Updated on February 29, 2024

Raspberry Pi Setup - OS-64 "Bullseye"

The Raspberry Pi OS is based on the Debian distro of Linux. Every 2 years Debian released a new Long Term Support (LTS) version, which is supported for 5 years. On August 24, 2021, Debian released Debian 11, codenamed "Bullseye". On October 30, 2021, the Raspberry Pi OS was upgraded to "Bullseye".

References:

Raspberrypi.com/news: "Bullseye - the new version of the Raspberry PI OS" - with lots of comments

forms.raspberrypi.com: Bullseye - Comments and bug reports thread

Bullseye bonus: 1.8GHz Raspberry Pi 4

However, it was not until 2022-02-02, that the 64-bit version of the Rasp Pi OS came out of beta. It is now fully supported in the imager.

You can also download it at:
 
https://downloads.raspberrypi.org/raspios_arm64/images/

Raspberry Pi Imager / Telemetry

The Raspberry Pi Imager is a tool for putting an OS image onto an SD card. By default, it sends telemetry data back to the Raspberry Pi Organization.

To turn telemetry off:
 
Open the Imager, and hit Ctrl+Shift+X
 
This will bring up the hidden advance options dialog box.
 
Uncheck enable telemetry (the last checkbox).

Afterwards, there will be a hidden file, ~/.config/Raspberry Pi/Imager.conf. Check this file to make sure telemetry=false.

One of the advance options is to configure a wireless LAN. This option has my wireless LAN SSID in it, and I have not figured out how to remove my SSID. I am very leary of this program.

I need to investigate downloading the OS image and using a different imager.

Raspberry Pi 4B Setup

To protect my privacy and anonymity I only install the minimum that is required to install "Nordvpn".

The Raspberry Pi setup has changed again!
The first splash screen is "Set Country":
  Dropdown Boxes:
  Country - United States
  Language - American English
  Time Zone - Chicago
  Check Boxes:
  Use English Language
  Use US Keyboard

The second splash screen is to create a user. Because of a new British law, you no longer have products with a default user name and password. However, I am still using the pi username because I believe VNC expects a pi account. Later, I will lock the pi account, which is different than deleting it.

The third splash screen is to setup a wireless network. For now, I skip this.

The forth splash screen is to update the operating system. Again, for now, I skip this.

The fifth splash screen is to reboot.

Setup for 4K Monitor

Go to Menu/Preferences/Appearance Settings/Defaults:
 
Set Default for Large Screens

 
Open Terminal (Alt-Ctrl-T)
 
Go to Edit/Preferences:
 
Change dark blue to light blue // the dark blue in the command prompt is unreadable.
 
Change text size to 20 pt.

Add User without Privileges

sudo adduser web_suffer_user

Raspi-config

sudo raspi-config

System Options/(S6)-Network at Boot - Yes

System Options/(S5)-Boot/Auto Login - Select: Desktop GUI, requiring user to login.

System Options/(S4)-Hostname

Display Options/(D5)-VNC Resolution/Headless - Select 1280 x 1024.

Interface Options/(I2)-Enable SSH

Interface Options/(I3)-Enable VNC

Install Nordvpn

sh <(curl -sSf https://downloads.nordcdn.com/apps/linux/install.sh)

Add users to the Nordvpn group:

gpasswd -a pi nordvpn
gpasswd -a web_suffer_user nordvpn

Reboot

sudo reboot

Loggin:

nordvpn login --token your_token

Whitelist:

nordvpn whitelist add subnet 192.168.0.0/24

Autoconnect:

nordvpn set autoconnect enabled US

Killswitch

nordvpn set killswitch enabled

Update Raspberry Pi OS:

sudo apt update && sudo apt upgrade -y

Install Software:

sudo apt install vim
sudo apt install firefox-esr

Remove Software

sudo apt purge chromium-browser

Raspi-config

Wi-Fi setup

Cloning & Security

The Raspberry Pi's built in SD Card Copier can be used to clone another SD card to be used in another Raspberry Pi. However, there are somethings that should be unique such as the private and public keys for ssh. To generate new keys:

To generate new keys:
 
cd /etc/ssh
sudo rm *key* // remove the old keys
 
// generate new keys - When prompted, Do Not enter a phrase to generate the keys !
sudo ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key
sudo ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key
sudo ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key
sudo ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key

You may also have to remove keys that are stored on the machine that is logging into the Raspberry Pi:
rm ~/.ssh/known_hosts

-- -- -- -- -- -- -- -- -- -- -- -- --

Configuration/Interfaces and enable ssh and and optionally vnc.

