
Releases: tale/headplane

v0.6.2-beta.3

14 Dec 20:06
v0.6.2-beta.3
9125490


Pre-release

Hey all, Headplane 0.6.2-beta.3 is now available and should fix the ACL regressions from the 2nd beta.
The 0.6.2 release focuses on a few important aspects for Headplane's future:

  • Support for Headscale 0.27.x and robust testing with a compatibility matrix
  • Cleanup and simplification of the configuration options
  • More robust OIDC/SSO implementation.

Specifically for OIDC, oidc.redirect_uri has been deprecated and server.base_url will need to be supplied. Starting in Headplane 0.7.0, you will receive errors if it is not set. See the OIDC configuration docs for more information. Also, PKCE has now been turned into an option, so you'll need to set oidc.use_pkce to true if you get code verifier errors when authenticating with your OIDC provider.

Changes

  • Added support for Headscale 0.27.0 and 0.27.1
  • Bundle all node_modules aside from native ones to reduce bundle and container size (closes #331).
  • Allow conditionally compiling the SSH WASM integration when building (closes #337).
  • Implemented the ability to customize the build with a custom script (see ./build.sh --help for more information).
  • Attempt to warn against misconfigured cookie settings on the login page.
  • Made server.cookie_max_age and server.cookie_domain configurable (closes #348).
  • Re-worked the configuration loading system with several enhancements:
    • It is now possible to skip a configuration file and only use environment variables (closes #150).
    • Secret path loading has been reworked from the ground up to be more reliable (closes #334).
    • Added better testing and validation for configuration loading
  • Re-worked the OIDC integration to adhere to the correct standards and surface more errors to the user.
    • Deprecated oidc.redirect_uri and automated callback URL detection in favor of setting server.base_url correctly.
    • Explicitly added oidc.use_pkce to correctly determine PKCE configuration.
  • Removed several unnecessarily verbose or spammy log messages.
  • Updated the minimum Docker API used to support the latest Docker versions (via #370).
  • Enhanced the node tag dialog to show a dropdown of assignable tags (via #362).
  • Fixed an issue where the website favicon would not load correctly (closes #323).
  • Correctly handle invalid ACL policy inserts on Headscale 0.27+ (closes #383).
  • Prevent a machine from changing its owner to itself (closes #373).
  • Added an /admin/api/info route that can expose sensitive information if server.info_secret is set in the configuration (closes #324).
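
The cookie warning and the server.base_url requirement above amount to a small pre-flight check. The following is an added example, not Headplane's own validation code, written over a plain object shaped like the server.* and oidc.* keys these notes mention; it assumes a boolean server.cookie_secure option exists alongside them. It flags the combinations that make a login silently bounce back to the login page (a Secure cookie over plain http, a Domain attribute the browser will reject) and the deprecated oidc.redirect_uri.

```javascript
// Added example (not Headplane's code): pre-flight checks for the cookie and
// base_url settings named in the 0.6.2 release notes. server.cookie_secure is
// assumed to be a boolean option; the other keys come from the notes.

// RFC 6265 section 5.1.3: a cookie's Domain attribute must equal the request host
// or be a dot-separated suffix of it, and must not be used with an IP literal.
// Browsers drop cookies that fail this without telling the user.
function cookieDomainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, '');
  if (/^[0-9.]+$/.test(h) || h.startsWith('[')) return false; // IPv4 / IPv6 literal
  return h === d || h.endsWith('.' + d);
}

function checkServerConfig(config) {
  const warnings = [];
  const server = config.server || {};
  const oidc = config.oidc || {};

  if (!server.base_url) {
    warnings.push('server.base_url is not set: automated callback URL detection is deprecated and 0.7.0 will error without it');
    return warnings; // nothing else can be checked without it
  }
  let base;
  try {
    base = new URL(server.base_url);
  } catch {
    warnings.push(`server.base_url is not an absolute URL: ${server.base_url}`);
    return warnings;
  }

  // A Secure cookie is never stored for a page served over plain http (browsers
  // exempt localhost), so every login "succeeds" and then returns to the login page.
  if (base.protocol === 'http:' && server.cookie_secure === true && base.hostname !== 'localhost') {
    warnings.push('server.cookie_secure is true but server.base_url uses http: the browser will drop the session cookie');
  }
  if (base.protocol === 'https:' && server.cookie_secure === false) {
    warnings.push('server.cookie_secure is false on an https deployment: the session cookie can leak over plain http');
  }

  if (server.cookie_domain && !cookieDomainMatches(base.hostname, server.cookie_domain)) {
    warnings.push(`server.cookie_domain "${server.cookie_domain}" does not domain-match ${base.hostname}: the cookie will be rejected`);
  }

  if (server.cookie_max_age !== undefined && !(Number.isInteger(server.cookie_max_age) && server.cookie_max_age > 0)) {
    warnings.push('server.cookie_max_age must be a positive integer');
  }

  if (oidc.redirect_uri) {
    let note = 'oidc.redirect_uri is deprecated; the callback is derived from server.base_url instead';
    try {
      if (new URL(oidc.redirect_uri).origin !== base.origin) {
        note += ` (it also points at a different origin than server.base_url: ${oidc.redirect_uri})`;
      }
    } catch {
      note += ' (and it is not a valid URL)';
    }
    warnings.push(note);
  }
  return warnings;
}
```

Run it against the loaded config before starting the server, or call it from the login page as the release notes describe, and print each warning; a deployment behind a reverse proxy is the usual source of the http/https mismatch, because base_url must describe the external URL the browser sees, not the proxy's upstream.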

Full Changelog: v0.6.2-beta.2...v0.6.2-beta.3

v0.6.2-beta.2

04 Dec 16:50
v0.6.2-beta.2
3a3e5ca


Pre-release

Hey everyone, 0.6.2-beta.2 is now available and should fix some of the errors if you were testing on the first beta. The 0.6.2 release focuses on a few important aspects for Headplane's future:

  • Support for Headscale 0.27.x and robust testing with a compatibility matrix
  • Cleanup and simplification of the configuration options
  • More robust OIDC/SSO implementation.

Specifically for OIDC, oidc.redirect_uri has been deprecated and server.base_url will need to be supplied. Starting in Headplane 0.7.0, you will receive errors if it is not set. See the OIDC configuration docs for more information. Also, PKCE has now been turned into an option, so you'll need to set oidc.use_pkce to true if you get code verifier errors when authenticating with your OIDC provider.

Changes

  • Added support for Headscale 0.27.0 and 0.27.1
  • Bundle all node_modules aside from native ones to reduce bundle and container size (closes #331).
  • Allow conditionally compiling the SSH WASM integration when building (closes #337).
  • Implemented the ability to customize the build with a custom script (see ./build.sh --help for more information).
  • Attempt to warn against misconfigured cookie settings on the login page.
  • Made server.cookie_max_age and server.cookie_domain configurable (closes #348).
  • Re-worked the configuration loading system with several enhancements:
    • It is now possible to skip a configuration file and only use environment variables (closes #150).
    • Secret path loading has been reworked from the ground up to be more reliable (closes #334).
    • Added better testing and validation for configuration loading
  • Re-worked the OIDC integration to adhere to the correct standards and surface more errors to the user.
    • Deprecated oidc.redirect_uri and automated callback URL detection in favor of setting server.base_url correctly.
    • Explicitly added oidc.use_pkce to correctly determine PKCE configuration.
  • Removed several unnecessarily verbose or spammy log messages.
  • Updated the minimum Docker API used to support the latest Docker versions (via #370).
  • Enhanced the node tag dialog to show a dropdown of assignable tags (via #362).
  • Fixed an issue where the website favicon would not load correctly (closes #323).

Full Changelog: v0.6.2-beta.1...v0.6.2-beta.2

v0.6.2-beta.1

04 Dec 09:33
v0.6.2-beta.1
e09c576


Pre-release

Changes

I've retired the nightly builds for Headplane and am instead opting for beta releases. There have been several cases where the nightly build ends up being broken anyways and it pollutes the container releases, so something like this feels better in the long-run.

Hey everyone, 0.6.2 is finally nearing completion and I wanted to gather beta feedback before I cut a full official release. Notably, this release adds support for Headscale 0.27.x and focuses on several improvements to OIDC and configuration. I believe our OIDC implementation now properly follows standards as they should've been implemented and should have much better compatibility with providers.

I've created a discussion on GitHub to talk about issues encountered in the beta, please leave feedback through that channel rather than through GitHub issues! Happy testing!

  • Added support for Headscale 0.27.0 and 0.27.1
  • Bundle all node_modules aside from native ones to reduce bundle and container size (closes #331).
  • Allow conditionally compiling the SSH WASM integration when building (closes #337).
  • Implemented the ability to customize the build with a custom script (see ./build.sh --help for more information).
  • Attempt to warn against misconfigured cookie settings on the login page.
  • Made server.cookie_max_age and server.cookie_domain configurable (closes #348).
  • Re-worked the configuration loading system with several enhancements:
    • It is now possible to skip a configuration file and only use environment variables (closes #150).
    • Secret path loading has been reworked from the ground up to be more reliable (closes #334).
    • Added better testing and validation for configuration loading
  • Re-worked the OIDC integration to adhere to the correct standards and surface more errors to the user.
    • PKCE support has been temporarily disabled; if necessary, disable PKCE on your provider to test.
  • Removed several unnecessarily verbose or spammy log messages.
  • Updated the minimum Docker API used to support the latest Docker versions (via #370).
  • Enhanced the node tag dialog to show a dropdown of assignable tags (via #362).
  • Fixed an issue where the website favicon would not load correctly (closes #323).

Full Changelog: v0.6.1...v0.6.2-beta.1

v0.6.1

12 Oct 19:07
v0.6.1
7a222c4


Changes

Headplane 0.6.1 works with Headscale 0.26.0 or higher.

  • We have a very WIP website at headplane.net! Documentation and overall website design are still heavily subject to change.
  • Please ensure data volumes are correctly migrated!! /var/lib/headplane should be mounted in Docker.
  • There should not be any breaking changes with the config, but an up-to-date version of the config file can be found at https://github.com/tale/headplane/blob/main/config.example.yaml.

  • Headplane now supports connecting to machines via SSH in the web browser.
    • This is an experimental feature and requires the integration.agent section to be set up in the config file.
    • This is built on top of a Go binary that runs in WebAssembly, using Xterm.js for the terminal interface.
  • Begin using a new SQLite database file in /var/lib/headplane/hp_persist.db.
    • The database is created automatically if it does not exist.
    • It currently stores SSH connection details and HostInfo for the agent.
    • User information is automatically migrated from the previous database.
  • The docker container now runs in a distroless image (closes #255).
    • A debug version of the container that runs as root and has a shell is available as ghcr.io/tale/headplane:<version>-shell.
  • Reintroduce the toggle for overriding local DNS settings in the Headscale config (closes #236).
  • Prefer cross-compiling in the Dockerfile to speed up builds while still supporting multiple architectures.
  • Add a build attestation to validate SLSA provenance for the Docker image.
  • Configuration loading via paths is now supported for sensitive values (via #283).
    • Options like server.cookie_secret_path can override server.cookie_secret
    • Environment variables are interpolatable into these paths
    • See the full reference in the docs
  • Switch our build processes to use TypeScript Go and Rolldown Vite for better build and type-check performance.
  • OIDC profile pictures are now available from Gravatar by setting oidc.profile_picture_source to gravatar (closes #232).
  • OIDC now allows passing many custom parameters:
    • oidc.authorization_endpoint, oidc.token_endpoint, and oidc.userinfo_endpoint can be overridden to support non-standard providers or scenarios without discovery (closes #117).
    • oidc.scope can be set to specify custom scopes (defaults to openid email profile).
    • oidc.extra_params can be set to pass arbitrary query parameters to the authorization endpoint (closes #197).
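
The path-based secret loading introduced here (server.cookie_secret_path overriding server.cookie_secret, with environment variables interpolated into the path) and reworked in 0.6.2 is straightforward to get subtly wrong: an unset variable silently collapsing to an empty path, or a trailing newline from an editor or secret mount becoming part of the secret (the client_secret_path bug fixed in 0.6.0 below). The following is an added example, not Headplane's loader, that resolves such secrets deterministically. The file reader and environment are injected so it runs offline against a constructed in-memory filesystem; a real loader would pass fs.readFileSync and process.env.

```javascript
// Added example (not Headplane's code): resolving "<key>_path" secrets with
// environment-variable interpolation, trailing-newline stripping and a strict
// precedence rule. readFile and env are injected so the example runs offline.

// Expand ${VAR} and $VAR. An unset variable is an error, not an empty string:
// "/run/secrets/${STAGE}/cookie" quietly becoming "/run/secrets//cookie" is the
// kind of unreliable path loading a loader must refuse.
function interpolateEnv(template, env) {
  return template.replace(/\$\{([A-Za-z_][A-Za-z0-9_]*)\}|\$([A-Za-z_][A-Za-z0-9_]*)/g, (_, braced, bare) => {
    const name = braced || bare;
    if (env[name] === undefined) {
      throw new Error(`environment variable ${name} referenced in "${template}" is not set`);
    }
    return env[name];
  });
}

// Resolve one secret from a config section: <key>_path wins over the inline
// <key>; the file's trailing newline(s) are stripped (editors, echo and
// Docker/Kubernetes secret mounts usually add one); an empty result is an error.
function resolveSecret(section, key, env, readFile) {
  const pathKey = `${key}_path`;
  if (typeof section[pathKey] === 'string' && section[pathKey] !== '') {
    const path = interpolateEnv(section[pathKey], env);
    let contents;
    try {
      contents = readFile(path);
    } catch (err) {
      throw new Error(`${pathKey}: cannot read ${path}: ${err.message}`);
    }
    const value = contents.replace(/[\r\n]+$/, '');
    if (value === '') throw new Error(`${pathKey}: ${path} is empty`);
    return { value, source: path };
  }
  if (typeof section[key] === 'string' && section[key] !== '') {
    return { value: section[key], source: 'inline' };
  }
  throw new Error(`neither ${key} nor ${pathKey} is set`);
}

// Constructed sample data (not real secrets): an in-memory filesystem, an
// environment, and a config fragment shaped like the server/oidc sections.
const sampleFiles = new Map([
  ['/run/secrets/headplane/prod/cookie_secret', 'example-cookie-secret-value\n'],
  ['/run/secrets/headplane/prod/oidc_client_secret', 'example-oidc-client-secret\r\n'],
]);
function readSampleFile(path) {
  if (!sampleFiles.has(path)) throw new Error(`ENOENT: ${path}`);
  return sampleFiles.get(path);
}
const sampleEnv = { HEADPLANE_STAGE: 'prod' };
const sampleConfig = {
  server: {
    cookie_secret: 'inline-value-that-the-path-overrides',
    cookie_secret_path: '/run/secrets/headplane/${HEADPLANE_STAGE}/cookie_secret',
  },
  oidc: {
    client_secret_path: '/run/secrets/headplane/$HEADPLANE_STAGE/oidc_client_secret',
  },
};

// Resolve every secret the sample config declares, keyed by dotted config path.
function resolveSampleSecrets() {
  return {
    'server.cookie_secret': resolveSecret(sampleConfig.server, 'cookie_secret', sampleEnv, readSampleFile),
    'oidc.client_secret': resolveSecret(sampleConfig.oidc, 'client_secret', sampleEnv, readSampleFile),
  };
}
```

Recording the source of each secret (file path or "inline") is worth keeping in the real loader: it lets a startup log say where a secret came from without ever printing the value, which is what you want when debugging a secret mount that was silently empty.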

Fixes

  • Removing a Split DNS record will no longer make the split domain unresolvable by clients (closes #231).
  • Implement more accurate guessing on the PID with the /proc integration (via #219).
  • Usernames will now correctly fall back to emails if not provided (via #257).
  • The nix overlay build is fixed for the SSH module (via #282).
  • Cookies are now encrypted JWTs, preserving API key secrets (GHSA-wrqq-v7qw-r5w7).

Full Changelog: v0.6.0...v0.6.1

v0.6.0

25 May 15:43
v0.6.0


Changes

Headplane 0.6.0 now requires Headscale 0.26.0 or newer.

  • OIDC authorization restrictions can now be controlled from the settings UI. (#102).
    • The required permission role for this is IT Admin or Admin/Owner, and it requires Headplane to have access to the Headscale configuration file.
    • Changes made will modify the oidc.allowed_{domains,groups,users} fields in the Headscale config file.
  • The Pre-Auth keys page has been fully reworked (#179, #143).
  • The Headplane agent is now available as an integration (#65).
    • The agent runs as an embedded process alongside the Headplane server and reports host information and system metrics.
    • Refer to the integrations.agent section of the config file for more information and how to enable it.
  • The machine actions backend has been reworked to better handle errors and provide more information to the user (#185).
  • Machine tags now show states when waiting for subnet or exit node approval and when expiry is disabled.
  • Support Docker container discovery through labels (#194).
  • AAAA records are now supported on the DNS page (#189).
  • Add support for dns.extra_records_path in the Headscale config (#144).

Fixes

  • Requests to /admin will now be redirected to /admin/ to prevent issues with the React Router (works with custom prefixes, #173).
  • The Login page has been simplified and separately reports errors versus incorrect API keys (#186).
  • Expiry status on the UI was incorrectly showing as never due to changes in the Headscale API.
  • Added validation for machine renaming to prevent invalid submissions (#192).
  • Unmanaged (non-OIDC) users cannot have a role assigned to them, so the menu option was disabled.
  • Tighten proc integration logic by checking for the headscale serve command (#195).
  • Strip newlines in the OIDC client_secret_path file if provided (#199).

Full Changelog: 0.5.10...v0.6.0

v0.5.10

05 Apr 15:55
0.5.10
fe2d7cb


Changes

  • Persistent Storage:
    • Headplane now writes data to disk at /var/lib/headplane by default.
    • Docker users: mount this directory to retain data across restarts.
    • Non-Docker: ensure the directory exists and is writable by the Headplane user.
  • User Permissions:
    • If you were previously using Google's public OIDC, please update ASAP as otherwise anyone with a gmail.com address can access your Tailnet via Headplane.
    • A permission system, inspired by Tailscale, is now available when using OIDC.
    • Use the same OAuth2 client for both Headscale and Headplane for this to work properly.
    • User data is stored in /var/lib/headplane/users.json (configurable via oidc.user_storage_file).
    • Users appear in the UI only after signing in to both Headscale and Headplane (because Headplane cannot create OIDC users in Headscale directly).
    • The first OIDC login post-upgrade becomes the Owner (non-transferable).
    • Others default to Member, limiting UI access.
    • IT Admins & Admins can manage roles via the users page in the menu dropdown.
    • IT Admins can change any role except the Owner (fix coming in a future release).
  • Onboarding Flow:
    • When you sign in with OIDC for the first time, you will be directed to an onboarding page.
    • You can skip this onboarding page by clicking the button below the onboarding flow.
    • Onboarding looks for devices linked to the same OIDC account in Headscale (similar to how permissions works above).

Fixes

  • Disabled renaming OIDC users as Headscale prevents changing their name.
  • Fixed integrations not correctly loading in certain environments.
  • The ACL page no longer spams blank updates to the Headscale database (#151).
  • OIDC logout with disable_api_key_login set to true will not automatically login again (#149).
  • Copying commands with copy buttons will not include random blank spaces (#161).
  • Loosened the required Headscale config schema (this is an ongoing effort).
  • Fixed an issue where opening a dialog would refocus the first input every 3 seconds.
  • Hide the "Version" tab from showing in the machines page if the agent is not available.