diff --git a/ntp/defaults/main.yml b/ntp/defaults/main.yml
new file mode 100644
index 00000000..c48a2dd4
--- /dev/null
+++ b/ntp/defaults/main.yml
@@ -0,0 +1,8 @@
+---
+ntpd_servers:
+- 'pool.ntp.org'
+ntpd_acls:
+- '127.0.0.1'
+- '::1'
+- '-4 ignore'
+- '-6 ignore'
diff --git a/ntp/handlers/main.yml b/ntp/handlers/main.yml
new file mode 100644
index 00000000..333d30de
--- /dev/null
+++ b/ntp/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: restart ntp
+ service:
+ name: ntp
+ state: restarted
diff --git a/ntp/tasks/main.yml b/ntp/tasks/main.yml
new file mode 100644
index 00000000..8536149e
--- /dev/null
+++ b/ntp/tasks/main.yml
@@ -0,0 +1,16 @@
+---
+- name: Install ntp package
+ apt:
+ name: ntp
+ state: present
+ tags:
+ - ntp
+
+- name: Copy ntp config
+ template:
+ src: ntp.conf.j2
+ dest: /etc/ntp.conf
+ mode: "0644"
+ notify: restart ntp
+ tags:
+ - ntp
diff --git a/ntp/templates/ntp.conf.j2 b/ntp/templates/ntp.conf.j2
new file mode 100644
index 00000000..e004ec6a
--- /dev/null
+++ b/ntp/templates/ntp.conf.j2
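Review bot: The last two `ntpd_acls` defaults, `'-4 ignore'` and `'-6 ignore'`, are rendered by ntp.conf.j2 as `restrict -4 ignore` and `restrict -6 ignore`, which carry neither an address nor the `default` keyword. As far as ntp.conf(5) describes the syntax, ntpd will most likely reject those lines instead of applying a default policy, which would leave no default restriction in place for remote hosts. If default-deny was intended the entries would read `'-4 default ignore'` and `'-6 default ignore'`, but as the template's own comment notes, `restrict` also applies to replies from upstream servers, so that default would block the configured `pool.ntp.org` source too. The stock lines left commented out in the template, `'-4 default kod notrap nomodify nopeer noquery'` and its `-6` counterpart, look like the safer defaults here.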
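Review bot: The `Copy ntp config` task in ntp/tasks/main.yml pins `mode: "0644"` but not ownership, so who owns `/etc/ntp.conf` depends on the user the play happens to run as. Adding `owner: root` and `group: root` beside `mode` makes the result explicit and independent of how the role is invoked. Nothing in this file starts or enables the service either, since the `restart ntp` handler only fires when the template changes. A `service` task with `state: started` and `enabled: true` would remove the reliance on the package's post-install behaviour.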
@@ -0,0 +1,39 @@
+# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
+
+driftfile /var/lib/ntp/ntp.drift
+
+# Enable this if you want statistics to be logged.
+#statsdir /var/log/ntpstats/
+
+statistics loopstats peerstats clockstats
+filegen loopstats file loopstats type day enable
+filegen peerstats file peerstats type day enable
+filegen clockstats file clockstats type day enable
+
+# You do need to talk to an NTP server or two (or three).
+#server ntp.your-provider.example
+
+# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
+# pick a different set every time it starts up. Please consider joining the
+# pool:
+
+#server pool.ntp.org
+
+{% for server in ntpd_servers %}
+server {{ server }}
+{% endfor %}
+
+# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
+# details. The web page
+# might also be helpful.
+#
+# Note that "restrict" applies to both servers and clients, so a configuration
+# that might be intended to block requests from certain clients could also end
+# up blocking replies from your own upstream servers.
+
+#restrict -4 default kod notrap nomodify nopeer noquery
+#restrict -6 default kod notrap nomodify nopeer noquery
+
+{% for acl in ntpd_acls %}
+restrict {{ acl }}
+{% endfor %}
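Review bot: The `server {{ server }}` loop combined with the single default entry in `ntpd_servers` gives ntpd one upstream association, and with only one source it has nothing to compare against if that clock is wrong or spoofed. Defaulting `ntpd_servers` in defaults/main.yml to several hosts, such as `0.pool.ntp.org` through `3.pool.ntp.org`, and rendering `server {{ server }} iburst` would give the selection algorithm enough sources to discard an outlier. Separately, the file carries no marker that it is generated, so a hand edit on the host is silently overwritten on the next run. A first line of `# {{ ansible_managed }}` would document that.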