v0.7.0-beta.2

Hey there, 0.7.0-beta.2 is finally out. It just makes some changes to the first beta, fixing some issues and also bringing some other changes in. Notably, we've redone how the SSH module works, so it should be more stable now.

---

Important Things

• oidc.headscale_api_key is now deprecated in the config, the new field to put this value in is headscale.api_key (and headscale.api_key_path). The deprecated fields will be fully removed in the future.
• The Headplane agent only supports Headscale 0.28+. I've switched it to use the ACL tags model where it isn't associated with a user, and this functionality is only recently supported by Headscale.
• Authentication has been reworked. OIDC logged-in users in Headplane are now connected to Headscale users through a multi-step matching process:
  • First, we try to match via OIDC linking.
  • Then, we try matching based on the user's email addresses.
  • Finally, we allow the user to manually pick their username from the list of "unclaimed" users on Headscale.
  • This should result in a much more intuitive onboarding experience.

---

Changes

• Rebuilt the Browser SSH feature
  • Should now work with custom DERP ports and properly handle sessions.
  • Switched to using libghostty for a proper, modern terminal experience (closes #515).
  • Added more resilient error handling and state handling when initiating connections.
• Migrated all UI components from react-aria/react-stately to @base-ui-components/react.
  • Removed react-aria, react-stately, and tailwindcss-react-aria-components as dependencies.
• Replaced openid-client with a clean-room OIDC implementation.
  • Removed the openid-client dependency entirely.
  • Fixed client_secret_basic auth method not working with Google SSO and other providers (closes #493).
  • Fixed OIDC connector initialization failures on beta.1 (closes #516).
• Rearchitected the Headplane Agent with a new sync model (closes #350, closes #455).
  • The Go binary connects to the Tailnet and fetches all peer hostinfo as JSON.
  • The Node.js manager auto-generates ephemeral tag-only pre-auth keys (requires Headscale 0.28+).
  • Deprecated integration.agent.pre_authkey and integration.agent.cache_path config fields.
  • Added integration.agent.executable_path config field.
• Consolidated the Headscale API key under headscale.api_key (and headscale.api_key_path).
  • Deprecated oidc.headscale_api_key — it is still read as a fallback but will be removed in a future release.
  • Both the agent and OIDC now use the same key from headscale.api_key.
• Reworked the authentication system with a new AuthService that consolidates session management and role enforcement (via #489).
• Added an agent status page at /settings/agent showing sync status, node count, errors, and a "Sync Now" button.
• Added additional machine list filters for user, tag, status, and route (via #507, closes #506).
• Added self-service pre-auth key creation for auditor role users (via #478, closes #453).
• Store OIDC profile pictures in the database to prevent cookie header overload (closes #326, via #510).
• Fixed pre-auth key expiration on Headscale 0.28+ (closes #519).
• Fixed OIDC subject matching for providers that use special characters in user IDs (e.g. Auth0 github|12345) (closes #428).
• Fixed headscale.api_key not being used consistently across all code paths.
• Fixed intermittent SSR crash on the Access Control page caused by client-only CodeMirror imports.
• Fixed first user not being assigned the owner role on OIDC login (via #480, closes #266).
• Fixed login errors throwing an unexpected server error instead of showing form validation (via #475, closes #474).
• Fixed agent HostInfo not refreshing periodically using cache_ttl (via #477, closes #427).
• Fixed agent working directory being wiped on restart.
• Fixed a race condition where the SSE controller could be used after being closed.
• Rewrote the WebSSH WASM module to match Tailscale's proven tsconnect init sequence.
  • Switched the terminal renderer from xterm.js to restty (Ghostty WASM).
  • Bundled self-hosted JetBrains Mono Nerd Font with Nerd Fonts symbol fallback — no CDN dependency.
  • Fixed SSH sessions failing with EOF: the SSH channel multiplexer was not receiving server traffic.
  • Fixed terminal resize sending swapped rows/cols, causing garbled output on window resize.
  • Fixed log.Fatal() calls in the WASM bridge killing the entire runtime on recoverable errors.
  • Fixed Close() returning true on error and false on success.
  • Fixed stale closure bug in the NodeKey tracking callback.
  • Removed unnecessary LoginDefault and LocalBackendStartKeyOSNeutral control flags.
  • Added cancellation support for in-flight SSH connections on close.
• Fixed WebSSH dropping DERP port information on non-standard ports (e.g. :8443), which caused connections to fail (closes #515).
• Fixed WebSSH WASM prefix paths for correct asset loading (closes #386).
• Fixed Nix WASM build applying DERP patch to wrong vendor directory.
• Fixed Dockerfile WASM copy paths.
• Fixed CodeMirror version mismatch override in the ACL editor.
• Fixed cookie secret generation using incorrect byte length (via #501).
• Fixed OIDC configuration error troubleshooting link (via #518, closes #517).
• Fixed deprecated Nix package attributes (via #521).
• Detect unsupported Docker API versions early with a clear error message (via #497).
• Updated NixOS module options: removed deprecated agent fields, added headscale.api_key_path and integration.agent.executable_path.