You can now create a new user and add the user to the adm and sudo groups:
  sudo adduser user_name
  sudo gpasswd -a user_name adm
  sudo gpasswd -a user_name sudo

After testing the new user is working correctly, you can lock the pi account:
  sudo passwd -l pi
 
To unlock the pi account:
  sudo passwd -u pi

To use the imaging tool, I had to unlock the pi account. For some reason, the diaglog box for user_name (belonging to the adm and sudo groups) would not accept input from the keyboard.

Note that pi, in addition to belonging to the adm and sudo groups, also belongs to the folowing groups: dialout, cdrom audio, video, plugdev, games, users, input, render, netdev, spi, 12c, gpio, and lpadmin. It may be necessary to add some or all of these groups to the new super_user.

You need to cut off Configurations/auto login

vi, vim Setup

On Debian 11 (bullseye) and the Raspberry Pi OS based on bullseye, vi is symlinked to vim.tiny; it takes only 1.4 MBytes of space. It does not support syntax highlighting, and its help files are dummy blank files. To get these features, you need vim.basic, which includes vim-runtime, and requires around 36 MBytes of space.

To get vim.basic:

sudo apt update
sudo apt install vim

You can add or modify the .vimrc file in your home directory. My ".vimrc" file is:

set showmode
set number
set shiftwidth=3
set expandtab
set autoindent
set wrap
set linebreak
set mouse=a
filetype plugin indent on
let g:html_indent_inctags="html,head,body,style,p"
syntax on

Add a firewall:
sudo apt install firewalld
sudo firewall-cmd --zone=internal --add-source=192.168.0.1/24 --permanent
// the ssh service is enabled by default for the internal zone. Howeven, VNC is not enabled
sudo firewall-cmd --zone=internal --add-service=vnc-server --permanent

Add fail2ban
  sudo apt install fail2ban
and make a jail.local file in /etc.

Peripherals

Logitech Anywhere 3 Mouse

To make Logitech's Anywhere 3 mouse discoverable, press and hold the select button on the bottom of the mouse for 4 seconds. I do not know if there is a difference in the Anywhere 3 for Windows and the Mac. I did not have a problems with either, but the Mac version does show up as Anywhere 3 for Mac. Logitech's Anywhere 3 mouse cannot be used as a wired mouse.

Apple Magic Keyboard

To make Apple's Magic keyboard discoverable, cut it 'off' and 'on'. Apple's magic keyboard can be also be used as a wired keyboard. On the model A1644 the fn+delete key performs a forward delete.

However, on the newer model A2450 (March 2021) the fn+delete just does the same as delete key (backwards delete). There, are claims that the newer keyboard A2450 is supported in Linux Kernel 5.7. As of 1/28/2022, the Raspberry Pi and Debian are still using Kernel 5.1. We will have to wait and see. Also, there does not appear to be any Windows drivers (yet) where the fn+delete works correctly.
 

Monitor Setup

Tha the Raspberry Pi does not have a BIOS. Instead it reads the /boot/config.txt file and then it loads the Linux Kernel. The /boot/config.txt file takes the place of the BIOS.

In order to drive my 4K monitor at 60Hz, I had the add the following to /boot/config.txt:
 
enable_uart=1 / I do not know what this line does, but it is still required as of 2022/04/15
hdmi_enable_4kp60=1
 

Explanation

The screen resolution and depth in the new Raspberry Pi Bullseye OS is set by the kernel (Kernel Mode Setting (KMS)). In the /boot/config.txt file:

#Enable DRM VC4 V3D Driver
dtoverlay=vc4-kms-v3d
max_framebuffers=2

At the top level is a Display Server: X session or Wayland. Wayland is newer, simpler and has a more narrow scope. Currently, the Raspberry Pi does not support Wayland. Below them is the DRM (Direct Rendering Manager). KMS (Kernel Mode Setting) is a subpart of DRM.

tvservice is not supported when using the "vc4-kms-v3d" driver.

You can set and change the resolution and orientation of the display with the "xrandr" command. Maintained by the X-org.

xrandr: x windows system - randr: resize and rotate.

arandr is a graphical front end for xrandr.

The new Raspberry Pi Bullseye OS uses the windows manager, "mutter".

 

-- old --

After the Raspberry Pi boots, the first thing you should do is enable ssh via Preferences/Raspberry Pi Configuration/Interfaces. Next, find the ip address of the Pi via ip address or ifconfig (deprecated). It is also a good idea to assign a dedicated ip address to the Pi via your router. This is so you can login to the Pi and make changes incase the screen is not displaying properly and/or other troubleshooting.

