Add RFC 9116 security.txt
We should add a /.well-known/security.txt route to aid in security vulnerability disclosure. See RFC 9116 and securitytxt.org.
The trick is figuring out what should go in it, since Debusine as a software project might not have quite the same policy as any given instance of Debusine. Maybe we can provide reasonable defaults that point to the Debusine team, while allowing these to be overridden on an instance-specific basis using Django settings. Or should Freexian's policies be provided only by the instances we manage, rather than being part of the Debusine codebase?
I think we could reasonably set at least the Canonical, Contact, Expires, Policy, and Preferred-Languages fields. We'd need to write a vulnerability disclosure policy.
It's recommended that the file be signed, which makes it hard for it to be dynamically generated as well; so we should probably just allow overriding the whole file in a Django setting rather than having a setting per field.
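One way to implement the whole-file override described above, as an added example that is not Debusine's own code: a single setting holds the complete (possibly PGP-clearsigned) file and is served verbatim, and only when it is unset are the defaults rendered with a fresh Expires value. The setting name SECURITY_TXT, the contact and policy URLs, and the checker's rules (Contact and Expires are mandatory in RFC 9116, URI-valued fields, an Expires that is not in the past) are this example's assumptions; the Debusine team's real addresses are not on the page.

```python
from datetime import datetime, timedelta, timezone

# Constructed placeholder defaults standing in for the Debusine team's contacts.
DEFAULT_FIELDS = {
    "Contact": "mailto:security@example.org",
    "Canonical": "https://debusine.example.org/.well-known/security.txt",
    "Policy": "https://debusine.example.org/security-policy",
    "Preferred-Languages": "en",
}
REQUIRED = ("Contact", "Expires")
# URI schemes accepted per field: Contact may be mail/phone/web, the rest web only.
SCHEMES = {"Contact": ("https://", "mailto:", "tel:"),
           "Canonical": ("https://",), "Policy": ("https://",)}


def render_security_txt(override=None, fields=None, validity_days=180, now=None):
    """Return the instance override untouched if set (regenerating it would
    break a signature); otherwise render the defaults plus a computed Expires.
    In Django this would be HttpResponse(render_security_txt(settings.SECURITY_TXT),
    content_type="text/plain") mapped to .well-known/security.txt (assumed wiring)."""
    if override:
        return override
    now = now or datetime.now(timezone.utc)
    fields = dict(fields or DEFAULT_FIELDS)
    fields.setdefault("Expires",
                      (now + timedelta(days=validity_days)).strftime("%Y-%m-%dT%H:%M:%SZ"))
    return "".join(f"{name}: {value}\n" for name, value in fields.items())


def check_security_txt(text, now=None):
    """Return a list of problems found in a security.txt body, signed or not."""
    now = now or datetime.now(timezone.utc)
    fields = {}
    for line in text.splitlines():
        if line.startswith("-----BEGIN PGP SIGNATURE"):
            break  # the rest is the armoured signature, not fields
        if not line or line.startswith("#") or ":" not in line:
            continue  # blank lines, comments, PGP armour header line
        name, _, value = line.partition(":")
        fields.setdefault(name.strip(), []).append(value.strip())
    problems = [f"missing required field {f}" for f in REQUIRED if f not in fields]
    for name, schemes in SCHEMES.items():
        problems += [f"{name} is not an accepted URI: {v}"
                     for v in fields.get(name, []) if not v.startswith(schemes)]
    for v in fields.get("Expires", []):
        try:
            expires = datetime.fromisoformat(v.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not ISO 8601: {v}")
            continue
        if expires.tzinfo is None:
            problems.append(f"Expires lacks a timezone: {v}")
        elif expires <= now:
            problems.append(f"Expires is in the past: {v}")
    return problems
```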