diff --git a/.gitignore b/.gitignore
index ed783329d62a4c1e481a467fe674eb420a2b81dd..1fa681bca802f7eed1b50bd371699e3ec8c0cc99 100644
--- a/.gitignore
+++ b/.gitignore
@@ -53,6 +53,7 @@ Thumbs.db
 *.vault
 inventory.*
 inv.*
+*.pass
 
 # Vim #
 #######
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index bff41a8eacc2e3de524dcc5ddaf23ee749ab2c39..8ccc1d7e8483b1de94706569a168e1fd5ffb868e 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -12,26 +12,33 @@ default:
     - source /opt/molecule/bin/activate
     - ansible --version
     - molecule --version
 
+variables:
+  SCENARIO: "default"
+  # ANSIBLE_VAULT_PASSWORD_FILE: "molecule/lza_server_hardening.pass"
+  ANSIBLE_VAULT_PASSWORD_FILE: "../../../lza_server_hardening.pass"
+
 test-job:
   stage: test
   tags:
     - "shell"
   script:
+    - echo "CURRENT PATH= '$(pwd)'"
     # make sure that Ansible Vaults are present and can be decrypted
-    - echo "${VAULT_SERVER_HARDENING}" > ../lza_server_hardening.pass
-    - export ANSIBLE_VAULT_PASSWORD_FILE=../lza_server_hardening.pass
+    - echo "${VAULT_SERVER_HARDENING}" > ${ANSIBLE_VAULT_PASSWORD_FILE}
+    - export ANSIBLE_VAULT_PASSWORD_FILE
+    - tree
     - rm -rf ../ansible_vaults/
     - git clone https://gitlab+deploy-token-25:${VAULT_ACCESS_TOKEN}@git.slub-dresden.de/slub-referat-2-3/ansible_vaults.git ../ansible_vaults/; \
     # run Molecule tests
-    - molecule syntax --scenario-name default
+    - molecule syntax --scenario-name ${SCENARIO}
     # We cannot use `molecule lint` anymore because:
     # - https://github.com/ansible-community/molecule/pull/3802 "Remove lint command"
     # - https://github.com/ansible-community/molecule/discussions/3825#discussioncomment-4908366
     - yamllint --strict --format colored ./
     - ansible-lint --format full --profile production --strict --force-color ./
-    - molecule create --scenario-name default
-    - molecule converge --scenario-name default
-    - molecule idempotence --scenario-name default
-    # - molecule verify --scenario-name default
-    - molecule destroy --scenario-name default
+    - molecule create --scenario-name ${SCENARIO}
+    - molecule converge --scenario-name ${SCENARIO}
+    - molecule idempotence --scenario-name ${SCENARIO}
+    # - molecule verify --scenario-name ${SCENARIO}
+    - molecule destroy --scenario-name ${SCENARIO}
diff --git a/molecule/resources/playbooks/prepare.yml b/molecule/resources/playbooks/prepare.yml
index a20ecff01683308e1b648dd4fbb9ff4703258b76..eb1e2ce9c16221d04fd0adcb04aa6f2c870063b9 100644
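Review bot: The vault password file written by `- echo "${VAULT_SERVER_HARDENING}" > ${ANSIBLE_VAULT_PASSWORD_FILE}` is created with the runner's default umask (typically 022, so world-readable) and, with the new default `../../../lza_server_hardening.pass`, lands outside the project checkout where nothing in the job removes it; on a shared shell executor (`tags: - "shell"`) that leaves the vault secret on disk and readable to other local users between runs. Restrict the mode before the write with `- umask 077`, quote the redirect target as `> "${ANSIBLE_VAULT_PASSWORD_FILE}"`, and delete the file in an `after_script:` with `- rm -f "${ANSIBLE_VAULT_PASSWORD_FILE}"`. The added `echo "CURRENT PATH= '$(pwd)'"` and `tree` lines read as debugging output; if they are meant to stay, a comment saying what they are for would help. The `export ANSIBLE_VAULT_PASSWORD_FILE` line is presumably redundant once the value lives in `variables:`, since GitLab already places job variables in the script environment — confirm before dropping it.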
--- a/molecule/resources/playbooks/prepare.yml
+++ b/molecule/resources/playbooks/prepare.yml
@@ -20,3 +20,23 @@
       update_cache: true
       mode: "0644"
     become: true
+  # This Ansible role installs a multitude of firewall rules, some of which
+  # will lock us out of our Molecule test VM if we don't take precautions.
+  # As Molecule itself uses SSH just like Ansible, we need to open port
+  # tcp/22 to the private /24 subnet that Vagrant uses when provisioning the
+  # VM. As we don't know for sure what the address for this subnet is and it
+  # can change across servers/platforms, we gather this information
+  # dynamically and filter it through `ipaddr` to get the address of the
+  # whole subnet. The rule is inserted right on top of the list to make sure
+  # we always get access.
+  - name: add firewall rule to allow access from Molecule host into testing VM
+    ansible.builtin.iptables:
+      action: insert
+      rule_num: 1
+      chain: INPUT
+      comment: "molecule access"
+      jump: "ACCEPT"
+      protocol: tcp
+      source: "{{ ansible_default_ipv4.address | ansible.utils.ipaddr('network') }}/24"
+      destination_port: "22"
+    become: true
diff --git a/molecule/virtualbox/molecule.yml b/molecule/virtualbox/molecule.yml
index 6f084c72c2e0306fefe762a8d2a4909f686c0e54..b409ad5bd3d34b9568e10a48513b29700fe29ab8 100644
--- a/molecule/virtualbox/molecule.yml
+++ b/molecule/virtualbox/molecule.yml
@@ -21,7 +21,7 @@ platforms:
     # Dictionary of `config` options.
     config_options:
       ssh.keep_alive: yes
-      ssh.remote_user: "'lza'"
+      ssh.remote_user: "lza"
 provisioner:
   name: ansible
   log: true
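Review bot: The `source:` of the new iptables rule does not derive the subnet the way the comment above it claims: `ansible_default_ipv4.address` carries no prefix, so as far as I can tell `ansible.utils.ipaddr('network')` treats it as a /32 and returns the host address unchanged, and the `/24` appended afterwards is a hard-coded assumption, yielding something like `10.0.2.15/24` (constructed example) rather than a network address. Using the gathered netmask keeps the opening as narrow as the real subnet, `source: "{{ (ansible_default_ipv4.address ~ '/' ~ ansible_default_ipv4.netmask) | ansible.utils.ipaddr('network/prefix') }}"`, after which the sentence "filter it through `ipaddr` to get the address of the whole subnet" would actually be true. `ansible_default_ipv4` is the interface of the default route, which may not be the interface Molecule's SSH session arrives on; the comment should state that assumption explicitly. The enclosing task list starts outside the hunk.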
@@ -29,13 +29,14 @@ provisioner:
     defaults:
       # https://stackoverflow.com/questions/57435811/ansible-molecule-pass-multiple-vault-ids
       #vault_identity_list: "@$HOME/.ansible/roles/lza_install_common.pass, @$HOME/.ansible/roles/passfile_1.pass"
-      vault_identity_list: "../lza_server_hardening.pass"
+      #vault_identity_list: "${MOLECULE_PROJECT_DIRECTORY}/../../lza_server_hardening.pass"
+      vault_identity_list: "../lza_server_hardening.pass, ../../../lza_server_hardening.pass"
       vvv: false
   playbooks:
     # create: ../resources/playbooks/create.yml
     # destroy: ../resources/playbooks/destroy.yml
     converge: ../resources/playbooks/converge.yml
-    # prepare: ../resources/playbooks/prepare.yml
+    prepare: ../resources/playbooks/prepare.yml
     verify: ../resources/playbooks/verify.yml
 verifier:
   name: ansible
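Review bot: `vault_identity_list: "../lza_server_hardening.pass, ../../../lza_server_hardening.pass"` lists two relative paths that resolve against Ansible's working directory at run time, which under Molecule is not necessarily the scenario directory this file lives in; the commented-out `${MOLECULE_PROJECT_DIRECTORY}` variant directly above suggests that is the problem being worked around. If Ansible treats a missing file in `vault_identity_list` as an error rather than skipping it (I believe it does), the two-path list fails on whichever machine lacks one of the files, so each environment should end up with exactly one reachable path — for example an absolute path built from `${MOLECULE_PROJECT_DIRECTORY}` as the commented line does, or dropping this key and relying on `ANSIBLE_VAULT_PASSWORD_FILE`, which Ansible reads from the environment and the CI job already exports. The leftover `#vault_identity_list: "${MOLECULE_PROJECT_DIRECTORY}/../../lza_server_hardening.pass"` line should either be deleted or written as `# vault_identity_list: …`, since the CI job runs `yamllint --strict` and the default `comments` rule rejects a missing space after `#` unless the project's yamllint config relaxes it.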