Replace small NTS servers with authoritative providers

[kvinwang]

Summary

• Remove community-run NTS servers (ntp1/ntp2.glypnod.com, nts.teambelgium.net, a.st1.ntp.br, time.bolha.one) that complained about excessive NTS-KE traffic from our fleet
• Replace with authoritative Stratum 1 NTS servers from major institutions:
  • PTB (German national metrology institute): ptbtime2.ptb.de, ptbtime3.ptb.de
  • Netnod (Swedish internet infrastructure): nts.netnod.se, nts.ntp.se
  • SIDN Labs (Dutch .nl registry): ntppool1.time.nl
• Keep existing time.cloudflare.com, ptbtime1.ptb.de, virginia.time.system76.com

All new servers have been tested and verified working with NTS-KE from our network.

Test plan

• Verified all new NTS servers respond correctly with TLS 1.3 NTS-KE handshake
• Confirmed Stratum 1 sync from all PTB, Netnod, and SIDN servers
• Deploy to a test VM and confirm chronyc authdata shows NTS authentication for all sources