networking fixes

common/network/pia-vpn/default.nix

@@ -175,8 +175,8 @@ in
     # Enable systemd-networkd for bridge management
     systemd.network.enable = true;
 
-    # Don't let systemd-networkd-wait-online block boot on bridge
-    systemd.network.wait-online.ignoredInterfaces = [ cfg.bridgeName ];
+    # TODO: re-enable once primary networking uses networkd
+    systemd.network.wait-online.enable = false;
 
     # Tell NetworkManager to ignore VPN bridge and container interfaces
     networking.networkmanager.unmanaged = mkIf config.networking.networkmanager.enable [

common/network/pia-vpn/service-container.nix

@@ -40,7 +40,6 @@ let
           Gateway = cfg.vpnAddress;
           DNS = [ cfg.vpnAddress ];
         };
-        linkConfig.RequiredForOnline = "no";
       };
 
       # DNS through VPN container (queries go through WG tunnel = no DNS leak)

common/network/pia-vpn/vpn-container.nix

@@ -81,9 +81,11 @@ in
             Address = "${cfg.vpnAddress}/${cfg.subnetPrefixLen}";
             DHCPServer = false;
           };
-          linkConfig.RequiredForOnline = "no";
         };
 
+        # Ignore WG interface for wait-online (it's configured manually, not by networkd)
+        systemd.network.wait-online.ignoredInterfaces = [ cfg.interfaceName ];
+
         # Enable forwarding so bridge traffic can go through WG
         boot.kernel.sysctl."net.ipv4.ip_forward" = 1;