Setting up Raspberry Pis
Starting Up Ubuntu Server on the Pi
Default Login
For most Raspberry Pi Ubuntu Server images:
- Username: ubuntu
- Password: ubuntu
When you log in the first time, it will force you to change the password immediately.
Create your own user
To create a user, run the following, replacing <yourname> with the username you want:
sudo adduser <yourname>
Add the user to sudo group
sudo usermod -aG sudo <yourname>
Implementing SSH Keys
Temporarily allow password SSH, run ssh-copy-id, then lock it back down
On the Pi (local console) as ubuntu:
# allow password auth just for this step
echo -e "PasswordAuthentication yes\nKbdInteractiveAuthentication yes" | \
sudo tee /etc/ssh/sshd_config.d/99-local-allow-password.conf >/dev/null
# reload sshd
sudo systemctl reload ssh
# (optional verify)
sudo sshd -T | grep -E 'passwordauthentication|kbd'
Fix ownership & permissions on the Pi (local console)
Replace <you> with your username.
# See your home directory path
getent passwd <you>
# Save it in a variable for convenience (copy the path printed above)
HOME_DIR=/home/<you> # adjust if getent shows something else
# Create ~/.ssh and authorized_keys with correct owner/perms
sudo install -d -m 700 -o <you> -g <you> "$HOME_DIR/.ssh"
sudo install -m 600 -o <you> -g <you> /dev/null "$HOME_DIR/.ssh/authorized_keys"
# Sanity check: these should show <you> as owner and correct modes
ls -ld "$HOME_DIR" "$HOME_DIR/.ssh"
ls -l "$HOME_DIR/.ssh/authorized_keys"
If /home itself was made too restrictive (rare), set it to the standard mode:
sudo chmod 755 /home
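The ownership and mode requirements above, turned into a repeatable check (an added example, not part of the original page). The function name strictmodes_ok is hypothetical and GNU stat is assumed; it tests the three paths for what sshd's StrictModes rejects: an owner other than the user or root, or a group/world write bit.

```bash
#!/bin/sh
# Added example, not from the original page; strictmodes_ok is a hypothetical name.
# strictmodes_ok HOME_DIR UID
# Returns 0 when HOME_DIR, HOME_DIR/.ssh and HOME_DIR/.ssh/authorized_keys
# all exist, are owned by UID (or root) and have no group/world write bit.
# Prints one line per problem found.
strictmodes_ok() {
  local home=$1 uid=$2 rc=0 p owner mode
  for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
    if [ ! -e "$p" ]; then
      echo "missing: $p"; rc=1
      continue
    fi
    owner=$(stat -c %u "$p")   # numeric owner uid (GNU stat)
    mode=$(stat -c %a "$p")    # octal permission bits, e.g. 700
    if [ "$owner" != "$uid" ] && [ "$owner" != 0 ]; then
      echo "wrong owner (uid $owner): $p"; rc=1
    fi
    # 022 = group-write | other-write
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
      echo "group/world writable (mode $mode): $p"; rc=1
    fi
  done
  return $rc
}
```

On the Pi, run it as: strictmodes_ok "$HOME_DIR" "$(id -u <you>)"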
Getting your SSH key from your PC and installing ssh-copy-id
See if you already have an SSH key pair on your PC
ls -al ~/.ssh
If you see files like:
- id_ed25519 and id_ed25519.pub, or
- id_rsa and id_rsa.pub
…the .pub file is your public key.
Print your keys: For Ed25519 (the modern default):
cat ~/.ssh/id_ed25519.pub
It will look like:
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI... yourname@MacBook
That’s the line you need to copy into your Raspberry Pi’s ~/.ssh/authorized_keys. (No need to do that by hand here, since we will use ssh-copy-id.)
On macOS, ssh-copy-id is not installed by default, but you can grab it with Homebrew:
brew install ssh-copy-id
Try ssh-ing from your PC
On your PC (Mac): push your key
- Just run (replace <yourname> with the new user you created on the Pi, and <pi-ip> with its address):
ssh-copy-id <yourname>@<pi-ip>
- It will ask for your Pi user’s password once.
- After that, it copies your public key to ~/.ssh/authorized_keys and sets permissions.
Test from your PC (Mac):
ssh <you>@192.168.101.189
Re-locking SSH
Lock SSH back to keys-only (recommended):
# on the Pi
sudo rm /etc/ssh/sshd_config.d/99-local-allow-password.conf
sudo systemctl reload ssh
# (optional verify)
sudo sshd -T | grep -E 'passwordauthentication|kbd'
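sshd uses the first value it reads for each keyword, and drop-ins in /etc/ssh/sshd_config.d/ are read in lexical order, so removing one file only restores keys-only logins if no other file enables passwords. The added example below (not part of the original page; function names and the sample file names are hypothetical/constructed) checks the effective settings and finds which drop-in sets a keyword first.

```bash
#!/bin/sh
# Added example, not from the original page; function names are hypothetical.

# keys_only: reads `sudo sshd -T` output on stdin. Returns 0 only when both
# password-style methods are off and public-key authentication is on.
keys_only() {
  awk '
    $1 == "passwordauthentication"       { pw  = $2 }
    $1 == "kbdinteractiveauthentication" { kbd = $2 }
    $1 == "pubkeyauthentication"         { pk  = $2 }
    END { exit !(pw == "no" && kbd == "no" && pk == "yes") }
  '
}

# first_setter DIR KEYWORD: prints "<file> <value>" for the first drop-in in
# DIR (lexical order) that sets KEYWORD outside a Match block, else returns 1.
# Simplification: only the "Keyword value" spelling is parsed.
first_setter() {
  local dir=$1 key=$2 f
  for f in "$dir"/*.conf; do
    [ -f "$f" ] || continue
    awk -v k="$key" -v f="$f" '
      tolower($1) == "match"    { exit }   # conditional section: stop here
      tolower($1) == tolower(k) { print f, tolower($2); hit = 1; exit }
      END { exit !hit }
    ' "$f" && return 0
  done
  return 1
}

# Constructed sample: an earlier drop-in that enables passwords wins over a
# later one that disables them.
demo() {
  local d
  d=$(mktemp -d)
  printf 'PasswordAuthentication yes\n' > "$d/50-example.conf"  # constructed
  printf 'PasswordAuthentication no\n'  > "$d/60-example.conf"  # constructed
  first_setter "$d" PasswordAuthentication
  rm -rf "$d"
}
```

On the Pi: sudo sshd -T | keys_only && echo "keys-only". If that fails, first_setter /etc/ssh/sshd_config.d PasswordAuthentication names the drop-in to look at; the sshd -T result remains the authoritative one because the main sshd_config can also set these keywords.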
Update & Configure
Update
After logging in
sudo apt update && sudo apt upgrade -y
Then set up some basics:
- sudo hostnamectl set-hostname <your-pi-name> to name each Pi (like pi-node1, pi-node2).
- sudo timedatectl set-timezone <your/timezone> so logs are consistent.
- (Optional) Set up static IPs in Netplan (/etc/netplan/*.yaml) if you want reliable addressing in your homelab.
(Optional) Disable the default ubuntu user
Once you confirm your user works, you can disable or delete the ubuntu account for better security:
sudo deluser --remove-home ubuntu
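or lock its password (this disables password logins only; any SSH keys in the account's authorized_keys keep working):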
sudo usermod -L ubuntu
Change hostname
sudo hostnamectl set-hostname pi-node1
Change timezone
sudo timedatectl set-timezone America/<your time zone>
Installing Pi-hole
Run the installer
curl -sSL https://install.pi-hole.net | bash
During setup:
- Select your interface (likely eth0).
- Confirm the static IP 192.168.1.10/24 and gateway 192.168.1.1.
- Choose upstream DNS (Cloudflare 1.1.1.1/1.0.0.1, Quad9, etc.).
- Install the web admin.
- Leave DHCP disabled for now (we’ll keep the router doing DHCP initially).
- Visit http://192.168.1.10/admin (or http://pi.hole/admin once clients use it).
Quick checklist on the Pi
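You already installed Pi-hole; do these two small tweaks:
- Pi-hole listens on the Tailscale interface
  - Pi-hole → Settings → DNS → Interface listening behavior → select “Listen on all interfaces, permit all origins.”
  - Save & Restart DNS.
With this setting Pi-hole answers queries from any network that can reach it, so keep port 53 on the Pi unreachable from the internet (no port-forward on the router).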
Installing Tailscale
Install & bring up Tailscale on the Pi
curl -fsSL https://tailscale.com/install.sh | sh
# Don't let it hijack the Pi's own DNS
sudo tailscale up --ssh --accept-dns=false \
--advertise-exit-node \
--advertise-routes=192.168.1.0/24 # replace with your LAN CIDR
Note the Pi’s Tailscale IP (we’ll use it as the DNS server for the tailnet):
tailscale ip -4
# example: 100.88.12.34 ← keep this handy
Approve in admin console
- Approve the subnet route the Pi advertises.
- (Optional) Restrict who can use the exit node via ACLs.
Tailnet-wide DNS settings
In the Tailscale Admin Console:
- DNS → Nameservers
  - Click Add nameserver → enter the Pi’s Tailscale IP (e.g., 100.88.12.34).
    (Using the Tailscale IP—not the LAN IP—means all clients, even remote ones, can reach Pi-hole reliably.)
- DNS → Global settings
  - Turn MagicDNS = On.
  - Turn Override local DNS (a.k.a. Global nameservers) = On.
- (Optional) Split DNS for your cluster domain
  - Add a Split DNS route for k8s.lan → Nameserver = the Pi’s Tailscale IP.
    This isn’t strictly required because we’ll already be overriding DNS globally to Pi-hole, but it’s nice for clarity.
- Settings → Feature flags
  - Ensure Devices can use subnet routes and Devices can use exit nodes are enabled (usually default).