Merge pull request #65 from privacyint/v6_only

EdGeraghty · web-flow · commit 29dd70d5f01f · 2025-11-26T11:49:55.000Z
Add an IPv6-only mode, defaulted off
diff --git a/scripts/container-entrypoint.sh b/scripts/container-entrypoint.sh
@@ -160,6 +160,23 @@ validate_extra_records() {
     fi
 }
 
+#######################################
+# Validate IP address settings
+#######################################
+check_ip_address_settings() {
+	check_env_var_or_set_default "IP_ALLOCATION" "${headscale_ip_allocation_default}" "^(sequential|random)$" "Invalid 'IP_ALLOCATION'. Must be either 'sequential' (default) or 'random'."
+	check_env_var_or_set_default "IPV6_ONLY" "${headscale_ipv6_only_default}" "^(true|false)$" "Invalid 'IPV6_ONLY'. Must be 'true' or 'false'."
+	check_env_var_or_set_default "IPV4_PREFIX" "${headscale_ipv4_prefix_default}"
+	check_env_var_or_set_default "IPV6_PREFIX" "${headscale_ipv6_prefix_default}"
+
+	if [[ "${IPV6_ONLY}" == "true" ]]; then
+		export IP_PREFIXES="v6: ${IPV6_PREFIX}"
+	else
+		export IP_PREFIXES="v4: ${IPV4_PREFIX}
+  v6: ${IPV6_PREFIX}"
+	fi
+}
+
 #######################################
 # Perform all Headscale environment variable checks
 #######################################
@@ -170,10 +187,8 @@ check_headscale_environment_vars() {
 	check_litestream_replica_url
 	validate_oidc_settings
 	validate_extra_records
+	check_ip_address_settings
 	check_env_var_or_set_default "HEADSCALE_OVERRIDE_LOCAL_DNS" "true" "^(true|false)$" "Invalid 'HEADSCALE_OVERRIDE_LOCAL_DNS'. Must be 'true' (default) or 'false'."
-	check_env_var_or_set_default "IP_ALLOCATION" "${headscale_ip_allocation_default}" "^(sequential|random)$" "Invalid 'IP_ALLOCATION'. Must be either 'sequential' (default) or 'random'."
-	check_env_var_or_set_default "IPV4_PREFIX" "${headscale_ipv4_prefix_default}"
-	check_env_var_or_set_default "IPV6_PREFIX" "${headscale_ipv6_prefix_default}"
 	check_env_var_or_set_default "MAGIC_DNS" "${headscale_magic_dns_default}" "^(true|false)$" "Invalid 'MAGIC_DNS'. Must be 'true' or 'false'."
 	require_env_var "PUBLIC_SERVER_URL"
 	require_env_var "HEADSCALE_DNS_BASE_DOMAIN"
@@ -193,8 +208,7 @@ create_headscale_config() {
         "HEADSCALE_DNS_BASE_DOMAIN"
         "HEADSCALE_OVERRIDE_LOCAL_DNS"
         "MAGIC_DNS"
-        "IPV6_PREFIX"
-        "IPV4_PREFIX"
+        "IP_PREFIXES"
         "IP_ALLOCATION"
         "HEADSCALE_EXTRA_RECORDS_PATH"
     )
@@ -437,7 +451,11 @@ display_configuration_summary() {
 	log_feature_status "Magic DNS" "${MAGIC_DNS}"
 
 	log_info "IP Allocation: ${IP_ALLOCATION}"
-	log_info "IPv4 Prefix: ${IPV4_PREFIX}"
+	if [[ "${IPV6_ONLY}" == "true" ]]; then
+		log_feature_status "IPv6 Only" true ""
+	else
+		log_info "IPv4 Prefix: ${IPV4_PREFIX}"
+	fi
 	log_info "IPv6 Prefix: ${IPV6_PREFIX}"
 
 	if env_var_is_defined "HEADSCALE_OIDC_ISSUER"; then
diff --git a/scripts/defaults.sh b/scripts/defaults.sh
@@ -4,6 +4,7 @@ public_listen_port_default=443
 
 headscale_extra_records_path_default="/data/headscale/extra-records.json"
 headscale_magic_dns_default="true"
+headscale_ipv6_only_default="false"
 headscale_ipv6_prefix_default="fd7a:115c:a1e0::/48"
 headscale_ipv4_prefix_default="100.64.0.0/10"
 headscale_ip_allocation_default="sequential"
diff --git a/templates/headscale.template.yaml b/templates/headscale.template.yaml
@@ -56,13 +56,12 @@ noise:
 # IPv4: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#L33
 # Any other range is NOT supported, and it will cause unexpected issues.
 prefixes:
-  v6: $IPV6_PREFIX
-  v4: $IPV4_PREFIX
+  $IP_PREFIXES
 
-  # Strategy used for allocation of IPs to nodes, available options:
-  # - sequential (default): assigns the next free IP from the previous given IP.
-  # - random: assigns the next free IP from a pseudo-random IP generator (crypto/rand).
-  allocation: $IP_ALLOCATION
+# Strategy used for allocation of IPs to nodes, available options:
+# - sequential (default): assigns the next free IP from the previous given IP.
+# - random: assigns the next free IP from a pseudo-random IP generator (crypto/rand).
+allocation: $IP_ALLOCATION
 
 # DERP is a relay system that Tailscale uses when a direct
 # connection cannot be established.
diff --git a/templates/secrets.template.env b/templates/secrets.template.env
@@ -24,6 +24,9 @@ HEADSCALE_DNS_BASE_DOMAIN=CHANGEME
 # IPV6_PREFIX="fd7a:115c:a1e0::/48"
 # IPV4_PREFIX="100.64.0.0/10"
 
+# Enable IPv6-only mode (disables IPv4 prefix allocation)
+# IPV6_ONLY=false
+
 # The following one can be set after first deployment
 # If not, it will require all Tailscale clients to restart on every deploy
 # HEADSCALE_NOISE_PRIVATE_KEY=CHANGEME
