build: package `securedrop-qubesdb` and `securedrop-whonix-config`

Status

Ready for review

Description

Towards freedomofpress/securedrop-workstation#1039:

package template-from-qubesdb in securedrop-qubesdb; and
package a one-shot systemd service in securedrop-whonix-config to configure Whonix at the VM level, obviating Salt from the dom0 level.

Test Plan

Start make build-debs. While it runs...
On sd-app, eyeball your /var/lib/keys/tor/app-journalist.auth_private and then delete it.
Once the packages are ready, manually copy securedrop-qubesdb and securedrop-whonix-config to whonix-gateway-17 and install them.
- If this raises your eyebrows, see https://github.com/freedomofpress/securedrop-workstation/pull/1051#discussion_r1618029832.
Shut down whonix-gateway-17.
Enable the securedrop-whonix-config Qubes service on sd-whonix.
Restart sd-whonix.
[ ] On sd-whonix, /var/lib/keys/tor/app-journalist.auth_private has been created with the expected contents, ownership (debian-tor:debian-tor) and permissions (0600).
Restart sys-whonix.
[ ] On sys-whonix, no /var/lib/tor/keys/tor/app-journalist.auth_private exists.

Checklist

If these changes modify code paths involving cryptography, the opening of files in VMs or network (via the RPC service) traffic, Qubes testing in the staging environment is required. For fine tuning of the graphical user interface, testing in any environment in Qubes is required. Please check as applicable:

[x] I have tested these changes in the appropriate Qubes environment
I do not have an appropriate Qubes OS workstation set up (the reviewer will need to test these changes)
These changes should not need testing in Qubes

If these changes add or remove files other than client code, the AppArmor profile may need to be updated. Please check as applicable:

I have updated the AppArmor profile
[x] No update to the AppArmor profile is required for these changes
I don't know and would appreciate guidance

freedomofpress / securedrop-client