release: v0.6.1

.github/CODEOWNERS

@@ -0,0 +1,3 @@
+*   @tale
+
+/nix    @tale @StealthBadger747

.github/workflows/build.yaml

@@ -28,20 +28,15 @@ jobs:
       - name: Check out the repo
         uses: actions/checkout@v4
 
-      - name: Install node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: 22
-
-      - uses: pnpm/action-setup@v4
-        name: Install pnpm
-        with:
-          run_install: false
+      - name: Setup Mise
+        uses: jdx/mise-action@v2
 
-      - name: Get pnpm store directory
+      - name: Set caching paths
         shell: bash
         run: |
           echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
+          echo "GO_CACHE=$(go env GOCACHE)" >> $GITHUB_ENV
+          echo "GO_MODCACHE=$(go env GOMODCACHE)" >> $GITHUB_ENV
 
       - uses: actions/cache@v4
         name: Setup pnpm cache
@@ -51,11 +46,16 @@ jobs:
           restore-keys: |
             ${{ runner.os }}-pnpm-store-
 
-      - name: Install dependencies
-        run: pnpm install
+      - name: Setup Go cache
+        uses: actions/cache@v4
+        with:
+          path: |
+            ${{ env.GO_CACHE }}
+            ${{ env.GO_MODCACHE }}
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.mod', '**/go.sum') }}
 
-      - name: Build
-        run: pnpm build
+      - name: CI pipeline
+        run: mise run ci
 
   nix:
     name: nix

.github/workflows/next.yaml

@@ -12,13 +12,23 @@ permissions:
   actions: write # Allow canceling in-progress runs
   contents: read # Read access to the repository
   packages: write # Write access to the container registry
+  id-token: write # For the attest action to push
+  attestations: write # For the attest action to push
 
 jobs:
   publish:
     # Ensure the action only runs if manually dispatched or a PR on the `next` branch in the *main* repository is opened or synchronized.
     if: ${{ github.event_name == 'workflow_dispatch' || (github.event.pull_request && github.event.pull_request.head.repo.full_name == github.repository && github.event.pull_request.head.ref == 'next') }}
     name: Docker Pre-release
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        include:
+          - target: final
+            tag: 'next'
+          - target: debug-shell
+            tag: 'next-shell'
+
     steps:
       - name: Check out the repo
         uses: actions/checkout@v4
@@ -29,7 +39,7 @@ jobs:
         with:
           images: ghcr.io/${{ github.repository }}
           tags: |
-            type=raw,value=next
+            type=raw,value=${{ matrix.tag }}
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
@@ -44,12 +54,28 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Build and push Docker image
-        uses: docker/build-push-action@v5
+      - name: Build and publish ghcr.io/${{ github.repository }}:${{ matrix.tag }}
+        uses: docker/build-push-action@v6
+        id: push
         with:
           context: .
           file: ./Dockerfile
+          target: ${{ matrix.target }}
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           platforms: linux/amd64, linux/arm64
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          build-args: |
+            IMAGE_TAG=ghcr.io/${{ github.repository }}:${{ matrix.tag }}
+          secrets: |
+            gh_token=${{ secrets.GITHUB_TOKEN }}
+
+      - name: Attestation Provenance for ghcr.io/${{ github.repository }}:${{ matrix.tag }}
+        uses: actions/attest-build-provenance@v2
+        id: attest
+        with:
+          subject-name: ghcr.io/${{ github.repository }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true

.github/workflows/release.yaml

@@ -12,11 +12,21 @@ permissions:
   actions: write # Allow canceling in-progress runs
   contents: read # Read access to the repository
   packages: write # Write access to the container registry
+  id-token: write # For the attest action to push
+  attestations: write # For the attest action to push
 
 jobs:
   docker:
     name: Docker Release
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        include:
+          - target: final
+            tag_suffix: ''
+          - target: debug-shell
+            tag_suffix: '-shell'
+
     steps:
       - name: Check out the repo
         uses: actions/checkout@v4
@@ -28,6 +38,9 @@ jobs:
           images: ghcr.io/${{ github.repository }}
           tags: |
             type=semver,pattern={{version}}
+          flavor: |
+            latest=auto
+            suffix=${{ matrix.tag_suffix }},onlatest=true
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
@@ -42,12 +55,25 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Build and push Docker image
-        uses: docker/build-push-action@v5
+      - name: Build and push ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
+        uses: docker/build-push-action@v6
+        id: push
         with:
           context: .
           file: ./Dockerfile
+          target: ${{ matrix.target }}
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           platforms: linux/amd64, linux/arm64
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          build-args: |
+            IMAGE_TAG=ghcr.io/${{ github.repository }}:${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}
+      - name: Attestation Provenance for ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
+        uses: actions/attest-build-provenance@v2
+        id: attest
+        with:
+          subject-name: ghcr.io/${{ github.repository }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true

