From 3455cc580f1af788c493017826f3a7b9f8b054c1 Mon Sep 17 00:00:00 2001
From: scyto
Date: Fri, 15 Aug 2025 15:34:11 -0700
Subject: [PATCH] Enable IPv6 Flaf For Port 5000 and 8971
---
 .../usr/local/nginx/get_tls_settings.py | 10 ++-
 .../usr/local/nginx/templates/listen.gotmpl | 68 +++++++++++--------
 frigate/config/config.py | 4 ++
 frigate/config/ipv6.py | 9 +++
 4 files changed, 59 insertions(+), 32 deletions(-)
 create mode 100644 frigate/config/ipv6.py
diff --git a/docker/main/rootfs/usr/local/nginx/get_tls_settings.py b/docker/main/rootfs/usr/local/nginx/get_tls_settings.py
index d2e704056..927d6f7a5 100644
--- a/docker/main/rootfs/usr/local/nginx/get_tls_settings.py
+++ b/docker/main/rootfs/usr/local/nginx/get_tls_settings.py
@@ -26,6 +26,12 @@ try:
 except FileNotFoundError:
 config: dict[str, Any] = {}
-tls_config: dict[str, Any] = config.get("tls", {"enabled": True})
+tls_config: dict[str, any] = config.get("tls", {"enabled": True})
+ipv6_config: dict[str, any] = config.get("ipv6", {"enabled": False})
-print(json.dumps(tls_config))
+output = {
+ "tls": tls_config,
+ "ipv6": ipv6_config
+}
+
+print(json.dumps(output))
diff --git a/docker/main/rootfs/usr/local/nginx/templates/listen.gotmpl b/docker/main/rootfs/usr/local/nginx/templates/listen.gotmpl
index 19d7dc362..066f872cb 100644
--- a/docker/main/rootfs/usr/local/nginx/templates/listen.gotmpl
+++ b/docker/main/rootfs/usr/local/nginx/templates/listen.gotmpl
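Review bot: The new annotations on the `tls_config` and `ipv6_config` lines use the builtin `any` where the rest of the file (see the unchanged `config: dict[str, Any]` context line) uses `typing.Any`; `any` is a function, so the annotation is wrong for type checkers and the change away from `Any` is a regression. Restore `tls_config: dict[str, Any] = config.get("tls", {"enabled": True})` and write `ipv6_config: dict[str, Any] = config.get("ipv6", {"enabled": False})`. Since `output` is what the nginx listen template now dereferences as `.tls.enabled` and `.ipv6.enabled`, a one-line comment such as `# Emitted as JSON for the nginx listen template; the fallbacks apply only when the key is absent from config` would document why the defaults live here. The `try` block that populates `config` starts outside the hunk.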
@@ -1,37 +1,45 @@
-# intended for internal traffic, not protected by auth
+
+# Internal (IPv4 always; IPv6 optional)
 listen 5000;
-listen [::]:5000;
+{{ if .ipv6 }}{{ if .ipv6.enabled }}listen [::]:5000;{{ end }}{{ end }}
+
-{{ if not .enabled }}
 # intended for external traffic, protected by auth
-listen 8971;
-listen [::]:8971;
+{{ if .tls }}
+ {{ if .tls.enabled }}
+ # external HTTPS (IPv4 always; IPv6 optional)
+ listen 8971 ssl;
+ {{ if .ipv6 }}{{ if .ipv6.enabled }}listen [::]:8971 ssl;{{ end }}{{ end }}
+ ssl_certificate /etc/letsencrypt/live/frigate/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/frigate/privkey.pem;
+
+ # generated 2024-06-01, Mozilla Guideline v5.7, nginx 1.25.3, OpenSSL 1.1.1w, modern configuration, no OCSP
+ # https://ssl-config.mozilla.org/#server=nginx&version=1.25.3&config=modern&openssl=1.1.1w&ocsp=false&guideline=5.7
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ ssl_session_tickets off;
+
+ # modern configuration
+ ssl_protocols TLSv1.3;
+ ssl_prefer_server_ciphers off;
+
+ # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ # ACME challenge location
+ location /.well-known/acme-challenge/ {
+ default_type "text/plain";
+ root /etc/letsencrypt/www;
+ }
+ {{ else }}
+ # external HTTP (IPv4 always; IPv6 optional)
+ listen 8971;
+ {{ if .ipv6 }}{{ if .ipv6.enabled }}listen [::]:8971;{{ end }}{{ end }}
+ {{ end }}
 {{ else }}
-# intended for external traffic, protected by auth
-listen 8971 ssl;
-listen [::]:8971 ssl;
-
-ssl_certificate /etc/letsencrypt/live/frigate/fullchain.pem;
-ssl_certificate_key /etc/letsencrypt/live/frigate/privkey.pem;
-
-# generated 2024-06-01, Mozilla Guideline v5.7, nginx 1.25.3, OpenSSL 1.1.1w, modern configuration, no OCSP
-# https://ssl-config.mozilla.org/#server=nginx&version=1.25.3&config=modern&openssl=1.1.1w&ocsp=false&guideline=5.7
-ssl_session_timeout 1d;
-ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
-ssl_session_tickets off;
-
-# modern configuration
-ssl_protocols TLSv1.3;
-ssl_prefer_server_ciphers off;
-
-# HSTS (ngx_http_headers_module is required) (63072000 seconds)
-add_header Strict-Transport-Security "max-age=63072000" always;
-
-# ACME challenge location
-location /.well-known/acme-challenge/ {
- default_type "text/plain";
- root /etc/letsencrypt/www;
-}
+ # (No tls section) default to HTTP (IPv4 always; IPv6 optional)
+ listen 8971;
+ {{ if .ipv6 }}{{ if .ipv6.enabled }}listen [::]:8971;{{ end }}{{ end }}
 {{ end }}
diff --git a/frigate/config/config.py b/frigate/config/config.py
index 6ec048acd..bb34b139f 100644
--- a/frigate/config/config.py
+++ b/frigate/config/config.py
@@ -61,6 +61,7 @@ from .classification import (
 )
 from .database import DatabaseConfig
 from .env import EnvVars
+from .ipv6 import IPv6Config
 from .logger import LoggerConfig
 from .mqtt import MqttConfig
 from .proxy import ProxyConfig
@@ -353,6 +354,9 @@ class FrigateConfig(FrigateBaseModel):
 go2rtc: RestreamConfig = Field(
 default_factory=RestreamConfig, title="Global restream configuration."
 )
+ ipv6: IPv6Config = Field(
+ default_factory=IPv6Config, title="IPv6 configuration."
+ )
 mqtt: MqttConfig = Field(title="MQTT configuration.")
 notifications: NotificationConfig = Field(
 default_factory=NotificationConfig, title="Global notification configuration."
diff --git a/frigate/config/ipv6.py b/frigate/config/ipv6.py
new file mode 100644
index 000000000..48a2883ac
--- /dev/null
+++ b/frigate/config/ipv6.py
@@ -0,0 +1,9 @@
+from pydantic import Field
+
+from .base import FrigateBaseModel
+
+__all__ = ["IPv6Config"]
+
+
+class IPv6Config(FrigateBaseModel):
+ enabled: bool = Field(default=False, title="Enable IPv6 for port 5000 and /or 8971")
\ No newline at end of file
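Review bot: The rewritten comment on the internal listener (`+# Internal (IPv4 always; IPv6 optional)`) drops the warning the removed line carried, that port 5000 is not protected by auth; now that enabling `ipv6` also binds `[::]:5000`, that caveat matters more, not less. Suggest `# Internal (IPv4 always; IPv6 optional) - intended for internal traffic, not protected by auth`. Separately, the outer `{{ else }}` branch ("No tls section") looks unreachable as long as get_tls_settings.py always emits a `tls` key (the sibling hunk defaults it to `{"enabled": True}`), so either mark it as defensive in its comment or drop the duplicated HTTP block.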
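Review bot: The field title on the `enabled` line reads `"Enable IPv6 for port 5000 and /or 8971"`, but the listen template binds both ports whenever the flag is set, so "and /or" misdescribes the option (and has a stray space); suggest `enabled: bool = Field(default=False, title="Enable IPv6 ([::]) listeners on ports 5000 and 8971.")`. The new module also lacks a docstring; a one-liner such as `"""IPv6 listener configuration consumed by the nginx listen template."""` would help a reader find where the flag is used. The file is also missing a trailing newline (`\ No newline at end of file`).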