Use Onion Services for APT

Currently, /etc/apt/sources.list makes use of apt-transport-tor (tor+http://) to fetch the repo lists from the normal Debian mirrors via the Tor Exit node.
This could, however, be done through Tor entirely since there exist official mirrors that are Tor Onion Services, such as vwakviie2ienjx6t.onion.

https://wiki.debian.org/TorifyDebianServices

Pros:

Traffic stays within Tor, avoidance of metadata
End-to-End encryption to the Onion Service
(debatable) Fingerprinting of Tails users (what diffs were missing? when was the last package list update?) at the Tor Exit might become more difficult

Cons:

Adds load to the Onion mirror
Packages signed with GnuPG anyways
Might be slower than non-Onion Service access

Feature Branch: feature/11556-apt-with-onions

Related issues

Related to #8143 (closed)

Original created by @flapflap on 11556 (Redmine)

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information