New Contributors

• @dixi83 made their first contribution in #488
• @mrangger made their first contribution in #497
• @dotWee made their first contribution in #500
• @AgathaSorceress made their first contribution in #501
• @lloydowen made their first contribution in #510
• @siemenvdn made their first contribution in #507
• @sinanmohd made their first contribution in #521
• @Kroppeb made their first contribution in #518

Full Changelog: v0.7.0-beta.1...v0.7.0-beta.2

v0.7.0-beta.1

Hey everyone, I'm happy to share 0.7.0-beta.1 today. It addresses a few key things, mainly focusing on improving the user-reconciliation between Headplane/Headscale, making the UI more accessible and better looking, and seriously improving the reliability of Headplane's individual components.

Important Things

• oidc.headscale_api_key is now deprecated in the config, the new field to put this value in is headscale.api_key (and headscale.api_key_path). The deprecated fields will be fully removed in the future.
• The Headplane agent only supports Headscale 0.28+. I've switched it to use the ACL tags model where it isn't associated with a user, and this functionality is only recently supported by Headscale.
• Authentication has been reworked. OIDC logged-in users in Headplane are now connected to Headscale users through a multi-step matching process:
  • First, we try to match via OIDC linking.
  • Then, we try matching based on the user's email addresses.
  • Finally, we allow the user to manually pick their username from the list of "unclaimed" users on Headscale.
  • This should result in a much more intuitive onboarding experience.

Changes

• Migrated all UI components from react-aria/react-stately to @base-ui-components/react.
  • Removed react-aria, react-stately, and tailwindcss-react-aria-components as dependencies.
• Rearchitected the Headplane Agent from a long-running stdin/stdout daemon to a one-shot sync model (closes #350, closes #455).
  • The Go binary connects to the Tailnet, fetches all peer hostinfo as JSON, and exits.
  • The Node.js manager auto-generates ephemeral tag-only pre-auth keys (requires Headscale 0.28+).
  • Deprecated integration.agent.pre_authkey and integration.agent.cache_path config fields.
  • Added integration.agent.executable_path config field.
• Consolidated the Headscale API key under headscale.api_key (and headscale.api_key_path).
  • Deprecated oidc.headscale_api_key — it is still read as a fallback but will be removed in a future release.
  • Both the agent and OIDC now use the same key from headscale.api_key.
• Reworked the authentication system with a new AuthService that consolidates session management and role enforcement (via #489).
• Added an agent status page at /settings/agent showing sync status, node count, errors, and a "Sync Now" button.
• Added additional machine list filters for user, tag, status, and route (via #507, closes #506).
• Added self-service pre-auth key creation for auditor role users (via #478, closes #453).
• Fetch OIDC profile pictures server-side when the URL requires authentication (via #510, closes #326).
• Fixed first user not being assigned the owner role on OIDC login (via #480, closes #266).
• Fixed login errors throwing an unexpected server error instead of showing form validation (via #475, closes #474).
• Fixed agent HostInfo not refreshing periodically using cache_ttl (via #477, closes #427).
• Fixed a race condition where the SSE controller could be used after being closed.
• Fixed WebSSH WASM prefix paths for correct asset loading (closes #386).
• Fixed Dockerfile WASM copy paths.
• Fixed CodeMirror version mismatch override in the ACL editor.
• Fixed cookie secret generation using incorrect byte length (via #501).
• Detect unsupported Docker API versions early with a clear error message (via #497).
• Updated NixOS module options: removed deprecated agent fields, added headscale.api_key_path and integration.agent.executable_path.

