test: adapt Molecule setup to suit peculiarities from the latest Molecule v6 release

Molecule now runs from a different directory than it used to (Change current directory to scenario before running playbooks), so it doesn't find Ansible Vault password file in the same relative path anymore. The changes made here fix that for us.

We've seized the opportunity to also create a firewall rule to allow access from Molecule host into testing VM, so we don't get locked out by our own Ansible tasks and retain our ability to run molecule idempotence.

molecule/resources/playbooks/prepare.yml

@@ -20,3 +20,23 @@
         update_cache: true
         mode: "0644"
       become: true
+    # This Ansible role installs a multitude of firewall rules, some of which
+    # will lock us out of our Molecule test VM if we don't take precautions.
+    # As Molecule itself uses SSH just like Ansible, we need to open port
+    # tcp/22 to the private /24 subnet that Vagrant uses when provisioning the
+    # VM. As we don't know for sure what the address for this subnet is and it
+    # can change across servers/platforms, we gather this information
+    # dynamically and filter it through `ipaddr` to get the address of the
+    # whole subnet. The rule is inserted right on top of the list to make sure
+    # we always get access.
+    - name: add firewall rule to allow access from Molecule host into testing VM
+      ansible.builtin.iptables:
+        action: insert
+        rule_num: 1
+        chain: INPUT
+        comment: "molecule access"
+        jump: "ACCEPT"
+        protocol: tcp
+        source: "{{ ansible_default_ipv4.address | ansible.utils.ipaddr('network') }}/24"
+        destination_port: "22"
+      become: true