diff --git a/roles/float-base/defaults/main.yml b/roles/float-base/defaults/main.yml
index eb35e9a471d1fe0df5332c4f36e206c6da23aaa9..24cef1f5b901502448aab690d602102e1627e4af 100644
--- a/roles/float-base/defaults/main.yml
+++ b/roles/float-base/defaults/main.yml
@@ -1,3 +1,5 @@
+---
+
 admins: []
 enable_ssh: true
 enable_osquery: false
@@ -52,3 +54,11 @@ kernel_lockdown_enabled: false
 enable_serial_port: false
 serial_port_unit: 0
 serial_port_speed: 115200
+
+# NOTE: we specify the `pool` part, because some user will override it and use
+# `server` instead
+ntp_servers:
+  - "pool 0.debian.pool.ntp.org iburst"
+  - "pool 1.debian.pool.ntp.org iburst"
+  - "pool 2.debian.pool.ntp.org iburst"
+  - "pool 3.debian.pool.ntp.org iburst"
diff --git a/roles/float-base/handlers/main.yml b/roles/float-base/handlers/main.yml
index 07b630b118c8ba5957b4dc8b607d9e7d051a6891..6b91a5790acecd18bf2d448175936bb5e9738212 100644
--- a/roles/float-base/handlers/main.yml
+++ b/roles/float-base/handlers/main.yml
@@ -77,3 +77,8 @@
 
 - name: update-grub
   command: /usr/sbin/update-grub
+
+- name: restart ntp
+  systemd:
+    name: ntpsec.service
+    state: restarted
diff --git a/roles/float-base/tasks/main.yml b/roles/float-base/tasks/main.yml
index f090b873c9ab62e61887f6240699a9a919ad3cf0..7fa545d443b359d2e85f29842c5502c387e51509 100644
--- a/roles/float-base/tasks/main.yml
+++ b/roles/float-base/tasks/main.yml
@@ -62,6 +62,8 @@
 
 - import_tasks: debian_misc.yml
 
+- import_tasks: ntp.yml
+
 - import_tasks: syslog.yml
 
 - import_tasks: harden.yml
diff --git a/roles/float-base/tasks/ntp.yml b/roles/float-base/tasks/ntp.yml
new file mode 100644
index 0000000000000000000000000000000000000000..7fedd0fbc2b95fef3d8e6faf3afdbe421c4d4381
--- /dev/null
+++ b/roles/float-base/tasks/ntp.yml
@@ -0,0 +1,8 @@
+---
+
+- name: Configure ntp
+  template:
+    src: "ntp.conf.j2"
+    dest: "/etc/ntpsec/ntp.conf"
+    mode: 0400
+  notify: restart ntp
diff --git a/roles/float-base/templates/ntp.conf.j2 b/roles/float-base/templates/ntp.conf.j2
new file mode 100644
index 0000000000000000000000000000000000000000..2035e6fd77bb9f05cc420855e3001deeff3c5973
--- /dev/null
+++ b/roles/float-base/templates/ntp.conf.j2
@@ -0,0 +1,48 @@
+# /etc/ntpsec/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
+
+driftfile /var/lib/ntpsec/ntp.drift
+leapfile /usr/share/zoneinfo/leap-seconds.list
+
+# To enable Network Time Security support as a server, obtain a certificate
+# (e.g. with Let's Encrypt), configure the paths below, and uncomment:
+# nts cert CERT_FILE
+# nts key KEY_FILE
+# nts enable
+
+# You must create /var/log/ntpsec (owned by ntpsec:ntpsec) to enable logging.
+#statsdir /var/log/ntpsec/
+#statistics loopstats peerstats clockstats
+#filegen loopstats file loopstats type day enable
+#filegen peerstats file peerstats type day enable
+#filegen clockstats file clockstats type day enable
+
+# This should be maxclock 7, but the pool entries count towards maxclock.
+tos maxclock 11
+
+# Comment this out if you have a refclock and want it to be able to discipline
+# the clock by itself (e.g. if the system is not connected to the network).
+tos minclock 4 minsane 3
+
+# Specify one or more NTP servers.
+
+# Public NTP servers supporting Network Time Security:
+# server time.cloudflare.com nts
+
+# pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
+# pick a different set every time it starts up.  Please consider joining the
+# pool: <https://www.pool.ntp.org/join.html>
+{{ ntp_servers | join('\n') }}
+
+# Access control configuration; see /usr/share/doc/ntpsec-doc/html/accopt.html
+# for details.
+#
+# Note that restrict applies to both servers and clients, so a configuration
+# that might be intended to block requests from certain clients could also end
+# up blocking replies from your own upstream servers.
+
+# By default, exchange time with everybody, but don't allow configuration.
+restrict default kod nomodify nopeer noquery limited
+
+# Local users may interrogate the ntp server more closely.
+restrict 127.0.0.1
+restrict ::1