Changes
Headplane 0.7.0 works with Headscale 0.29.0.
- Headplane now requires Headscale 0.27.0 or newer.
- Some config options have changed or been consolidated; please refer to the example and website: https://github.com/tale/headplane/blob/main/config.example.yaml.
- Headplane is preparing for a 1.0 release soon and may introduce breaking changes and deprecations. It is probably a good idea to redo your configuration to ensure you are using the most up-to-date options and not using deprecated fields.
- Reworked authentication and account linking. OIDC users are now linked to their Headscale counterparts more reliably, and Headplane has a clearer internal permissions model.
- Added support for automatic role assignment for new OIDC users via oidc.default_role and IdP-provided role claims via oidc.role_claim (closes #352).
- Added support for proxy authentication via server.proxy_auth.
- Added OIDC logout support (closes #407).
- Replaced openid-client with a clean-room OIDC implementation.
- Consolidated the Headscale API key under headscale.api_key; oidc.headscale_api_key is still read as a fallback but is deprecated.
- Rebuilt Browser SSH with a new terminal powered by Ghostty WASM, better session handling, and support for custom DERP ports.
- Reworked the Headplane Agent around periodic syncing and caching. The agent now auto-generates ephemeral pre-auth keys when enabled.
- Added an Agent status page at /settings/agent.
- Added support for Headscale 0.29+ registration keys.
- Replaced OpenAPI hash detection with /version-based Headscale capability detection.
- Headplane now boots even when Headscale is temporarily unreachable; it will retry version detection in the background.
- Added optional in-process TLS termination with server.tls_cert_path and server.tls_key_path (closes #403).
- Made the bundled Docker healthcheck zero-config across HTTP and HTTPS by writing the listen URL at startup.
- Switched to structured JSON logging (closes #279).
- Added machine list filters for user, tag, status, and route (via #507).
- Added self-service pre-auth key creation for auditor role users (via #478).
- Added suggestions to pick existing tags in the machine tag dialog.
- Added Rename and Delete actions for unlinked Headscale users.
- Added support for light, dark, and system color schemes.
- Improved the ACL editor appearance.
- Migrated UI components from React Aria to Base UI.
- Added a devcontainer setup for contributors (via #500).
- Documented custom certificate authorities via NODE_EXTRA_CA_CERTS (closes #313).
Fixes
- Fixed assigning ACL tags to tag-only/no-user nodes from the UI.
- Fixed the Register Machine Key dialog so it accepts registration URLs and full hskey-authreq-... registration keys.
- Fixed tag handling on Headscale 0.28+.
- Fixed pre-auth key expiration on Headscale 0.27.x and 0.28+.
- Fixed first user owner assignment on OIDC login (via #480).
- Fixed existing OIDC users incorrectly becoming pending approval after update.
- Fixed login errors throwing a server error instead of showing form validation (via #475).
- Fixed OIDC token exchange fallback when retrying with client_secret_basic.
- Fixed OIDC weak RSA fallback and subject claim handling (via #537).
- Fixed OIDC profile pictures when the image URL requires authentication (via #510).
- Fixed agent HostInfo not refreshing periodically using cache_ttl (via #477).
- Fixed the agent working directory being wiped on restart.
- Fixed Browser SSH DERP probing when custom DERP ports are used.
- Fixed Browser SSH pre-auth key handling by increasing the temporary key expiry window and showing key creation errors in the UI.
- Fixed the DNS page crashing when Headscale has no Split DNS nameservers configured.
- Fixed Headplane so it correctly reads dns.extra_records_path from the Headscale configuration.
- Fixed Headscale PostgreSQL config validation so pass is not required when password_file is supplied.
- Fixed Go zero-time/no-expiry values showing incorrectly in the UI (via #527).
- Fixed machine rename submission by validating names before sending the rename request.
- Fixed Headscale rename path encoding from the 0.6.3 security hotfix.
- Fixed unsupported Docker API versions so they are detected earlier, with a clear error message (via #497).
- Fixed Docker/WASM build patch permissions (via #567).
- Fixed dialog panels growing beyond the viewport; dialog content is now constrained and scrollable (via #556).
- Fixed focus rings inside dialogs being clipped.
- Fixed tooltips on the last row of the machines table being clipped by the viewport.
- Fixed user lists to show Headscale display names while preserving usernames as secondary text.
- Fixed the Docker healthcheck docs example to use the required CMD prefix.
New Contributors
- @dixi83 made their first contribution in #488
- @mrangger made their first contribution in #497
- @dotWee made their first contribution in #500
- @AgathaSorceress made their first contribution in #501
- @lloydowen made their first contribution in #510
- @siemenvdn made their first contribution in #507
- @sinanmohd made their first contribution in #521
- @Kroppeb made their first contribution in #518
- @eccgecko made their first contribution in #527
- @croatialu made their first contribution in #537
- @vdovhanych made their first contribution in #556
Full Changelog: v0.6.2...v0.7.0