Unverified Commit 9f5a45d8 authored by Thomas Gerbet, committed by GitHub

nixos/captive-browser: remove the udhcpc setcap wrapper fallback (#487775)

parents e6f69838 eb65b00f
+2 −0
@@ -101,6 +101,8 @@
- `jetbrains.plugins.addPlugins` no longer supports plugin names or ID strings.
  You can still use `addPlugins` with plugin derivations, such as plugins packaged outside of Nixpkgs.

- The `programs.captive-browser` module no longer falls back on a setcap wrapper around udhcpc to discover your network's DNS server due to [GHSA-wc3r-c66x-8xmc](https://github.com/NixOS/nixpkgs/security/advisories/GHSA-wc3r-c66x-8xmc) (CVE-2026-25740). If you're using this module, you must either configure `programs.captive-browser.dhcp-dns` manually or enable one of NetworkManager, dhcpcd, or systemd-networkd.

- The `services.yggdrasil` module has been refactored with the following breaking changes:
  - The `services.yggdrasil.configFile` option has been removed. Configuration should now be specified directly via `services.yggdrasil.settings`.
  - The `services.yggdrasil.persistentKeys` option has been removed. To maintain persistent keys and IPv6 addresses across reboots, use `services.yggdrasil.settings.PrivateKeyPath` to securely load your private key from a file via systemd credentials. The private key must be in PEM format (PKCS #8).
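Review bot: the new captive-browser entry tells users what to configure instead but omits that the module also stops installing the `security.wrappers.udhcpc` setcap wrapper, so anyone who relied on a capability-bearing `udhcpc` existing under `security.wrapperDir` for other purposes gets no warning here. Suggest appending a sentence along the lines of "The setcap wrapper for `udhcpc` that this module previously installed is removed as well; declare your own `security.wrappers` entry if you depended on it." so the release note covers both user-visible changes of the commit.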
+1 −12
@@ -142,20 +142,9 @@ in
        else if config.networking.useNetworkd then
          "${cfg.package}/bin/systemd-networkd-dns ${iface [ ]}"
        else
          "${config.security.wrapperDir}/udhcpc --quit --now -f ${iface [ "-i" ]} -O dns --script ${pkgs.writeShellScript "udhcp-script" ''
            if [ "$1" = bound ]; then
              echo "$dns"
            fi
          ''}"
          throw "programs.captive-browser.dhcp-dns must be set"
      );

    security.wrappers.udhcpc = {
      owner = "root";
      group = "root";
      capabilities = "cap_net_raw+p";
      source = "${pkgs.busybox}/bin/udhcpc";
    };

    security.wrappers.captive-browser = mkIf requiresSetcapWrapper {
      owner = "root";
      group = "root";
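Review bot: the replacement `throw "programs.captive-browser.dhcp-dns must be set"` in the final `else` branch is terser than the release note, which also lists NetworkManager, dhcpcd and systemd-networkd as ways to satisfy the module; the error is the first thing an affected user sees, so it should name those alternatives too, e.g. `throw "programs.captive-browser.dhcp-dns must be set, or enable NetworkManager, dhcpcd or systemd-networkd"`. Consider also reporting this through `assertions` rather than a `throw` inside the option default, so the failure surfaces as a module assertion with a stable message instead of an evaluation error at whatever point `dhcp-dns` happens to be read first. Dropping the `security.wrappers.udhcpc` block together with the fallback is the right scope for this change: that wrapper granted `cap_net_raw+p` to a binary whose `--script` argument hands control to caller-supplied code, so the capability was not confined to the module's own use, and keeping only the wrapper while removing the fallback would have left the exposure in place.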