rpi23-gen-image
Why do the "hardening" sysctls basically kill off IPv6 SLAAC and public IPv6?
https://raw.githubusercontent.com/drtyhlpr/rpi23-gen-image/master/files/sysctl.d/82-rpi-net-hardening.conf
This is super dodgy. It basically turns off consuming IPv6 router advertisements and limits the maximum number of IPv6 addresses to 1, which will generally just be the link-local address.
With more and more ISPs offering native IPv6 and the prospect of carrier-grade NAT being used very widely, it's valuable to have IPv6 prefixes delegated to Raspberry Pis.
I recommend nuking that set of sysctls from orbit. They should not be here by default.
Nothing dodgy here. Maybe just don't use ENABLE_HARDNET=true
if you want ipv6 capability? The option does exactly what you proposed.
One could argue that the ipv6 hardening settings should be moved to the ENABLE_IPV6
option, but we're grave digging a project with the last commit in 2020 here.
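
An added example, not part of the thread or the project's code: a small checker that reads a sysctl.d-style file and lists the `net.ipv6.conf.*` settings that keep an interface from getting a SLAAC address, which is the effect discussed above. The function names and the sample fragment are constructed for illustration; the sample is not the contents of `82-rpi-net-hardening.conf`.

```shell
#!/bin/sh
# Added example: flag sysctl.d settings that block IPv6 SLAAC.
# Usage: slaac_blockers FILE   (or pipe a file in; "-" means stdin)
# Output: one "key=value  # reason" line per blocking setting.

slaac_blockers() {
    awk '
        /^[ \t]*([#;]|$)/ { next }            # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]*-?/, "", line)        # a leading "-" means ignore errors
            eq = index(line, "=")
            if (eq == 0) next
            key = substr(line, 1, eq - 1)
            val = substr(line, eq + 1)
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            gsub(/\//, ".", key)              # sysctl.d accepts a/b as well as a.b
            if (key !~ /^net\.ipv6\.conf\./) next
            n = split(key, part, ".")
            leaf = part[n]; why = ""
            if (leaf == "accept_ra" && val == "0")
                why = "router advertisements ignored"
            else if (leaf == "autoconf" && val == "0")
                why = "no addresses formed from RA prefixes"
            else if (leaf == "max_addresses" && val == "1")
                why = "one autoconfigured address only (0 means no limit)"
            else if (leaf == "disable_ipv6" && val == "1")
                why = "IPv6 disabled"
            if (why != "") printf "%s=%s  # %s\n", key, val, why
        }
    ' "${1:--}"
}

# Constructed sample fragment (assumption, not the repository file).
sample_conf() {
    cat <<'EOF'
# constructed hardening fragment
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.max_addresses=1
net/ipv6/conf/eth0/autoconf = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.tcp_syncookies = 1
net.ipv6.conf.all.max_addresses = 16
EOF
}

sample_conf | slaac_blockers
```

On a built image, `cat /etc/sysctl.d/*.conf | slaac_blockers` shows which installed fragments would need to be dropped or overridden before the host can use a delegated prefix.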