Releases: tale/headplane
Release list
v0.7.0
Changes
Headplane 0.7.0 works with Headscale 0.29.0.
- Headplane now requires Headscale 0.27.0 or newer.
- Some config options have changed or been consolidated, please refer to the example and website: https://github.com/tale/headplane/blob/main/config.example.yaml.
- Headplane is preparing for a 1.0 release soon and may introduce breaking changes and deprecations, it is probably a good idea to do a re-config to ensure you are using the most up to date options and not using deprecated fields.
- Reworked authentication and account linking. OIDC users are now linked to their Headscale counterparts more reliably, and Headplane has a clearer internal permissions model.
- Added support for automatic role assignment for new OIDC users via
oidc.default_roleand IdP-provided role claims viaoidc.role_claim(closes #352). - Added support for proxy authentication via
server.proxy_auth. - Added OIDC logout support (closes #407).
- Replaced
openid-clientwith a clean-room OIDC implementation. - Consolidated the Headscale API key under
headscale.api_key;oidc.headscale_api_keyis still read as a fallback but is deprecated. - Rebuilt Browser SSH with a new terminal powered by Ghostty WASM, better session handling, and support for custom DERP ports.
- Reworked the Headplane Agent around periodic syncing and caching. The agent now auto-generates ephemeral pre-auth keys when enabled.
- Added an Agent status page at
/settings/agent. - Added support for Headscale 0.29+ registration keys.
- Replaced OpenAPI hash detection with
/version-based Headscale capability detection. - Headplane now boots even when Headscale is temporarily unreachable; it will retry version detection in the background.
- Added optional in-process TLS termination with
server.tls_cert_pathandserver.tls_key_path(closes #403). - Made the bundled Docker healthcheck zero-config across HTTP and HTTPS by writing the listen URL at startup.
- Switched to structured JSON logging (closes #279).
- Added machine list filters for user, tag, status, and route (via #507).
- Added self-service pre-auth key creation for auditor role users (via #478).
- Added suggestions to pick existing tags in the machine tag dialog.
- Added Rename and Delete actions for unlinked Headscale users.
- Added support for light, dark, and system color schemes.
- Improved the ACL editor appearance.
- Migrated UI components from React Aria to Base UI.
- Added a devcontainer setup for contributors (via #500).
- Documented custom certificate authorities via
NODE_EXTRA_CA_CERTS(closes #313).
Fixes
- Fixed assigning ACL tags to tag-only/no-user nodes from the UI.
- Fixed the Register Machine Key dialog so it accepts registration URLs and full
hskey-authreq-...registration keys. - Fixed tag handling on Headscale 0.28+.
- Fixed pre-auth key expiration on Headscale 0.27.x and 0.28+.
- Fixed first user owner assignment on OIDC login (via #480).
- Fixed existing OIDC users incorrectly becoming pending approval after update.
- Fixed login errors throwing a server error instead of showing form validation (via #475).
- Fixed OIDC token exchange fallback when retrying with
client_secret_basic. - Fixed OIDC weak RSA fallback and subject claim handling (via #537).
- Fixed OIDC profile pictures when the image URL requires authentication (via #510).
- Fixed agent HostInfo not refreshing periodically using
cache_ttl(via #477). - Fixed the agent working directory being wiped on restart.
- Fixed Browser SSH DERP probing when custom DERP ports are used.
- Fixed Browser SSH pre-auth key handling by increasing the temporary key expiry window and showing key creation errors in the UI.
- Fixed the DNS page crashing when Headscale has no Split DNS nameservers configured.
- Fixed Headplane correctly reading
dns.extra_records_pathfrom the Headscale configuration. - Fixed Headscale PostgreSQL config validation so
passis not required whenpassword_fileis supplied. - Fixed Go zero-time/no-expiry values showing incorrectly in the UI (via #527).
- Fixed machine rename submission by validating names before sending the rename request.
