Skip to content

Releases: tale/headplane

v0.7.0

Choose a tag to compare

@tale tale released this 04 Jul 16:33
v0.7.0
17e7b35

Changes

Headplane 0.7.0 works with Headscale 0.29.0.

  • Headplane now requires Headscale 0.27.0 or newer.
  • Some config options have changed or been consolidated, please refer to the example and website: https://github.com/tale/headplane/blob/main/config.example.yaml.
  • Headplane is preparing for a 1.0 release soon and may introduce breaking changes and deprecations, it is probably a good idea to do a re-config to ensure you are using the most up to date options and not using deprecated fields.

  • Reworked authentication and account linking. OIDC users are now linked to their Headscale counterparts more reliably, and Headplane has a clearer internal permissions model.
  • Added support for automatic role assignment for new OIDC users via oidc.default_role and IdP-provided role claims via oidc.role_claim (closes #352).
  • Added support for proxy authentication via server.proxy_auth.
  • Added OIDC logout support (closes #407).
  • Replaced openid-client with a clean-room OIDC implementation.
  • Consolidated the Headscale API key under headscale.api_key; oidc.headscale_api_key is still read as a fallback but is deprecated.
  • Rebuilt Browser SSH with a new terminal powered by Ghostty WASM, better session handling, and support for custom DERP ports.
  • Reworked the Headplane Agent around periodic syncing and caching. The agent now auto-generates ephemeral pre-auth keys when enabled.
  • Added an Agent status page at /settings/agent.
  • Added support for Headscale 0.29+ registration keys.
  • Replaced OpenAPI hash detection with /version-based Headscale capability detection.
  • Headplane now boots even when Headscale is temporarily unreachable; it will retry version detection in the background.
  • Added optional in-process TLS termination with server.tls_cert_path and server.tls_key_path (closes #403).
  • Made the bundled Docker healthcheck zero-config across HTTP and HTTPS by writing the listen URL at startup.
  • Switched to structured JSON logging (closes #279).
  • Added machine list filters for user, tag, status, and route (via #507).
  • Added self-service pre-auth key creation for auditor role users (via #478).
  • Added suggestions to pick existing tags in the machine tag dialog.
  • Added Rename and Delete actions for unlinked Headscale users.
  • Added support for light, dark, and system color schemes.
  • Improved the ACL editor appearance.
  • Migrated UI components from React Aria to Base UI.
  • Added a devcontainer setup for contributors (via #500).
  • Documented custom certificate authorities via NODE_EXTRA_CA_CERTS (closes #313).

Fixes

  • Fixed assigning ACL tags to tag-only/no-user nodes from the UI.
  • Fixed the Register Machine Key dialog so it accepts registration URLs and full hskey-authreq-... registration keys.
  • Fixed tag handling on Headscale 0.28+.
  • Fixed pre-auth key expiration on Headscale 0.27.x and 0.28+.
  • Fixed first user owner assignment on OIDC login (via #480).
  • Fixed existing OIDC users incorrectly becoming pending approval after update.
  • Fixed login errors throwing a server error instead of showing form validation (via #475).
  • Fixed OIDC token exchange fallback when retrying with client_secret_basic.
  • Fixed OIDC weak RSA fallback and subject claim handling (via #537).
  • Fixed OIDC profile pictures when the image URL requires authentication (via #510).
  • Fixed agent HostInfo not refreshing periodically using cache_ttl (via #477).
  • Fixed the agent working directory being wiped on restart.
  • Fixed Browser SSH DERP probing when custom DERP ports are used.
  • Fixed Browser SSH pre-auth key handling by increasing the temporary key expiry window and showing key creation errors in the UI.
  • Fixed the DNS page crashing when Headscale has no Split DNS nameservers configured.
  • Fixed Headplane correctly reading dns.extra_records_path from the Headscale configuration.
  • Fixed Headscale PostgreSQL config validation so pass is not required when password_file is supplied.
  • Fixed Go zero-time/no-expiry values showing incorrectly in the UI (via #527).
  • Fixed machine rename submission by validating names before sending the rename request.
  • Fixed Headscale rename path encoding from the 0.6.3 security hotfix.
  • Fixed unsupported Docker API versions being detected earlier with a clear error message (via #497).
  • Fixed Docker/WASM build patch permissions (via #567).
  • Fixed dialog panels growing beyond the viewport; dialog content is now constrained and scrollable (via #556).
  • Fixed focus rings inside dialogs being clipped.
  • Fixed tooltips on the last row of the machines table being clipped by the viewport.
  • Fixed user lists to show Headscale display names while preserving usernames as secondary text.
  • Fixed the Docker healthcheck docs example to use the required CMD prefix.