.gitignore

@@ -4,3 +4,9 @@ node_modules
 /build
 /test
 .env
+app/hp_ssh.wasm
+app/wasm_exec.js
+/docs/.vitepress/dist/
+/docs/.vitepress/cache/
+
+/.direnv

.tool-versions

@@ -1,2 +1,4 @@
+# REMEMBER TO UPDATE mise.toml TOO
 pnpm 10.4.0
-node 22
+node 22.16
+go 1.25.1

.zed/settings.json

@@ -6,12 +6,20 @@
 	},
 	"code_actions_on_format": {
 		"source.fixAll.biome": true,
-		"source.organizeImports.biome": true
+		"source.organizeImports.biome": true,
+		"source.organizeImports": true
 	},
 	"languages": {
 		"YAML": {
 			"tab_size": 2,
 			"hard_tabs": false
+		},
+		"Go": {
+			"formatter": {
+				"language_server": {
+					"name": "gopls"
+				}
+			}
 		}
 	}
 }

CHANGELOG.md

@@ -1,3 +1,32 @@
+### 0.6.1 (Next)
+- **Headplane now supports connecting to machines via SSH in the web browser.**
+	- This is an experimental feature and requires the `integration.agent` section to be set up in the config file.
+	- This is built on top of a Go binary that runs in WebAssembly, using Xterm.js for the terminal interface.
+- Begin using a new SQLite database file in `/var/lib/headplane/hp_persist.db`.
+	- The database is created automatically if it does not exist.
+	- It currently stores SSH connection details and HostInfo for the agent.
+	- User information is automatically migrated from the previous database.
+- The docker container now runs in a distroless image (closes [#255](https://github.com/tale/headplane/issues/255)).
+	- A debug version of the container that runs as root and has a shell is available as `ghcr.io/tale/headplane:<version>-shell`.
+- Removing a Split DNS record will no longer make the split domain unresolvable by clients (closes [#231](https://github.com/tale/headplane/issues/231)).
+- Reintroduce the toggle for overriding local DNS settings in the Headscale config (closes [#236](https://github.com/tale/headplane/issues/236)).
+- Prefer cross-compiling in the Dockerfile to speed up builds while still supporting multiple architectures.
+- Add a build attestation to validate SLSA provenance for the Docker image.
+- Implement more accurate guessing on the PID with the `/proc` integration (via [#219](https://github.com/tale/headplane/pull/219)).
+- Usernames will now correctly fall back to emails if not provided (via [#257](https://github.com/tale/headplane/pull/257)).
+- Configuration loading via paths is now supported for sensitive values (via [#283](https://github.com/tale/headplane/pulls/283))
+    - Options like `server.cookie_secret_path` can override `server.cookie_secret`
+    - Environment variables are interpolatable into these paths
+    - See the full reference in the [docs](https://github.com/tale/headplane/blob/main/docs/Configuration.md#sensitive-values)
+- The nix overlay build is fixed for the SSH module (via [#282](https://github.com/tale/headplane/pull/282))
+- Switch our build processes to use TypeScript Go and Rolldown Vite for better build and type-check performance.
+- Cookies are now encrypted JWTs, preserving API key secrets (*GHSA-wrqq-v7qw-r5w7*)
+- OIDC profile pictures are now available from Gravatar by setting `oidc.profile_picture_source` to `gravatar` (closes [#232](https://github.com/tale/headplane/issues/232)).
+- OIDC now allows passing many custom parameters:
+	- `oidc.authorization_endpoint`, `oidc.token_endpoint`, and `oidc.userinfo_endpoint` can be overridden to support non-standard providers or scenarios without discovery (closes [#117](https://github.com/tale/headplane/issues/117)).
+	- `oidc.scope` can be set to specify custom scopes (defaults to `openid email profile`).
+	- `oidc.extra_params` can be set to pass arbitrary query parameters to the authorization endpoint (closes [#197](https://github.com/tale/headplane/issues/197)).
+
 ### 0.6.0 (May 25, 2025)
 - Headplane 0.6.0 now requires **Headscale 0.26.0** or newer.
     - Breaking API changes with routes and pre auth keys are now supported (closes [#204](https://github.com/tale/headplane/issues/204)).