- Fixed Headscale rename path encoding from the 0.6.3 security hotfix.
- Fixed unsupported Docker API versions being detected earlier with a clear error message (via #497).
- Fixed Docker/WASM build patch permissions (via #567).
- Fixed dialog panels growing beyond the viewport; dialog content is now constrained and scrollable (via #556).
- Fixed focus rings inside dialogs being clipped.
- Fixed tooltips on the last row of the machines table being clipped by the viewport.
- Fixed user lists to show Headscale display names while preserving usernames as secondary text.
- Fixed the Docker healthcheck docs example to use the required
CMDprefix.
New Contributors
- @dixi83 made their first contribution in #488
- @mrangger made their first contribution in #497
- @dotWee made their first contribution in #500
- @AgathaSorceress made their first contribution in #501
- @lloydowen made their first contribution in #510
- @siemenvdn made their first contribution in #507
- @sinanmohd made their first contribution in #521
- @Kroppeb made their first contribution in #518
- @eccgecko made their first contribution in #527
- @croatialu made their first contribution in #537
- @vdovhanych made their first contribution in #556
Full Changelog: v0.6.2...v0.7.0
v0.7.0-beta.4
Beta Status
I'm happy to share that 0.7.0-beta.4 will be the last beta version before the public release of Headplane 0.7.0! The main goal of this release was to fix several bugs and rework core parts of the application to bring stability guarantees. Subsequent versions will be looking at adding new features and working towards a 1.0 release.
Headplane is also working towards meeting enterprise level guarantees for deployment:
- First-class Kubernetes support and recommended deployment charts via Helm
- Potential secured/CVE-reactive containers (via Chainguard)
- Stability and versioning guarantees!
If you would like to see specific features implemented quicker in Headplane, I'm also now accepting feature-sponsored development. Donations show interest and incentivize me to prioritize features.
What's Changed
- Headplane now requires Headscale 0.27.0 or newer. Support for 0.26.x has been dropped. If
/versionreturns 404 (the endpoint was added in 0.27.0), Headplane logs an error and keeps retrying so an in-place Headscale upgrade is picked up without a restart. - Replaced the OpenAPI hash detection with
/version. Capabilities are now derived from the version reported by/versioninstead of fingerprinting the OpenAPI schema. This dramatically simplifies version detection and works with every supported release out of the box. - Made Headscale boot resilient. Headplane now boots even when Headscale is unreachable; capabilities default permissively and a background retry settles them once Headscale responds. No more cold-start ordering problems with docker-compose.
- Added optional in-process TLS termination. Setting
server.tls_cert_pathandserver.tls_key_pathmakes Headplane serve HTTPS/1.1 onserver.portdirectly — no reverse proxy required.server.cookie_secureis auto-forced totrue(with a warning) whenever TLS is enabled, since browsers refuseSecure-less cookies over HTTPS. HTTP/2 and HTTP/3 are intentionally not supported in-process; terminate those at a reverse proxy if you need them (closes #403). - Made the bundled Docker healthcheck zero-config across HTTP and HTTPS. Headplane writes its loopback URL (scheme, port, and basename included) to
/tmp/headplane-listenon startup, andhp_healthcheckreads that file and probes the URL verbatim. Enabling TLS or changingserver.portno longer requires any healthcheck-specific configuration. Native installs are unaffected — the listen file is only written whenHEADPLANE_LISTEN_FILEis set, which the Dockerfile does automatically. - Added Rename and Delete actions for unlinked Headscale users on the Users page so admins can manage Headscale users that have no Headplane account (closes #525).
