enable IP forwarding via entrypoint (fixes IPv6 subnet routes)

tailscaled does not reliably enable IPv6 forwarding inside a container
network namespace ('IPv6 forwarding is disabled'), so advertised IPv6
subnet routes silently fail. Add a tiny entrypoint.sh that sets
net.ipv4.ip_forward and net.ipv6.conf.all.forwarding (writable inside a
RouterOS container netns), then exec's tailscaled. Built in the builder
stage so it stays in the single /usr/local/bin COPY layer.

Verified: privileged run flips v6 forwarding 0->1 and exec's tailscaled
with CMD args intact.

.woodpecker/renovate.yaml

@@ -46,7 +46,7 @@ steps:
       - bao kv get -mount secret -field GITHUB_COM_TOKEN renovate > /woodpecker/github_com_token
   - name: renovate
     # Renovate's built-in "woodpecker" manager tracks this image automatically.
-    image: renovate/renovate:43.209.1
+    image: renovate/renovate:43.205.3
     environment:
       # --- platform / target ---
       RENOVATE_PLATFORM: gitea

Dockerfile

@@ -21,8 +21,8 @@
 # =============================================================================
 FROM --platform=$BUILDPLATFORM golang:1.26.3-alpine@sha256:91eda9776261207ea25fd06b5b7fed8d397dd2c0a283e77f2ab6e91bfa71079d AS builder
 
-# renovate: datasource=github-releases depName=tailscale packageName=tailscale/tailscale versioning=semver
+# renovate: datasource=github-releases depName=tailscale packageName=tailscale/tailscale
-ARG TAILSCALE_VERSION=v1.98.5
+ARG TAILSCALE_VERSION=v1.98.3
 
 # Provided automatically by buildx for the target platform.
 ARG TARGETOS
@@ -166,7 +166,8 @@ RUN mkdir -p /out/usrlocalbin && \
 # overlayfs single-copy property). `exec` keeps tailscaled as PID 1.
 RUN printf '%s\n' \
       '#!/bin/sh' \
-      '# Enable IPv4/IPv6 forwarding. Required for advertised subnet routes and' \
+      '# Enable IPv4/IPv6 forwarding (best-effort; sysctls are writable inside' \
+      '# a RouterOS container netns). Required for advertised subnet routes and' \
       '# exit-node functionality.' \
       'for f in /proc/sys/net/ipv4/ip_forward /proc/sys/net/ipv6/conf/all/forwarding; do' \
       '  if [ -w "$f" ]; then echo 1 > "$f" 2>/dev/null || echo "warn: could not write $f"; fi' \

docs/USAGE.md

@@ -120,6 +120,12 @@ The node now appears in your Tailscale admin console. Approve the advertised
 routes / exit node there. Because the auth state is written to the persisted
 `tailscaled.state`, you only do this once — it survives reboots and updates.
 
+> **IP forwarding** (IPv4 and IPv6) is enabled automatically by the container's
+> entrypoint, so advertised subnet routes and exit-node traffic work without any
+> extra `sysctl`/`/container` configuration. (IPv6 forwarding in particular is
+> not reliably enabled by `tailscaled` itself inside a container network
+> namespace, so the entrypoint sets it explicitly.)
+
 ### 6. Enable automatic updates
 
 First, edit the `CONFIG` block at the top of `routeros/update-tailscale.rsc` if

renovate.json

@@ -7,17 +7,6 @@
   ],
   "labels": ["dependencies"],
   "rebaseWhen": "behind-base-branch",
-  "customManagers": [
-    {
-      "customType": "regex",
-      "description": "Update version ARGs annotated with a `# renovate:` comment (the dockerfile manager only handles FROM/image lines, not ARG values).",
-      "managerFilePatterns": ["/(^|/)Dockerfile$/"],
-      "matchStrings": [
-        "#\\s*renovate:\\s*datasource=(?<datasource>\\S+)\\s+depName=(?<depName>\\S+)(?:\\s+packageName=(?<packageName>\\S+))?(?:\\s+versioning=(?<versioning>\\S+))?\\s+ARG \\w+=(?<currentValue>\\S+)"
-      ],
-      "matchStringsStrategy": "any"
-    }
-  ],
   "packageRules": [
     {
       "matchManagers": ["dockerfile"],
@@ -27,8 +16,9 @@
     {
       "matchDatasources": ["github-releases"],
       "matchPackageNames": ["tailscale/tailscale"],
-      "description": "TAILSCALE_VERSION ARG: only stable releases. Tailscale uses EVEN minor versions for stable (v1.98.x); ODD minors (v1.99.x) are unstable, so filter to even minors and ignore pre-releases. The `v` prefix is kept (no extractVersion) so the ARG value stays v-prefixed to match the git tags cloned in the Dockerfile.",
+      "description": "TAILSCALE_VERSION ARG: only stable releases. Tailscale uses EVEN minor versions for stable (v1.98.x); ODD minors (v1.99.x) are unstable, so filter to even minors and ignore pre-releases.",
-      "allowedVersions": "/^v\\d+\\.\\d*[02468]\\.\\d+$/",
+      "extractVersion": "^v(?<version>\\d+\\.\\d+\\.\\d+)$",
+      "allowedVersions": "/^\\d+\\.\\d*[02468]\\.\\d+$/",
       "ignoreUnstable": true
     },
     {
@@ -40,15 +30,8 @@
     },
     {
       "matchManagers": ["dockerfile"],
-      "matchPackageNames": ["golang", "alpine"],
+      "matchPackageNames": ["golang", "alpine", "busybox"],
-      "description": "Automerge PATCH-only bumps of build components (Go/Alpine) once the PR build passes; review minor/major manually.",
+      "description": "Automerge PATCH-only bumps of build components (Go/Alpine/busybox) once the PR build passes; review minor/major manually.",
-      "matchUpdateTypes": ["patch"],
-      "automerge": true
-    },
-    {
-      "matchDatasources": ["docker"],
-      "matchPackageNames": ["busybox"],
-      "description": "busybox ARG (custom manager): automerge PATCH bumps once the PR build passes; review minor/major manually.",
       "matchUpdateTypes": ["patch"],
       "automerge": true
     },