Caddyfile

@@ -0,0 +1,10 @@
+https://localhost {
+    reverse_proxy headscale:8080
+	tls /certs/localhost.pem /certs/localhost-key.pem
+
+    header {
+        Access-Control-Allow-Origin  *
+        Access-Control-Allow-Headers *
+        Access-Control-Allow-Methods GET, POST, OPTIONS
+    }
+}

Dockerfile

@@ -1,35 +1,63 @@
-FROM golang:1.24 AS agent-build
-WORKDIR /app
+FROM --platform=$BUILDPLATFORM jdxcode/mise:latest AS mise-context
+COPY mise.toml .tool-versions ./
+RUN --mount=type=secret,id=gh_token,env=MISE_GITHUB_TOKEN mise install
+
+FROM --platform=$BUILDPLATFORM mise-context AS go-build
+WORKDIR /build/
 
 COPY go.mod go.sum ./
 RUN go mod download
 
-COPY agent/ ./agent
-RUN CGO_ENABLED=0 GOOS=linux go build \
-	-trimpath \
-	-ldflags "-s -w" \
-	-o /app/hp_agent ./agent/cmd/hp_agent
+COPY cmd/ ./cmd/
+COPY internal/ ./internal/
 
-FROM node:22-alpine AS build
-WORKDIR /app
+ARG TARGETOS
+ARG TARGETARCH
+ARG IMAGE_TAG
+RUN mkdir -p /build/app/ && \
+	GOOS=$TARGETOS GOARCH=$TARGETARCH CGO_ENABLED=0 IMAGE_TAG=$IMAGE_TAG \
+	mise run wasm ::: agent ::: fake-shell
 
-RUN npm install -g pnpm@10
-RUN apk add --no-cache git
-COPY package.json pnpm-lock.yaml ./
+RUN chmod +x /build/build/hp_agent
+RUN chmod +x /build/build/sh
+
+FROM --platform=$BUILDPLATFORM mise-context AS js-build
+WORKDIR /build
 COPY patches ./patches
+COPY package.json pnpm-lock.yaml ./
 RUN pnpm install --frozen-lockfile
 
 COPY . .
-RUN pnpm run build
+RUN mise trust
+COPY --from=go-build /build/app/hp_ssh.wasm /build/app/hp_ssh.wasm
+COPY --from=go-build /build/app/wasm_exec.js /build/app/wasm_exec.js
 
-FROM node:22-alpine
-RUN apk add --no-cache ca-certificates
-RUN mkdir -p /var/lib/headplane
-RUN mkdir -p /usr/libexec/headplane
+ARG IMAGE_TAG
+RUN IMAGE_TAG=$IMAGE_TAG pnpm run build
 RUN mkdir -p /var/lib/headplane/agent
 
+FROM gcr.io/distroless/nodejs22-debian12:latest AS final
+COPY --from=js-build /build/build/ /app/build/
+COPY --from=js-build /build/drizzle /app/drizzle/
+COPY --from=js-build /var/lib/headplane /var/lib/headplane
+COPY --from=js-build /build/node_modules/ /app/node_modules/
+COPY --from=go-build /build/build/hp_agent /usr/libexec/headplane/agent
+
+# Fake shell to inform the user that they should use the debug image
+COPY --from=go-build /build/build/sh /bin/sh
+COPY --from=go-build /build/build/sh /bin/bash
+
+WORKDIR /app
+CMD [ "/app/build/server/index.js" ]
+
+FROM node:22-alpine AS debug-shell
+RUN apk add --no-cache bash curl git
+
+COPY --from=js-build /build/build/ /app/build/
+COPY --from=js-build /build/drizzle /app/drizzle/
+COPY --from=js-build /var/lib/headplane /var/lib/headplane
+COPY --from=js-build /build/node_modules/ /app/node_modules/
+COPY --from=go-build /build/build/hp_agent /usr/libexec/headplane/agent
+
 WORKDIR /app
-COPY --from=build /app/build /app/build
-COPY --from=agent-build /app/hp_agent /usr/libexec/headplane/agent
-RUN chmod +x /usr/libexec/headplane/agent
-CMD [ "node", "./build/server/index.js" ]
+CMD [ "node", "/app/build/server/index.js" ]