1. Setting up the Raspberry Pi
Download and install Raspbian to the SD card:
sudo dd bs=1m if=2017-07-05-raspbian-jessie-lite.img of=/dev/disk2
If you don't want to plug the Pi into a monitor and would rather run it headless from the beginning, follow my guide here to enable SSH from the SD card. Then log in using the default pi user and run raspi-config to complete the initial setup.
sudo apt-get update ; sudo apt-get upgrade
Part of hardening the Pi is to set up a new user and give it sudo privileges. Remove the default pi user only after you have verified that the new account has superuser privileges. (There have been a few times that I haven't verified sudo of the new account and had to start over.)
sudo useradd jeffrey -s /bin/bash -m -G adm,sudo
sudo passwd jeffrey
Log out, log back in as the new user you set up, and remove the default pi user:
sudo userdel pi
sudo rm -rf /home/pi
2. Configuring NTP
NTP is already installed by default in Raspbian Jessie. You'll want to pick at least 3 different NTP servers for accurate measurements; 5 is even better. This list is a good resource to pick your servers from. Just be sure to pick the ones listed as Open and not Restricted Access, otherwise the NTP query won't work.
Edit the ntp.conf file:
sudo nano /etc/ntp.conf
Make the changes that are bold from my ntp.conf file provided for reference:
# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
driftfile /var/lib/ntp/ntp.drift
# Enable this if you want statistics to be logged.
#statsdir /var/log/ntpstats/
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
# You do need to talk to an NTP server or two (or three).
#server ntp.your-provider.example
server time.nc7j.com
server time-a.timefreq.bldrdoc.gov
server t1.timegps.net
server t2.timegps.net
server timekeeper.isi.edu
# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
# pick a different set every time it starts up. Please consider joining the
# pool: <http://www.pool.ntp.org/join.html>
#0.debian.pool.ntp.org
#1.debian.pool.ntp.org
#2.debian.pool.ntp.org
#3.debian.pool.ntp.org
# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
# details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
# might also be helpful.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.
# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1
# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
#restrict 192.168.123.0 mask 255.255.255.0 notrust
restrict 192.168.1.0 mask 255.255.255.0
# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
#broadcast 192.168.123.255
broadcast 192.168.1.255
# If you want to listen to time broadcasts on your local subnet, de-comment the
# next lines. Please do this only if you trust everybody on the network!
#disable auth
#broadcastclient
Save the file and restart NTP:
sudo /etc/init.d/ntp restart
Test the config and be sure that everything is working by querying the NTP servers listed with:
ntpq -pn
The output should look similar to this:
This lists the IP addresses of the NTP servers you have configured in the ntp.conf file and where they are getting their time from. Because the Pi is a Stratum 2 server, the servers listed are Stratum 1 and are receiving measurements from GPS or NIST.
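The check described above can be automated. This is an added example, not part of the original guide: it parses `ntpq -pn` output and tests it against the guidance here (at least 3 usable upstream servers and one selected as the system peer). The sample output uses constructed documentation-range addresses, and the function names are hypothetical.

```python
# Constructed sample of `ntpq -pn` output (documentation-range addresses, not real servers).
SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.0.2.10      .GPS.            1 u   33   64  377   41.210    0.512   0.233
+192.0.2.20      .NIST.           1 u   30   64  377   55.804   -1.104   0.410
+198.51.100.5    .GPS.            1 u   12   64  177   38.662    0.087   0.198
x198.51.100.9    .GPS.            1 u   40   64  377   60.015   95.300   2.750
 203.0.113.7     .INIT.          16 u    -   64    0    0.000    0.000   0.000
"""

# Tally code in column 1 of each peer row, as documented for ntpq.
TALLY = {"*": "sys.peer", "+": "candidate", "-": "outlier", "x": "falseticker",
         ".": "excess", "#": "selected", "o": "pps.peer", " ": "reject"}

def parse_peers(text):
    """Return one dict per peer row of `ntpq -pn` output."""
    peers = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("remote", "=")):
            continue  # blank line, column header or ==== separator
        tally, fields = line[0], line[1:].split()
        if tally not in TALLY or len(fields) < 10:
            continue  # not a peer row
        peers.append({"remote": fields[0], "stratum": int(fields[2]),
                      "status": TALLY[tally],
                      "reach": int(fields[6], 8)})  # octal register of the last 8 polls
    return peers

def assess(peers, min_usable=3):
    """Check for enough usable upstream servers and a selected system peer."""
    good = ("sys.peer", "candidate", "selected", "pps.peer")
    usable = [p for p in peers if p["reach"] and p["status"] in good]
    problems = []
    if len(usable) < min_usable:
        problems.append(f"only {len(usable)} usable servers, want {min_usable}")
    if not any(p["status"] in ("sys.peer", "pps.peer") for p in peers):
        problems.append("no sys.peer selected; clock is not synchronised")
    for p in peers:
        if p["status"] == "falseticker":
            problems.append(f"{p['remote']} rejected as falseticker")
        elif p["reach"] == 0:
            problems.append(f"{p['remote']} never answered (reach 0)")
    return usable, problems

if __name__ == "__main__":
    usable, problems = assess(parse_peers(SAMPLE))
    print("usable:", [p["remote"] for p in usable])
    print("\n".join("WARN: " + m for m in problems))
```

On the Pi, pass the real output of `ntpq -pn` to `parse_peers` in place of `SAMPLE`.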
To finish, you'll need to point your clients to the new name or IP of the Raspberry Pi to sync the clock.