Hey everyone, I'm happy to share 0.7.0-beta.1 today. It addresses a few key things, mainly focusing on improving the user-reconciliation between Headplane/Headscale, making the UI more accessible and better looking, and seriously improving the reliability of Headplane's individual components.
Important Things
- oidc.headscale_api_key is now deprecated in the config, the new field to put this value in is headscale.api_key (and headscale.api_key_path). The deprecated fields will be fully removed in the future.
- The Headplane agent only supports Headscale 0.28+. I've switched it to use the ACL tags model where it isn't associated with a user, and this functionality is only recently supported by Headscale.
- Authentication has been reworked. OIDC logged-in users in Headplane are now connected to Headscale users through a multi-step matching process:
- First, we try to match via OIDC linking.
- Then, we try matching based on the user's email addresses.
- Finally, we allow the user to manually pick their username from the list of "unclaimed" users on Headscale.
- This should result in a much more intuitive onboarding experience.
Changes
- Migrated all UI components from react-aria/react-stately to @base-ui-components/react.
- Removed react-aria, react-stately, and tailwindcss-react-aria-components as dependencies.
- Rearchitected the Headplane Agent from a long-running stdin/stdout daemon to a one-shot sync model (closes #350, closes #455).
- The Go binary connects to the Tailnet, fetches all peer hostinfo as JSON, and exits.
- The Node.js manager auto-generates ephemeral tag-only pre-auth keys (requires Headscale 0.28+).
- Deprecated integration.agent.pre_authkey and integration.agent.cache_path config fields.
- Added integration.agent.executable_path config field.
- Consolidated the Headscale API key under headscale.api_key (and headscale.api_key_path).
- Deprecated oidc.headscale_api_key — it is still read as a fallback but will be removed in a future release.
- Both the agent and OIDC now use the same key from headscale.api_key.
- Reworked the authentication system with a new AuthService that consolidates session management and role enforcement (via #489).
- Added an agent status page at /settings/agent showing sync status, node count, errors, and a "Sync Now" button.
- Added additional machine list filters for user, tag, status, and route (via #507, closes #506).
- Added self-service pre-auth key creation for auditor role users (via #478, closes #453).
- Fetch OIDC profile pictures server-side when the URL requires authentication (via #510, closes #326).
- Fixed first user not being assigned the owner role on OIDC login (via #480, closes #266).
- Fixed login errors throwing an unexpected server error instead of showing form validation (via #475, closes #474).
- Fixed agent HostInfo not refreshing periodically using cache_ttl (via #477, closes #427).
- Fixed a race condition where the SSE controller could be used after being closed.
- Fixed WebSSH WASM prefix paths for correct asset loading (closes #386).
- Fixed Dockerfile WASM copy paths.
- Fixed CodeMirror version mismatch override in the ACL editor.
- Fixed cookie secret generation using incorrect byte length (via #501).
- Detect unsupported Docker API versions early with a clear error message (via #497).
- Updated NixOS module options: removed deprecated agent fields, added headscale.api_key_path and integration.agent.executable_path.
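A pre-upgrade check for the config deprecations listed above, as an added example that is not Headplane's own code. It assumes the config has already been parsed into an object; the function names, the sample values and the order in which the key source is reported are assumptions.

```javascript
// Added example: audits an already-parsed Headplane config object (YAML parsing omitted).
// Deprecated field -> replacement named in these notes (null: none named).
const DEPRECATED = {
  "oidc.headscale_api_key": "headscale.api_key",
  "integration.agent.pre_authkey": null,
  "integration.agent.cache_path": null,
};

// Walk a dotted path; returns undefined when any segment is missing.
function getPath(obj, dotted) {
  return dotted.split(".").reduce(
    (node, key) => (node !== null && typeof node === "object" ? node[key] : undefined),
    obj
  );
}

function auditConfig(config) {
  const findings = [];
  for (const [oldKey, newKey] of Object.entries(DEPRECATED)) {
    if (getPath(config, oldKey) === undefined) continue;
    findings.push(
      newKey ? `${oldKey} is deprecated: move the value to ${newKey}`
             : `${oldKey} is deprecated: no replacement field is named`
    );
  }
  const key = getPath(config, "headscale.api_key");
  const keyPath = getPath(config, "headscale.api_key_path");
  const legacy = getPath(config, "oidc.headscale_api_key");
  if (key !== undefined && keyPath !== undefined) {
    findings.push("headscale.api_key and headscale.api_key_path are both set: keep one");
  }
  if (legacy !== undefined && key !== undefined && legacy !== key) {
    // Values are compared but never printed, so the report is safe to log.
    findings.push("oidc.headscale_api_key differs from headscale.api_key: only a fallback now");
  }
  // Assumption: an inline key is reported before a key path; the notes only
  // say that the oidc field is still read as a fallback.
  const source = key !== undefined ? "headscale.api_key"
    : keyPath !== undefined ? "headscale.api_key_path"
    : legacy !== undefined ? "oidc.headscale_api_key"
    : null;
  return { source, findings };
}

// Constructed sample config; all values are placeholders.
const sample = {
  headscale: { api_key: "NEW-KEY-PLACEHOLDER" },
  oidc: { headscale_api_key: "OLD-KEY-PLACEHOLDER" },
  integration: { agent: { pre_authkey: "PREAUTH-PLACEHOLDER", executable_path: "/path/to/agent" } },
};
console.log(auditConfig(sample));
```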
New Contributors
- @dixi83 made their first contribution in #488
- @mrangger made their first contribution in #497
- @dotWee made their first contribution in #500
- @AgathaSorceress made their first contribution in #501
- @lloydowen made their first contribution in #510
- @siemenvdn made their first contribution in #507
Full Changelog: v0.6.2...v0.7.0-beta.1