I think the migration to roles hasn't been finished. There are open PRs for Calibre (davestephens/ansible-nas#415) and a bunch of others, but no commits have been made since Apr 2.
I went through and created a branch for each remaining task that replaces the task with a role and then created another streamlined single-commit branch that has everything as a role with not a single remaining bare task: https://github.com/allthestairs/ansible-nas/tree/all_roles
pulled the commit, seemed to install wireguard fine. ended up moving to wg-quick settings from systemd as part of debugging. turned out there was a bug in the Unifi controller that made port forwarding settings silently not take effect, ended up in a whole Unifi upgrade hell where DHCP was hosed all day.
anyways... tl;dr once i rebuilt my network i ended up configuring wireguard manually in the host. it seems to give me access to all my containers that are locally accessible anyway, without mucking around with docker networking.
so i had to modify my HA config file to specify the traefik ip for my external access to work with my reverse proxy as of the July HA release. To get this I went into http services and then home assistant and got the ip there that traefik uses. That's the one i put in my config file:
http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.1.1
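An added illustration, not part of the post above and not Home Assistant's own code: how a `trusted_proxies` allow-list is commonly applied when `X-Forwarded-For` is honoured, using the proxy address from the config above. The function names and the sample client addresses are assumptions made for the example.

```python
import ipaddress

# Address taken from the config above: only this one hop may set X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("172.30.1.1/32")]


def is_trusted(addr, trusted=TRUSTED_PROXIES):
    """True if addr falls inside any trusted proxy network."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on malformed input
    return any(ip in net for net in trusted)


def resolve_client_ip(peer_ip, xff_header, trusted=TRUSTED_PROXIES):
    """Return the address to treat as the client.

    peer_ip    -- address of the TCP peer that connected to the backend
    xff_header -- raw X-Forwarded-For value, or None if absent
    """
    # The header is only meaningful when the connection came from a trusted
    # proxy; from any other peer it is client-controlled and is ignored.
    if not xff_header or not is_trusted(peer_ip, trusted):
        return peer_ip

    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    # Walk right to left: the rightmost entries were appended by our own
    # proxies, anything further left was supplied by the client.
    for hop in reversed(hops):
        try:
            if not is_trusted(hop, trusted):
                return str(ipaddress.ip_address(hop))
        except ValueError:
            return peer_ip  # malformed entry: fall back to the peer address
    return peer_ip


if __name__ == "__main__":
    # Constructed sample requests (documentation-range client addresses).
    print(resolve_client_ip("172.30.1.1", "203.0.113.7"))           # via the proxy
    print(resolve_client_ip("172.30.1.5", "10.0.0.1"))              # untrusted peer
    print(resolve_client_ip("172.30.1.1", "1.2.3.4, 203.0.113.7"))  # padded header
```

Listing the single proxy address rather than its whole subnet keeps the set of hosts allowed to assert a client address as small as possible.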