diff --git a/CHANGES.md b/CHANGES.md
index 05346225e9..f63201e831 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -26,6 +26,7 @@
 - Fix lost-update race on `team.features` during concurrent file creation (by @web-dev0521) [Github #9197](https://github.com/penpot/penpot/issues/9197)
 - Fix copy and paste actions crashing the workspace on insecure origins (plain HTTP / non-`localhost`) where the Clipboard API is unavailable (by @MilosM348) [Github #6514](https://github.com/penpot/penpot/issues/6514)
 - Fix blend-mode dropdown leaving the canvas rendered with the last hover-preview blend mode when dismissed without selecting an option; the WASM render is now reverted to the saved blend mode on pointer-leave (by @edwin-rivera-dev) [Github #XXXX](https://github.com/penpot/penpot/issues/XXXX)
+- Allow self-hosted frontend containers to disable the nginx IPv6 listen directive with `PENPOT_DISABLE_IPV6_LISTEN=true`, avoiding startup failures on hosts booted without IPv6 support [Github #8897](https://github.com/penpot/penpot/issues/8897)
 
 ## 2.16.0 (Unreleased)
 
diff --git a/docker/images/docker-compose.yaml b/docker/images/docker-compose.yaml
index 25d419a354..63f7a8cbbc 100644
--- a/docker/images/docker-compose.yaml
+++ b/docker/images/docker-compose.yaml
@@ -106,7 +106,8 @@ services:
 
     environment:
       << : [*penpot-flags, *penpot-http-body-size, *penpot-public-uri]
-
+      # Set to "true" on hosts where IPv6 is disabled at kernel boot level.
+      # PENPOT_DISABLE_IPV6_LISTEN: "true"
   penpot-backend:
     image: "penpotapp/backend:${PENPOT_VERSION:-2.15}"
     restart: always
diff --git a/docker/images/files/nginx-entrypoint.sh b/docker/images/files/nginx-entrypoint.sh
index 571c9f6782..a98a3655e9 100644
--- a/docker/images/files/nginx-entrypoint.sh
+++ b/docker/images/files/nginx-entrypoint.sh
@@ -48,6 +48,11 @@ export PENPOT_MCP_URI_WS=${PENPOT_MCP_URI_WS:-http://penpot-mcp:4402}
 export PENPOT_HTTP_SERVER_MAX_BODY_SIZE=${PENPOT_HTTP_SERVER_MAX_BODY_SIZE:-367001600} # Default to 350MiB
 envsubst "\$PENPOT_BACKEND_URI,\$PENPOT_EXPORTER_URI,\$PENPOT_NITRATE_URI,\$PENPOT_MCP_URI,\$PENPOT_MCP_URI_WS,\$PENPOT_HTTP_SERVER_MAX_BODY_SIZE" \
          < /tmp/nginx.conf.template > /etc/nginx/nginx.conf
+if [ "${PENPOT_DISABLE_IPV6_LISTEN}" = "true" ]; then
+  sed -i '/__PENPOT_IPV6_LISTEN_DIRECTIVE__/d' /etc/nginx/nginx.conf
+else
+  sed -i 's|__PENPOT_IPV6_LISTEN_DIRECTIVE__|        listen [::]:8080 default_server;|' /etc/nginx/nginx.conf
+fi
 
 PENPOT_DEFAULT_INTERNAL_RESOLVER="$(awk 'BEGIN{ORS=" "} $1=="nameserver" { sub(/%.*$/,"",$2); print ($2 ~ ":")? "["$2"]": $2}' /etc/resolv.conf)"
 export PENPOT_INTERNAL_RESOLVER=${PENPOT_INTERNAL_RESOLVER:-$PENPOT_DEFAULT_INTERNAL_RESOLVER}
diff --git a/docker/images/files/nginx.conf.template b/docker/images/files/nginx.conf.template
index c182856e6b..9f70f31f61 100644
--- a/docker/images/files/nginx.conf.template
+++ b/docker/images/files/nginx.conf.template
@@ -73,7 +73,7 @@ http {
 
     server {
         listen 8080 default_server;
-        listen [::]:8080 default_server;
+__PENPOT_IPV6_LISTEN_DIRECTIVE__
         server_name _;
 
         client_max_body_size $PENPOT_HTTP_SERVER_MAX_BODY_SIZE;