tale/headplane v0.7.0-beta.2 (GitHub)

Pre-release, 6 hours ago

Hey there, 0.7.0-beta.2 is finally out. It just makes some changes to the first beta, fixing some issues and also bringing some other changes in. Notably, we've redone how the SSH module works, so it should be more stable now.


Important Things

  • oidc.headscale_api_key is now deprecated in the config; the new field for this value is headscale.api_key (and headscale.api_key_path). The deprecated fields will be fully removed in the future.
  • The Headplane agent only supports Headscale 0.28+. I've switched it to use the ACL tags model where it isn't associated with a user, and this functionality is only recently supported by Headscale.
  • Authentication has been reworked. OIDC logged-in users in Headplane are now connected to Headscale users through a multi-step matching process:
    • First, we try to match via OIDC linking.
    • Then, we try matching based on the user's email addresses.
    • Finally, we allow the user to manually pick their username from the list of "unclaimed" users on Headscale.
    • This should result in a much more intuitive onboarding experience.
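
The three-step matching order above, written out as an added TypeScript example; this is not Headplane's own code. The type and field names (HeadscaleUser, oidcSubject, emails) are hypothetical, and it assumes that "unclaimed" means a Headscale user with no OIDC link and that an ambiguous email match falls through to the manual step.

```typescript
// Added example, not Headplane's code. All type and field names are hypothetical.
interface HeadscaleUser { id: string; name: string; email?: string; oidcSubject?: string }
interface OidcLogin { subject: string; emails: string[] }

type MatchResult =
  | { step: "oidc-link" | "email"; user: HeadscaleUser }
  | { step: "manual-pick"; candidates: HeadscaleUser[] };

const norm = (s: string): string => s.trim().toLowerCase();

function matchHeadscaleUser(login: OidcLogin, users: HeadscaleUser[]): MatchResult {
  // Step 1: OIDC linking. The subject is compared as an opaque string, so IDs
  // such as "github|12345" are never split, escaped or used as a pattern.
  const linked = users.find((u) => u.oidcSubject === login.subject);
  if (linked) return { step: "oidc-link", user: linked };

  // Assumption: a user with no OIDC link yet counts as "unclaimed".
  const unclaimed = users.filter((u) => u.oidcSubject === undefined);

  // Step 2: email. Auto-match only when exactly one unclaimed user matches;
  // an ambiguous result falls through instead of guessing, and a user already
  // linked to another subject is never re-assigned by email alone.
  const wanted = new Set(login.emails.map(norm));
  const [only, ...rest] = unclaimed.filter(
    (u) => u.email !== undefined && wanted.has(norm(u.email)),
  );
  if (only && rest.length === 0) return { step: "email", user: only };

  // Step 3: the user picks their username from the unclaimed list.
  return { step: "manual-pick", candidates: unclaimed };
}

// Constructed sample data.
const sampleUsers: HeadscaleUser[] = [
  { id: "1", name: "alice", email: "alice@example.com", oidcSubject: "github|12345" },
  { id: "2", name: "bob", email: "bob@example.com" },
  { id: "3", name: "shared-a", email: "ops@example.com" },
  { id: "4", name: "shared-b", email: "ops@example.com" },
];

console.log(matchHeadscaleUser({ subject: "auth0|999", emails: ["bob@example.com"] }, sampleUsers).step);
```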

Changes

  • Rebuilt the Browser SSH feature
    • Should now work with custom DERP ports and properly handle sessions.
    • Switched to using libghostty for a proper, modern terminal experience (closes #515).
    • Added more resilient error handling and state handling when initiating connections.
  • Migrated all UI components from react-aria/react-stately to @base-ui-components/react.
    • Removed react-aria, react-stately, and tailwindcss-react-aria-components as dependencies.
  • Replaced openid-client with a clean-room OIDC implementation.
    • Removed the openid-client dependency entirely.
    • Fixed client_secret_basic auth method not working with Google SSO and other providers (closes #493).
    • Fixed OIDC connector initialization failures on beta.1 (closes #516).
  • Rearchitected the Headplane Agent with a new sync model (closes #350, closes #455).
    • The Go binary connects to the Tailnet and fetches all peer hostinfo as JSON.
    • The Node.js manager auto-generates ephemeral tag-only pre-auth keys (requires Headscale 0.28+).
    • Deprecated integration.agent.pre_authkey and integration.agent.cache_path config fields.
    • Added integration.agent.executable_path config field.
  • Consolidated the Headscale API key under headscale.api_key (and headscale.api_key_path).
    • Deprecated oidc.headscale_api_key — it is still read as a fallback but will be removed in a future release.
    • Both the agent and OIDC now use the same key from headscale.api_key.
  • Reworked the authentication system with a new AuthService that consolidates session management and role enforcement (via #489).
  • Added an agent status page at /settings/agent showing sync status, node count, errors, and a "Sync Now" button.
  • Added additional machine list filters for user, tag, status, and route (via #507, closes #506).
  • Added self-service pre-auth key creation for auditor role users (via #478, closes #453).
  • Store OIDC profile pictures in the database to prevent cookie header overload (closes #326, via #510).
  • Fixed pre-auth key expiration on Headscale 0.28+ (closes #519).
  • Fixed OIDC subject matching for providers that use special characters in user IDs (e.g. Auth0 github|12345) (closes #428).
  • Fixed headscale.api_key not being used consistently across all code paths.
  • Fixed intermittent SSR crash on the Access Control page caused by client-only CodeMirror imports.
  • Fixed first user not being assigned the owner role on OIDC login (via #480, closes #266).
  • Fixed login errors throwing an unexpected server error instead of showing form validation (via #475, closes #474).
  • Fixed agent HostInfo not refreshing periodically using cache_ttl (via #477, closes #427).
  • Fixed agent working directory being wiped on restart.
  • Fixed a race condition where the SSE controller could be used after being closed.
  • Rewrote the WebSSH WASM module to match Tailscale's proven tsconnect init sequence.
    • Switched the terminal renderer from xterm.js to restty (Ghostty WASM).
    • Bundled self-hosted JetBrains Mono Nerd Font with Nerd Fonts symbol fallback — no CDN dependency.
    • Fixed SSH sessions failing with EOF: the SSH channel multiplexer was not receiving server traffic.
    • Fixed terminal resize sending swapped rows/cols, causing garbled output on window resize.
    • Fixed log.Fatal() calls in the WASM bridge killing the entire runtime on recoverable errors.
    • Fixed Close() returning true on error and false on success.
    • Fixed stale closure bug in the NodeKey tracking callback.
    • Removed unnecessary LoginDefault and LocalBackendStartKeyOSNeutral control flags.
    • Added cancellation support for in-flight SSH connections on close.
  • Fixed WebSSH dropping DERP port information on non-standard ports (e.g. :8443), which caused connections to fail (closes #515).
  • Fixed WebSSH WASM prefix paths for correct asset loading (closes #386).
  • Fixed Nix WASM build applying DERP patch to wrong vendor directory.
  • Fixed Dockerfile WASM copy paths.
  • Fixed CodeMirror version mismatch override in the ACL editor.
  • Fixed cookie secret generation using incorrect byte length (via #501).
  • Fixed OIDC configuration error troubleshooting link (via #518, closes #517).
  • Fixed deprecated Nix package attributes (via #521).
  • Detect unsupported Docker API versions early with a clear error message (via #497).
  • Updated NixOS module options: removed deprecated agent fields, added headscale.api_key_path and integration.agent.executable_path.

Full Changelog: v0.7.0-beta.1...v0.7.0-beta.2