github tale/headplane v0.6.1

12 hours ago

Changes

Headplane 0.6.1 works with Headscale 0.26.0 or higher.

  • We have a very WIP website at headplane.net! Documentation and overall website design are still heavily subject to change.
  • Please ensure data volumes are correctly migrated!! /var/lib/headplane should be mounted in Docker.
  • There should not be any breaking changes with the config, but an up-to-date version of the config file can be found at https://github.com/tale/headplane/blob/main/config.example.yaml.

  • Headplane now supports connecting to machines via SSH in the web browser.
    • This is an experimental feature and requires the integration.agent section to be set up in the config file.
    • This is built on top of a Go binary that runs in WebAssembly, using Xterm.js for the terminal interface.
  • Begin using a new SQLite database file in /var/lib/headplane/hp_persist.db.
    • The database is created automatically if it does not exist.
    • It currently stores SSH connection details and HostInfo for the agent.
    • User information is automatically migrated from the previous database.
  • The Docker container now runs in a distroless image (closes #255).
    • A debug version of the container that runs as root and has a shell is available as ghcr.io/tale/headplane:<version>-shell.
  • Reintroduce the toggle for overriding local DNS settings in the Headscale config (closes #236).
  • Prefer cross-compiling in the Dockerfile to speed up builds while still supporting multiple architectures.
  • Add a build attestation to validate SLSA provenance for the Docker image.
  • Configuration loading via paths is now supported for sensitive values (via #283).
    • Options like server.cookie_secret_path can override server.cookie_secret.
    • Environment variables can be interpolated into these paths.
    • See the full reference in the docs.
  • Switch our build processes to use TypeScript Go and Rolldown Vite for better build and type-check performance.
  • OIDC profile pictures are now available from Gravatar by setting oidc.profile_picture_source to gravatar (closes #232).
  • OIDC now allows passing many custom parameters:
    • oidc.authorization_endpoint, oidc.token_endpoint, and oidc.userinfo_endpoint can be overridden to support non-standard providers or scenarios without discovery (closes #117).
    • oidc.scope can be set to specify custom scopes (defaults to openid email profile).
    • oidc.extra_params can be set to pass arbitrary query parameters to the authorization endpoint (closes #197).

Fixes

  • Removing a Split DNS record will no longer make the split domain unresolvable by clients (closes #231).
  • Implement more accurate guessing on the PID with the /proc integration (via #219).
  • Usernames will now correctly fall back to emails if not provided (via #257).
  • The Nix overlay build is fixed for the SSH module (via #282).
  • Cookies are now encrypted JWTs, preserving API key secrets (GHSA-wrqq-v7qw-r5w7).

Full Changelog: v0.6.0...v0.6.1
