I've never used network manager on a server and don't understand your routing configuration, im assuming you have wg0 configured to have a default route (ip route list).
You should be able to connect a docker network to the vpn by using a macvlan insted of a bridge type network and set the parent interface of it to the wg0 interface.
docker network create -d macvlan \ --subnet=<internal vpn network>/24 \ --gateway=<gateway ip> \ -o parent=wg0 vpn-net
modified from the docker documentation
Probably also set an ip-range on the network to make the auto assigned ips not conflict with other wireguard nodes (see linked documentation).
Make sure the allowed ips in the wireguard configs are set correctly.
You can also do ipv6 like this, see the end of the linked documentation page.
If you already have/can run a local server, then maybe storing the luks passphrase there and running a script on it which sshs into the remote server end enters the stored passphrase on command. Maybe a simple http server triggers it, which you could auth using forward auth of your reverse proxy, so you wouldnt need to implement auth in your script.
Of cause the passphrase is stored in plain text, but that will be the case in any case not using a tpm.
You could do notifications with a simple webhook of your favourite chat app, or by running a ntfy server (and app) and also sending the notification with a curl from a initrd script.