diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index 5c36c0c..77fddd3 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -1,7 +1,10 @@
 ---
+profiles::ntp::client::ntp_role: 'roles::infra::ntp::server'
 profiles::ntp::client::peers:
- - ntp01.main.unkin.net
- - ntp02.main.unkin.net
+ - 0.pool.ntp.org
+ - 1.pool.ntp.org
+ - 2.pool.ntp.org
+ - 3.pool.ntp.org
 profiles::base::puppet_servers:
 - 'prodinf01n01.main.unkin.net'
diff --git a/hieradata/roles/infra/ntpserver.yaml b/hieradata/roles/infra/ntp/server.yaml
similarity index 100%
rename from hieradata/roles/infra/ntpserver.yaml
rename to hieradata/roles/infra/ntp/server.yaml
diff --git a/hieradata/roles/puppet/puppetmaster.yaml b/hieradata/roles/puppet/puppetmaster.yaml
index 931b916..25403d8 100644
--- a/hieradata/roles/puppet/puppetmaster.yaml
+++ b/hieradata/roles/puppet/puppetmaster.yaml
@@ -9,7 +9,7 @@ profiles::puppet::autosign::domains:
 # - 'somenode.main.unkin.net'
 profiles::puppet::enc::repo: https://git.unkin.net/unkinben/puppet-enc.git
-profiles::puppet::enc::release: '0.6'
+profiles::puppet::enc::release: '0.7.1'
 profiles::puppet::enc::force: true
 profiles::puppet::r10k::r10k_repo: https://git.unkin.net/unkinben/puppet-r10k.git
 profiles::puppet::g10k::bin_path: '/opt/puppetlabs/bin/g10k'
diff --git a/site/profiles/manifests/ntp/client.pp b/site/profiles/manifests/ntp/client.pp
index 0429266..e3c90a7 100644
--- a/site/profiles/manifests/ntp/client.pp
+++ b/site/profiles/manifests/ntp/client.pp
@@ -2,6 +2,10 @@
 # use exported resources from profiles::ntp::server if they are available
 class profiles::ntp::client (
 Array $peers,
+ Variant[
+ String,
+ Undef
+ ] $ntp_role = undef,
 Boolean $wait_enable = true,
 Enum[
 'running',
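Review bot: In hieradata/common.yaml the four pool.ntp.org entries under `profiles::ntp::client::peers` look unused for every node that inherits this file, because the same hunk sets `profiles::ntp::client::ntp_role` and the client.pp change in this commit reads `$peers` only when `$ntp_role` is undef. If they are meant as a fallback, or as the upstream for the NTP servers themselves, a comment on the key would make that explicit, for example `# only used when ntp_role is unset; otherwise servers come from PuppetDB`. As written, a reader could assume clients now sync against the public pool rather than the internal servers.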
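Review bot: The new `$ntp_role` parameter in the first client.pp hunk accepts an empty string, which would turn the later lookup into `enc_role=''`; `Optional[String[1]] $ntp_role = undef,` expresses the same optional type on one line and rejects that value. `Optional[T]` is the usual Puppet spelling of `Variant[T, Undef]`. The parameter list continues past the end of the hunk.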
@@ -14,16 +18,23 @@ class profiles::ntp::client ( # through the profiles::ntp::server class. if $client_only { + # if ntp_role is set, find all hosts matching that enc_role + if $ntp_role == undef { + $ntpserver_array = $peers + }else{ + $ntpserver_array = query_nodes("enc_role='${ntp_role}'", 'networking.fqdn') + } + # Define the client configuration based on OS family if $facts['os']['family'] == 'RedHat' { class { 'chrony': - servers => $peers, + servers => $ntpserver_array, wait_enable => $wait_enable, wait_ensure => $wait_ensure, } } else { class { 'chrony': - servers => $peers, + servers => $ntpserver_array, } } } diff --git a/site/profiles/manifests/ntp/server.pp b/site/profiles/manifests/ntp/server.pp index c2f9b83..88f1426 100644 --- a/site/profiles/manifests/ntp/server.pp +++ b/site/profiles/manifests/ntp/server.pp @@ -19,7 +19,7 @@ class profiles::ntp::server ( # check the enc_role has been set, it can take two puppet runs to do this # TODO: change away from external fact - if $facts['enc_role'] == 'roles::infra::ntpserver' { + if $facts['enc_role'] == 'roles::infra::ntp::server' { # define the server if $facts['os']['family'] == 'RedHat' { diff --git a/site/roles/manifests/infra/ntpserver.pp b/site/roles/manifests/infra/ntp/server.pp similarity index 77% rename from site/roles/manifests/infra/ntpserver.pp rename to site/roles/manifests/infra/ntp/server.pp index 887efce..cfc685d 100644 --- a/site/roles/manifests/infra/ntpserver.pp +++ b/site/roles/manifests/infra/ntp/server.pp @@ -1,5 +1,5 @@ # a role to deploy a ntp server -class roles::infra::ntpserver { +class roles::infra::ntp::server { include profiles::defaults include profiles::base include profiles::ntp::server
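Review bot: When `$ntp_role` is set and `query_nodes` returns no hosts, the `else` branch in the second client.pp hunk hands chrony an empty `servers` list and `$peers` is never consulted, so a client compiled before any node reports the role (the comment in profiles::ntp::server says this can take two runs) ends up with no time source. Falling back keeps the hiera list useful: `$found = query_nodes("enc_role='${ntp_role}'", 'networking.fqdn')` followed by `$ntpserver_array = $found.empty ? { true => $peers, default => $found }`. Separately, server.pp describes `enc_role` as an external fact, so the server list here is built from agent-reported data; selecting on something the Puppet server assigns would keep a single node from placing itself in every client's chrony configuration. The class body starts before this hunk.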