Refactor secrets management to not require Ansible Vault

The decision of whether to encrypt credentials or not, and how, should be left to the user rather than enforced via "pwgen.py" (which is hardcoded to call "ansible-vault encrypt"). It should naturally flow along the divide between "write tasks" (init credentials) and "read-only tasks" (everything else).

In practical terms, it should be possible to run test environments without ANSIBLE_VAULT_PASSWORD_FILE being set at all.