New Contributors

• @dixi83 made their first contribution in #488
• @mrangger made their first contribution in #497
• @dotWee made their first contribution in #500
• @AgathaSorceress made their first contribution in #501
• @lloydowen made their first contribution in #510
• @siemenvdn made their first contribution in #507

Full Changelog: v0.6.2...v0.7.0-beta.1

v0.6.2

Changes

Headplane 0.6.2 works with Headscale 0.28.0.

• Our website at headplane.net is generally stable and is the definitive source of information going forward.
• This release drops support for Headscale 0.25.0 and lower
• Some config options have generally changed, please refer to the example and the website: https://github.com/tale/headplane/blob/main/config.example.yaml.

---

• Re-worked the configuration loading system with several enhancements:
  • It is now possible to skip a configuration file and only use environment variables (closes #150).
  • Secret path loading has been reworked from the ground up to be more reliable (closes #334).
  • Added better testing and validation for configuration loading
• Re-worked the OIDC integration to adhere to the correct standards and surface more errors to the user.
  • Deprecated oidc.redirect_uri and automated callback URL detection in favor of setting server.base_url correctly.
  • Explicitly added oidc.use_pkce to correctly determine PKCE configuration.
  • oidc.token_endpoint_auth_method is now optional and will attempt to be auto-detected, defaulting to client_secret_basic if unavailable (closes #410).
  • Added oidc.enabled config option to explicitly control OIDC availability (via #463).
• Added search and sortable columns to the machines list page (closes #351).
• Allow conditionally compiling the SSH WASM integration when building (closes #337).
• Implemented the ability to customize the build with a custom script (see ./build.sh --help for more information).
• Attempt to warn against misconfigured cookie settings on the login page.
• Made server.cookie_max_age and server.cookie_domain configurable (closes #348).
• Enhanced the node tag dialog to show a dropdown of assignable tags (via #362).
• Added an /admin/api/info route that can expose sensitive information if server.info_secret is set in the configuration (closes #324).
• Machine key registration no longer works if the key isn't 24 characters long (closes #415).
• Added a Docker healthcheck to the container (closes #411).
• Strengthened the validation for the /proc integration to correctly discover the Headscale PID.
• Added lazy retry logic for OIDC providers if they initially fail to respond (closes #423).
• Pre-auth keys are now listed without a user filter on Headscale 0.28+, with a fallback to per-user fetching on older versions (via #466).
• Adapted to the removal of Node Ownership Change in Headscale 0.28 (via #436).
• Improved the no-access user page on the UI (via #469).

Fixes

• Bundle all node_modules aside from native ones to reduce bundle and container size (closes #331).
• Removed several unnecessarily verbose or spammy log messages.
• Updated the minimum Docker API used to support the latest Docker versions (via #370).
• Correctly handle invalid ACL policy inserts on Headscale 0.27+ (closes #383).
• Prevent a machine from changing its owner to itself (closes #373).
• Fixed an issue where the website favicon would not load correctly (closes #323).
• Fixed API key login on Headscale 0.28.0-beta.1+ (closes #429).
• Fixed an issue that prevented the pre-auth-key UI from being usable on Headscale 0.28 and later.
• Added support for creating tag-only pre-auth keys on Headscale 0.28+ (via #465).
• Fixed pre-auth keys not showing for OIDC users without a username (via #470).
• Fixed truncated pre-auth key display with longer Headscale 0.28 bcrypt tokens (closes #435).
• Fixed Nix systemd service to use user-specified package (via #454).
• Version displayed in the UI is now derived from git tags and build args instead of package.json, fixing incorrect versions shown on beta and nightly builds.
• Fixed handling of tag-only nodes that have no user on Headscale 0.28+ (via #467).
• Fixed some mobile CSS issues across the application (closes #401).
• Correctly apply Gravatar profile pictures on the user page if applicable (closes #405).

