How to fully set up a Raspberry Pi with Raspberry Pi OS Lite (headless)

Goal: a secure, headless Pi you can SSH into reliably (static DHCP lease or static IP), fully updated, with sane defaults for homelab use.

What you’ll build

• Raspberry Pi OS Lite installed on SD/SSD
• SSH enabled + key-based login (recommended)
• Hostname set + user created
• Timezone/locale set
• Basic hardening + firewall (optional but recommended)
• A repeatable “baseline” you can reuse for future Pi projects

Prerequisites

• Hardware: Raspberry Pi (3/4/5), microSD (or SSD + USB adapter), Ethernet recommended
• A second computer: Windows/macOS/Linux for imaging and SSH
• Network: access to your router/DHCP server (for a DHCP reservation)
• Download: Raspberry Pi Imager

Step 1 — Flash Raspberry Pi OS Lite

1. Open Raspberry Pi Imager
2. Choose:
   • Device: your Pi model
   • OS: Raspberry Pi OS Lite (64-bit) (use 32-bit only for legacy add-ons)
   • Storage: your SD card / SSD
3. Click the gear / settings (Advanced options) and set:
   • Hostname: rpi-01 (or similar)
   • Enable SSH: ON
   • Authentication: Public key (recommended) or password
   • User: create a non-root user (e.g. delbert)
   • Locale/Timezone: your values
   • Wi‑Fi (if you must): set SSID + country + password
4. Write the image.

Verify

• After writing, you should see a boot partition on the card/drive.

Step 2 — First boot + find the IP

1. Insert the card/SSD into the Pi.
2. Plug in Ethernet and power.
3. Find the Pi’s IP:
   • Router DHCP leases page, or
   • Use a network scanner, or
   • If you have another Linux box:

arp -a | grep -i rpi

Step 3 — SSH in

From macOS/Linux:

ssh <user>@<pi-ip>

From Windows PowerShell:

ssh <user>@<pi-ip>

If you used SSH keys, you may be prompted to trust the host key. Say yes.

Verify

hostname
uname -a

Step 4 — Update packages + reboot

sudo apt update
sudo apt full-upgrade -y
sudo apt autoremove -y
sudo reboot

After reboot, SSH back in.

Step 5 — Baseline configuration (recommended)

Run the Pi configuration tool:

sudo raspi-config

Recommended settings to check:

• System Options
  • Hostname (confirm)
  • Password (if you used password auth)
• Localization Options
  • Locale, timezone, keyboard
• Interface Options
  • SSH: enabled (confirm)

Step 6 — Give it a reliable IP (best practice)

You have two good options:

Option A (recommended): DHCP reservation in your router/firewall

• Find the Pi’s MAC address (router DHCP leases).
• Create a DHCP reservation so the Pi always gets the same IP.

Option B: static IP on the Pi

Only do this if you understand your LAN subnet and gateway/DNS.

1. Check current network details:

ip a
ip r
resolvectl status 2>/dev/null || cat /etc/resolv.conf

2. Edit dhcpcd.conf (common on Raspberry Pi OS):

sudo nano /etc/dhcpcd.conf

Example (replace values):

interface eth0
static ip_address=192.168.1.50/24
static routers=192.168.1.1
static domain_name_servers=192.168.1.1 1.1.1.1

3. Reboot:

sudo reboot

Verify

ip r
ping -c 3 1.1.1.1
ping -c 3 google.com

Step 7 — SSH hardening (recommended)

Use SSH keys (if you didn’t already)

On your laptop/desktop:

ssh-keygen -t ed25519
ssh-copy-id <user>@<pi-ip>

Then on the Pi, harden SSH:

sudo nano /etc/ssh/sshd_config

Recommended changes:

PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes

Restart SSH:

sudo systemctl restart ssh

Verify

Open a new terminal and connect:

ssh <user>@<pi-ip>

Step 8 — Basic firewall (optional but recommended)

sudo apt install -y ufw
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow OpenSSH
sudo ufw enable
sudo ufw status verbose

Step 9 — Quality-of-life packages (optional)

sudo apt install -y \
  curl wget git ca-certificates gnupg lsb-release \
  htop iotop ncdu vim tmux unzip

Troubleshooting

• SSH “Permission denied”
  • If you disabled password auth, make sure your key is installed and you’re connecting as the right user.
• Can’t find the IP
  • Use Ethernet first, check router DHCP leases, and confirm the Pi is actually booting (activity LED).
• DNS works sometimes
  • Prefer DHCP reservation + DNS from your router/firewall; avoid mixing static IP + random DNS.

Next steps

• Install Docker (see: Docker guide)
• Turn this into a reusable baseline image for future Pis
• Add monitoring (node exporter, uptime-kuma, etc.)