New Contributors

Full Changelog: v0.6.2...v0.7.0

v0.7.0-beta.4

v0.7.0-beta.4 Pre-release
Pre-release

Choose a tag to compare

@tale tale released this 31 May 19:04
v0.7.0-beta.4
262c7bf

Beta Status

I'm happy to share that 0.7.0-beta.4 will be the last beta version before the public release of Headplane 0.7.0! The main goal of this release was to fix several bugs and rework core parts of the application to bring stability guarantees. Subsequent versions will be looking at adding new features and working towards a 1.0 release.

Headplane is also working towards meeting enterprise level guarantees for deployment:

  • First-class Kubernetes support and recommended deployment charts via Helm
  • Potential secured/CVE-reactive containers (via Chainguard)
  • Stability and versioning guarantees!

If you would like to see specific features implemented quicker in Headplane, I'm also now accepting feature-sponsored development. Donations show interest and incentivize me to prioritize features.

What's Changed

  • Headplane now requires Headscale 0.27.0 or newer. Support for 0.26.x has been dropped. If /version returns 404 (the endpoint was added in 0.27.0), Headplane logs an error and keeps retrying so an in-place Headscale upgrade is picked up without a restart.
  • Replaced the OpenAPI hash detection with /version. Capabilities are now derived from the version reported by /version instead of fingerprinting the OpenAPI schema. This dramatically simplifies version detection and works with every supported release out of the box.
  • Made Headscale boot resilient. Headplane now boots even when Headscale is unreachable; capabilities default permissively and a background retry settles them once Headscale responds. No more cold-start ordering problems with docker-compose.
  • Added optional in-process TLS termination. Setting server.tls_cert_path and server.tls_key_path makes Headplane serve HTTPS/1.1 on server.port directly — no reverse proxy required. server.cookie_secure is auto-forced to true (with a warning) whenever TLS is enabled, since browsers refuse Secure-less cookies over HTTPS. HTTP/2 and HTTP/3 are intentionally not supported in-process; terminate those at a reverse proxy if you need them (closes #403).
  • Made the bundled Docker healthcheck zero-config across HTTP and HTTPS. Headplane writes its loopback URL (scheme, port, and basename included) to /tmp/headplane-listen on startup, and hp_healthcheck reads that file and probes the URL verbatim. Enabling TLS or changing server.port no longer requires any healthcheck-specific configuration. Native installs are unaffected — the listen file is only written when HEADPLANE_LISTEN_FILE is set, which the Dockerfile does automatically.
  • Added Rename and Delete actions for unlinked Headscale users on the Users page so admins can manage Headscale users that have no Headplane account (closes #525).
  • Documented Custom Certificate Authorities for trusting private or self-signed CAs across every outbound TLS connection (OIDC, Headscale, Docker, etc.) via Node's NODE_EXTRA_CA_CERTS. This replaces the previous workaround of rebuilding the Docker image to extend the system trust store (closes #313).
  • Fixed user-management actions (link, change role, transfer ownership) using the wrong ID type for unlinked Headplane users. Form fields are now explicitly headplane_user_id vs. headscale_user_id, and the auth layer no longer round-trips through Headscale to recover the OIDC subject.
  • Fixed the "Register Machine Key" dialog passing the Headscale numeric user id instead of the username. Headscale's RegisterNodeRequest.user proto field is a string looked up via GetUserByName (no numeric fallback), so registration was failing whenever the selected owner's display name differed from their numeric id (closes #532).
  • Fixed pre-auth key expiration on Headscale 0.27.x. The pre-0.28 expire endpoint takes a uint64 user field which the API layer reads from key.user?.id, but the caller was wrapping the id as { name: user }, causing the request to send an empty user field. Headplane now correctly passes the numeric Headscale user id.
  • Fixed dialog panels growing beyond the viewport; dialog content is now constrained and scrollable (via #556).
  • Fixed focus rings on inputs and buttons inside dialogs being clipped by the scrollable content container.
  • Fixed tooltips on the last row of the machines table being clipped by the viewport; tooltips now anchor above the trigger with collision padding (closes #508).
  • Corrected the Docker healthcheck example in the docs to use the required CMD prefix so reverse proxies don't see the container as unhealthy (closes #535).