New Contributors

• @tituspijean made their first contribution in #349
• @rhoriguchi made their first contribution in #358
• @alexfornuto made their first contribution in #363
• @itzTheMeow made their first contribution in #362
• @luzes-dev made their first contribution in #370
• @The-Greg-O made their first contribution in #377
• @Lapin0t made their first contribution in #394
• @Murgeye made their first contribution in #384
• @0nano made their first contribution in #409
• @SethMilliken made their first contribution in #438
• @kronenpj made their first contribution in #433
• @drifterza made their first contribution in #470
• @PriceChild made their first contribution in #462
• @z0w13 made their first contribution in #454

Full Changelog: v0.6.1...v0.6.2

v0.6.2-beta.5

Hey all, Headplane 0.6.2-beta.5 is now available and ties together everything for the full 0.6.2 release. This release explicitly supports Headscale 0.28! I still need some more time to iron out some bugs before making an official release, but this should be pretty close to a daily use experience.

Notable for this beta release, the Kubernetes and Linux integrations have been fixed after being problematic for a long time. Also, for any deployments that use OIDC, oidc.redirect_uri has been deprecated and server.base_url will need to be supplied. Starting in Headplane 0.7.0, you will receive errors if it is not set. See the OIDC configuration docs for more information. Also, PKCE has now been turned into an option, so you'll need to set oidc.use_pkce to true if you get code verifier errors when authenticating with your OIDC provider.

Changes

• Added support for Headscale 0.27.0 and 0.27.1
• Bundle all node_modules aside from native ones to reduce bundle and container size (closes #331).
• Allow conditionally compiling the SSH WASM integration when building (closes #337).
• Implemented the ability to customize the build with a custom script (see ./build.sh --help for more information).
• Attempt to warn against misconfigured cookie settings on the login page.
• Made server.cookie_max_age and server.cookie_domain configurable (closes #348).
• Re-worked the configuration loading system with several enhancements:
  • It is now possible to skip a configuration file and only use environment variables (closes #150).
  • Secret path loading has been reworked from the ground up to be more reliable (closes #334).
  • Added better testing and validation for configuration loading
• Re-worked the OIDC integration to adhere to the correct standards and surface more errors to the user.
  • Deprecated oidc.redirect_uri and automated callback URL detection in favor of setting server.base_url correctly.
  • Explicitly added oidc.use_pkce to correctly determine PKCE configuration.
• Removed several unnecessarily verbose or spammy log messages.
• Updated the minimum Docker API used to support the latest Docker versions (via #370).
• Enhanced the node tag dialog to show a dropdown of assignable tags (via #362).
• Fixed an issue where the website favicon would not load correctly (closes #323).
• Correctly handle invalid ACL policy inserts on Headscale 0.27+ (closes #383).
• Prevent a machine from changing its owner to itself (closes #373).
• Added an /admin/api/info route that can expose sensitive information if server.info_secret is set in the configuration (closes #324).
• Correctly apply Gravatar profile pictures on the user page if applicable (closes #405).
• Machine key registration no longer works if the key isn't 24 characters long (closes #415).
• Fixed some mobile CSS issues across the application (closes #401).
• Added a Docker healthcheck to the container (closes #411).
• Strengthened the validation for the /proc integration to correctly discover the Headscale PID.
• Added lazy retry logic for OIDC providers if they initially fail to respond (closes #423).
• Fixed API key login on Headcale 0.28.0-beta.1+ (closes #429).
• Fixed an issue that prevented the pre-auth-key UI from being usable on Headscale 0.28 and later

Full Changelog: v0.6.2-beta.4...v0.6.2-beta.5

v0.6.2-beta.4

Hey all, Headplane 0.6.2-beta.4 is now available and adds a couple more features and smaller bug fixes like some CSS mobile layout fixes, a docker health check, better OIDC heuristics for detecting the correct token auth endpoint method, etc. This is probably the last beta before a full release. The full release will ship with support for Headscale 0.28 if it releases before.

Specifically for OIDC, oidc.redirect_uri has been deprecated and server.base_url will need to be supplied. Starting in Headplane 0.7.0, you will receive errors if it is not set. See the OIDC configuration docs for more information. Also, PKCE has now been turned into an option, so you'll need to set oidc.use_pkce to true if you get code verifier errors when authenticating with your OIDC provider.

