Apt upgrade logic requires dist-upgrade

[conorsch]

During a recent kernel version bump (freedomofpress/securedrop-builder#60), we observed that SDW VMs are not automatically receiving the new version:

The following packages have been kept back:
  securedrop-workstation-grsec
0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.

The problem appears to be lack of dist-upgrade in the upgrade logic

securedrop-workstation/dom0/fpf-apt-test-repo.sls

Lines 35 to 41 in b49c5f2

	# Ensure all apt updates are applied, since the VMs
	# will be cloned, duplicating package version drift.
	update-all-apt-packages:
	pkg.uptodate:
	- cache_valid_time: "3600"
	- require:
	- pkg: install-python-apt-for-repo-config

. Let's at least add dist-upgrade and confirm upgrades are automatic. Worth considering using Qubes's qubes.update-vm state, but that's likely better handled as part of #51.

Also noting that the template build process uses a different location for the apt repo: https://github.com/freedomofpress/qubes-template-securedrop-workstation/blob/ce19add9e0dc817c7c83e6863b0ec66e34894b00/securedrop-workstation/04_install_qubes_post.sh#L45 Let's update the logic to reuse that same location, otherwise we'll have duplicate (and potentially conflicting) config files.

[emkll]

The securedrop-update daily cron does pass the dist-upgrade flag[0], so this should affect new installs only, up until the daily cron runs.

[0] : https://github.com/freedomofpress/securedrop-workstation/blob/master/dom0/securedrop-update#L50