diff --git a/group_vars/ntp_server.yml b/group_vars/ntp_server.yml
index 15a95434..9488a18b 100644
--- a/group_vars/ntp_server.yml
+++ b/group_vars/ntp_server.yml
@@ -1,4 +1,4 @@
 ---
 glob_ntp_server:
- adm_network: '172.16.10.0'
- adm_mask: '255.255.255.0'
+ open:
+ - 172.16.10.0/24
diff --git a/host_vars/charybde.cachan-adm.crans.org.yml b/host_vars/charybde.cachan-adm.crans.org.yml
index 582ae55a..3fe27538 100644
--- a/host_vars/charybde.cachan-adm.crans.org.yml
+++ b/host_vars/charybde.cachan-adm.crans.org.yml
@@ -5,7 +5,9 @@ interfaces:
 infra: eth0.111
 loc_ntp_server:
- adm_network: '172.17.10.0'
+ open:
+ - 172.17.10.0/24
+ - 172.16.32.0/22
 loc_vsftpd:
 root: /pool/mirror/pub
diff --git a/roles/ntp-server/templates/ntp.conf.j2 b/roles/ntp-server/templates/ntp.conf.j2
index 42d7fa25..e16b4cdb 100644
--- a/roles/ntp-server/templates/ntp.conf.j2
+++ b/roles/ntp-server/templates/ntp.conf.j2
@@ -44,7 +44,9 @@ restrict ::1
 restrict source notrap nomodify noquery
 # Server on adm can sync
-restrict {{ ntp_server.adm_network }} mask {{ ntp_server.adm_mask }} notrap nomodify
+{% for cidr in ntp_server.open %}
+restrict {{ cidr | ipaddr('network') }} mask {{ cidr | ipaddr('netmask') }} notrap nomodify
+{% endfor %}
 # Clients from this (example!) subnet have unlimited access, but only if
 # cryptographically authenticated.
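Review bot: The second entry added under `loc_ntp_server.open`, `172.16.32.0/22`, has nothing in the file saying which network it is, and as far as this diff shows that range was not allowed to reach the NTP server before. A trailing comment on each entry, for example `- 172.16.32.0/22  # <network name>, NTP clients`, would let a later reviewer tell an intended opening from a leftover. The key name `open` also reads like a boolean; a name such as `allowed_networks` would be harder to misread, though renaming it touches the group_vars file and the template as well.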
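Review bot: The `restrict` lines generated by the new `{% for cidr in ntp_server.open %}` loop grant `notrap nomodify` without `noquery`, so every network in the list can still send ntpq/ntpdc control queries to the daemon, and this commit extends that list beyond the adm network. Unless those clients need to read daemon status, tighten the line to `restrict {{ cidr | ipaddr('network') }} mask {{ cidr | ipaddr('netmask') }} notrap nomodify noquery`, and consider adding `kod limited` for rate limiting. The `ipaddr` filter returns `False` for a value it cannot parse, which would be written literally into ntp.conf, so a malformed entry is better caught by an `assert` task on `ntp_server.open` before templating than by the daemon at restart. The context comment `# Server on adm can sync` above the loop no longer describes what is allowed and should be reworded to match the list.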