- Documented Custom Certificate Authorities for trusting private or self-signed CAs across every outbound TLS connection (OIDC, Headscale, Docker, etc.) via Node's
NODE_EXTRA_CA_CERTS. This replaces the previous workaround of rebuilding the Docker image to extend the system trust store (closes #313). - Fixed user-management actions (link, change role, transfer ownership) using the wrong ID type for unlinked Headplane users. Form fields are now explicitly
headplane_user_idvs.headscale_user_id, and the auth layer no longer round-trips through Headscale to recover the OIDC subject. - Fixed the "Register Machine Key" dialog passing the Headscale numeric user id instead of the username. Headscale's
RegisterNodeRequest.userproto field is astringlooked up viaGetUserByName(no numeric fallback), so registration was failing whenever the selected owner's display name differed from their numeric id (closes #532). - Fixed pre-auth key expiration on Headscale 0.27.x. The pre-0.28 expire endpoint takes a
uint64 userfield which the API layer reads fromkey.user?.id, but the caller was wrapping the id as{ name: user }, causing the request to send an empty user field. Headplane now correctly passes the numeric Headscale user id. - Fixed dialog panels growing beyond the viewport; dialog content is now constrained and scrollable (via #556).
- Fixed focus rings on inputs and buttons inside dialogs being clipped by the scrollable content container.
- Fixed tooltips on the last row of the machines table being clipped by the viewport; tooltips now anchor above the trigger with collision padding (closes #508).
- Corrected the Docker healthcheck example in the docs to use the required
CMDprefix so reverse proxies don't see the container as unhealthy (closes #535).
New Contributors
- @vdovhanych made their first contribution in #556
Full Changelog: v0.7.0-beta.3...v0.7.0-beta.4
v0.7.0-beta.3
Security Hotfix
This release fixes GHSA-vgj6-hcf2-fqf6, a path traversal / RBAC bypass in Headscale rename API calls.
Headplane now URL-encodes user-controlled node and user rename path segments before sending requests to Headscale. This prevents crafted rename values containing path traversal sequences from escaping the intended Headscale API endpoint.
Users running Headplane 0.7.0-beta.1 or beta.2 should upgrade to beta.3.
Thank you for @kah-ja for helping discover this.
What's Changed
- fix: treat Go zero-time as no-expiry in UI by @eccgecko in #527
- chore: update flake.lock by @github-actions[bot] in #524
- fix: harden OIDC weak RSA fallback and subject claim handling by @croatialu in #537
- chore: update flake.lock by @github-actions[bot] in #533
New Contributors
- @eccgecko made their first contribution in #527
- @croatialu made their first contribution in #537
Full Changelog: v0.7.0-beta.2...v0.7.0-beta.3
v0.6.3
Security Hotfix
This release fixes GHSA-vgj6-hcf2-fqf6, a path traversal / RBAC bypass in Headscale rename API calls.
Headplane now URL-encodes user-controlled node and user rename path segments before sending requests to Headscale. This prevents crafted rename values containing path traversal sequences from escaping the intended Headscale API endpoint.
Users running Headplane 0.6.2 or earlier should upgrade to 0.6.3.
Docker images:
ghcr.io/tale/headplane:0.6.3ghcr.io/tale/headplane:latest
Thank you for @kah-ja for helping discover this.
Full Changelog: v0.6.2...v0.6.3
v0.7.0-beta.2
Hey there, 0.7.0-beta.2 is finally out. It just makes some changes to the first beta, fixing some issues and also bringing some other changes in. Notably, we've redone how the SSH module works, so it should be more stable now.
Important Things
oidc.headscale_api_keyis now deprecated in the config, the new field to put this value in isheadscale.api_key(andheadscale.api_key_path). The deprecated fields will be fully removed in the future.- The Headplane agent only supports Headscale 0.28+. I've switched it to use the ACL tags model where it isn't associated with a user, and this functionality is only recently supported by Headscale.
- Authentication has been reworked. OIDC logged-in users in Headplane are now connected to Headscale users through a multi-step matching process:
- First, we try to match via OIDC linking.
- Then, we try matching based on the user's email addresses.
- Finally, we allow the user to manually pick their username from the list of "unclaimed" users on Headscale.