New Contributors

Full Changelog: v0.7.0-beta.3...v0.7.0-beta.4

v0.7.0-beta.3

v0.7.0-beta.3 Pre-release
Pre-release

Choose a tag to compare

@tale tale released this 14 May 18:05
v0.7.0-beta.3
fb4b0b1

Security Hotfix

This release fixes GHSA-vgj6-hcf2-fqf6, a path traversal / RBAC bypass in Headscale rename API calls.

Headplane now URL-encodes user-controlled node and user rename path segments before sending requests to Headscale. This prevents crafted rename values containing path traversal sequences from escaping the intended Headscale API endpoint.

Users running Headplane 0.7.0-beta.1 or beta.2 should upgrade to beta.3.
Thank you for @kah-ja for helping discover this.

What's Changed

  • fix: treat Go zero-time as no-expiry in UI by @eccgecko in #527
  • chore: update flake.lock by @github-actions[bot] in #524
  • fix: harden OIDC weak RSA fallback and subject claim handling by @croatialu in #537
  • chore: update flake.lock by @github-actions[bot] in #533

New Contributors

Full Changelog: v0.7.0-beta.2...v0.7.0-beta.3

v0.6.3

Choose a tag to compare

@tale tale released this 14 May 18:04
v0.6.3
623e7c0

Security Hotfix

This release fixes GHSA-vgj6-hcf2-fqf6, a path traversal / RBAC bypass in Headscale rename API calls.

Headplane now URL-encodes user-controlled node and user rename path segments before sending requests to Headscale. This prevents crafted rename values containing path traversal sequences from escaping the intended Headscale API endpoint.

Users running Headplane 0.6.2 or earlier should upgrade to 0.6.3.

Docker images:

  • ghcr.io/tale/headplane:0.6.3
  • ghcr.io/tale/headplane:latest

Thank you for @kah-ja for helping discover this.

Full Changelog: v0.6.2...v0.6.3

v0.7.0-beta.2

v0.7.0-beta.2 Pre-release
Pre-release

Choose a tag to compare

@tale tale released this 10 Apr 04:12
v0.7.0-beta.2
272233a

Hey there, 0.7.0-beta.2 is finally out. It just makes some changes to the first beta, fixing some issues and also bringing some other changes in. Notably, we've redone how the SSH module works, so it should be more stable now.


Important Things

  • oidc.headscale_api_key is now deprecated in the config, the new field to put this value in is headscale.api_key (and headscale.api_key_path). The deprecated fields will be fully removed in the future.
  • The Headplane agent only supports Headscale 0.28+. I've switched it to use the ACL tags model where it isn't associated with a user, and this functionality is only recently supported by Headscale.
  • Authentication has been reworked. OIDC logged-in users in Headplane are now connected to Headscale users through a multi-step matching process:
    • First, we try to match via OIDC linking.
    • Then, we try matching based on the user's email addresses.
    • Finally, we allow the user to manually pick their username from the list of "unclaimed" users on Headscale.
    • This should result in a much more intuitive onboarding experience.

