diff --git a/hosts b/hosts
index 2894479..e2f4111 100644
--- a/hosts
+++ b/hosts
@@ -58,3 +58,5 @@ smtp0.pyrocufflink.blue
 [smtp-relay:children]
 zabbix-server
+
+[ntpd]
diff --git a/ntp.yml b/ntp.yml
new file mode 100644
index 0000000..6bcd312
--- /dev/null
+++ b/ntp.yml
@@ -0,0 +1,3 @@
+- hosts: ntpd
+  roles:
+    - ntpd
diff --git a/roles/ntpd/handlers/main.yml b/roles/ntpd/handlers/main.yml
new file mode 100644
index 0000000..adf5c93
--- /dev/null
+++ b/roles/ntpd/handlers/main.yml
@@ -0,0 +1,2 @@
+- name: save firewalld configuration
+  command: firewall-cmd --runtime-to-permanent
diff --git a/roles/ntpd/tasks/main.yml b/roles/ntpd/tasks/main.yml
new file mode 100644
index 0000000..0bc3adf
--- /dev/null
+++ b/roles/ntpd/tasks/main.yml
@@ -0,0 +1,34 @@
+- name: load distribution-specific values
+  include_vars: '{{ item }}'
+  with_first_found:
+    - '{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml'
+    - '{{ ansible_distribution }}.yml'
+    - '{{ ansible_os_family }}.yml'
+    - defaults.yml
+
+- name: ensure ntpd is installed
+  package:
+    name={{ ntpd_required_packages|join(',') }}
+    state=present
+  tags:
+    - install
+
+- name: ensure ntpd starts at boot
+  service:
+    name={{ ntpd_svc }}
+    enabled=yes
+- meta: flush_handlers
+- name: ensure ntpd is running
+  service:
+    name={{ ntpd_svc }}
+    state=started
+
+- name: ensure ntpd is allowed in the firewall
+  firewalld:
+    service=ntp
+    state=enabled
+    permanent=no
+    immediate=yes
+  notify: save firewalld configuration
+  tags:
+    - firewalld
diff --git a/roles/ntpd/templates/ntp.conf.j2 b/roles/ntpd/templates/ntp.conf.j2
new file mode 100644
index 0000000..98e1299
--- /dev/null
+++ b/roles/ntpd/templates/ntp.conf.j2
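Review bot: The new play in ntp.yml sets no `become`, yet the ntpd role it applies installs packages, manages a system service and changes firewalld rules, all of which need root. If privilege escalation is not configured globally in ansible.cfg or the inventory (neither is visible here), add `  become: yes` under `- hosts: ntpd` so the play does not fail on the first `package` task.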
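Review bot: `firewall-cmd --runtime-to-permanent` in the new `save firewalld configuration` handler persists every runtime change currently present in firewalld, not just the ntp service that the `ensure ntpd is allowed in the firewall` task in roles/ntpd/tasks/main.yml added, so any unrelated temporary opening on the host at that moment becomes permanent as well. Being a `command` task, it also reports changed on every run in which it is triggered. The firewalld module can persist its own change: set `permanent=yes` alongside `immediate=yes` in that task and drop the handler and the `notify`.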
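Review bot: Nothing in roles/ntpd/tasks/main.yml renders roles/ntpd/templates/ntp.conf.j2 — there is no `template` task — so the `restrict default ... noquery` hardening the commit ships in that template is never written to the host and ntpd runs with whatever configuration the package installs. A task between the install and service tasks such as `- name: ensure ntpd is configured`, `  template: src=ntp.conf.j2 dest=/etc/ntp.conf`, `  notify: restart ntpd`, with a matching `restart ntpd` handler (`service: name={{ ntpd_svc }} state=restarted`), would apply it and pick up later edits. The `- meta: flush_handlers` between the enable and start tasks currently has nothing to flush, because the only handler is notified by the later firewalld task; once a restart handler exists, that placement is where it should run, and a one-line comment saying so would make the intent clear.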
@@ -0,0 +1,48 @@
+# For more information about this file, see the ntp.conf(5) man page.
+
+# Record the frequency of the system clock.
+driftfile /var/lib/ntp/drift
+
+# Permit time synchronization with our time source, but do not
+# permit the source to query or modify the service on this system.
+restrict default nomodify notrap nopeer noepeer noquery
+
+# Permit association with pool servers.
+restrict source nomodify notrap noepeer noquery
+
+# Permit all access over the loopback interface. This could
+# be tightened as well, but to do so would effect some of
+# the administrative functions.
+restrict 127.0.0.1
+restrict ::1
+
+# Hosts on local network are less restricted.
+#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
+
+# Use public servers from the pool.ntp.org project.
+# Please consider joining the pool (http://www.pool.ntp.org/join.html).
+pool 2.fedora.pool.ntp.org iburst
+
+# Reduce the maximum number of servers used from the pool.
+tos maxclock 5
+
+# Enable public key cryptography.
+#crypto
+
+includefile /etc/ntp/crypto/pw
+
+# Key file containing the keys and key identifiers used when operating
+# with symmetric key cryptography.
+keys /etc/ntp/keys
+
+# Specify the key identifiers which are trusted.
+#trustedkey 4 8 42
+
+# Specify the key identifier to use with the ntpdc utility.
+#requestkey 8
+
+# Specify the key identifier to use with the ntpq utility.
+#controlkey 8
+
+# Enable writing of statistics records.
+#statistics clockstats cryptostats loopstats peerstats
diff --git a/roles/ntpd/vars/defaults.yml b/roles/ntpd/vars/defaults.yml
new file mode 100644
index 0000000..0a21fcc
--- /dev/null
+++ b/roles/ntpd/vars/defaults.yml
@@ -0,0 +1,3 @@
+ntpd_required_packages:
+- ntp
+ntpd_svc: ntpd
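Review bot: The file carries a .j2 suffix but contains no Jinja expressions, so `pool 2.fedora.pool.ntp.org iburst` is hard-coded for every host, including any non-Fedora ones that the `with_first_found` lookup in roles/ntpd/tasks/main.yml is written to support. Exposing the upstreams as a role variable, e.g. `{% for server in ntpd_servers %}` / `pool {{ server }} iburst` / `{% endfor %}` with a default list in roles/ntpd/vars/defaults.yml, would make it a real template. The `restrict default ... noquery` and `restrict source ... noquery` lines are the security-relevant part of the file and are correct as written; a short comment stating that `noquery` deliberately blocks remote `ntpq`/`ntpdc` status queries would keep a future maintainer from loosening them to "fix" monitoring.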
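Review bot: roles/ntpd/vars/defaults.yml is loaded through `include_vars`, which sits near the top of Ansible's variable precedence, so `ntpd_required_packages` and `ntpd_svc` cannot be overridden from inventory or play vars despite the file being named `defaults.yml`. If per-host overrides are wanted, the fallback values belong in roles/ntpd/defaults/main.yml and only the distribution-specific files in `with_first_found` should stay under vars/; otherwise a one-line comment at the top of the file noting that these values are fixed would save confusion.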