github tale/headplane v0.7.0

13 hours ago

Changes

Headplane 0.7.0 works with Headscale 0.29.0.

  • Headplane now requires Headscale 0.27.0 or newer.
  • Some config options have changed or been consolidated; please refer to the example config and the website: https://github.com/tale/headplane/blob/main/config.example.yaml.
  • Headplane is preparing for a 1.0 release soon and may introduce breaking changes and deprecations. It is probably a good idea to redo your configuration to ensure you are using the most up-to-date options and no deprecated fields.

  • Reworked authentication and account linking. OIDC users are now linked to their Headscale counterparts more reliably, and Headplane has a clearer internal permissions model.
  • Added support for automatic role assignment for new OIDC users via oidc.default_role and IdP-provided role claims via oidc.role_claim (closes #352).
  • Added support for proxy authentication via server.proxy_auth.
  • Added OIDC logout support (closes #407).
  • Replaced openid-client with a clean-room OIDC implementation.
  • Consolidated the Headscale API key under headscale.api_key; oidc.headscale_api_key is still read as a fallback but is deprecated.
  • Rebuilt Browser SSH with a new terminal powered by Ghostty WASM, better session handling, and support for custom DERP ports.
  • Reworked the Headplane Agent around periodic syncing and caching. The agent now auto-generates ephemeral pre-auth keys when enabled.
  • Added an Agent status page at /settings/agent.
  • Added support for Headscale 0.29+ registration keys.
  • Replaced OpenAPI hash detection with /version-based Headscale capability detection.
  • Headplane now boots even when Headscale is temporarily unreachable; it will retry version detection in the background.
  • Added optional in-process TLS termination with server.tls_cert_path and server.tls_key_path (closes #403).
  • Made the bundled Docker healthcheck zero-config across HTTP and HTTPS by writing the listen URL at startup.
  • Switched to structured JSON logging (closes #279).
  • Added machine list filters for user, tag, status, and route (via #507).
  • Added self-service pre-auth key creation for auditor role users (via #478).
  • Added suggestions to pick existing tags in the machine tag dialog.
  • Added Rename and Delete actions for unlinked Headscale users.
  • Added support for light, dark, and system color schemes.
  • Improved the ACL editor appearance.
  • Migrated UI components from React Aria to Base UI.
  • Added a devcontainer setup for contributors (via #500).
  • Documented custom certificate authorities via NODE_EXTRA_CA_CERTS (closes #313).

Fixes

  • Fixed assigning ACL tags to tag-only/no-user nodes from the UI.
  • Fixed the Register Machine Key dialog so it accepts registration URLs and full hskey-authreq-... registration keys.
  • Fixed tag handling on Headscale 0.28+.
  • Fixed pre-auth key expiration on Headscale 0.27.x and 0.28+.
  • Fixed first user owner assignment on OIDC login (via #480).
  • Fixed existing OIDC users incorrectly becoming pending approval after update.
  • Fixed login errors throwing a server error instead of showing form validation (via #475).
  • Fixed OIDC token exchange fallback when retrying with client_secret_basic.
  • Fixed OIDC weak RSA fallback and subject claim handling (via #537).
  • Fixed OIDC profile pictures when the image URL requires authentication (via #510).
  • Fixed agent HostInfo not refreshing periodically using cache_ttl (via #477).
  • Fixed the agent working directory being wiped on restart.
  • Fixed Browser SSH DERP probing when custom DERP ports are used.
  • Fixed Browser SSH pre-auth key handling by increasing the temporary key expiry window and showing key creation errors in the UI.
  • Fixed the DNS page crashing when Headscale has no Split DNS nameservers configured.
  • Fixed Headplane so it correctly reads dns.extra_records_path from the Headscale configuration.
  • Fixed Headscale PostgreSQL config validation so pass is not required when password_file is supplied.
  • Fixed Go zero-time/no-expiry values showing incorrectly in the UI (via #527).
  • Fixed machine rename submission by validating names before sending the rename request.
  • Fixed Headscale rename path encoding from the 0.6.3 security hotfix.
  • Fixed handling of unsupported Docker API versions, which are now detected earlier with a clear error message (via #497).
  • Fixed Docker/WASM build patch permissions (via #567).
  • Fixed dialog panels growing beyond the viewport; dialog content is now constrained and scrollable (via #556).
  • Fixed focus rings inside dialogs being clipped.
  • Fixed tooltips on the last row of the machines table being clipped by the viewport.
  • Fixed user lists to show Headscale display names while preserving usernames as secondary text.
  • Fixed the Docker healthcheck docs example to use the required CMD prefix.

Full Changelog: v0.6.2...v0.7.0