Changes

• Added support for Headscale 0.27.0 and 0.27.1
• Bundle all node_modules aside from native ones to reduce bundle and container size (closes #331).
• Allow conditionally compiling the SSH WASM integration when building (closes #337).
• Implemented the ability to customize the build with a custom script (see ./build.sh --help for more information).
• Attempt to warn against misconfigured cookie settings on the login page.
• Made server.cookie_max_age and server.cookie_domain configurable (closes #348).
• Re-worked the configuration loading system with several enhancements:
  • It is now possible to skip a configuration file and only use environment variables (closes #150).
  • Secret path loading has been reworked from the ground up to be more reliable (closes #334).
  • Added better testing and validation for configuration loading
• Re-worked the OIDC integration to adhere to the correct standards and surface more errors to the user.
  • Deprecated oidc.redirect_uri and automated callback URL detection in favor of setting server.base_url correctly.
  • Explicitly added oidc.use_pkce to correctly determine PKCE configuration.
• Removed several unnecessarily verbose or spammy log messages.
• Updated the minimum Docker API used to support the latest Docker versions (via #370).
• Enhanced the node tag dialog to show a dropdown of assignable tags (via #362).
• Fixed an issue where the website favicon would not load correctly (closes #323).
• Correctly handle invalid ACL policy inserts on Headscale 0.27+ (closes #383).
• Prevent a machine from changing its owner to itself (closes #373).
• Added an /admin/api/info route that can expose sensitive information if server.info_secret is set in the configuration (closes #324).
• Correctly apply Gravatar profile pictures on the user page if applicable (closes #405).
• Machine key registration no longer works if the key isn't 24 characters long (closes #415).
• Fixed some mobile CSS issues across the application (closes #401).
• Added a Docker healthcheck to the container (closes #411).

Full Changelog: v0.6.2-beta.3...v0.6.2-beta.4

v0.6.2-beta.3

Hey all, Headplane 0.6.2-beta.3 is now available and should fix the ACL regressions from the 2nd beta.
The 0.6.2 release focuses on a few important aspects for Headplane's future:

• Support for Headscale 0.27.x and robust testing with a compatibility matrix
• Cleanup and simplification of the configuration options
• More robust OIDC/SSO implementation.

Specifically for OIDC, oidc.redirect_uri has been deprecated and server.base_url will need to be supplied. Starting in Headplane 0.7.0, you will receive errors if it is not set. See the OIDC configuration docs for more information. Also, PKCE has now been turned into an option, so you'll need to set oidc.use_pkce to true if you get code verifier errors when authenticating with your OIDC provider.

Changes

• Added support for Headscale 0.27.0 and 0.27.1
• Bundle all node_modules aside from native ones to reduce bundle and container size (closes #331).
• Allow conditionally compiling the SSH WASM integration when building (closes #337).
• Implemented the ability to customize the build with a custom script (see ./build.sh --help for more information).
• Attempt to warn against misconfigured cookie settings on the login page.
• Made server.cookie_max_age and server.cookie_domain configurable (closes #348).
• Re-worked the configuration loading system with several enhancements:
  • It is now possible to skip a configuration file and only use environment variables (closes #150).
  • Secret path loading has been reworked from the ground up to be more reliable (closes #334).
  • Added better testing and validation for configuration loading
• Re-worked the OIDC integration to adhere to the correct standards and surface more errors to the user.
  • Deprecated oidc.redirect_uri and automated callback URL detection in favor of setting server.base_url correctly.
  • Explicitly added oidc.use_pkce to correctly determine PKCE configuration.
• Removed several unnecessarily verbose or spammy log messages.
• Updated the minimum Docker API used to support the latest Docker versions (via #370).
• Enhanced the node tag dialog to show a dropdown of assignable tags (via #362).
• Fixed an issue where the website favicon would not load correctly (closes #323).
• Correctly handle invalid ACL policy inserts on Headscale 0.27+ (closes #383).
• Prevent a machine from changing its owner to itself (closes #373).
• Added an /admin/api/info route that can expose sensitive information if server.info_secret is set in the configuration (closes #324).

Full Changelog: v0.6.2-beta.1...v0.6.2-beta.2

v0.6.2-beta.2

Hey everyone, 0.6.2-beta.2 is now available and should fix some of the errors if you were testing on the first beta. The 0.6.2 release focuses on a few important aspects for Headplane's future:

• Support for Headscale 0.27.x and robust testing with a compatibility matrix
• Cleanup and simplification of the configuration options
• More robust OIDC/SSO implementation.