- This should result in a much more intuitive onboarding experience.
Changes
- Rebuilt the Browser SSH feature
- Should now work with custom DERP ports and properly handle sessions.
- Switched to using
libghosttyfor a proper, modern terminal experience (closes #515). - Added more resilient error handling and state handling when initiating connections.
- Migrated all UI components from react-aria/react-stately to @base-ui-components/react.
- Removed
react-aria,react-stately, andtailwindcss-react-aria-componentsas dependencies.
- Removed
- Replaced
openid-clientwith a clean-room OIDC implementation. - Rearchitected the Headplane Agent with a new sync model (closes #350, closes #455).
- The Go binary connects to the Tailnet and fetches all peer hostinfo as JSON.
- The Node.js manager auto-generates ephemeral tag-only pre-auth keys (requires Headscale 0.28+).
- Deprecated
integration.agent.pre_authkeyandintegration.agent.cache_pathconfig fields. - Added
integration.agent.executable_pathconfig field.
- Consolidated the Headscale API key under
headscale.api_key(andheadscale.api_key_path).- Deprecated
oidc.headscale_api_key— it is still read as a fallback but will be removed in a future release. - Both the agent and OIDC now use the same key from
headscale.api_key.
- Deprecated
- Reworked the authentication system with a new
AuthServicethat consolidates session management and role enforcement (via #489). - Added an agent status page at
/settings/agentshowing sync status, node count, errors, and a "Sync Now" button. - Added additional machine list filters for user, tag, status, and route (via #507, closes #506).
- Added self-service pre-auth key creation for auditor role users (via #478, closes #453).
- Store OIDC profile pictures in the database to prevent cookie header overload (closes #326, via #510).
- Fixed pre-auth key expiration on Headscale 0.28+ (closes #519).
- Fixed OIDC subject matching for providers that use special characters in user IDs (e.g. Auth0
github|12345) (closes #428). - Fixed
headscale.api_keynot being used consistently across all code paths. - Fixed intermittent SSR crash on the Access Control page caused by client-only CodeMirror imports.
- Fixed first user not being assigned the owner role on OIDC login (via #480, closes #266).
- Fixed login errors throwing an unexpected server error instead of showing form validation (via #475, closes #474).
- Fixed agent HostInfo not refreshing periodically using
cache_ttl(via #477, closes #427). - Fixed agent working directory being wiped on restart.
- Fixed a race condition where the SSE controller could be used after being closed.
- Rewrote the WebSSH WASM module to match Tailscale's proven
tsconnectinit sequence.- Switched the terminal renderer from xterm.js to restty (Ghostty WASM).
- Bundled self-hosted JetBrains Mono Nerd Font with Nerd Fonts symbol fallback — no CDN dependency.
- Fixed SSH sessions failing with EOF: the SSH channel multiplexer was not receiving server traffic.
- Fixed terminal resize sending swapped rows/cols, causing garbled output on window resize.
- Fixed
log.Fatal()calls in the WASM bridge killing the entire runtime on recoverable errors. - Fixed
Close()returningtrueon error andfalseon success. - Fixed stale closure bug in the NodeKey tracking callback.
- Removed unnecessary
LoginDefaultandLocalBackendStartKeyOSNeutralcontrol flags. - Added cancellation support for in-flight SSH connections on close.
- Fixed WebSSH dropping DERP port information on non-standard ports (e.g.
:8443), which caused connections to fail (closes #515). - Fixed WebSSH WASM prefix paths for correct asset loading (closes #386).
- Fixed Nix WASM build applying DERP patch to wrong vendor directory.
- Fixed Dockerfile WASM copy paths.
- Fixed CodeMirror version mismatch override in the ACL editor.
- Fixed cookie secret generation using incorrect byte length (via #501).
- Fixed OIDC configuration error troubleshooting link (via #518, closes #517).
- Fixed deprecated Nix package attributes (via #521).
