diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml
index a13792dab9b7d216427e296eced01dcc515cd924..adf22ea0ba74fcdc7ffd02b81c35aca663f3c8d7 100644
--- a/roles/common/defaults/main.yml
+++ b/roles/common/defaults/main.yml
@@ -17,6 +17,7 @@ pip_check_requirements:
   - first==2.0.1
   - pip-tools==1.9.0
   - six==1.10.0
+ntp_servers: []
 
 # Internal use only.
 prompt_colour_mapping:
@@ -36,4 +37,4 @@ prompt_colour_mapping:
   light_purple: "1;35"
   light_cyan: "1;36"
   white: "1;37"
-  none: "0"
\ No newline at end of file
+  none: "0"
diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
index cc55d53fcccb4486b978e510a23ee32d92b4bea8..e280c3de897d69728864a068cdb999fe3c4f50e9 100644
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@@ -38,3 +38,8 @@
     #   run the handlers manually as a way to bring the system to consistency
     #   after interrupted runs.
     - skip_ansible_lint
+
+- name: Restart NTP server
+  service:
+    name: ntp
+    state: restarted
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 327dc6c3b7d15dd3acc62513e72e73eccc589f3b..6351b925c5fa74d2a67c97de59035aadcd3c2e9d 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -389,6 +389,25 @@
     group: root
     mode: 0644
 
+- name: Install NTP packages
+  apt:
+    name:
+      - ntp
+      - ntpdate
+    state: installed
+  when: ntp_servers
+
+- name: Deploy NTP configuration
+  template:
+    src: "ntp.conf.j2"
+    dest: "/etc/ntp.conf"
+    owner: root
+    group: root
+    mode: 0644
+  when: ntp_servers
+  notify:
+    - Restart NTP server
+
 - name: Explicitly run all handlers
   include: ../handlers/main.yml
   when: "handlers | default(False) | bool() == True"
diff --git a/roles/common/templates/ntp.conf.j2 b/roles/common/templates/ntp.conf.j2
new file mode 100644
index 0000000000000000000000000000000000000000..441ac250409be6e846fafd1dd8f981ca0db70934
--- /dev/null
+++ b/roles/common/templates/ntp.conf.j2
@@ -0,0 +1,53 @@
+# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
+
+driftfile /var/lib/ntp/ntp.drift
+
+
+# Enable this if you want statistics to be logged.
+#statsdir /var/log/ntpstats/
+
+statistics loopstats peerstats clockstats
+filegen loopstats file loopstats type day enable
+filegen peerstats file peerstats type day enable
+filegen clockstats file clockstats type day enable
+
+
+# You do need to talk to an NTP server or two (or three).
+#server ntp.your-provider.example
+
+# pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
+# pick a different set every time it starts up.  Please consider joining the
+# pool: <http://www.pool.ntp.org/join.html>
+{% for server in ntp_servers %}
+server {{ server }} iburst
+{% endfor %}
+
+# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
+# details.  The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
+# might also be helpful.
+#
+# Note that "restrict" applies to both servers and clients, so a configuration
+# that might be intended to block requests from certain clients could also end
+# up blocking replies from your own upstream servers.
+
+# By default, exchange time with everybody, but don't allow configuration.
+restrict -4 default kod notrap nomodify nopeer noquery
+restrict -6 default kod notrap nomodify nopeer noquery
+
+# Local users may interrogate the ntp server more closely.
+restrict 127.0.0.1
+restrict ::1
+
+# Clients from this (example!) subnet have unlimited access, but only if
+# cryptographically authenticated.
+#restrict 192.168.123.0 mask 255.255.255.0 notrust
+
+
+# If you want to provide time to your local subnet, change the next line.
+# (Again, the address is an example only.)
+#broadcast 192.168.123.255
+
+# If you want to listen to time broadcasts on your local subnet, de-comment the
+# next lines.  Please do this only if you trust everybody on the network!
+#disable auth
+#broadcastclient
diff --git a/roles/common/tests/test_parameters_optional.py b/roles/common/tests/test_parameters_optional.py
index 89c405877be2704dc5dd14cef5b846147acbbbec..5ffc9474cd9b2ce04cc7ee5b985cf66cac8a2829 100644
--- a/roles/common/tests/test_parameters_optional.py
+++ b/roles/common/tests/test_parameters_optional.py
@@ -320,12 +320,25 @@ def test_ntp_server_configuration(File, Sudo):
 
         # Ensure querying of server is disable for untrusted clients.
         restrictions = [c for c in configuration if c.startswith('restrict')]
-        expected_restrictions = ["restrict -4 default kod notrap nomodify nopeer noquery notrust",
-                                 "restrict -6 default kod notrap nomodify nopeer noquery notrust"]
+        expected_restrictions = ["restrict -4 default kod notrap nomodify nopeer noquery",
+                                 "restrict -6 default kod notrap nomodify nopeer noquery",
+                                 "restrict 127.0.0.1",
+                                 "restrict ::1"]
 
         assert sorted(restrictions) == sorted(expected_restrictions)
 
 
+def test_ntp_query_server_count(Command):
+
+    # Two lines for headers, and one line per configured server.
+    expected_stdout_line_count = 5
+
+    ntpq = Command("ntpq -p -n")
+
+    assert ntpq.rc == 0
+    assert len(ntpq.stdout.split("\n")) == expected_stdout_line_count
+
+
 def test_ntp_listening_interfaces(Socket):
     """
     Tests if NTP server is listening on correct ports.