git / GitHub development with Raspberry Pi's and other devices

[sgbaird-alt]

If SSH'ing via VSCode extension, it appears that the git credentials are all stored on the VS Code side, which means you can probably keep your regular credentials. However, if you're developing locally on the Raspberry Pi (i.e., with attached monitor and keyboard) it would probably be best to use a personal access token restricted to that repository (see below). In particular, I have a separate account sgbaird-alt that I'll use sometimes. A personal access token restricted to a single repository (possibly where the main branch is protected and not accessible by sgbaird-alt) would be a relatively secure way to go about it while still allowing the freedom for anyone to commit as long as they're on that repo. Also, logging in with GitHub username and password is deprecated, so you need a personal access token if you're developing locally, anyway. The RPi's themselves will have credentials for accessing (SSH, etc.), but this is less likely to be kept secure (i.e., more likely to be shared freely).

• https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens
  https://github.com/settings/personal-access-tokens/new
• https://docs.github.com/en/organizations/managing-programmatic-access-to-your-organization/setting-a-personal-access-token-policy-for-your-organization
• https://docs.github.com/en/rest/authentication/permissions-required-for-fine-grained-personal-access-tokens

The overall idea is how to keep a seamless development experience (especially integration with git/GitHub) while still developing on these separate devices that are accessible by multiple users and generally serve only a single purpose.

cc @Neil-YL since we talked about this a bit.

[sgbaird]

I think I'll try to use Tailscale as well.

I'm porting a txt file with instructions for bookworm via VS Code SSH so I don't have to type as much directly. (EDIT: I can just copy-paste into terminal on VS Code). As a specific example (#184), the A1 Mini Toolhead Camera is running Debian GNU/Linux 12 (bookworm) (found via command). See https://tailscale.com/kb/1347/installation for other installation types.

Various resources:

• https://www.reddit.com/r/Tailscale/comments/11c69q5/how_can_i_authenticate_a_headless_device/

• https://tailscale.com/kb/1174/install-debian-bookworm

• https://forums.raspberrypi.com/viewtopic.php?t=374609

• https://tailscale.com/kb/1265/vscode-extension

• https://tailscale.com/learn/how-to-ssh-into-a-raspberry-pi

• https://github.com/johnnyfivepi/tailscale-on-raspberry-pi

[sgbaird]

Instructions:

Follow the Bookworm tailscale installation instructions (or follow the appropriate device instructions at https://tailscale.com/kb/1347/installation if not using bookworm). It's convenient to SSH into the device over the same WiFi network to make copy-pasting commands into the terminal easier (rather than trying to type them out).

You can see which RPi OS version you have (assuming you're using RPi OS) by running hostnamectl or using cat /etc/os-release. However, if you're using Ubuntu OS on your RPi, you'll need to run lsb_release -a.

On the device, enable SSH, as mentioned in How to SSH into a Raspberry Pi:

sudo tailscale up --ssh

Aside: You can check RPi serial number via cat /proc/cpuinfo, potentially useful for MQTT.

For VS Code / Tailscale Extension development, you'll probably want to disable incoming connections on your personal computer. If it's already installed on your computer, go to the corresponding icon on the toolbar and deselect it:

In the machine tab of the tailscale admin console, to be able to access devices managed by other users, follow the instructions mentioned in #184 (comment):

Add:

	"tagOwners": {
		"tag:tailscale-ssh": ["autogroup:admin"],
	},

(or could be ["autogroup:member"], noting that members don't get to see the admin console)

Change "dst": ["autogroup:self"], to e.g., "dst": ["tag:tailscale-ssh"], (here it's showing tailscale-ssh as the tag, but you can use whatever tag name you'd like)

You also might want to "disable key expiry" for the Raspberry Pi devices (see link for context about the security of doing so)

Also, consider updating the default SSH username in VS Code settings (Ctrl+,), since it will be your PC's username by default (which may not correspond to the username on the RPi).

Within the tailscale sidebar interface, I found it useful to try to connect to the terminal first, go through the prompts, then click the "Attach VS Code" button and follow any prompts again. I've had some issues (#184 (comment)) with getting VS Code errors when trying to go directly to "Attach VS Code" for a new device. If you click "details" while it's loading, you will likely find that it's waiting on you to authenticate by accessing a particular link.

[sgbaird]

Pleasantly surprised to see that tailscale is also supported on Codespaces! https://tailscale.com/kb/1160/github-codespaces. Trying this out now.

EDIT: Tailscale seems to work fine, but Tailscale extension in VS Code (i.e., "Attach to VS Code") just opens up a new window that's the same codespace (i.e., doesn't seem to work).

[Neil-YL]

Setup tailscale on OT2:

#26 (comment)

[sgbaird]

Probably worth trying on windows and doing remote desktop or similar (#257)

[sgbaird]

@Neil-YL and I are both working on the a1 mini Pi around the same time (different branches), so we can either work on a common branch (e.g., a1-mini branch), or I can add another worktree (which was new to me, but I've tested and seems to work well).

Instructions at https://stackoverflow.com/questions/36687536/how-to-open-2-visual-studio-instances-with-same-git-projects-and-different-bran

[sgbaird]

I'm leaning towards running in headless mode (e.g., Raspberry Pi OS Lite (bookworm)) in general, especially for any Raspberry Pi Zero 2W's that we have, to reduce the resources consumed by the OS.

Some considerations:

• Connecting to WPA2-Enterprise WiFi. After a lot of troubleshooting and debugging, I found a good way to get this working on bookworm:

following based on ChatGPT prompt, username redacted

Connect to a WPA2-Enterprise network on a headless Raspberry Pi Zero 2W running OS Lite (bookworm). I have access to the terminal already. It's on a WPA2-personal network at the moment, and I want to switch it to a WPA2-Enterprise network (specifically, University of Toronto wireless with SSID "UofT") ... How can I do this without exposing my password to the command line?

