diff --git a/roles/ntp-server/tasks/main.yml b/roles/ntp-server/tasks/main.yml
index 3be6a719..e7ccab46 100644
--- a/roles/ntp-server/tasks/main.yml
+++ b/roles/ntp-server/tasks/main.yml
@@ -1,27 +1,27 @@ --- -- name: Install NTP +- name: Install NTPsec apt: update_cache: true - name: ntp + name: ntpsec register: apt_result retries: 3 until: apt_result is succeeded - name: Configure NTP daemon lineinfile: - path: /etc/default/ntp + path: /etc/default/ntpsec regexp: ^NTPD_OPTS - line: NTPD_OPTS='-g -x' + line: NTPD_OPTS='-g -N' check_mode: false -- name: Configure NTP +- name: Configure NTPsec template: src: ntp.conf.j2 - dest: /etc/ntp.conf + dest: /etc/ntpsec/ntp.conf mode: 0644 -- name: Start ntp service +- name: Start ntpsec service systemd: - name: ntp + name: ntpsec enabled: true state: started
diff --git a/roles/ntp-server/templates/ntp.conf.j2 b/roles/ntp-server/templates/ntp.conf.j2
index e2a3eba5..4e10e6a2 100644
--- a/roles/ntp-server/templates/ntp.conf.j2
+++ b/roles/ntp-server/templates/ntp.conf.j2
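Review bot: Neither task that now writes NTPsec configuration (the `lineinfile` on `/etc/default/ntpsec` and the `template` to `/etc/ntpsec/ntp.conf`) notifies a handler, and the last task only asserts `state: started`, so a changed `NTPD_OPTS` or `ntp.conf` is not applied to an already-running `ntpsec` until something else restarts it. Adding `notify: Restart ntpsec` to both configure tasks, with a handler in the role's handlers file doing `systemd: name: ntpsec, state: restarted`, would make the play converge on the new settings. The change from `NTPD_OPTS='-g -x'` to `'-g -N'` drops the slew-only `-x` option, so the daemon may now step the clock on large offsets; a one-line comment on the `lineinfile` task saying this is intentional (it appears to follow the distribution default) would stop the next reader from treating it as accidental. The second task's name still reads `Configure NTP daemon` while its siblings were renamed to NTPsec.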
@@ -1,63 +1,52 @@ {{ ansible_header | comment }} -# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help +# /etc/ntpsec/ntp.conf, configuration for ntpd; see ntp.conf(5) for help -driftfile /var/lib/ntp/ntp.drift - -# Leap seconds definition provided by tzdata +driftfile /var/lib/ntpsec/ntp.drift leapfile /usr/share/zoneinfo/leap-seconds.list -# Enable this if you want statistics to be logged. -#statsdir /var/log/ntpstats/ +# To enable Network Time Security support as a server, obtain a certificate +# (e.g. with Let's Encrypt), configure the paths below, and uncomment: +# nts cert CERT_FILE +# nts key KEY_FILE +# nts enable -statistics loopstats peerstats clockstats -filegen loopstats file loopstats type day enable -filegen peerstats file peerstats type day enable -filegen clockstats file clockstats type day enable +# You must create /var/log/ntpsec (owned by ntpsec:ntpsec) to enable logging. +#statsdir /var/log/ntpsec/ +#statistics loopstats peerstats clockstats +#filegen loopstats file loopstats type day enable +#filegen peerstats file peerstats type day enable +#filegen clockstats file clockstats type day enable +# This should be maxclock 7, but the pool entries count towards maxclock. +tos maxclock 11 + +# Comment this out if you have a refclock and want it to be able to discipline +# the clock by itself (e.g. if the system is not connected to the network). +tos minclock 4 minsane 3 + +# Specify one or more NTP servers. + +# Public NTP servers supporting Network Time Security: +# server time.cloudflare.com nts # pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will # pick a different set every time it starts up. Please consider joining the -# pool: +# pool: pool 0.debian.pool.ntp.org iburst pool 1.debian.pool.ntp.org iburst pool 2.debian.pool.ntp.org iburst pool 3.debian.pool.ntp.org iburst - -# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for -# details. The web page -# might also be helpful. 
+# Access control configuration; see /usr/share/doc/ntpsec-doc/html/accopt.html +# for details. # # Note that "restrict" applies to both servers and clients, so a configuration # that might be intended to block requests from certain clients could also end # up blocking replies from your own upstream servers. # By default, exchange time with everybody, but don't allow configuration. -restrict -4 default kod notrap nomodify nopeer noquery limited -restrict -6 default kod notrap nomodify nopeer noquery limited +restrict default kod nomodify nopeer noquery limited # Local users may interrogate the ntp server more closely. restrict 127.0.0.1 restrict ::1 - -# Needed for adding pool entries -restrict source notrap nomodify noquery - -# Server on adm can sync -{% for cidr in ntp_server.open %} -restrict {{ cidr | ansible.utils.ipaddr('network') }} mask {{ cidr | ansible.utils.ipaddr('netmask') }} notrap nomodify -{% endfor %} - -# Clients from this (example!) subnet have unlimited access, but only if -# cryptographically authenticated. -#restrict 192.168.123.0 mask 255.255.255.0 notrust - - -# If you want to provide time to your local subnet, change the next line. -# (Again, the address is an example only.) -#broadcast 192.168.123.255 - -# If you want to listen to time broadcasts on your local subnet, de-comment the -# next lines. Please do this only if you trust everybody on the network! -#disable auth -#broadcastclient
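Review bot: The removed `{% for cidr in ntp_server.open %}` loop was the only consumer of the role variable `ntp_server.open` in this template, so after this change the variable is silently ignored and hosts in those CIDRs fall under the new `restrict default kod nomodify nopeer noquery limited` line, which still serves time but denies ntpq (mode 6) queries and applies the `limited` rate limiting they previously were exempt from. If that is intended, the variable should be dropped from the role's defaults and documentation in the same change; if not, the per-network `restrict` entries need to be re-added in NTPsec syntax rather than left out. Dropping `restrict source` also means pool-discovered servers are now covered by the default restriction, which I believe matches the Debian-shipped NTPsec configuration, so a short comment above `restrict default` such as `# pool servers are covered by the default restriction; notrap is not supported by ntpsec` would record both decisions for the reader.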