Changes

  • Rebuilt the Browser SSH feature
    • Should now work with custom DERP ports and properly handle sessions.
    • Switched to using libghostty for a proper, modern terminal experience (closes #515).
    • Added more resilient error handling and state handling when initiating connections.
  • Migrated all UI components from react-aria/react-stately to @base-ui-components/react.
    • Removed react-aria, react-stately, and tailwindcss-react-aria-components as dependencies.
  • Replaced openid-client with a clean-room OIDC implementation.
    • Removed the openid-client dependency entirely.
    • Fixed client_secret_basic auth method not working with Google SSO and other providers (closes #493).
    • Fixed OIDC connector initialization failures on beta.1 (closes #516).
  • Rearchitected the Headplane Agent with a new sync model (closes #350, closes #455).
    • The Go binary connects to the Tailnet and fetches all peer hostinfo as JSON.
    • The Node.js manager auto-generates ephemeral tag-only pre-auth keys (requires Headscale 0.28+).
    • Deprecated integration.agent.pre_authkey and integration.agent.cache_path config fields.
    • Added integration.agent.executable_path config field.
  • Consolidated the Headscale API key under headscale.api_key (and headscale.api_key_path).
    • Deprecated oidc.headscale_api_key — it is still read as a fallback but will be removed in a future release.
    • Both the agent and OIDC now use the same key from headscale.api_key.
  • Reworked the authentication system with a new AuthService that consolidates session management and role enforcement (via #489).
  • Added an agent status page at /settings/agent showing sync status, node count, errors, and a "Sync Now" button.
  • Added additional machine list filters for user, tag, status, and route (via #507, closes #506).
  • Added self-service pre-auth key creation for auditor role users (via #478, closes #453).
  • Store OIDC profile pictures in the database to prevent cookie header overload (closes #326, via #510).
  • Fixed pre-auth key expiration on Headscale 0.28+ (closes #519).
  • Fixed OIDC subject matching for providers that use special characters in user IDs (e.g. Auth0 github|12345) (closes #428).
  • Fixed headscale.api_key not being used consistently across all code paths.
  • Fixed intermittent SSR crash on the Access Control page caused by client-only CodeMirror imports.
  • Fixed first user not being assigned the owner role on OIDC login (via #480, closes #266).
  • Fixed login errors throwing an unexpected server error instead of showing form validation (via #475, closes #474).
  • Fixed agent HostInfo not refreshing periodically using cache_ttl (via #477, closes #427).
  • Fixed agent working directory being wiped on restart.
  • Fixed a race condition where the SSE controller could be used after being closed.
  • Rewrote the WebSSH WASM module to match Tailscale's proven tsconnect init sequence.
    • Switched the terminal renderer from xterm.js to restty (Ghostty WASM).
    • Bundled self-hosted JetBrains Mono Nerd Font with Nerd Fonts symbol fallback — no CDN dependency.
    • Fixed SSH sessions failing with EOF: the SSH channel multiplexer was not receiving server traffic.
    • Fixed terminal resize sending swapped rows/cols, causing garbled output on window resize.
    • Fixed log.Fatal() calls in the WASM bridge killing the entire runtime on recoverable errors.
    • Fixed Close() returning true on error and false on success.
    • Fixed stale closure bug in the NodeKey tracking callback.
    • Removed unnecessary LoginDefault and LocalBackendStartKeyOSNeutral control flags.
    • Added cancellation support for in-flight SSH connections on close.
  • Fixed WebSSH dropping DERP port information on non-standard ports (e.g. :8443), which caused connections to fail (closes #515).
  • Fixed WebSSH WASM prefix paths for correct asset loading (closes #386).
  • Fixed Nix WASM build applying DERP patch to wrong vendor directory.
  • Fixed Dockerfile WASM copy paths.
  • Fixed CodeMirror version mismatch override in the ACL editor.
  • Fixed cookie secret generation using incorrect byte length (via #501).
  • Fixed OIDC configuration error troubleshooting link (via #518, closes #517).
  • Fixed deprecated Nix package attributes (via #521).
  • Detect unsupported Docker API versions early with a clear error message (via #497).
  • Updated NixOS module options: removed deprecated agent fields, added headscale.api_key_path and integration.agent.executable_path.

