diff --git a/etc/chrony/chrony.conf b/etc/chrony/chrony.conf
index 1ecccaab..b66ac055 100644
--- a/etc/chrony/chrony.conf
+++ b/etc/chrony/chrony.conf
@@ -1,5 +1,3 @@
-# For some reason Debian doesn't ship this line by default, so it needs to
-# be added by user and after that hopefully not conflict with package
-# manager
-# Requires Chrony 4.0
-confdir /etc/chrony/chrony.d
+# Debian's Chrony 4.0-4~bpo10+1 brings in these lines which require 4.0
+confdir /etc/chrony/conf.d
+sourcedir /etc/chrony/sources.d
diff --git a/etc/chrony/conf.d/allow-local.conf b/etc/chrony/conf.d/allow-local.conf
new file mode 100644
index 00000000..0f318d75
--- /dev/null
+++ b/etc/chrony/conf.d/allow-local.conf
@@ -0,0 +1,3 @@
+# Allowing access from LAN:
+allow 192.168
+allow fe80::/10
diff --git a/etc/chrony/conf.d/allow-yggdrasil.conf b/etc/chrony/conf.d/allow-yggdrasil.conf
new file mode 100644
index 00000000..b5b7ac24
--- /dev/null
+++ b/etc/chrony/conf.d/allow-yggdrasil.conf
@@ -0,0 +1,5 @@
+# https://yggdrasil-network.github.io/
+
+# Yggdrasil should protect from spoofing so this should be OK
+# ufw allow from 0200::/7 to any port 123 proto udp
+allow 0200::/7
diff --git a/etc/chrony/chrony.d/hwtimestamp.conf b/etc/chrony/conf.d/hwtimestamp.conf
similarity index 100%
rename from etc/chrony/chrony.d/hwtimestamp.conf
rename to etc/chrony/conf.d/hwtimestamp.conf
diff --git a/etc/chrony/chrony.d/log.conf b/etc/chrony/conf.d/log.conf
similarity index 100%
rename from etc/chrony/chrony.d/log.conf
rename to etc/chrony/conf.d/log.conf
diff --git a/etc/chrony/conf.d/ntsdumpdir.conf b/etc/chrony/conf.d/ntsdumpdir.conf
new file mode 100644
index 00000000..7bcb526e
--- /dev/null
+++ b/etc/chrony/conf.d/ntsdumpdir.conf
@@ -0,0 +1,5 @@
+# NTS requires Chrony 4.0
+
+# This line should be added if it's not in main chrony.conf to save NTS
+# cookies and not always make NTS-KE request on start
+ntsdumpdir /var/lib/chrony
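Review bot: The new `sourcedir /etc/chrony/sources.d` line changes what the renamed `*.sources` files may contain — chrony documents that a sourcedir only accepts `server`, `pool` and `peer` directives — and the comment above it does not record this, even though it is the reason the `allow` lines are being moved into conf.d in this same commit. A one-line reminder would stop the next edit from putting an `allow` or `ratelimit` back into sources.d, e.g. `# sources.d/*.sources may only hold server/pool/peer; everything else goes in conf.d`. Whether the packaged chrony.conf for 4.0-4~bpo10+1 really ships both directives is not visible from the diff, so I would phrase the first comment as what this file deliberately keeps rather than what the package "brings in".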
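Review bot: `allow 192.168` on the second line of allow-local.conf opens NTP service to the whole 192.168.0.0/16 block, which is far wider than one LAN; if this host is ever attached to a network it does not control inside that space, every peer there gets served. Narrowing to the subnet actually in use (for example `allow 192.168.1.0/24`, a constructed placeholder) keeps the intent while limiting exposure. Unlike allow-yggdrasil.conf, this file says nothing about whether the host firewall passes UDP/123 from these ranges, and chrony's `allow` alone does not open it, so a comment stating the expected firewall state would help whoever debugs "clients cannot sync" later.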
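Review bot: `allow 0200::/7` on the last line of allow-yggdrasil.conf grants NTP service to the entire Yggdrasil address space, i.e. every node on the overlay, not only the peers this host knows — the spoofing remark above it covers source authenticity, not reach. Unless a public server is intended, I would either narrow the prefix to the peers actually served or add `ratelimit` (chrony's defaults) next to it in conf.d so one busy or abusive client cannot turn chronyd into a traffic sink, and reword the comment to `# 0200::/7 is all of Yggdrasil, not just local peers; ratelimit keeps abuse bounded`. The ufw line is only a comment, so whether UDP/123 is actually reachable from that prefix depends on firewall state outside this diff.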
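Review bot: The comment on lines 3–4 of ntsdumpdir.conf says the directive "should be added if it's not in main chrony.conf", but the file adds `ntsdumpdir /var/lib/chrony` unconditionally, so a reader cannot tell whether that was checked; if chrony.conf also sets it the two just shadow each other in parse order (I believe the last one read wins — worth confirming), which is harmless, but the comment should state the decision rather than the condition. I would rewrite it as `# Kept here even if chrony.conf also sets it: persisting NTS keys/cookies avoids a fresh NTS-KE handshake on every start`. Because this directory holds NTS key material, it also matters that it is owned by and readable only by the user chronyd runs as (on Debian that is `_chrony`, if I recall correctly); the diff cannot show that, so a short note on the expected ownership would help the next reader.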
diff --git a/etc/chrony/chrony.d/dna-moi.conf b/etc/chrony/sources.d/dna-moi.sources
similarity index 100%
rename from etc/chrony/chrony.d/dna-moi.conf
rename to etc/chrony/sources.d/dna-moi.sources
diff --git a/etc/chrony/chrony.d/elisa.conf b/etc/chrony/sources.d/elisa.sources
similarity index 100%
rename from etc/chrony/chrony.d/elisa.conf
rename to etc/chrony/sources.d/elisa.sources
diff --git a/etc/chrony/chrony.d/finland.conf b/etc/chrony/sources.d/finland.sources
similarity index 100%
rename from etc/chrony/chrony.d/finland.conf
rename to etc/chrony/sources.d/finland.sources
diff --git a/etc/chrony/chrony.d/hetzner.conf b/etc/chrony/sources.d/hetzner.sources
similarity index 100%
rename from etc/chrony/chrony.d/hetzner.conf
rename to etc/chrony/sources.d/hetzner.sources
diff --git a/etc/chrony/chrony.d/local-servers.conf b/etc/chrony/sources.d/local-servers.sources
similarity index 81%
rename from etc/chrony/chrony.d/local-servers.conf
rename to etc/chrony/sources.d/local-servers.sources
index 024f4365..80cdf859 100644
--- a/etc/chrony/chrony.d/local-servers.conf
+++ b/etc/chrony/sources.d/local-servers.sources
@@ -1,4 +1,4 @@
-# See below, xleave probably won't be on local router
+# xleave probably won't be on local router
 #server LOCALMACHINE.local iburst auto_offline xleave prefer
 
 # Or alternatively reciprocally TODO: how do `key` options work? This
@@ -9,7 +9,3 @@
 # rather than peer, I think even Chrony manual and that is where I took
 # trusted LAN
 #peer LOCALMACHINE.local auto_offline xleave prefer
-
-# Allowing access from LAN:
-#allow 192.168
-#allow fe80::/10
diff --git a/etc/chrony/chrony.d/nts-servers.conf b/etc/chrony/sources.d/nts-servers.sources
similarity index 63%
rename from etc/chrony/chrony.d/nts-servers.conf
rename to etc/chrony/sources.d/nts-servers.sources
index 0f3662aa..ef48f6a7 100644
--- a/etc/chrony/chrony.d/nts-servers.conf
+++ b/etc/chrony/sources.d/nts-servers.sources
@@ -1,7 +1,4 @@
 # NTS requires Chrony 4.0
 
-# This line should be added if it's not in main chrony.conf
-#ntsdumpdir /var/lib/chrony
-
 # Cloudflare NTS, anycast, works probably anywhere. No leap second smearing.
 pool time.cloudflare.com maxsources 2 iburst nts
diff --git a/etc/chrony/chrony.d/telia.conf b/etc/chrony/sources.d/telia.sources
similarity index 100%
rename from etc/chrony/chrony.d/telia.conf
rename to etc/chrony/sources.d/telia.sources
diff --git a/etc/chrony/chrony.d/yggdrasil.conf b/etc/chrony/sources.d/yggdrasil.sources
similarity index 84%
rename from etc/chrony/chrony.d/yggdrasil.conf
rename to etc/chrony/sources.d/yggdrasil.sources
index bd526ab2..b86e53b9 100644
--- a/etc/chrony/chrony.d/yggdrasil.conf
+++ b/etc/chrony/sources.d/yggdrasil.sources
@@ -1,9 +1,5 @@
 # https://yggdrasil-network.github.io/
 
-# Yggdrasil should protect from spoofing so this should be OK
-# ufw allow from 0200::/7 to any port 123 proto udp
-allow 0200::/7
-
 # Maybe Yggdrasils should have auto_offline in general?
 # iburst - everything has it