diff --git a/index.ts b/index.ts
index 1da3715..859c5f1 100644
--- a/index.ts
+++ b/index.ts
@@ -11,6 +11,7 @@ import { setupKernel } from "./kernel.js";
 import { runQemu } from "./qemu.js";
 import { Runit } from "./runit/index.js";
 import { setupDhcpcd } from "./services/dhcpcd.js";
+import { setupNtpsec } from "./services/ntpsec.js";
 
 if (process.argv[2] === "generate-secrets") {
   await generateForgejoSecretsFile();
@@ -32,6 +33,7 @@ if (process.argv[2] === "generate-secrets") {
   await alpine.addPackages(["helix", "iproute2-ss", "socat"]);
   const runit = await Runit.setup(alpine);
   await setupDhcpcd(alpine, runit);
+  await setupNtpsec(alpine, runit);
   await setupForgejo(alpine, runit);
 
   const kernel = await setupKernel(alpine, kernelDir);
diff --git a/services/ntpsec.ts b/services/ntpsec.ts
new file mode 100644
index 0000000..db313e6
--- /dev/null
+++ b/services/ntpsec.ts
@@ -0,0 +1,53 @@
+import { Alpine } from "../alpine.js";
+import { sudoWriteFile } from "../helpers/sudo.js";
+import { Runit } from "../runit/index.js";
+
+export async function setupNtpsec(alpine: Alpine, runit: Runit) {
+  await alpine.addPackages(["ntpsec"]);
+
+  // In the ntpsec-doc package, open in browser:
+  // file:///usr/share/doc/ntpsec/quick.html
+  // file:///usr/share/doc/ntpsec/NTS-QuickStart.html
+  // XXX: revisar driftfile, creo que tiene que poder escribir pero está readonly
+  await sudoWriteFile(
+    alpine.path("/etc/ntp.conf"),
+    `
+driftfile /var/lib/ntp/ntp.drift
+
+restrict default kod limited nomodify nopeer noquery
+restrict 127.0.0.1
+restrict ::1
+
+# https://gist.github.com/jauderho/2ad0d441760fc5ed69d8d4e2d6b35f8d
+
+server time.cloudflare.com nts iburst
+server nts.ntp.se nts iburst
+
+# https://nts.time.nl/
+server ntppool1.time.nl nts iburst
+server ntppool2.time.nl nts iburst
+
+# https://system76.com/time/
+server paris.time.system76.com nts iburst
+server brazil.time.system76.com nts iburst
+
+# https://www.netnod.se/netnod-time/how-to-use-nts
+server sth1.nts.netnod.se nts iburst
+server sth2.nts.netnod.se nts iburst
+
+# https://ntp.br/guia/linux/
+server a.st1.ntp.br nts iburst
+server b.st1.ntp.br nts iburst
+server c.st1.ntp.br nts iburst
+server d.st1.ntp.br nts iburst
+server gps.ntp.br nts iburst
+`
+  );
+
+  await runit.addService(
+    "ntpsec",
+    `#!/bin/sh
+exec ntpd --nice --nofork --panicgate
+`
+  );
+}
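Review bot: The `// XXX` line above `sudoWriteFile` leaves the driftfile problem open and states it in Spanish: ntpd periodically writes `/var/lib/ntp/ntp.drift`, and the comment itself says that location is read-only, so the measured frequency offset is never persisted and each boot starts from a cold drift estimate; either point `driftfile` at a path the `ntp` user can write or make that directory writable, and keep the note in English until it is resolved, e.g. `// XXX: check driftfile — ntpd must be able to write it, but the path is currently read-only`. A related caveat for the `nts` server lines: NTS key exchange validates each server's TLS certificate, so the image needs a CA bundle, yet `addPackages` lists only `ntpsec`; if the `ntpsec` package does not pull in `ca-certificates` on Alpine (worth confirming), every NTS association will fail certificate validation and the clock will never sync. The `restrict default kod limited nomodify nopeer noquery` line is a sound default for a client-only host, so the exposure of the daemon on the network is already minimal. Since this is an exported setup step, annotating it as `Promise<void>` would match the file's other typed signatures.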