Use tldsate instead of ntp #24

beaglebone.txt

@@ -1,7 +1,7 @@
 #+TITLE: FreedomBone
 #+AUTHOR: Bob Mottram
 #+EMAIL: bob@robotics.uk.to
-#+KEYWORDS: freedombox, debian, beaglebone, friendica, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber, chat
+#+KEYWORDS: freedombox, debian, beaglebone, friendica, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber
 #+DESCRIPTION: Turn the Beaglebone Black into a personal communications server
 #+OPTIONS: ^:nil
 #+STYLE: <link rel="stylesheet" type="text/css" href="index.css" />
@@ -690,12 +690,212 @@ hostname -f
 
 it should return your domain name.
 
-** Install NTP
+** Install time synchronisation
 
-To synchronise time.
+#+BEGIN_VERSE
+/You may delay, but time will not./
+
+-- Benjamin Franklin
+#+END_VERSE
+
+It's convenient to have the clock on your server automatically synchronised with other servers on the internet so that you don't need to set the clock manually.
+
+First install some prerequisites.
+
+#+BEGIN_SRC: bash
+apt-get install build-essential automake git
+#+END_SRC
+
+Now download and install tlsdate.
+
+#+BEGIN_SRC: bash
+cd /tmp
+git clone https://github.com/ioerror/tlsdate.git
+cd tlsdate
+./autogen.sh
+./configure
+make
+make install
+#+END_SRC
+
+Create an init script.
+
+#+BEGIN_SRC: bash
+emacs /etc/init.d/tlsdated
+#+END_SRC
+
+Add the following:
+
+#+BEGIN_SRC: bash
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides:          tlsdate
+# Required-Start:    $network $local_fs $remote_fs
+# Required-Stop:     $local_fs $remote_fs
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: secure parasitic rdate replacement
+# Description:       tlsdate sets the local clock by securely connecting with
+#                    TLS to remote servers and extracting the remote time out
+#                    of the secure handshake. Unlike ntpdate, tlsdate uses
+#                    TCP, for instance connecting to a remote HTTPS or TLS
+#                    enabled service, and provides some protection against
+#                    adversaries that try to feed you malicious time
+#                    information.
+#
+### END INIT INFO
+
+# Author: Jacob Appelbaum <jacob@appelbaum.net>
+
+# PATH should only include /usr/* if it runs after the mountnfs.sh script
+PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin
+DESC="secure parasitic rdate replacement daemon"
+NAME=tlsdated
+DAEMON=/usr/local/sbin/tlsdated
+DAEMON_ARGS=""
+PIDFILE=/var/run/$NAME.pid
+SCRIPTNAME=/etc/init.d/$NAME
+
+# Exit if the package is not installed
+[ -x $DAEMON ] || exit 0
+
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+
+# Load the VERBOSE setting and other rcS variables
+. /lib/init/vars.sh
+
+# Define LSB log_* functions.
+# Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
+. /lib/lsb/init-functions
+
+#
+# Function that starts the daemon/service
+#
+do_start()
+{
+    # Return
+    #   0 if daemon has been started
+    #   1 if daemon was already running
+    #   2 if daemon could not be started
+    start-stop-daemon --background --start --quiet --pidfile $PIDFILE \
+		--exec $DAEMON --test > /dev/null \
+        || return 1
+    start-stop-daemon --background --start --quiet --pidfile $PIDFILE \
+		--exec $DAEMON -- \
+        $DAEMON_ARGS \
+        || return 2
+    # Add code here, if necessary, that waits for the process to be ready
+    # to handle requests from services started subsequently which depend
+    # on this one.  As a last resort, sleep for some time.
+}
+
+#
+# Function that stops the daemon/service
+#
+do_stop()
+{
+    # Return
+    #   0 if daemon has been stopped
+    #   1 if daemon was already stopped
+    #   2 if daemon could not be stopped
+    #   other if a failure occurred
+    start-stop-daemon --stop --quiet --retry=TERM/5/KILL/1 --pidfile $PIDFILE \
+		--name $NAME
+        RETVAL="$?"
+        [ "$RETVAL" = 2 ] && return 2
+    # Wait for children to finish too if this is a daemon that forks
+    # and if the daemon is only ever run from this initscript.
+    # If the above conditions are not satisfied then add some other code
+    # that waits for the process to drop all resources that could be
+    # needed by services started subsequently.  A last resort is to
+    # sleep for some time.
+    start-stop-daemon --stop --quiet --oknodo --retry=0/5/KILL/5 --exec $DAEMON
+        [ "$?" = 2 ] && return 2
+        # Many daemons don't delete their pidfiles when they exit.
+        rm -f $PIDFILE
+        return "$RETVAL"
+}
+
+#
+# Function that sends a SIGHUP to the daemon/service
+#
+do_reload() {
+    #
+    # If the daemon can reload its configuration without
+    # restarting (for example, when it is sent a SIGHUP),
+    # then implement that here.
+    #
+    start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
+    return 0
+}
+
+case "$1" in
+  start)
+    [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC " "$NAME"
+    do_start
+    case "$?" in
+         0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+              2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+              esac
+  ;;
+  stop)
+  [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
+  do_stop
+  case "$?" in
+       0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+            2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+            esac
+            ;;
+  status)
+       status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
+       ;;
+  #reload|force-reload)
+  #
+  # If do_reload() is not implemented then leave this commented out
+  # and leave 'force-reload' as an alias for 'restart'.
+  #
+  #log_daemon_msg "Reloading $DESC" "$NAME"
+  #do_reload
+  #log_end_msg $?
+  #;;
+  restart|force-reload)
+  #
+  # If the "reload" option is implemented then remove the
+  # 'force-reload' alias
+  #
+  log_daemon_msg "Restarting $DESC" "$NAME"
+  do_stop
+  case "$?" in
+    0|1)
+        do_start
+        case "$?" in
+            0) log_end_msg 0 ;;
+            1) log_end_msg 1 ;; # Old process is still running
+            *) log_end_msg 1 ;; # Failed to start
+            esac
+        ;;
+    *)
+    # Failed to stop
+    log_end_msg 1
+    ;;
+    esac
+    ;;
+  *)
+  echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
+  exit 3
+  ;;
+esac
+
+:
+#+END_SRC
+
+Save and exit, then start the daemon.
 
 #+BEGIN_SRC: bash
-apt-get install ntp
+chmod +x /etc/init.d/tlsdated
+update-rc.d tlsdated defaults
+service tlsdated start
 #+END_SRC
 
 ** Install fail2ban