by noja 2764 days ago
or create /boot/wpa_supplicant.conf and touch /boot/ssh and it will do the right thing on boot.
3 comments

Can you seriously put wpa_supplicant.conf in /boot and it’ll work? I have honestly never heard this in 2 years of doing Raspberry Pi, after looking at tons of documentation and web sites. This wouldn’t surprise me, but I feel like it should be much better documented, given that it’s pretty much the first and biggest hurdle to getting things to work on a new image.
Yeah, it's pretty well documented to be fair.

https://www.raspberrypi.org/documentation/configuration/wire...

Not in /boot, but the boot partition of the device named "boot".
That is mounted at /boot....
Just wanted to specify. If you put the wpa_supplicant in /boot under the root partition, it won't work :^)
Hehe OK, I'd imagine that would be very confusing when it didn't work.
Yes...
I'd like to see one addition to that. On boot, it should also write a file, /boot/MAC-address, if it does not exist. This should be a text file containing the Pi's MAC address.

With that, those whose networks require whitelisting by MAC address who are trying to set up a headless Pi could boot it once to get it to write its MAC address to the SD card, whitelist that MAC address and assign it a static IP address, create /boot/wpa_supplicant.conf, and boot again to get the Pi on their network.

I know you're talking about Someone Else's Network (tm), but isn't whitelisting MAC kind of pointless? MAC can almost always be freely set to any value.
MAC whitelisting as a security measure against deliberate, reasonably knowledgeable attackers is indeed of questionable value. But that's not the only reason you might use MAC whitelisting.

Another use is to prevent accidents. Suppose you have multiple networks. For example, at work we have separate networks for machines that handle different kinds of sensitive data, with each network having the appropriate incoming and outgoing access rules to protect the kind of sensitive data on that network.

In such a situation, MAC whitelisting can protect against someone accidentally plugging a machine into the wrong network. Someone goofs and plugs a machine with customer financial data into a network that has unrestricted outside internet access? It's not on the whitelist for that network, doesn't get an IP address, and they quickly notice something is wrong.

In a home WiFi setting, MAC whitelisting could be used for partial sharing of your WiFi with people who don't know much about networking. Maybe I want to allow my neighbor, who has no idea what a MAC address is, to use my WiFi with his phone, but not to use it with his other devices. I could give him the access info and then use MAC whitelisting to just allow his phone on.

Finally, even if MAC whitelisting is not being used it would still be nice to be able to find out the Pi's MAC address easily, so that you can assign it a static IP address on your WiFi network.

Yes, you can find it out by letting it get a dynamic address on your network, going into the router settings and looking at the device table and figuring out which unexplained device is the Pi, and noting the MAC address.

Then you can configure the router to assign that MAC address a static IP address. In a world where consumer router firmware didn't often suck that would be fine. I've run into routers that once they have assigned a dynamic IP to a MAC address make it difficult to assign it a static IP address.

It's a lot easier if you can do the static IP assignment in the router before the Pi has ever connected to that network.

If you can mac-whitelist, you might also be able to use 802.1X in some form, and be it just locking to the TPM chip or some other crypto token your device has already.
You have to use the “with desktop” version. I once spent a few hours fighting to get the wifi set up because I was using the “lite” version. The lite version doesn’t react to the wpa_supplicant.conf file.
I don't believe that's true in the most recent versions. I just set up a headless Pi with wpa_supplicant in the boot partition of a Raspbian Lite image that worked well a week or so ago.
Correct, it works fine with Stretch Lite.
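
The headless setup discussed in this thread (wpa_supplicant.conf plus an empty ssh file on the SD card's boot partition), as an added example that is not part of the original thread. The function name, its arguments and the use of config.txt to recognise the boot partition are assumptions made for illustration; the SSID, passphrase and country code are supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the thread). prepare_headless, its arguments and the
# config.txt heuristic are assumptions made for illustration.

# prepare_headless BOOT_DIR SSID PSK COUNTRY
# BOOT_DIR is where the SD card's FAT "boot" partition is mounted on the
# machine preparing the card (the same partition the Pi mounts at /boot).
prepare_headless() {
    boot_dir=$1 ssid=$2 psk=$3 country=$4

    # The thread's pitfall: a /boot directory on the root partition is not the
    # boot partition. The firmware's config.txt lives only on the real one.
    if [ ! -f "$boot_dir/config.txt" ]; then
        echo "error: $boot_dir has no config.txt; not the boot partition?" >&2
        return 1
    fi

    # WPA2 passphrases are 8 to 63 characters.
    len=${#psk}
    if [ "$len" -lt 8 ] || [ "$len" -gt 63 ]; then
        echo "error: passphrase must be 8-63 characters" >&2
        return 1
    fi

    # Quotes or backslashes would break the quoted strings written below.
    case "$ssid$psk" in
        *\"*|*\\*) echo "error: quote or backslash in SSID/passphrase" >&2
                   return 1 ;;
    esac

    # Write to a temporary name first so a failed write leaves no partial file.
    tmp="$boot_dir/wpa_supplicant.conf.tmp"
    cat > "$tmp" <<EOF || return 1
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
country=$country

network={
    ssid="$ssid"
    psk="$psk"
}
EOF
    mv "$tmp" "$boot_dir/wpa_supplicant.conf" || return 1

    # An empty file named "ssh" turns on the SSH server when the Pi boots.
    : > "$boot_dir/ssh"
}
```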