New Contributors

Full Changelog: v0.7.0-beta.1...v0.7.0-beta.2

v0.7.0-beta.1

v0.7.0-beta.1 Pre-release
Pre-release

Choose a tag to compare

@tale tale released this 30 Mar 17:46
v0.7.0-beta.1
73b5d55

Hey everyone, I'm happy to share 0.7.0-beta.1 today. It addresses a few key things, mainly focusing on improving the user-reconciliation between Headplane/Headscale, making the UI more accessible and better looking, and seriously improving the reliability of Headplane's individual components.

Important Things

  • oidc.headscale_api_key is now deprecated in the config, the new field to put this value in is headscale.api_key (and headscale.api_key_path). The deprecated fields will be fully removed in the future.
  • The Headplane agent only supports Headscale 0.28+. I've switched it to use the ACL tags model where it isn't associated with a user, and this functionality is only recently supported by Headscale.
  • Authentication has been reworked. OIDC logged-in users in Headplane are now connected to Headscale users through a multi-step matching process:
    • First, we try to match via OIDC linking.
    • Then, we try matching based on the user's email addresses.
    • Finally, we allow the user to manually pick their username from the list of "unclaimed" users on Headscale.
    • This should result in a much more intuitive onboarding experience.

Changes

  • Migrated all UI components from react-aria/react-stately to @base-ui-components/react.
    • Removed react-aria, react-stately, and tailwindcss-react-aria-components as dependencies.
  • Rearchitected the Headplane Agent from a long-running stdin/stdout daemon to a one-shot sync model (closes #350, closes #455).
    • The Go binary connects to the Tailnet, fetches all peer hostinfo as JSON, and exits.
    • The Node.js manager auto-generates ephemeral tag-only pre-auth keys (requires Headscale 0.28+).
    • Deprecated integration.agent.pre_authkey and integration.agent.cache_path config fields.
    • Added integration.agent.executable_path config field.
  • Consolidated the Headscale API key under headscale.api_key (and headscale.api_key_path).
    • Deprecated oidc.headscale_api_key — it is still read as a fallback but will be removed in a future release.
    • Both the agent and OIDC now use the same key from headscale.api_key.
  • Reworked the authentication system with a new AuthService that consolidates session management and role enforcement (via #489).
  • Added an agent status page at /settings/agent showing sync status, node count, errors, and a "Sync Now" button.
  • Added additional machine list filters for user, tag, status, and route (via #507, closes #506).
  • Added self-service pre-auth key creation for auditor role users (via #478, closes #453).
  • Fetch OIDC profile pictures server-side when the URL requires authentication (via #510, closes #326).
  • Fixed first user not being assigned the owner role on OIDC login (via #480, closes #266).
  • Fixed login errors throwing an unexpected server error instead of showing form validation (via #475, closes #474).
  • Fixed agent HostInfo not refreshing periodically using cache_ttl (via #477, closes #427).
  • Fixed a race condition where the SSE controller could be used after being closed.
  • Fixed WebSSH WASM prefix paths for correct asset loading (closes #386).
  • Fixed Dockerfile WASM copy paths.
  • Fixed CodeMirror version mismatch override in the ACL editor.
  • Fixed cookie secret generation using incorrect byte length (via #501).
  • Detect unsupported Docker API versions early with a clear error message (via #497).
  • Updated NixOS module options: removed deprecated agent fields, added headscale.api_key_path and integration.agent.executable_path.

New Contributors

Full Changelog: v0.6.2...v0.7.0-beta.1

v0.6.2

Choose a tag to compare

@tale tale released this 26 Feb 23:41
v0.6.2
0cff389

Changes

Headplane 0.6.2 works with Headscale 0.28.0.