 

Bluetooth Speakers

I tried to use Sylvania, SP262, bluetooth speaker, but after a period of time, it would go to sleep. After doing some research on the Internet, I learned that this is a common problem with bluetooth battery powered speakers.

A

Update: This is now working without the speaker going to sleep with the input from the speaker being HDMI auto.

firewalld Setup

Linux has two firewall management tools: firewalld and iptables. ufw (uncomplicated firewall) is a frontend for iptables. And there is nftables. Firewalld and iptables are incompatible and only one should be used. Neither are installed by default with the Raspberry Pi OS.

Firewalld has replaced iptables on most distros. It is part of the systemd family.

To install firewalld:

sudo apt update
sudo apt install firewalld

Add interfaces to the public zone:

sudo firewall-cmd --zone=public --permanent --add-interface=eth0
sudo firewall-cmd --zone=public --permanent --add-interface=wlan0
An interface can only be added to a single zone:

Usefull firewalld commands:
sudo firewall-cmd --get-zones
sudo firewall-cmd --get-default--zone
sudo firewall-cmd --get-active-zones
sudo firewall-cmd --list-all-zones
sudo firewall-cmd --zone=public --list-all

fail2ban

Fail2ban monitors the log files for malicious activities and bans the user. It does this by adding a firewall rule that blocks the user for a certain period of time. It will stop brute fore attacks.

You need to have either "firewalld" or "iptables" set up before fail2ban is installed. It download difference packages depending on which firewall is present.

To install fail2ban:

sudo apt update
sudp apt install fail2ban

When fail2ban is installed it creates a directory /etc/fail2ban. Inside this directory is "jail.conf". This informs you how to setup jails, but do NOT modify it because it might get overwritten when fail2ban is updated. Instead create a new file (via sudo) "jail.local" in the /etc/fail2ban directory. Anything in "jail.local" will overide what is in "jail.conf".

To create a jail for ssh, put the following in /etc/fail2ban/jail.local:

[DEFAULT]
bantime = 600
action = %(action_)s
[sshd]
enable = true
maxretry = 3

To see a list of jails:

sudo fail2ban-client status

Bluetooth

To scan for Bluetooth devices, that you can connect to:
 
bluetoothctl scan on # continuous scan
 
bluetoothctl devices # list Bluetooth devices
 
bluetoothctl paired-devices # list paired devices
 
bluetoothctl discoverable on #make this device discoverable
 
The scan on command does not list devices that are already paired to this computer or other computers.

bluetoothctl info xx:xx:xx:xx:xx
 
bluetoothctl pair xx:xx:xx:xx:xx
 
bluetoothctl connect xx:xx:xx:xx:xx
 
bluetoothctl trust xx:xx:xx:xx:xx
 
bluetoothctl remove xx:xx:xx:xx:xx # unpair
 
bluetoothctl disconnect xx:xx:xx:xx:xx
 
bluetoothctl untrust xx:xx:xx:xx:xx
 
bluetoothctl block xx:xx:xx:xx:xx
 
bluetoothctl unblock xx:xx:xx:xx:xx
 

Pulse Audio

If you remove the pulseaudio package and reinstall it, "Volume Control (PulseAudio)" will Not be in the Add/Rmove Panel Items List. There will be a Volume Control in the list without PulseAudio in parentheses, but this is not the right one. To get the "Volume Control (PulseAudio)" back in the list:
 
sudo apt install lxplug_volumepulse
and reboot.
 
After rebooting, you can now manually add the panel applet "Volume Control (PulseAudio)" back to the task bar.

Problems

HDMI QHD Interfering with WiFi

According to Tom's Hardware, when using an HDMI cable at QHD resolution (2560 x 1440), the RPi 4 will emit noise in the same range as Wi-Fi channel 1 - causing the Pi 4 to jam its own WiFi: the Article.

The article, dated November 30, 2019, states that the Raspberry Pi Foundation has acknowledged the problem. They are trying to address the issue with firmware. In the interim, users experiencing this issue should adjust their routers to use the 2.4 GHz channel 4 or above or the 5 GHz band.

References:

Raspberrypi.org

Raspberrypi.com

Raspberrypi.com/news

Raspberrypi.com/news: "Raspberry Pi SD Card Speed Test"

Raspberry Pi Downloads Page

Raspberry Pi Forums

Raspberry Pi Forums Networking and Servers

List of Compatible USB WiFi Adapters

Dual band Wireless Access Points