I think the migration to roles hasn't been finished. There's open PRs for Calibre (davestephens/ansible-nas#415) and a bunch of others, but no commits have been made since Apr 2.
I went through and created a branch for each remaining task that replaces the task with a role, and then created another streamlined single-commit branch that has everything as a role with not a single remaining bare task: https://github.com/allthestairs/ansible-nas/tree/all_roles
pulled the commit, seemed to install wireguard fine. ended up moving to wg-quick settings from systemd as part of debugging. turned out there was a bug in the Unifi controller that made port forwarding settings silently not take effect, ended up in a whole Unifi upgrade hell where DHCP was hosed all day.
anyways... tl;dr once i rebuilt my network i ended up configuring wireguard manually in the host. it seems to give me access to all my containers that are locally accessible anyway, without mucking around with docker networking.