automate major upgrades

we currently have automated upgrades for the day-to-day debian package upgrades, through unattended-upgrades (#31957 (closed)). but major upgrades are not scripted, other than ad-hoc commands copy-pasted from an otherwise excellent wiki page.

we should automate this.

during the %Debian 12 bookworm upgrade, tor weather suffered a catastrophic failure (#41388 (closed)) due to a flaw in the postgresql upgrade procedure, so that should probably be our first target: automate that procedure, which would normally keep that kind of problem from occuring again (as we can do error checking better). moved to #41879 (closed)

but ideally, we'd automate the entire procedure. See also https://wiki.debian.org/AutomatedUpgrade