Specifically for OIDC, oidc.redirect_uri has been deprecated and server.base_url will need to be supplied. Starting in Headplane 0.7.0, you will receive errors if it is not set. See the OIDC configuration docs for more information. Also, PKCE has now been turned into an option, so you'll need to set oidc.use_pkce to true if you get code verifier errors when authenticating with your OIDC provider.

Changes

• Added support for Headscale 0.27.0 and 0.27.1
• Bundle all node_modules aside from native ones to reduce bundle and container size (closes #331).
• Allow conditionally compiling the SSH WASM integration when building (closes #337).
• Implemented the ability to customize the build with a custom script (see ./build.sh --help for more information).
• Attempt to warn against misconfigured cookie settings on the login page.
• Made server.cookie_max_age and server.cookie_domain configurable (closes #348).
• Re-worked the configuration loading system with several enhancements:
  • It is now possible to skip a configuration file and only use environment variables (closes #150).
  • Secret path loading has been reworked from the ground up to be more reliable (closes #334).
  • Added better testing and validation for configuration loading
• Re-worked the OIDC integration to adhere to the correct standards and surface more errors to the user.
  • Deprecated oidc.redirect_uri and automated callback URL detection in favor of setting server.base_url correctly.
  • Explicitly added oidc.use_pkce to correctly determine PKCE configuration.
• Removed several unnecessarily verbose or spammy log messages.
• Updated the minimum Docker API used to support the latest Docker versions (via #370).
• Enhanced the node tag dialog to show a dropdown of assignable tags (via #362).
• Fixed an issue where the website favicon would not load correctly (closes #323).

Full Changelog: v0.6.2-beta.1...v0.6.2-beta.2

v0.6.2-beta.1

Changes

I've retired the nightly builds for Headplane and am instead opting for beta releases. There have been several cases where the nightly build ends up being broken anyways and it pollutes the container releases, so something like this feels better in the long-run.

Hey everyone, 0.6.2 is finally nearing completion and I wanted to gather beta feedback before I cut a full official release. Notably, this release adds support for Headscale 0.27.x and focuses on several improvements to OIDC and configuration. I believe our OIDC implementation now properly follows standards as they should've been implemented and should have much better compatibility with providers.

I've created a discussion on GitHub to talk about issues encountered in the beta, please leave feedback through that channel rather than through GitHub issues! Happy testing!

• Added support for Headscale 0.27.0 and 0.27.1
• Bundle all node_modules aside from native ones to reduce bundle and container size (closes #331).
• Allow conditionally compiling the SSH WASM integration when building (closes #337).
• Implemented the ability to customize the build with a custom script (see ./build.sh --help for more information).
• Attempt to warn against misconfigured cookie settings on the login page.
• Made server.cookie_max_age and server.cookie_domain configurable (closes #348).
• Re-worked the configuration loading system with several enhancements:
  • It is now possible to skip a configuration file and only use environment variables (closes #150).
  • Secret path loading has been reworked from the ground up to be more reliable (closes #334).
  • Added better testing and validation for configuration loading
• Re-worked the OIDC integration to adhere to the correct standards and surface more errors to the user.
  • PKCE support has been temporarily disabled, please disable PKCE on your end to test if necessary
• Removed several unnecessarily verbose or spammy log messages.
• Updated the minimum Docker API used to support the latest Docker versions (via #370).
• Enhanced the node tag dialog to show a dropdown of assignable tags (via #362).
• Fixed an issue where the website favicon would not load correctly (closes #323).

New Contributors

• @tituspijean made their first contribution in #349
• @rhoriguchi made their first contribution in #358
• @alexfornuto made their first contribution in #363
• @itzTheMeow made their first contribution in #362
• @luzes-dev made their first contribution in #370

Full Changelog: v0.6.1...v0.6.2-beta.1

v0.6.1

Changes

Headplane 0.6.1 works with Headscale 0.26.0 or higher.

• We have a very WIP website at headplane.net! Documentation and overall website design are still heavily subject to change.
• Please ensure data volumes are correctly migrated!! /var/lib/headplane should be mounted in Docker.
• There should not be any breaking changes with the config, but an up-to-date version of the config file can be found at https://github.com/tale/headplane/blob/main/config.example.yaml.