- Detect unsupported Docker API versions early with a clear error message (via #497).
- Updated NixOS module options: removed deprecated agent fields, added
headscale.api_key_pathandintegration.agent.executable_path.
New Contributors
- @dixi83 made their first contribution in #488
- @mrangger made their first contribution in #497
- @dotWee made their first contribution in #500
- @AgathaSorceress made their first contribution in #501
- @lloydowen made their first contribution in #510
- @siemenvdn made their first contribution in #507
- @sinanmohd made their first contribution in #521
- @Kroppeb made their first contribution in #518
Full Changelog: v0.7.0-beta.1...v0.7.0-beta.2
v0.7.0-beta.1
Hey everyone, I'm happy to share 0.7.0-beta.1 today. It addresses a few key things, mainly focusing on improving the user-reconciliation between Headplane/Headscale, making the UI more accessible and better looking, and seriously improving the reliability of Headplane's individual components.
Important Things
oidc.headscale_api_keyis now deprecated in the config, the new field to put this value in isheadscale.api_key(andheadscale.api_key_path). The deprecated fields will be fully removed in the future.- The Headplane agent only supports Headscale 0.28+. I've switched it to use the ACL tags model where it isn't associated with a user, and this functionality is only recently supported by Headscale.
- Authentication has been reworked. OIDC logged-in users in Headplane are now connected to Headscale users through a multi-step matching process:
- First, we try to match via OIDC linking.
- Then, we try matching based on the user's email addresses.
- Finally, we allow the user to manually pick their username from the list of "unclaimed" users on Headscale.
- This should result in a much more intuitive onboarding experience.
Changes
- Migrated all UI components from react-aria/react-stately to @base-ui-components/react.
- Removed
react-aria,react-stately, andtailwindcss-react-aria-componentsas dependencies.
- Removed
- Rearchitected the Headplane Agent from a long-running stdin/stdout daemon to a one-shot sync model (closes #350, closes #455).
- The Go binary connects to the Tailnet, fetches all peer hostinfo as JSON, and exits.
- The Node.js manager auto-generates ephemeral tag-only pre-auth keys (requires Headscale 0.28+).
- Deprecated
integration.agent.pre_authkeyandintegration.agent.cache_pathconfig fields. - Added
integration.agent.executable_pathconfig field.
- Consolidated the Headscale API key under
headscale.api_key(andheadscale.api_key_path).- Deprecated
oidc.headscale_api_key— it is still read as a fallback but will be removed in a future release. - Both the agent and OIDC now use the same key from
headscale.api_key.
- Deprecated
- Reworked the authentication system with a new
AuthServicethat consolidates session management and role enforcement (via #489). - Added an agent status page at
/settings/agentshowing sync status, node count, errors, and a "Sync Now" button. - Added additional machine list filters for user, tag, status, and route (via #507, closes #506).
- Added self-service pre-auth key creation for auditor role users (via #478, closes #453).
- Fetch OIDC profile pictures server-side when the URL requires authentication (via #510, closes #326).
- Fixed first user not being assigned the owner role on OIDC login (via #480, closes #266).
- Fixed login errors throwing an unexpected server error instead of showing form validation (via #475, closes #474).
- Fixed agent HostInfo not refreshing periodically using
cache_ttl(via #477, closes #427). - Fixed a race condition where the SSE controller could be used after being closed.
- Fixed WebSSH WASM prefix paths for correct asset loading (closes #386).
- Fixed Dockerfile WASM copy paths.
- Fixed CodeMirror version mismatch override in the ACL editor.
- Fixed cookie secret generation using incorrect byte length (via #501).
- Detect unsupported Docker API versions early with a clear error message (via #497).
- Updated NixOS module options: removed deprecated agent fields, added
headscale.api_key_pathandintegration.agent.executable_path.
