From 0de1b76da763acaf7535a6088c79ba43c0d4eea5 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Fri, 21 Feb 2025 18:34:39 +0200
Subject: [PATCH] Upgrade systemd_docker_base (v1.3.0-0 -> v1.4.0-0) and make use of the new `devture_systemd_docker_base_ipv6_daemon_options_changing_enabled` variable
---
 CHANGELOG.md | 32 ++++++++++++++++++++++++++++++++
 group_vars/matrix_servers | 23 ++++++++++++-----------
 requirements.yml | 2 +-
 3 files changed, 45 insertions(+), 12 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index cd3cd5735..d02bbc69c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,37 @@
 # 2025-02-21
+## Docker daemon options are no longer adjusted when IPv6 is enabled
+
+We landed [initial IPv6 support](#initial-work-on-ipv6-support) in the past via a `devture_systemd_docker_base_ipv6_enabled` variable that one had to toggle to `true`.
+
+This variable did **2 different things at once**:
+
+- ensured that container networks were created with IPv6 being enabled
+- adjusted the Docker daemon's configuration to set `experimental: true` and `ip6tables: true` (a necessary prerequisite for creating IPv6-enabled networks)
+
+Since Docker 27.0.1's [changes to how it handles IPv6](https://docs.docker.com/engine/release-notes/27/#ipv6), **adjusting the Docker daemon's configuration is no longer necessary**, because:
+- `ip6tables` defaults to `true` for everyone
+- `ip6tables` is out of the experimental phase, so `experimental` is no longer necessary
+
+In light of this, we're introducing a new variable (`devture_systemd_docker_base_ipv6_daemon_options_changing_enabled`) for controlling if IPv6 should be force-enabled in the Docker daemon's configuration options.
+Since most people should be on a modern enough Docker daemon version which doesn't require such changes, this variable defaults to `false`.
+
+This change affects you like this:
+
+- ✅ if you're **not explicitly enabling IPv6** (via `devture_systemd_docker_base_ipv6_enabled` in your configuration): you're unaffected
+- ❓ if you're **explicitly enabling IPv6** (via `devture_systemd_docker_base_ipv6_enabled` in your configuration):
+ - ✅ .. and you're on a modern enough Docker version (which you most likely are): the playbook will no longer mess with your Docker daemon options. You're unaffected.
+ - 🔧 .. and you're on an old Docker version, you **are affected** and need to use the following configuration to restore the old behavior:
+
+ ```yml
+ # Force-enable IPv6 by changing the Docker daemon's options.
+ # This is necessary for Docker < 27.0.1, but not for newer versions.
+ devture_systemd_docker_base_ipv6_daemon_options_changing_enabled: true
+
+ # Request that individual container networks are created with IPv6 enabled.
+ devture_systemd_docker_base_ipv6_enabled: true
+ ```
+
 ## Support for bridging to Bluesky via mautrix-bluesky
 Thanks to [Zepmann](https://github.com/Zepmann), the playbook now supports bridging to [Bluesky](https://bsky.app/) via [mautrix-bluesky](https://github.com/mautrix/bluesky).
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index 832fe5df7..89b5253b3 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -21,17 +21,18 @@ matrix_playbook_docker_installation_enabled: true
 matrix_playbook_docker_installation_daemon_options: "{{ matrix_playbook_docker_installation_daemon_options_auto | combine(matrix_playbook_docker_installation_daemon_options_custom, recursive=True) }}"
-matrix_playbook_docker_installation_daemon_options_auto:
- # Since Docker 27.0.1:
- # - `experimental` is no longer required to enable `ip6tables`
- # - `ip6tables` defaults to enabled
- #
- # See: https://docs.docker.com/engine/release-notes/27/#ipv6
- #
- # Still, we intend to keep these around a while longer to benefit people who are still on older versions.
- # In the future, we won't be specifying any of these options by default.
- experimental: "{{ devture_systemd_docker_base_ipv6_enabled }}"
- ip6tables: "{{ devture_systemd_docker_base_ipv6_enabled }}"
+# Since Docker 27.0.1, Docker daemon options do not need to be changed to enable IPv6 support on the daemon side.
+# See: https://docs.docker.com/engine/release-notes/27/#ipv6
+# We only enable `ip6tables` and `experimental` for people who explicitly request it (perhaps due to running an old Docker version).
+#
+# Despite IPv6-enablement at the Docker level being a thing, for IPv6 to work for containers
+# networks need to be created with IPv6 explicitly enabled.
+# This is controlled by the `devture_systemd_docker_base_ipv6_enabled` variable and it's up to the various roles to
+# respect this variable when creating their networks.
+matrix_playbook_docker_installation_daemon_options_auto: |
+ {{
+ ({'experimental': true, 'ip6tables': true} if devture_systemd_docker_base_ipv6_daemon_options_changing_enabled else {})
+ }}
 matrix_playbook_docker_installation_daemon_options_custom: {}
diff --git a/requirements.yml b/requirements.yml
index fd7818cc4..202757e8f 100644
--- a/requirements.yml
+++ b/requirements.yml
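Review bot: With `devture_systemd_docker_base_ipv6_daemon_options_changing_enabled` off, the new `matrix_playbook_docker_installation_daemon_options_auto` renders to `{}`, whereas the removed mapping always emitted both keys (as `false` when IPv6 was off), and the comment block above the variable does not mention that difference. After the `combine(...)` in the context line, `experimental` and `ip6tables` are then absent rather than explicitly disabled, so the effective firewall behaviour presumably falls to Docker's own defaults or to whatever daemon configuration is already on the host; how the consumer of `matrix_playbook_docker_installation_daemon_options` treats an empty mapping is outside this hunk and worth confirming. I would add a comment line such as `# When disabled, neither key is emitted (not even as false); Docker's defaults or the host's existing daemon configuration apply.` so operators know to check for a leftover `experimental: true`.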
@@ -55,7 +55,7 @@
 version: v0.14.0-6
 name: prometheus_postgres_exporter
 - src: git+https://github.com/devture/com.devture.ansible.role.systemd_docker_base.git
- version: v1.3.0-0
+ version: v1.4.0-0
 name: systemd_docker_base
 - src: git+https://github.com/devture/com.devture.ansible.role.systemd_service_manager.git
 version: v1.0.0-4