  • Re-worked the configuration loading system with several enhancements:
    • It is now possible to skip a configuration file and only use environment variables (closes #150).
    • Secret path loading has been reworked from the ground up to be more reliable (closes #334).
    • Added better testing and validation for configuration loading
  • Re-worked the OIDC integration to adhere to the correct standards and surface more errors to the user.
    • Deprecated oidc.redirect_uri and automated callback URL detection in favor of setting server.base_url correctly.
    • Explicitly added oidc.use_pkce to correctly determine PKCE configuration.
    • oidc.token_endpoint_auth_method is now optional and will attempt to be auto-detected, defaulting to client_secret_basic if unavailable (closes #410).
    • Added oidc.enabled config option to explicitly control OIDC availability (via #463).
  • Added search and sortable columns to the machines list page (closes #351).
  • Allow conditionally compiling the SSH WASM integration when building (closes #337).
  • Implemented the ability to customize the build with a custom script (see ./build.sh --help for more information).
  • Attempt to warn against misconfigured cookie settings on the login page.
  • Made server.cookie_max_age and server.cookie_domain configurable (closes #348).
  • Enhanced the node tag dialog to show a dropdown of assignable tags (via #362).
  • Added an /admin/api/info route that can expose sensitive information if server.info_secret is set in the configuration (closes #324).
  • Machine key registration no longer works if the key isn't 24 characters long (closes #415).
  • Added a Docker healthcheck to the container (closes #411).
  • Strengthened the validation for the /proc integration to correctly discover the Headscale PID.
  • Added lazy retry logic for OIDC providers if they initially fail to respond (closes #423).
  • Pre-auth keys are now listed without a user filter on Headscale 0.28+, with a fallback to per-user fetching on older versions (via #466).
  • Adapted to the removal of Node Ownership Change in Headscale 0.28 (via #436).
  • Improved the no-access user page on the UI (via #469).

Fixes

  • Bundle all node_modules aside from native ones to reduce bundle and container size (closes #331).
  • Removed several unnecessarily verbose or spammy log messages.
  • Updated the minimum Docker API used to support the latest Docker versions (via #370).
  • Correctly handle invalid ACL policy inserts on Headscale 0.27+ (closes #383).
  • Prevent a machine from changing its owner to itself (closes #373).
  • Fixed an issue where the website favicon would not load correctly (closes #323).
  • Fixed API key login on Headscale 0.28.0-beta.1+ (closes #429).
  • Fixed an issue that prevented the pre-auth-key UI from being usable on Headscale 0.28 and later.
  • Added support for creating tag-only pre-auth keys on Headscale 0.28+ (via #465).
  • Fixed pre-auth keys not showing for OIDC users without a username (via #470).
  • Fixed truncated pre-auth key display with longer Headscale 0.28 bcrypt tokens (closes #435).
  • Fixed Nix systemd service to use user-specified package (via #454).
  • Version displayed in the UI is now derived from git tags and build args instead of package.json, fixing incorrect versions shown on beta and nightly builds.
  • Fixed handling of tag-only nodes that have no user on Headscale 0.28+ (via #467).
  • Fixed some mobile CSS issues across the application (closes #401).
  • Correctly apply Gravatar profile pictures on the user page if applicable (closes #405).

New Contributors

Full Changelog: v0.6.1...v0.6.2

v0.6.2-beta.5

v0.6.2-beta.5 Pre-release
Pre-release

Choose a tag to compare

@tale tale released this 08 Feb 18:02
v0.6.2-beta.5
931a7f8

Hey all, Headplane 0.6.2-beta.5 is now available and ties together everything for the full 0.6.2 release. This release explicitly supports Headscale 0.28! I still need some more time to iron out some bugs before making an official release, but this should be pretty close to a daily use experience.

