There are a few places you'll want to set/change passwords:
For staging/production environments, it's best to randomly generate longer passwords using something like random.org.
You may be concerned about setting plaintext passwords in a Git repository, and you should be. We strongly recommend you encrypt these passwords before committing them to your repo. Trellis is structured to make it easy to enable Ansible Vault to encrypt select files. Alternatively, you could try an option such as git-crypt.
Any type of server configs such as this playbook should always be in a private Git repository.