New Contributors
- @dixi83 made their first contribution in #488
- @mrangger made their first contribution in #497
- @dotWee made their first contribution in #500
- @AgathaSorceress made their first contribution in #501
- @lloydowen made their first contribution in #510
- @siemenvdn made their first contribution in #507
Full Changelog: v0.6.2...v0.7.0-beta.1
v0.6.2
Changes
Headplane 0.6.2 works with Headscale 0.28.0.
- Our website at headplane.net is generally stable and is the definitive source of information going forward.
- This release drops support for Headscale 0.25.0 and lower
- Some config options have generally changed, please refer to the example and the website: https://github.com/tale/headplane/blob/main/config.example.yaml.
- Re-worked the configuration loading system with several enhancements:
- Re-worked the OIDC integration to adhere to the correct standards and surface more errors to the user.
- Deprecated
oidc.redirect_uriand automated callback URL detection in favor of settingserver.base_urlcorrectly. - Explicitly added
oidc.use_pkceto correctly determine PKCE configuration. oidc.token_endpoint_auth_methodis now optional and will attempt to be auto-detected, defaulting toclient_secret_basicif unavailable (closes #410).- Added
oidc.enabledconfig option to explicitly control OIDC availability (via #463).
- Deprecated
- Added search and sortable columns to the machines list page (closes #351).
- Allow conditionally compiling the SSH WASM integration when building (closes #337).
- Implemented the ability to customize the build with a custom script (see
./build.sh --helpfor more information). - Attempt to warn against misconfigured cookie settings on the login page.
- Made
server.cookie_max_ageandserver.cookie_domainconfigurable (closes #348). - Enhanced the node tag dialog to show a dropdown of assignable tags (via #362).
- Added an
/admin/api/inforoute that can expose sensitive information ifserver.info_secretis set in the configuration (closes #324). - Machine key registration no longer works if the key isn't 24 characters long (closes #415).
- Added a Docker healthcheck to the container (closes #411).
- Strengthened the validation for the
/procintegration to correctly discover the Headscale PID. - Added lazy retry logic for OIDC providers if they initially fail to respond (closes #423).
- Pre-auth keys are now listed without a user filter on Headscale 0.28+, with a fallback to per-user fetching on older versions (via #466).
- Adapted to the removal of Node Ownership Change in Headscale 0.28 (via #436).
- Improved the no-access user page on the UI (via #469).
Fixes
- Bundle all
node_modulesaside from native ones to reduce bundle and container size (closes #331). - Removed several unnecessarily verbose or spammy log messages.
- Updated the minimum Docker API used to support the latest Docker versions (via #370).
- Correctly handle invalid ACL policy inserts on Headscale 0.27+ (closes #383).
- Prevent a machine from changing its owner to itself (closes #373).
- Fixed an issue where the website favicon would not load correctly (closes #323).
- Fixed API key login on Headscale 0.28.0-beta.1+ (closes #429).
- Fixed an issue that prevented the pre-auth-key UI from being usable on Headscale 0.28 and later.
- Added support for creating tag-only pre-auth keys on Headscale 0.28+ (via #465).
- Fixed pre-auth keys not showing for OIDC users without a username (via #470).
- Fixed truncated pre-auth key display with longer Headscale 0.28 bcrypt tokens (closes #435).
- Fixed Nix systemd service to use user-specified package (via #454).
- Version displayed in the UI is now derived from git tags and build args instead of
package.json, fixing incorrect versions shown on beta and nightly builds. - Fixed handling of tag-only nodes that have no user on Headscale 0.28+ (via #467).
- Fixed some mobile CSS issues across the application (closes #401).
- Correctly apply Gravatar profile pictures on the user page if applicable (closes #405).
