1. Headless set-up

1.1. Intro

Every time I deploy a new pi, something has changed. This makes it difficult to create a simple set-up that works every time. It also means that all instructions you find on the internet are outdated. Google is great in finding set-up instructions from back in 2012, but those do not work anymore. And most instructions do not have a date in them, so you're completely lost why it doesn't work.

This instruction made for people that have Linux running.
Version
Date
Raspian
Comment
1
28-6-2017
Jessie
2
29-12-2017
2017-11-29-raspbian-stretch
3
29-12-2017
2017-11-29-raspbian-stretch
4
19-1-2019
2018-11-13-raspbian-stretch.img

1.2. Burning the image

First get the latest Raspian:
wget http://downloads.raspberrypi.org/raspbian_latest

What you'll get is a zip-file with the latest raspian-image. Unzip and burn on the SD-card.

Many tutorials go into great length on how to identify your SD-card. In most cases, it is /dev/mmcblk0 or one of the /dev/sd* devices.
mv raspbian_latest raspbian_latest.zip
unzip raspbian_latest.zip
sudo if=2018-11-13-raspbian-stretch.img  of=/dev//dev/mmcblk0 status=progress

Ofcourse, this takes a long time; that is why the status=progress is on the command line. Total is about 3.5G.

Remove the card and plug it back in. Normally, it will be mounted automatically, and you will see:
/dev/mmcblk0p1 on /run/media/ljm/boot type vfat 
/dev/mmcblk0p2 on /run/media/ljm/5c01c1ce-fe60-428a-8e68-0be0e8ed6b7a type ext4 

Otherwise, mount by hand.

For raspian-stretch, the root filesystem will be called rootfs instead of the big number.

1.3. The networking

Because from Jessie on, it is now using systemd, everything you knew about the configuration of networking is now of no value. In previous releases, networking was done via /etc/network/interfaces but now, dhcpcd is used. It also means that all tutorials and howto's are now obsolete.

The main configuration file for dhcpcd is /etc/dhcpcd.conf. For every connection that you want to have a fixed IP address add a block, of course with your own IP addresses:
interface eth0
static ip_address=192.168.178.53/24
static routers=192.168.178.1
static domain_name_servers=192.168.178.6
interface wlan0
static ip_address=192.168.178.3/24
static routers=192.168.178.1
static domain_name_servers=192.168.178.6

For some dark and unknown reason, you still need to edit /etc/network/interfaces to add
allow-hotplug eth0

Next, setup the wpa-supplicant in etc/wpa_supplicant/wpa_supplicant.conf :
country=GB
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
network={
    ssid="ssidforwifi"
    psk="wifipsk"
}

And that should be enough for the network.

1.4. Enable ssh

Enabling ssh requires an ssh file in the boot directory. Normally, you see a directory
/dev/mmcblk0p1     /run/media/username/boot              
if you query all mounts. So do a
touch /run/media/username/boot/ssh
and ssh will start at boot-time.

But you don't want to type passwords, so we'll distibute the keys:
cd $piroot/root
mkdir .ssh
chown root.root .ssh
chmod 700 .ssh
cp  ~/.ssh/id_rsa.pub  .ssh/authorized_keys
chmod 600 .ssh/authorized_keys

1.5. Connecting and manual actions.

If you do it in this way, everything should run and the pi should be accessible under your WiFi IP address.

Try a ssh root@192.168.178.3 (use your own IP address) and voila.

There are some manual actions to take before everything works. First, make your users that need to be present on the system. In my case, that is "ljm":
adduser ljm
mkdir /home/ljm
cp -r /root/.ssh ~ljm
chown -R ljm.ljm ~ljm/.ssh

Next item on the list: raspi-config. Use the menus to set the hostname. But more importantly, under 7 Advanced Options you will find A1 Expand Filesystem which will allow you to use the complete sd card.

Do not reboot after this!

Make vi our deault editor:
update-alternatives --set editor /usr/bin/vim.tiny

You will also need to add the users in the sudoers-file:
ljm   ALL=(ALL)       NOPASSWD: ALL

And now: reboot

1.6. Security

With this set-up you can add the pi to your local network. Not to the Internet. There are a lot of security implications that we have not considered. One of the most important is that the user pi is still present and having his default password. Also the NOPASSWD in the sudoers is practical, but a bad idea security-wise.

The goal of this part was to get the pi working; not to make it secure.