Several updates #4

* Improved offline install docs
* Migrated token mechanism backend to SQL
* Preliminary token mechanism frontend integration
* Add clock skew tolerance for OCSP
* Add 'ldap computer filter' support for Kerberized machine enroll
* Include OCSP and CRL URL-s in certificates, controlled by profile.conf
* Better certificate extension handling
* Place DH parameters file in /etc/ssl/dhparam.pem
* Always talk to CA over port 8443 for 'certidude enroll'
* Hardened frontend nginx config
* Separate log files for frontend nginx
* Better provisioning heuristics
* Add sample site.sh config for LEDE image builder
* Add more device profiles for LEDE image builder
* Various bugfixes and improvements

doc/overlay/etc/uci-defaults/60-cron

@@ -1,6 +1,11 @@
+# Randomize restart time
+OFFSET=$(awk -v min=1 -v max=59 'BEGIN{srand(); print int(min+rand()*(max-min+1))}')
+
+# wtf?! https://wiki.strongswan.org/issues/1501#note-7
 cat << EOF > /etc/crontabs/root
-15 1 * * * sleep 70 && touch /etc/banner && reboot
-10 1 1 */2 * /usr/bin/certidude-enroll-renew
+#$OFFSET 2 * * * sleep 70 && touch /etc/banner && reboot
+$OFFSET 2 * * * ipsec restart
+5 1 1 */2 * /usr/bin/certidude-enroll-renew
 EOF
 
 chmod 0600 /etc/crontabs/root