Notable for this beta release, the Kubernetes and Linux integrations have been fixed after being problematic for a long time. Also, for any deployments that use OIDC, oidc.redirect_uri has been deprecated and server.base_url will need to be supplied. Starting in Headplane 0.7.0, you will receive errors if it is not set. See the OIDC configuration docs for more information. Also, PKCE has now been turned into an option, so you'll need to set oidc.use_pkce to true if you get code verifier errors when authenticating with your OIDC provider.

Changes

  • Added support for Headscale 0.27.0 and 0.27.1
  • Bundle all node_modules aside from native ones to reduce bundle and container size (closes #331).
  • Allow conditionally compiling the SSH WASM integration when building (closes #337).
  • Implemented the ability to customize the build with a custom script (see ./build.sh --help for more information).
  • Attempt to warn against misconfigured cookie settings on the login page.
  • Made server.cookie_max_age and server.cookie_domain configurable (closes #348).
  • Re-worked the configuration loading system with several enhancements:
    • It is now possible to skip a configuration file and only use environment variables (closes #150).
    • Secret path loading has been reworked from the ground up to be more reliable (closes #334).
    • Added better testing and validation for configuration loading
  • Re-worked the OIDC integration to adhere to the correct standards and surface more errors to the user.
    • Deprecated oidc.redirect_uri and automated callback URL detection in favor of setting server.base_url correctly.
    • Explicitly added oidc.use_pkce to correctly determine PKCE configuration.
  • Removed several unnecessarily verbose or spammy log messages.
  • Updated the minimum Docker API used to support the latest Docker versions (via #370).
  • Enhanced the node tag dialog to show a dropdown of assignable tags (via #362).
  • Fixed an issue where the website favicon would not load correctly (closes #323).
  • Correctly handle invalid ACL policy inserts on Headscale 0.27+ (closes #383).
  • Prevent a machine from changing its owner to itself (closes #373).
  • Added an /admin/api/info route that can expose sensitive information if server.info_secret is set in the configuration (closes #324).
  • Correctly apply Gravatar profile pictures on the user page if applicable (closes #405).
  • Machine key registration no longer works if the key isn't 24 characters long (closes #415).
  • Fixed some mobile CSS issues across the application (closes #401).
  • Added a Docker healthcheck to the container (closes #411).
  • Strengthened the validation for the /proc integration to correctly discover the Headscale PID.
  • Added lazy retry logic for OIDC providers if they initially fail to respond (closes #423).
  • Fixed API key login on Headcale 0.28.0-beta.1+ (closes #429).
  • Fixed an issue that prevented the pre-auth-key UI from being usable on Headscale 0.28 and later

Full Changelog: v0.6.2-beta.4...v0.6.2-beta.5

v0.6.2-beta.4

v0.6.2-beta.4 Pre-release
Pre-release

Choose a tag to compare

@tale tale released this 14 Jan 04:33
v0.6.2-beta.4
42ffe69

Hey all, Headplane 0.6.2-beta.4 is now available and adds a couple more features and smaller bug fixes like some CSS mobile layout fixes, a docker health check, better OIDC heuristics for detecting the correct token auth endpoint method, etc. This is probably the last beta before a full release. The full release will ship with support for Headscale 0.28 if it releases before.

Specifically for OIDC, oidc.redirect_uri has been deprecated and server.base_url will need to be supplied. Starting in Headplane 0.7.0, you will receive errors if it is not set. See the OIDC configuration docs for more information. Also, PKCE has now been turned into an option, so you'll need to set oidc.use_pkce to true if you get code verifier errors when authenticating with your OIDC provider.

