diff --git a/net/chrony/Makefile b/net/chrony/Makefile index d4d807ea8..ee797e91c 100644 --- a/net/chrony/Makefile +++ b/net/chrony/Makefile @@ -1,6 +1,6 @@ PLUGIN_NAME= chrony -PLUGIN_VERSION= 1.5 -PLUGIN_REVISION= 3 +PLUGIN_VERSION= 1.6 +PLUGIN_REVISION= 0 PLUGIN_COMMENT= Chrony time synchronisation PLUGIN_DEPENDS= chrony PLUGIN_MAINTAINER= m.muenz@gmail.com diff --git a/net/chrony/pkg-descr b/net/chrony/pkg-descr index f38222784..4ba1c7fc6 100644 --- a/net/chrony/pkg-descr +++ b/net/chrony/pkg-descr @@ -4,6 +4,11 @@ better in virtual environments. Plugin Changelog ---------------- +1.6 + +* Add NTS server support (ntsservercert, ntsserverkey, ntsport) +* Add confdir include for custom directives (/usr/local/etc/chrony.opnsense.d/) + 1.5 * Allow adding a fallback NTP when using NTS diff --git a/net/chrony/src/opnsense/mvc/app/controllers/OPNsense/Chrony/forms/general.xml b/net/chrony/src/opnsense/mvc/app/controllers/OPNsense/Chrony/forms/general.xml index 3b6b358ff..e73d4256a 100644 --- a/net/chrony/src/opnsense/mvc/app/controllers/OPNsense/Chrony/forms/general.xml +++ b/net/chrony/src/opnsense/mvc/app/controllers/OPNsense/Chrony/forms/general.xml @@ -45,4 +45,26 @@ true Set the networks allowed to synchronize time with this server. If this value is not set it will also not listen to the port and just synchronize the time for itself. + + header + + + + general.ntsservercert + + text + Absolute path to the TLS certificate chain in PEM format for NTS server mode. The file should include any intermediate certificates needed by clients. Leave empty to disable NTS server. + + + general.ntsserverkey + + text + Absolute path to the TLS private key in PEM format for NTS server mode. + + + general.ntsport + + text + TCP port for the NTS Key Establishment service (default: 4460). Leave empty to use the default. + 
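Review bot: In forms/general.xml the help for `general.ntsserverkey` does not say that the key is required once a certificate is set, nor what access the file needs. As far as I recall, chrony's documentation asks that both files be readable by the user chronyd runs as after dropping privileges, and a private key should not be readable by anyone else. I would extend the help to something like `Absolute path to the TLS private key in PEM format for NTS server mode. Required when a certificate is set; must be readable by the chronyd user and by no other unprivileged account.`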
diff --git a/net/chrony/src/opnsense/mvc/app/models/OPNsense/Chrony/General.xml b/net/chrony/src/opnsense/mvc/app/models/OPNsense/Chrony/General.xml index 08d29de0c..b9697786a 100644 --- a/net/chrony/src/opnsense/mvc/app/models/OPNsense/Chrony/General.xml +++ b/net/chrony/src/opnsense/mvc/app/models/OPNsense/Chrony/General.xml @@ -1,7 +1,7 @@ //OPNsense/chrony/general Chrony configuration - 0.0.2 + 0.0.3 0 @@ -33,5 +33,18 @@ , Y + + N + /^(\/[a-zA-Z0-9._\-]+)+$/ + Must be an absolute file path. + + + N + /^(\/[a-zA-Z0-9._\-]+)+$/ + Must be an absolute file path. + + + N + diff --git a/net/chrony/src/opnsense/scripts/OPNsense/Chrony/setup.sh b/net/chrony/src/opnsense/scripts/OPNsense/Chrony/setup.sh index ad9060012..4b60abdcd 100755 --- a/net/chrony/src/opnsense/scripts/OPNsense/Chrony/setup.sh +++ b/net/chrony/src/opnsense/scripts/OPNsense/Chrony/setup.sh @@ -3,3 +3,7 @@ mkdir -p /var/db/chrony /var/lib/chrony /var/run/chrony chown -R chronyd:chronyd /var/db/chrony /var/lib/chrony /var/run/chrony chmod 750 /var/db/chrony /var/lib/chrony /var/run/chrony + +mkdir -p /usr/local/etc/chrony.opnsense.d +chown root:chronyd /usr/local/etc/chrony.opnsense.d +chmod 750 /usr/local/etc/chrony.opnsense.d diff --git a/net/chrony/src/opnsense/service/templates/OPNsense/Chrony/chrony.conf b/net/chrony/src/opnsense/service/templates/OPNsense/Chrony/chrony.conf index 7cd4f7a16..567eadd5d 100644 --- a/net/chrony/src/opnsense/service/templates/OPNsense/Chrony/chrony.conf +++ b/net/chrony/src/opnsense/service/templates/OPNsense/Chrony/chrony.conf 
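Review bot: In models/General.xml both path masks `/^(\/[a-zA-Z0-9._\-]+)+$/` validate shape only: `.` is in the character class, so `..` segments are accepted, and nothing links the two fields, so a certificate path can be saved without a key. The third new field shows only `N` in this rendering, so its type cannot be confirmed here. Because the template writes it into chrony.conf as-is, it should be a port or bounded integer type (1-65535) rather than free text. I would add a model-level constraint that requires the key whenever the certificate is set, and make the message name the accepted characters, e.g. `Must be an absolute path using only letters, digits, '.', '_' and '-'.`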
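Review bot: In setup.sh the new directory gets `root:chronyd` and mode 750 while the directories above are `chronyd:chronyd`, and the script does not explain the difference. The difference matters, since every `*.conf` in it is included into chrony.conf and the service account should presumably be able to read but not rewrite its own configuration. A comment such as `# root-owned on purpose: chronyd may read included config but must not be able to modify it` would keep a later cleanup from "fixing" it. Files already present in the directory keep whatever mode they had, so it may also be worth noting that they must not be group- or world-writable.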
@@ -33,4 +33,14 @@ allow {{ network }} {% endfor %} {% endif %} +{% if helpers.exists('OPNsense.chrony.general.ntsservercert') and not helpers.empty('OPNsense.chrony.general.ntsservercert') %} +ntsservercert {{ OPNsense.chrony.general.ntsservercert }} +ntsserverkey {{ OPNsense.chrony.general.ntsserverkey }} +{% if helpers.exists('OPNsense.chrony.general.ntsport') and not helpers.empty('OPNsense.chrony.general.ntsport') %} +ntsport {{ OPNsense.chrony.general.ntsport }} +{% endif %} +{% endif %} + +include /usr/local/etc/chrony.opnsense.d/*.conf + {% endif %}
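Review bot: `ntsserverkey` is emitted whenever `ntsservercert` is non-empty, so a configuration with a certificate path but no key renders a bare `ntsserverkey ` line. chronyd will most likely reject that line and refuse to start, which takes time synchronisation down with it. Gate the block on both values by adding ` and helpers.exists('OPNsense.chrony.general.ntsserverkey') and not helpers.empty('OPNsense.chrony.general.ntsserverkey')` to the outer `{% if %}`. Separately, the `include /usr/local/etc/chrony.opnsense.d/*.conf` line pulls in directives that never pass the model's validation, so a comment above it such as `# Files here are included verbatim and are not validated by the GUI; keep the directory writable by root only.` would help. The `{% if %}` closed by the final `{% endif %}` starts outside the hunk.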