Some interesting configuration options to comment on:
forks: by default to 5, it is the number of processes that Ansible will launch in parallel to communicate with remote hosts. The higher this number is, the more clients Ansible will be able to manage at the same time, and thus speed up processing. The value you can set is dependent on the CPU/RAM limits of your management server. Note that the default value, 5, is very small, the Ansible documentation states that many users set it to 50, even 500 or more.
gathering: this variable changes the policy for collecting facts. By default, the value is implicit, which implies that facts will be collected systematically. Switching this variable to smart allows for collection facts only when they have not already been collected. Coupled with a facts cache (see below), this option can greatly increase performance.
host_key_checking: Be careful with your server security! However, if you are in control of your environment, it can be interesting to disable the key control of remote servers and save some time at the connection. You can also, on remote servers, disable the use of the DNS of the SSH server (in /etc/ssh/sshd_config, option UseDNS no), this option wastes time at the connection and is, most of the time, only used in the connection logs.
ansible_managed: This variable, containing Ansible managed by default, is typically used in file templates that are deployed on remote servers. It allows you to specify to an administrator that the file is managed automatically and that any changes they make to it will potentially be lost. It can be interesting to let the administrators have a more complete message. Be careful though, if you change this variable, it may cause daemons to restart (via the handlers associated with the templates).
ssh_args = -C -o ControlMaster=auto -o ControlPersist=300s -o PreferredAuthentications=publickey: specify the ssh connection options. By disabling all authentication methods other than public key, you can save a lot of time. You can also increase the ControlPersist to improve performance (the documentation suggests that a value equivalent to 30 minutes may be appropriate). The connection to a client will stay open longer and can be reused when reconnecting to the same server, which is a significant time saving.
control_path_dir: Specify the path to the connection sockets. If this path is too long, it can cause problems. Consider changing it to something short, such as /tmp/.cp.
pipelining: Setting this value to True increases performance by reducing the number of SSH connections needed when running remote modules. You must first make sure that the requiretty option is disabled in the sudoers options (see documentation).
Gathering facts is a process that can take some time. It can be interesting to disable this gathering for playbooks that don't need it (via gather_facts option) or to keep these facts in memory in a cache for a certain period of time (for example 24H).
These facts can be easily stored in a redis database:
The various passwords and secrets cannot be stored in clear text with the Ansible source code, either locally on the management server or on a possible source code manager.
Ansible proposes using an encryption manager: ansible-vault.
The principle is to encrypt a variable or a whole file with the ansible-vault command.
Ansible will be able to decrypt this file at runtime by retrieving the encryption key from the file (for example) /etc/ansible/ansible.cfg. The latter can also be a python script or other.