---

• Headplane now supports connecting to machines via SSH in the web browser.
  • This is an experimental feature and requires the integration.agent section to be set up in the config file.
  • This is built on top of a Go binary that runs in WebAssembly, using Xterm.js for the terminal interface.
• Begin using a new SQLite database file in /var/lib/headplane/hp_persist.db.
  • The database is created automatically if it does not exist.
  • It currently stores SSH connection details and HostInfo for the agent.
  • User information is automatically migrated from the previous database.
• The docker container now runs in a distroless image (closes #255).
  • A debug version of the container that runs as root and has a shell is available as ghcr.io/tale/headplane:<version>-shell.
• Reintroduce the toggle for overriding local DNS settings in the Headscale config (closes #236).
• Prefer cross-compiling in the Dockerfile to speed up builds while still supporting multiple architectures.
• Add a build attestation to validate SLSA provenance for the Docker image.
• Configuration loading via paths is now supported for sensitive values (via #283)
  • Options like server.cookie_secret_path can override server.cookie_secret
  • Environment variables are interpolatable into these paths
  • See the full reference in the docs
• Switch our build processes to use TypeScript Go and Rolldown Vite for better build and type-check performance.
• OIDC profile pictures are now available from Gravatar by setting oidc.profile_picture_source to gravatar (closes #232).
• OIDC now allows passing many custom parameters:
  • oidc.authorization_endpoint, oidc.token_endpoint, and oidc.userinfo_endpoint can be overridden to support non-standard providers or scenarios without discovery (closes #117).
  • oidc.scope can be set to specify custom scopes (defaults to openid email profile).
  • oidc.extra_params can be set to pass arbitrary query parameters to the authorization endpoint (closes #197).

Fixes

• Removing a Split DNS record will no longer make the split domain unresolvable by clients (closes #231).
• Implement more accurate guessing on the PID with the /proc integration (via #219).
• Usernames will now correctly fall back to emails if not provided (via #257).
• The nix overlay build is fixed for the SSH module (via #282)
• Cookies are now encrypted JWTs, preserving API key secrets (GHSA-wrqq-v7qw-r5w7)

New Contributors

• @gabe565 made their first contribution in #237
• @Prince213 made their first contribution in #244
• @antoniolago made their first contribution in #241
• @LEI made their first contribution in #238
• @hayer made their first contribution in #219
• @domysh made their first contribution in #273

Full Changelog: v0.6.0...v0.6.1

v0.6.0

Changes

Headplane 0.6.0 now requires Headscale 0.26.0 or newer.

• Breaking API changes with routes and pre auth keys are now supported (#204).
• Older versions of Headscale will not work with Headplane 0.6.0+.
• There should not be any breaking changes with the config, but an up-to-date version of the config file can be found at https://github.com/tale/headplane/blob/main/config.example.yaml.

---

• OIDC authorization restrictions can now be controlled from the settings UI. (#102).
  • The required permission role for this is IT Admin or Admin/Owner and require the Headscale configuration.
  • Changes made will modify the oidc.allowed_{domains,groups,users} fields in the Headscale config file.
• The Pre-Auth keys page has been fully reworked (#179, #143).
• The Headplane agent is now available as an integration (#65).
  • The agent runs as an embedded process alongside the Headplane server and reports host information and system metrics.
  • Refer to the integrations.agent section of the config file for more information and how to enable it.
• The machine actions backend has been reworked to better handle errors and provide more information to the user (#185).
• Machine tags now show states when waiting for subnet or exit node approval and when expiry is disabled.
• Support Docker container discovery through labels (#194).
• AAAA records are now supported on the DNS page (#189).
• Add support for dns.extra_records_path in the Headscale config (#144).

Fixes

• Requests to /admin will now be redirected to /admin/ to prevent issues with the React Router (works with custom prefixes, #173).
• The Login page has been simplified and separately reports errors versus incorrect API keys (#186).
• Expiry status on the UI was incorrectly showing as never due to changes in the Headscale API.
• Added validation for machine renaming to prevent invalid submissions (#192).
• Unmanaged (non-OIDC) users cannot have a role assigned to them so the menu option was disabled.
• Tighten proc integration logic by checking for the headscale serve command (#195).
• Strip newlines in the OIDC client_secret_path file if provided (#199).

New Contributors

• @ceres-c made their first contribution in #184
• @gntouts made their first contribution in #194
• @StealthBadger747 made their first contribution in #213

Full Changelog: 0.5.10...v0.6.0