diff --git a/deploy.tf b/deploy.tf
index c50042f58c94bf28f7b5e261bb49c625c0074c38..0d11672ecdb186544664a858f05fdd2f78a2537a 100644
--- a/deploy.tf
+++ b/deploy.tf
@@ -118,6 +118,7 @@ bootcmd:
   - cloud-init-per once manifests-dir mkdir -p /etc/puppet/code/environments/production/manifests
 
 packages:
+  - ansible
   - puppet-master
 
 puppet:
@@ -141,6 +142,9 @@ write_files:
 bootcmd:
   - cloud-init-per once puppet-start systemctl mask puppet
 
+packages:
+  - ansible
+
 puppet:
   conf:
     agent:
@@ -229,11 +233,15 @@ eval $(ssh-agent -s)
 trap "kill $SSH_AGENT_PID" INT TERM
 ssh-add ${local_file.localkey.filename}
 
+ip=${openstack_compute_floatingip_associate_v2.server-fip-1.floating_ip}
+remote="ssh -o PreferredAuthentications=publickey deployadm@$ip"
+while ! ping -c 1 -i 2 -q $ip; do sleep 5; done
+ssh-keygen -R $ip
+while ! $remote -o ConnectTimeout=5 -o StrictHostKeyChecking=no :; do sleep 5; done
 if [ -z "$NO_DEPLOYMENT" ]; then
-	./orchestrate.py -c ${local_file.output.filename}
-else
-	./orchestrate.py -c ${local_file.output.filename} files ping init wait
-	./orchestrate.py -c ${local_file.output.filename} -n deployment
+	git archive HEAD | $remote 'rm -rf terraform; mkdir terraform; cd terraform; tar x'
+	scp -o PreferredAuthentications=publickey -p ${local_file.output.filename} deployadm@$ip:~/terraform/
+	$remote -o ForwardAgent=yes "cd terraform; SENSITIVE=$SENSITIVE ./orchestrate.py -c ${local_file.output.filename}"
 fi
 
 kill $SSH_AGENT_PID
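Review bot: The readiness loop on the `while ! $remote -o ConnectTimeout=5 -o StrictHostKeyChecking=no :` line runs right after `ssh-keygen -R $ip`, so whatever host key answers at the floating IP is accepted unverified, and the last added line then forwards the local agent (`-o ForwardAgent=yes`) to that host. Using `-o StrictHostKeyChecking=accept-new` in the loop would at least refuse a key that changes between retries. Checking the recorded fingerprint against one obtained out of band (for example from the instance console output, if cloud-init prints it there) before the agent-forwarding call would close the first-contact gap. The orchestrate.py hunks keep the same pairing: `StrictHostKeyChecking=no` in the ping and init steps, `ForwardAgent=yes` in the inventory template and the node-to-node step. The surrounding script starts and ends outside this hunk.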
diff --git a/orchestrate.py b/orchestrate.py
index 1c0f5bd0b627d355cf5f6b4a4b503b5cd17b510c..6408c7b2ee2ac642e927def17fff53a9bf0c9099 100755
--- a/orchestrate.py
+++ b/orchestrate.py
@@ -130,14 +130,13 @@ ff02::2 ip6-allrouters
 [all:vars]
 ansible_become=true
 ansible_user=%s
-ansible_ssh_common_args=\'%s -o ForwardAgent=yes -o ProxyCommand="ssh -W {{ ansible_host }}:22 -q \
-{{ ansible_user }}@%s"\'
+ansible_ssh_common_args=\'%s -o ForwardAgent=yes\'
 
 [masters]
 %s ansible_host=%s
 
 [nodes]
-''' % (user, args.ssh_opts, master_ip, master_hostname, hosts[master_hostname]))
+''' % (user, args.ssh_opts, master_hostname, hosts[master_hostname]))
             for h, ip in hosts.items():
                 if h == master_hostname:
                     continue
@@ -148,19 +147,12 @@ ansible_ssh_common_args=\'%s -o ForwardAgent=yes -o ProxyCommand="ssh -W {{ ansi
 
 if 'ping' in args.actions:
     print('== ping ==', flush=True)
-    cmd = ['ping', '-c', '1', '-i', '2', '-q', master_ip]
-    perform_command(cmd, 0)
-    cmd = ['ssh-keygen', '-R', master_ip]
-    perform_command(cmd)
-    cmd = ssh + ['-o', 'ConnectTimeout=5', '-o', 'StrictHostKeyChecking=no', '%s@%s'
-                                                 % (user, master_ip), ':']
-    perform_command(cmd, 0)
     for ip in hosts.values():
-        cmd = ssh + ['%s@%s' % (user, master_ip), 'ping', '-c', '1', '-i', '2', '-q', ip]
+        cmd = ['ping', '-c', '1', '-i', '2', '-q', ip]
         perform_command(cmd, 0)
     for ip in hosts.values():
-        remote_cmd = ' '.join(ssh) + ' -o ConnectTimeout=5 -o StrictHostKeyChecking=no %s :' % ip
-        cmd = ssh + ['-o', 'ForwardAgent=yes', '%s@%s' % (user, master_ip), remote_cmd]
+        cmd = ssh + ['-o', 'ConnectTimeout=5', '-o', 'StrictHostKeyChecking=no',
+                     '%s@%s' % (user, ip), ':']
         perform_command(cmd, 0)
     if component:
         component.action('ping')
@@ -171,27 +163,19 @@ if 'init' in args.actions:
     h = list(hosts.keys()) + ['%s.%s.' % (host, d) for host in hosts.keys()] + \
         ['%s.%s' % (host, d) for host in hosts.keys()] + list(hosts.values())
 
-    cycle_all = ('echo -n At:; uname -n; for h in %s; do ' % ' '.join(h)) + ' '.join(ssh) \
-        + ' -o StrictHostKeyChecking=no $h :; done'
     commands = [
-        ['scp', '-p', 'hosts', '%s@%s:/tmp/' % (user, master_ip)],
-        ssh + ['%s@%s' % (user, master_ip), 'sudo mv -v /tmp/hosts /etc/hosts'],
-        # the frontend to all nodes
-        ssh + ['-o', 'ForwardAgent=yes', '%s@%s' % (user, master_ip), cycle_all]
+        ['sudo', 'cp', '-vp', 'hosts', '/etc/hosts'],
     ]
-    for ip in hosts.values():
-        # check the special case if it is not already frontend ('ssh-keygen -R' would be a problem)
-        if ip == master_ip:
-            continue
+    # the frontend to all nodes
+    for i in h:
         commands += [
-            ['ssh-keygen', '-R', ip],
-            ssh + ['-o', 'ForwardAgent=yes', '-o', 'ProxyCommand=ssh -W %s:22 -q %s@%s'
-                   % (ip, user, master_ip), '-o', 'StrictHostKeyChecking=no', '%s@%s' % (user, ip),
-                   ':']
+            ssh + ['-o', 'StrictHostKeyChecking=no', '%s@%s' % (user, i), ':'],
         ]
     commands += [
         ['ansible', '-i', './inventory', '-m', 'copy', '-a', 'src=hosts dest=/etc/hosts', 'nodes'],
     ]
+    cycle_all = ('echo -n At:; uname -n; for h in %s; do ' % ' '.join(h)) + ' '.join(ssh) \
+        + ' -o StrictHostKeyChecking=no %s@$h :; done' % user
     # node to node ssh keys
     # (after the /etc/hosts is distributed)
     for node in hosts.keys():
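Review bot: `['sudo', 'cp', '-vp', 'hosts', '/etc/hosts']` keeps the owner and mode of the generated `hosts` file because of `-p`, so `/etc/hosts` presumably ends up owned by the unprivileged user that runs orchestrate.py. Setting them explicitly avoids depending on that user's ownership and umask: `['sudo', 'install', '-m', '0644', '-o', 'root', '-g', 'root', 'hosts', '/etc/hosts'],`. The `init` block begins before this hunk and continues after it.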
@@ -200,8 +184,7 @@ if 'init' in args.actions:
             continue
         # the node to all nodes
         commands += [
-            ssh + ['-o', 'ForwardAgent=yes', '%s@%s' % (user, master_ip), ' '.join(ssh)
-                   + ' -o ForwardAgent=yes %s \'%s\'' % ('%s.%s' % (node, d), cycle_all)],
+            ssh + ['-o', 'ForwardAgent=yes', '%s.%s' % (node, d), '%s' % cycle_all],
         ]
     perform_action('init', commands)
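Review bot: The destination in `ssh + ['-o', 'ForwardAgent=yes', '%s.%s' % (node, d), '%s' % cycle_all]` has no `user@` prefix, unlike the other ssh targets built in this change, so the login name falls back to whoever runs orchestrate.py (or to an ssh_config entry). I would write it as `ssh + ['-o', 'ForwardAgent=yes', '%s@%s.%s' % (user, node, d), cycle_all],`, which also drops the redundant `'%s' %` wrapper. The loop this sits in starts above the hunk.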