New Contributors
- @tituspijean made their first contribution in #349
- @rhoriguchi made their first contribution in #358
- @alexfornuto made their first contribution in #363
- @itzTheMeow made their first contribution in #362
- @luzes-dev made their first contribution in #370
- @The-Greg-O made their first contribution in #377
- @Lapin0t made their first contribution in #394
- @Murgeye made their first contribution in #384
- @0nano made their first contribution in #409
- @SethMilliken made their first contribution in #438
- @kronenpj made their first contribution in #433
- @drifterza made their first contribution in #470
- @PriceChild made their first contribution in #462
- @z0w13 made their first contribution in #454
Full Changelog: v0.6.1...v0.6.2
v0.6.2-beta.5
Hey all, Headplane 0.6.2-beta.5 is now available and ties together everything for the full 0.6.2 release. This release explicitly supports Headscale 0.28! I still need some more time to iron out some bugs before making an official release, but this should be pretty close to a daily use experience.
Notable for this beta release, the Kubernetes and Linux integrations have been fixed after being problematic for a long time. Also, for any deployments that use OIDC, oidc.redirect_uri has been deprecated and server.base_url will need to be supplied. Starting in Headplane 0.7.0, you will receive errors if it is not set. See the OIDC configuration docs for more information. Also, PKCE has now been turned into an option, so you'll need to set oidc.use_pkce to true if you get code verifier errors when authenticating with your OIDC provider.
Changes
- Added support for Headscale 0.27.0 and 0.27.1
- Bundle all
node_modulesaside from native ones to reduce bundle and container size (closes #331). - Allow conditionally compiling the SSH WASM integration when building (closes #337).
- Implemented the ability to customize the build with a custom script (see
./build.sh --helpfor more information). - Attempt to warn against misconfigured cookie settings on the login page.
- Made
server.cookie_max_ageandserver.cookie_domainconfigurable (closes #348). - Re-worked the configuration loading system with several enhancements:
- Re-worked the OIDC integration to adhere to the correct standards and surface more errors to the user.
- Deprecated
oidc.redirect_uriand automated callback URL detection in favor of settingserver.base_urlcorrectly. - Explicitly added
oidc.use_pkceto correctly determine PKCE configuration.
- Deprecated
- Removed several unnecessarily verbose or spammy log messages.
- Updated the minimum Docker API used to support the latest Docker versions (via #370).
- Enhanced the node tag dialog to show a dropdown of assignable tags (via #362).
- Fixed an issue where the website favicon would not load correctly (closes #323).
- Correctly handle invalid ACL policy inserts on Headscale 0.27+ (closes #383).
- Prevent a machine from changing its owner to itself (closes #373).
- Added an
/admin/api/inforoute that can expose sensitive information ifserver.info_secretis set in the configuration (closes #324). - Correctly apply Gravatar profile pictures on the user page if applicable (closes #405).
- Machine key registration no longer works if the key isn't 24 characters long (closes #415).
- Fixed some mobile CSS issues across the application (closes #401).
- Added a Docker healthcheck to the container (closes #411).
- Strengthened the validation for the
/procintegration to correctly discover the Headscale PID. - Added lazy retry logic for OIDC providers if they initially fail to respond (closes #423).
- Fixed API key login on Headcale 0.28.0-beta.1+ (closes #429).
- Fixed an issue that prevented the pre-auth-key UI from being usable on Headscale 0.28 and later
Full Changelog: v0.6.2-beta.4...v0.6.2-beta.5
v0.6.2-beta.4
Hey all, Headplane 0.6.2-beta.4 is now available and adds a couple more features and smaller bug fixes like some CSS mobile layout fixes, a docker health check, better OIDC heuristics for detecting the correct token auth endpoint method, etc. This is probably the last beta before a full release. The full release will ship with support for Headscale 0.28 if it releases before.
Specifically for OIDC, oidc.redirect_uri has been deprecated and server.base_url will need to be supplied. Starting in Headplane 0.7.0, you will receive errors if it is not set. See the OIDC configuration docs for more information. Also, PKCE has now been turned into an option, so you'll need to set oidc.use_pkce to true if you get code verifier errors when authenticating with your OIDC provider.
