Public facing ansible-pull server and setting user passwords

What is the preferred way to synchronize user accounts passwords between a bunch of unrelated servers that are not connected to a domain or NIS server?

Ansible has a builtin user module. What are the implications of having publicly exposed ansible-pull repo with hashed password along with the salt exposed (outlined in this ansible guide)?

If it were me, I’d put the credentials in an Ansible-Vault so that they are encrypted.