I created a simple role for Wordfence: https://github.com/adleviton/trellis-wordfence
Then to include this role, I use this code in deploy-hooks/build-after.yml:
- name: Setup Wordfence
include_role:
name: trellis-wordfence
So for each deploy, it copies the two files that Wordfence needs for the WAF into the latest trellis release folder.