
Refactor trusted browser and add build-time chrome extension support #1455

Merged: brianmcgillion merged 2 commits into tiiuae:main from kajusnau:chrome-local-extensions on Oct 15, 2025

@kajusnau kajusnau commented Oct 9, 2025

Description of Changes

  1. Chrome extensions build-time installation

    • Expanded the Chrome module (modules/reference/programs/google-chrome.nix) to support installing Web Store extensions at build time.
    • Added functionality to serve pre-fetched extensions through a local update server, allowing Chrome to fetch them at runtime without external network access.
    • Added support for extensions to be specified as either:
      • a simple Chrome Web Store ID (fetched normally at runtime), or
      • a local Nix package providing a pre-fetched .crx and version information.
  2. New chrome-extensions package set

    • Added a pkgs.chrome-extensions namespace for managing Chrome extensions.
    • Added mkExtension helper for packaging Web Store extensions with a name, ID, and hash.
    • Added Session Buddy as the first packaged extension.
    • Moved open-normal extension under pkgs.chrome-extensions for consistency.
  3. Trusted browser refactor

    • Refactored the trusted browser configuration to use the new Chrome extension system.
    • Added the Session Buddy extension to address SSRCSP-7164.
    • Disabled session restore popups and first-run dialogs.
      First run dialogs here are mostly useless, due to trusted browser having access to neither Google's sign-in server nor any other search engines.
      Session restoration can be done manually via the new Session Buddy extension.
    • Renamed and moved the Open in Normal Browser extension to open-normal, now built and managed as part of pkgs.chrome-extensions.

With these changes, more extensions can be added to Google Chrome easily following this general process:

  1. Add the extension to packages/chrome-extensions/default.nix

    new-extension-name = mkExtension {
      name = "new-extension-name";
      id = "<extension ID in Chrome Web Store>";
      hash = "<hash calculated after first build>";
    };
    
  2. Add the new extension package to the extensions list of google-chrome module, wherever it is enabled:

    ghaf.reference.programs.google-chrome = {
      enable = true;
      extensions = [
        pkgs.chrome-extensions.new-extension-name
      ];
    };
    

Notes:

  • Extensions installed using this new method are managed via Policies, meaning they cannot be uninstalled by the user.
  • Locally installed extensions are updated in the upstream at unpredictable intervals.
    After such an update and a rebuild on our end, a hash conflict is expected for the respective extension package in packages/chrome-extensions/default.nix.
    The hash must then be recalculated and updated accordingly.
    session-buddy, for example, has only been updated once in the last year, so these shouldn't cause too much of a headache in maintenance for us.

Type of Change

  • New Feature
  • Bug Fix
  • Improvement / Refactor

Related Issues / Tickets

Addresses https://jira.tii.ae/browse/SSRCSP-7164, which is re-introduced by #1452

NOT TO BE MERGED BEFORE #1452

Checklist

  • Clear summary in PR description
  • Detailed and meaningful commit message(s)
  • Commits are logically organized and squashed if appropriate
  • Contribution guidelines followed
  • Ghaf documentation updated with the commit - https://tiiuae.github.io/ghaf/
  • Author has run make-checks and it passes
  • All automatic GitHub Action checks pass - see actions
  • Author has added reviewers and removed PR draft status

Testing Instructions

Applicable Targets

  • Orin AGX aarch64
  • Orin NX aarch64
  • Lenovo X1 x86_64
  • Dell Latitude x86_64
  • System 76 x86_64

Installation Method

  • Requires full re-installation: Strongly recommended, although might work without
  • Can be updated with nixos-rebuild ... switch
  • Other:

Test Steps To Verify:

  1. Boot into Ghaf
  2. Open Trusted Browser
  3. Verify first-run dialogs (sign-in, search engine selection, etc.) do not appear
  4. Verify both "Open in normal browser" and "Session Buddy" extensions are installed
  5. Force Trusted Browser to crash intentionally (e.g. by logging out)
  6. Re-launch Trusted Browser and verify the "Session Restore" dialog does not appear
  7. Verify the previous session can be restored by using Session Buddy
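
Added example (not part of the PR or of Ghaf's code): the hash pin and the local update manifest described in the notes above, in Python. It assumes the pinned hash is a Nix SRI sha256 over the .crx bytes and that the local server answers with Chrome's standard update manifest; `make_sample_crx`, the codebase URL passed in, and any extension ID used with it are constructed placeholders.

```python
import base64, hashlib, io, json, re, struct, zipfile
from xml.sax.saxutils import quoteattr

EXT_ID_RE = re.compile(r"[a-p]{32}")  # Chrome extension IDs: 32 chars, a-p only

def sri_sha256(data: bytes) -> str:
    """Nix-style SRI hash string for a blob."""
    return "sha256-" + base64.b64encode(hashlib.sha256(data).digest()).decode()

def crx3_version(crx: bytes) -> str:
    """Return manifest.json "version" from a CRX3 container."""
    magic, fmt, header_len = struct.unpack_from("<4sII", crx, 0)
    if magic != b"Cr24" or fmt != 3:
        raise ValueError("not a CRX3 file")
    with zipfile.ZipFile(io.BytesIO(crx[12 + header_len:])) as z:
        return json.loads(z.read("manifest.json"))["version"]

def update_manifest(ext_id: str, crx: bytes, pinned: str, codebase: str) -> str:
    """Check the pin, then build the XML a local update server would serve."""
    if not EXT_ID_RE.fullmatch(ext_id):
        raise ValueError("malformed extension ID")
    got = sri_sha256(crx)
    if got != pinned:
        # Same situation as the expected hash conflict after an upstream update.
        raise ValueError(f"hash mismatch: pinned {pinned}, got {got}")
    return (
        "<?xml version='1.0' encoding='UTF-8'?>\n"
        "<gupdate xmlns='http://www.google.com/update2/response' protocol='2.0'>\n"
        f"  <app appid={quoteattr(ext_id)}>\n"
        f"    <updatecheck codebase={quoteattr(codebase)}"
        f" version={quoteattr(crx3_version(crx))}/>\n"
        "  </app>\n</gupdate>\n"
    )

def make_sample_crx(version: str) -> bytes:
    """Constructed, unsigned CRX3: magic, format 3, empty header, zip payload."""
    buf = io.BytesIO()
    manifest = {"manifest_version": 3, "name": "sample", "version": version}
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("manifest.json", json.dumps(manifest))
    return b"Cr24" + struct.pack("<II", 3, 0) + buf.getvalue()
```

A real .crx carries a signed header that Chrome verifies on install; the constructed sample only exercises the pin check and the version lookup.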

@kajusnau kajusnau self-assigned this Oct 9, 2025
@kajusnau kajusnau marked this pull request as ready for review October 13, 2025 07:50

@vunnyso vunnyso left a comment

Overall good. It would be beneficial to include documentation on the usage of the 'Session Buddy' feature.

@kajusnau kajusnau marked this pull request as draft October 14, 2025 07:34
@kajusnau kajusnau force-pushed the chrome-local-extensions branch from ec4089f to 35a7ec2 Compare October 14, 2025 09:56
- expanded google-chrome module:
  - allow installing webstore extensions at build time using attr 'local'
  - 'local' extensions are provided by a local update server
- added chrome-extensions package:
  - provides a mkExtension helper
  - extensions can be easily packaged with an id, name, and hash
  - packaged extensions are accessible under pkgs.chrome-extensions

Signed-off-by: Kajus Naujokaitis <kajus.naujokaitis@unikie.com>

- refactored trusted browser to use new chrome extension module syntax
- added 'Session Buddy' extension to trusted browser
- disabled session restore popup for trusted browser
- disabled 'first run' dialogs for trusted browser
- renamed 'open in normal extension' to 'open-normal'
- moved 'open-normal' extension under chrome-extensions package set
- added comments and notes to chrome-extensions package set

Signed-off-by: Kajus Naujokaitis <kajus.naujokaitis@unikie.com>

@kajusnau (Collaborator, Author)

> Overall good. It would be beneficial to include documentation on the usage of the 'Session Buddy' feature.

I couldn't find a proper place in our docs documenting the use of Trusted Browser and Chrome, let alone Chrome extensions.

The way I see it, Session Buddy is an extension meant for power users. These users shouldn't have too much trouble learning it, as it's fairly straightforward as-is, and provides its own "Help" section, which can be accessed in a normal browser.

@kajusnau kajusnau marked this pull request as ready for review October 15, 2025 09:49
@kajusnau kajusnau added the Needs Testing CI Team to pre-verify label Oct 15, 2025
@milva-unikie

Tested on Lenovo-X1 (new installation, rebased to include #1431)

All good!

  • No sign-in window or search engine selection in Trusted Browser
  • "Open in normal browser" and "Session Buddy" extensions are installed
  • Previous session can be restored using Session Buddy

@milva-unikie milva-unikie added Tested on Lenovo X1 Carbon This PR has been tested on Lenovo X1 Carbon and removed Needs Testing CI Team to pre-verify labels Oct 15, 2025
@brianmcgillion brianmcgillion merged commit 6ab8f6a into tiiuae:main Oct 15, 2025
28 checks passed
@kajusnau kajusnau deleted the chrome-local-extensions branch October 16, 2025 08:24