NTPsec
Install prereqs:
sudo apt install -y git build-essential bison libssl-dev libcap-dev \
  libseccomp-dev libavahi-compat-libdnssd-dev pps-tools python-dev
Pull source:
git clone https://github.com/ntpsec/ntpsec
cd ntpsec
Prep:
sudo ./buildprep --ntpviz --doc
Make sure /etc/services has the following:
ntp 123/tcp
ntp 123/udp
Reboot after adding.
Configure and build:
./waf configure --refclock=all ; ./waf build
Install: (as root)
./waf install
Create an ntp service account: (as root)
adduser --system --no-create-home --disabled-login --gecos '' ntp ; addgroup --system ntp; addgroup ntp ntp ; mkdir -p /var/lib/ntp /var/log/ntpstats ; chown -R ntp:ntp /var/lib/ntp /var/log/ntpstats
ntpd.conf
# GPS PPS reference (NTP1)
refclock shm unit 1 refid PPS

# GPS Serial data reference (NTP0)
refclock shm unit 0 refid GPS

# NIST Servers
server time-a.nist.gov
server time-a-wwv.nist.gov
server time-a-b.nist.gov

# By default, exchange time with everybody, but don't allow configuration.
restrict default kod limited nomodify
restrict -6 default kod limited nomodify

# Local users may interrogate the NTP server more closely.
restrict 127.0.0.1
restrict -6 ::1
restrict 172.16.0.0 mask 255.255.252.0

# Drift file etc.
# Ensure that the directory exists, and is writable by whichever user
# the ntpd daemon runs as.
driftfile /var/lib/ntp/ntp.drift

enable stats
statsdir /var/log/ntpstats/
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
ntpd.service
[Unit]
Description=Network Time Service
Documentation=man:ntpd(8)
Wants=network.target
ConditionCapability=CAP_SYS_TIME
After=network.target nss-lookup.target
Conflicts=systemd-timesyncd.service

[Service]
Type=forking
PrivateTmp=true
ExecStart=/usr/local/sbin/ntpd -g -N -u ntp:ntp
# ExecStart=@SBINDIR@/ntpd -g -N -u ntp:ntp
# Specifying -g on the command line allows ntpd to make large adjustments to
# the clock on boot. However, if Restart=yes is set, a malicious (or broken)
# server could send the incorrect time, trip the panic threshold, and when
# ntpd restarts, serve it the incorrect time (which would be accepted).
Restart=no

[Install]
WantedBy=multi-user.target
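The checks below are an added example, not part of the original page or the NTPsec project: a bash script that verifies the /etc/services entries, the restrict default lines, the -g and Restart pairing that the unit file warns about, and the ownership of the ntp directories. The function names are made up for this example, and the paths to ntpd.conf and ntpd.service are passed as arguments because the page does not say where those files are installed.

```bash
#!/bin/bash
# Added example (not from the NTPsec project): checks for the setup on this page.
# Every function takes the file it inspects, so it can be run against a copy.

# /etc/services must list ntp on both 123/tcp and 123/udp.
services_has_ntp() {
    local f=${1:-/etc/services} proto
    for proto in tcp udp; do
        grep -Eq "^ntp[[:space:]]+123/${proto}([[:space:]]|\$)" "$f" || return 1
    done
}

# Every "restrict default" line (IPv4 and -6) must carry nomodify; at least
# one such line must exist.
restrict_default_nomodify() {
    local f=$1 lines
    lines=$(grep -E '^[[:space:]]*restrict[[:space:]]+(-[46][[:space:]]+)?default([[:space:]]|$)' "$f") || return 1
    ! printf '%s\n' "$lines" | grep -Evq '(^|[[:space:]])nomodify([[:space:]]|$)'
}

# The unit file's own warning: -g plus automatic restarts lets a bad time
# source trip the panic threshold and be accepted on the next start.
# Safe when -g is absent, or Restart is "no" or unset (systemd's default).
unit_restart_safe() {
    local f=$1 restart
    grep -Eq '^ExecStart=.*[[:space:]](-[A-Za-z]*g[A-Za-z]*|--panicgate)([[:space:]]|$)' "$f" || return 0
    restart=$(sed -n 's/^Restart=[[:space:]]*//p' "$f" | tail -n 1)
    [ -z "$restart" ] || [ "$restart" = "no" ]
}

# Directory ownership as user:group (GNU stat, as on the Debian-style host above).
dir_owned_by() { [ "$(stat -c '%U:%G' "$1" 2>/dev/null)" = "$2" ]; }

# usage: ntp_audit <path to ntpd.conf> <path to ntpd.service>
ntp_audit() {
    local conf=$1 unit=$2 rc=0 d
    services_has_ntp || { echo "FAIL: /etc/services lacks ntp 123/tcp or 123/udp"; rc=1; }
    restrict_default_nomodify "$conf" || { echo "FAIL: a restrict default line lacks nomodify"; rc=1; }
    unit_restart_safe "$unit" || { echo "FAIL: ExecStart uses -g but Restart is not 'no'"; rc=1; }
    for d in /var/lib/ntp /var/log/ntpstats; do
        dir_owned_by "$d" ntp:ntp || { echo "FAIL: $d is not owned by ntp:ntp"; rc=1; }
    done
    return "$rc"
}

# Runs only when both paths are given on the command line.
if [ "$#" -eq 2 ]; then ntp_audit "$1" "$2"; fi
```

Run it with the two file paths as arguments; it prints one FAIL line per problem and exits non-zero if any check fails.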
ntplogtemp.sh
This script calls the ntplogtemp program to record the temperature from the CPU and RTC. It also cleans up the data by removing one of the duplicate entries and removing the header. Package lm-sensors must be installed.
#!/bin/bash
/usr/local/bin/ntplogtemp -o -l /var/log/ntpstats/temps
sed '/ZONE0/d' -i /var/log/ntpstats/temps
sed '/sensor/d' -i /var/log/ntpstats/temps
sed -i 's/LM0/RTC/g' /var/log/ntpstats/temps
sed -i 's/LM1/CPU/g' /var/log/ntpstats/temps
Run every 5 minutes, via cron:
*/5 * * * * /ntplogtemps.sh >/dev/null 2>&1