: "/usr/bin/env openssl"
 matrix_host_command_systemctl: "/usr/bin/env systemctl"
 matrix_host_command_sh: "/usr/bin/env sh"
+matrix_host_command_iptables: "/usr/bin/env iptables"
+matrix_host_command_ip6tables: "/usr/bin/env ip6tables"
 
 matrix_ntpd_package: "ntp"
 matrix_ntpd_service: "{{ 'ntpd' if ansible_os_family == 'RedHat' or ansible_distribution == 'Archlinux' else 'ntp' }}"
@@ -115,6 +117,9 @@ matrix_client_element_e2ee_secure_backup_setup_methods: []
 # The Docker network that all services would be put into
 matrix_docker_network: "matrix"
 
+# Controls whether we'll enable IPv6 in docker
+matrix_docker_ipv6_enabled: true
+
 # Controls whether we'll preserve the vars.yml file on the Matrix server.
 # If you have a differently organized inventory, you may wish to disable this feature,
 # or to repoint `matrix_vars_yml_snapshotting_src` to the file you'd like to preserve.

roles/matrix-base/tasks/server_base/docker_ipv6.yml

@@ -0,0 +1,47 @@
+---
+
+- block:
+  - name: Ensure matrix-ip6tables.service exists
+    template:
+      src: "{{ role_path }}/templates/{{ item }}.j2"
+      dest: "{{ matrix_systemd_path }}/{{ item }}"
+      owner: "root"
+      group: "root"
+      mode: 0644
+    with_items:
+      - matrix-ip6tables.service
+    register: matrix_ip6tables_systemd_service_result
+
+  - name: Ensure systemd reloaded after matrix-ip6tables.service installation
+    service:
+      daemon_reload: yes
+    when: "matrix_ip6tables_systemd_service_result.changed"
+  
+  - name: Ensure matrix-ip6tables.service is started and autoruns
+    service:
+      name: matrix-ip6tables
+      state: started
+      enabled: yes
+
+  when: "matrix_docker_ipv6_enabled|bool"
+
+
+- block:
+  - name: Check existence of matrix-ip6tables service
+    stat:
+      path: "{{ matrix_systemd_path }}/matrix-ip6tables.service"
+    register: matrix_ip6tables_service_stat
+  
+  - name: Ensure matrix-ip6tables.service doesn't exist
+    file:
+      path: "{{ matrix_systemd_path }}/matrix-ip6tables.service"
+      state: absent
+    when: "matrix_ip6tables_service_stat.stat.exists"
+  
+  - name: Ensure systemd reloaded after matrix-ip6tables.service removal
+    service:
+      daemon_reload: yes
+    when: "matrix_ip6tables_service_stat.stat.exists"
+    
+  when: "not matrix_docker_ipv6_enabled|bool"
+

roles/matrix-base/tasks/server_base/setup.yml

@@ -27,6 +27,8 @@
 - include_tasks: "{{ role_path }}/tasks/server_base/setup_archlinux.yml"
   when: ansible_distribution == 'Archlinux'
 
+- include_tasks: "{{ role_path }}/tasks/server_base/docker_ipv6.yml"
+
 - name: Ensure Docker is started and autoruns
   service:
     name: docker

roles/matrix-base/tasks/setup_matrix_base.yml

@@ -23,6 +23,10 @@
   docker_network:
     name: "{{ matrix_docker_network }}"
     driver: bridge
+    enable_ipv6: " {{ matrix_docker_ipv6_enabled|bool }}"
+    ipam_config:
+      - subnet: "fd00::/80"
+  register: matrix_docker_network_info
 
 - name: Ensure matrix-remove-all script created
   template:

roles/matrix-base/templates/matrix-ip6tables.service.j2

@@ -0,0 +1,16 @@
+#jinja2: lstrip_blocks: "True"
+[Unit]
+Description=Matrix ip6tables rule to enable IPv6 internet access from containers
+DefaultDependencies=no
+
+[Service]
+Type=oneshot
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
+
+ExecStart={{ matrix_host_command_ip6tables }} -t nat -A POSTROUTING -s fd00::/80 ! -o docker0 -j MASQUERADE
+ExecStart={{ matrix_host_command_ip6tables }} -P FORWARD ACCEPT
+
+SyslogIdentifier=matrix-ip6tables
+
+[Install]
+WantedBy=multi-user.target