chore: moved wireguard config

systems/ceres/config/bridge.nix

@@ -0,0 +1,71 @@
+{
+  lib,
+  ...
+}:
+{
+  # Enable systemd-networkd for bridge management
+  systemd.network = {
+    enable = true;
+
+    netdevs = {
+      "20-br-vms" = {
+        netdevConfig = {
+          Name = "br-vms";
+          Kind = "bridge";
+        };
+        bridgeConfig = {
+          STP = false;
+        };
+      };
+    };
+
+    networks = {
+      # Connect physical interface to bridge
+      "30-enp10s0" = {
+        matchConfig.Name = "enp10s0";
+        networkConfig = {
+          Bridge = "br-vms";
+          ConfigureWithoutCarrier = true;
+        };
+        linkConfig = {
+          RequiredForOnline = false;
+        };
+      };
+
+      # Configure bridge to get IP from LAN DHCP
+      "40-br-vms" = {
+        matchConfig.Name = "br-vms";
+        networkConfig = {
+          DHCP = "ipv4";
+        };
+        linkConfig = {
+          RequiredForOnline = "routable";
+        };
+      };
+
+      # VM tap interface to bridge
+      "50-vm-forgejo" = {
+        matchConfig.Name = "vm-forgejo";
+        networkConfig = {
+          Bridge = "br-vms";
+          ConfigureWithoutCarrier = true;
+        };
+        linkConfig = {
+          RequiredForOnline = false;
+        };
+      };
+    };
+  };
+
+  # Tell NetworkManager to ignore bridge and VM interfaces
+  networking.networkmanager.unmanaged = [
+    "interface-name:br-vms"
+    "interface-name:vm-*"
+    "interface-name:enp10s0"
+  ];
+
+  # IP forwarding (needed for both bridge networking and WireGuard NAT)
+  boot.kernel.sysctl = {
+    "net.ipv4.ip_forward" = 1;
+  };
+}