diff --git a/systems/ceres/config/bridge.nix b/systems/ceres/config/bridge.nix
index 17f6b59..78a4c36 100755
--- a/systems/ceres/config/bridge.nix
+++ b/systems/ceres/config/bridge.nix
@@ -26,6 +26,7 @@
         networkConfig = {
           Bridge = "br-vms";
           ConfigureWithoutCarrier = true;
+          KeepConfiguration = "yes";
         };
         linkConfig = {
           RequiredForOnline = false;
@@ -37,6 +38,7 @@
         matchConfig.Name = "br-vms";
         networkConfig = {
           DHCP = "ipv4";
+          KeepConfiguration = "yes";
         };
         linkConfig = {
           RequiredForOnline = "routable";
diff --git a/systems/ceres/config/networking.nix b/systems/ceres/config/networking.nix
index b3a13a0..d6cd947 100755
--- a/systems/ceres/config/networking.nix
+++ b/systems/ceres/config/networking.nix
@@ -31,6 +31,31 @@ in
       ];
     };
   };
+
+  # Remote rebuild safeguards:
+  # These settings prevent network services from restarting during nixos-rebuild,
+  # which would otherwise drop SSH connections when done remotely.
+  # The bridge configuration changes enp10s0, so we need to prevent systemd-networkd
+  # and NetworkManager from restarting to maintain connectivity.
+
+  # Prevent SSH connections from being killed during network reconfiguration
+  systemd.services.sshd = {
+    stopIfChanged = false;
+    reloadIfChanged = true;
+  };
+
+  # Prevent systemd-networkd from restarting during switches to avoid dropping SSH
+  systemd.services.systemd-networkd = {
+    stopIfChanged = false;
+    restartTriggers = lib.mkForce [ ];
+  };
+
+  # Prevent NetworkManager from restarting during config changes
+  systemd.services.NetworkManager = {
+    stopIfChanged = false;
+    reloadIfChanged = true;
+  };
+
   services = {
     avahi = {
       enable = true;
diff --git a/systems/ceres/config/wireguard.nix b/systems/ceres/config/wireguard.nix
old mode 100644
new mode 100755