Fully split ntp and ntpsec configs

And fix ntpsec config to properly work in Debian 12+.

roles/base/tasks/main.yml

@@ -536,7 +536,7 @@
   tags: base-mta
 
 # ntp
-- name: write the NTP config file
+- name: write the NTP config file on Debian < 12
   template:
     src: "{{ item.src }}"
     dest: "{{ item.dest }}"
@@ -544,17 +544,27 @@
     - restart ntp
   with_items:
     - { src: "etc/ntp.conf.j2", dest: "/etc/ntp.conf" }
+  when: debian_version|int < 12
   tags: base-time
 
-- name: add link to ntpsec config on Debian 12+
+- name: write the NTP config file on Debian >= 12
-  file:
+  template:
-    state: link
+    src: "{{ item.src }}"
-    src: /etc/ntp.conf
+    dest: "{{ item.dest }}"
-    dest: /etc/ntpsec/ntp.conf
-    force: yes
-  when: debian_version|int >= 12
   notify:
     - restart ntp
+  with_items:
+    - { src: "etc/ntpsec/ntp.conf.j2", dest: "/etc/ntpsec/ntp.conf" }
+  when: debian_version|int >= 12
+  tags: base-time
+
+- name: clean up old NTP config file on Debian >= 12
+  file:
+    dest: /etc/ntp.conf
+    state: absent
+  notify:
+    - restart ntp
+  when: debian_version|int >= 12
   tags: base-time
 
 # ssl

roles/base/templates/etc/ntpsec/ntp.conf.j2

@@ -0,0 +1,31 @@
+# Main NTP configuration (NTPSEC)
+# {{ ansible_managed }}
+
+driftfile /var/lib/ntpsec/ntp.drift
+statsdir  /var/lib/ntpsec
+
+statistics loopstats peerstats clockstats
+
+filegen loopstats file loopstats type day enable
+filegen peerstats file peerstats type day enable
+filegen clockstats file clockstats type day enable
+
+# Enable orphan mode if cluster cannot connect to the Internet
+tos orphan 6
+server 127.127.1.0
+fudge  127.127.1.0 stratum 10
+
+# NTP masters
+{% for server in ntp_servers %}
+server {{ server }} iburst
+{% endfor %}
+
+# Local PVC cluster
+{% for node in pvc_nodes %}
+peer {{ node.cluster_ip }}  # {{ node.hostname }}.{{ pvc_cluster_domain }}
+{% endfor %}
+
+restrict -4 default nomodify
+restrict -6 default nomodify
+restrict 127.0.0.1
+restrict ::1