Changes
- Added support for Headscale 0.27.0 and 0.27.1
- Bundle all
node_modulesaside from native ones to reduce bundle and container size (closes #331). - Allow conditionally compiling the SSH WASM integration when building (closes #337).
- Implemented the ability to customize the build with a custom script (see
./build.sh --helpfor more information). - Attempt to warn against misconfigured cookie settings on the login page.
- Made
server.cookie_max_ageandserver.cookie_domainconfigurable (closes #348). - Re-worked the configuration loading system with several enhancements:
- Re-worked the OIDC integration to adhere to the correct standards and surface more errors to the user.
- Deprecated
oidc.redirect_uriand automated callback URL detection in favor of settingserver.base_urlcorrectly. - Explicitly added
oidc.use_pkceto correctly determine PKCE configuration.
- Deprecated
- Removed several unnecessarily verbose or spammy log messages.
- Updated the minimum Docker API used to support the latest Docker versions (via #370).
- Enhanced the node tag dialog to show a dropdown of assignable tags (via #362).
- Fixed an issue where the website favicon would not load correctly (closes #323).
- Correctly handle invalid ACL policy inserts on Headscale 0.27+ (closes #383).
- Prevent a machine from changing its owner to itself (closes #373).
- Added an
/admin/api/inforoute that can expose sensitive information ifserver.info_secretis set in the configuration (closes #324). - Correctly apply Gravatar profile pictures on the user page if applicable (closes #405).
- Machine key registration no longer works if the key isn't 24 characters long (closes #415).
- Fixed some mobile CSS issues across the application (closes #401).
- Added a Docker healthcheck to the container (closes #411).
Full Changelog: v0.6.2-beta.3...v0.6.2-beta.4
v0.6.2-beta.3
Hey all, Headplane 0.6.2-beta.3 is now available and should fix the ACL regressions from the 2nd beta.
The 0.6.2 release focuses on a few important aspects for Headplane's future:
- Support for Headscale 0.27.x and robust testing with a compatibility matrix
- Cleanup and simplification of the configuration options
- More robust OIDC/SSO implementation.
Specifically for OIDC, oidc.redirect_uri has been deprecated and server.base_url will need to be supplied. Starting in Headplane 0.7.0, you will receive errors if it is not set. See the OIDC configuration docs for more information. Also, PKCE has now been turned into an option, so you'll need to set oidc.use_pkce to true if you get code verifier errors when authenticating with your OIDC provider.
Changes
- Added support for Headscale 0.27.0 and 0.27.1
- Bundle all
node_modulesaside from native ones to reduce bundle and container size (closes #331). - Allow conditionally compiling the SSH WASM integration when building (closes #337).
- Implemented the ability to customize the build with a custom script (see
./build.sh --helpfor more information). - Attempt to warn against misconfigured cookie settings on the login page.
- Made
server.cookie_max_ageandserver.cookie_domainconfigurable (closes #348). - Re-worked the configuration loading system with several enhancements:
- Re-worked the OIDC integration to adhere to the correct standards and surface more errors to the user.
- Deprecated
oidc.redirect_uriand automated callback URL detection in favor of settingserver.base_urlcorrectly. - Explicitly added
oidc.use_pkceto correctly determine PKCE configuration.
- Deprecated
- Removed several unnecessarily verbose or spammy log messages.
- Updated the minimum Docker API used to support the latest Docker versions (via #370).
- Enhanced the node tag dialog to show a dropdown of assignable tags (via #362).
- Fixed an issue where the website favicon would not load correctly (closes #323).
- Correctly handle invalid ACL policy inserts on Headscale 0.27+ (closes #383).
- Prevent a machine from changing its owner to itself (closes #373).
- Added an
/admin/api/inforoute that can expose sensitive information ifserver.info_secretis set in the configuration (closes #324).
Full Changelog: v0.6.2-beta.1...v0.6.2-beta.2