Changes

  • Added support for Headscale 0.27.0 and 0.27.1
  • Bundle all node_modules aside from native ones to reduce bundle and container size (closes #331).
  • Allow conditionally compiling the SSH WASM integration when building (closes #337).
  • Implemented the ability to customize the build with a custom script (see ./build.sh --help for more information).
  • Attempt to warn against misconfigured cookie settings on the login page.
  • Made server.cookie_max_age and server.cookie_domain configurable (closes #348).
  • Re-worked the configuration loading system with several enhancements:
    • It is now possible to skip a configuration file and only use environment variables (closes #150).
    • Secret path loading has been reworked from the ground up to be more reliable (closes #334).
    • Added better testing and validation for configuration loading
  • Re-worked the OIDC integration to adhere to the correct standards and surface more errors to the user.
    • Deprecated oidc.redirect_uri and automated callback URL detection in favor of setting server.base_url correctly.
    • Explicitly added oidc.use_pkce to correctly determine PKCE configuration.
  • Removed several unnecessarily verbose or spammy log messages.
  • Updated the minimum Docker API used to support the latest Docker versions (via #370).
  • Enhanced the node tag dialog to show a dropdown of assignable tags (via #362).
  • Fixed an issue where the website favicon would not load correctly (closes #323).
  • Correctly handle invalid ACL policy inserts on Headscale 0.27+ (closes #383).
  • Prevent a machine from changing its owner to itself (closes #373).
  • Added an /admin/api/info route that can expose sensitive information if server.info_secret is set in the configuration (closes #324).
  • Correctly apply Gravatar profile pictures on the user page if applicable (closes #405).
  • Machine key registration no longer works if the key isn't 24 characters long (closes #415).
  • Fixed some mobile CSS issues across the application (closes #401).
  • Added a Docker healthcheck to the container (closes #411).

Full Changelog: v0.6.2-beta.3...v0.6.2-beta.4

v0.6.2-beta.3

v0.6.2-beta.3 Pre-release
Pre-release

Choose a tag to compare

@tale tale released this 14 Dec 20:06
v0.6.2-beta.3
9125490

Hey all, Headplane 0.6.2-beta.3 is now available and should fix the ACL regressions from the 2nd beta.
The 0.6.2 release focuses on a few important aspects for Headplane's future:

  • Support for Headscale 0.27.x and robust testing with a compatibility matrix
  • Cleanup and simplification of the configuration options
  • More robust OIDC/SSO implementation.

Specifically for OIDC, oidc.redirect_uri has been deprecated and server.base_url will need to be supplied. Starting in Headplane 0.7.0, you will receive errors if it is not set. See the OIDC configuration docs for more information. Also, PKCE has now been turned into an option, so you'll need to set oidc.use_pkce to true if you get code verifier errors when authenticating with your OIDC provider.

Changes

  • Added support for Headscale 0.27.0 and 0.27.1
  • Bundle all node_modules aside from native ones to reduce bundle and container size (closes #331).
  • Allow conditionally compiling the SSH WASM integration when building (closes #337).
  • Implemented the ability to customize the build with a custom script (see ./build.sh --help for more information).
  • Attempt to warn against misconfigured cookie settings on the login page.
  • Made server.cookie_max_age and server.cookie_domain configurable (closes #348).
  • Re-worked the configuration loading system with several enhancements:
    • It is now possible to skip a configuration file and only use environment variables (closes #150).
    • Secret path loading has been reworked from the ground up to be more reliable (closes #334).
    • Added better testing and validation for configuration loading
  • Re-worked the OIDC integration to adhere to the correct standards and surface more errors to the user.
    • Deprecated oidc.redirect_uri and automated callback URL detection in favor of setting server.base_url correctly.
    • Explicitly added oidc.use_pkce to correctly determine PKCE configuration.
  • Removed several unnecessarily verbose or spammy log messages.
  • Updated the minimum Docker API used to support the latest Docker versions (via #370).
  • Enhanced the node tag dialog to show a dropdown of assignable tags (via #362).
  • Fixed an issue where the website favicon would not load correctly (closes #323).
  • Correctly handle invalid ACL policy inserts on Headscale 0.27+ (closes #383).
  • Prevent a machine from changing its owner to itself (closes #373).
  • Added an /admin/api/info route that can expose sensitive information if server.info_secret is set in the configuration (closes #324).

Full Changelog: v0.6.2-beta.1...v0.6.2-beta.2