1. Verify the Current Network Status:

First, let's check the current status of your wireless interface (wlan0) to understand its state.

ip addr show wlan0

This command will display the IP address and connection status of wlan0.

2. Install Necessary Packages:

Ensure that network-manager and its associated tools are installed, as they provide utilities like nmcli and nmtui for network configuration.

sudo apt update
sudo apt install network-manager

Optionally, you can run sudo apt upgrade to upgrade all packages.

3. Disable Conflicting Network Services: [OPTIONAL]

To prevent conflicts, optionally disable other network management services such as dhcpcd (this may not apply to bookworm, but may help with earlier versions like buster). If you get Failed to disable unit: Unit file dhcpcd.service does not exist. you can ignore this.

sudo systemctl disable dhcpcd
sudo systemctl stop dhcpcd

4. Enable and Start NetworkManager:

Activate NetworkManager to manage network connections.

sudo systemctl enable NetworkManager
sudo systemctl start NetworkManager

5. Configure the WPA2-Enterprise Connection Using nmtui:

The nmtui (NetworkManager Text User Interface) tool provides an interactive way to set up network connections.

sudo nmtui

Within the nmtui interface:

• Select "Edit a connection".
• Choose "Add", then "Wi-Fi".
• Set the SSID to "UofT".
• Under "Wi-Fi Security", select "WPA & WPA2 Enterprise".

• For "Authentication", choose "Protected EAP (PEAP)".
• Enter your UTORid ("***") in the "Username" field.
• Enter the domain (in UofT's case, radius.wireless.utoronto.ca per their online instructions, NOTE: .utoronto.ca not @utoronto.ca)
• Leave "Anonymous identity" blank unless specified otherwise by the university's IT guidelines. If the interface requires you to enter something, try entering whatever you'd like (e.g., anonymous). Sometimes, it just needs a value
• For "CA Certificate", if the university provides a specific certificate, specify its path.
• Set "Inner authentication" to "MSCHAPv2".
• Enter your UTORid password in the "Password" field.

Note that users with sudo or root access can see the password again if they go digging. I suggest changing your university password to something unique and specific to it (e.g., memorable password generated via 1password). You could also do something like make sure only you have root access and create a non-admin account that others on your team can SSH into, but some consideration might be required when trying to get the device to autostart a script.

After configuring these settings, save and exit nmtui.

6. Connect to the "UofT" Network:

Attempt to establish the connection using nmcli.

sudo nmcli connection up UofT

If you are SSH'd into the device, it may close your connection. If all goes well, you should be able to connect after waiting a minute or so. Otherwise, if something catastrophic happens (i.e., it's unable to connect at all), then you'll need access to the device to manually follow these steps.

7. Verify the Connection:

Check if wlan0 has obtained an IP address and is connected to the "UofT" network.

ip addr show wlan0

You can also check (example output also shown):

sudo nmcli dev status

DEVICE         TYPE      STATE                   CONNECTION 
wlan0          wifi      connected               UofT

Alternatively, you can use sudo nmtui and "Activate Connection" to see which one is currently active (which will have a *); however, if you are SSH'd into your device over WiFi, you will need to have a keyboard and mouse directly connected to the device in order to switch it this way (since you have to manually "Deactivate" before you can activate the new one, at which point your SSH connection is already broken).

Additional Considerations:

• CA Certificate: While some institutions require a CA certificate for secure connections, others do not. If the University of Toronto does not mandate a specific CA certificate, you can configure the connection without it. However, using a CA certificate enhances security by validating the server's identity.

• Consult University IT Support: For institution-specific configurations or requirements, reach out to the University of Toronto's IT services or consult their support documentation.

By following these steps, you should be able to connect your Raspberry Pi Zero 2W to the "UofT" WPA2-Enterprise Wi-Fi network using your UTORid "***".

Rebooting the device should still connect to the one most recently chosen.

Various resources during troubleshooting (see list in comment):

• https://www.reddit.com/r/raspberry_pi/comments/18n47zi/comment/mhq1wdq/

[sgbaird]

sudo apt-get install uptimed and then accessing via uprecords is a nifty trick! Thanks @kelvinchow23 for passing on (happened upon in this blog post)

[kelvinchow23]

just want to add for troubleshooting wifi setup with raspberry pi. i didnt set my wlan country to CA and this gave me some problems. what was happening was it was blocking the wifi connection. when i ran:
rfkill list all
the wifi showed up as soft blocked.
getting around this would be to run:
sudo rfkill unblock wifi
which would unblock it, but when you restart the networkmanager, it would just be blocked again. After i set the wlan country to CA, it stopped reblocking the wifi

[sgbaird]

Thanks for documenting! #452

[sgbaird]

Kind of meh by copilot, but went ahead and merged #453

[sgbaird]

Had a weird issue crop up where I tried activating an eduroam connection via tailscale (via sudo nmtui I think) and the device went offline. After connecting manually, ip addr show wlan0 wouldn't work, I couldn't activate any networks via sudo nmtui and it threw an error for sudo raspi-config wlan settings (connecting to our mobile hotspot). Per some chatgpt instructions, I added an etc/wpa_supplicant/wpa_supplicant.conf file manually (didn't exist), and rebooted. It auto-connected to eduroam and everything seemed to be normal.

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
country=US

network={
    ssid="YourNetworkName"
    psk="YourNetworkPassword"
}

(private chatgpt link, since I can't share due to use of audio, for my own reference)