krb5.realms.<realm>.kdc should allow multiple hosts #89626

Closed
mrschyte opened this issue Jun 6, 2020 · 2 comments · Fixed by #89748

Comments

mrschyte commented Jun 6, 2020

Describe the bug
In the krb5 module (nixpkgs/nixos/modules/config/krb5) the krb5.realms.<realm>.kdc option should allow multiple hosts to be defined. Kerberos allows multiple entries for fault tolerance, however the module only allows a single host to be defined.

Expected behavior
The kdc option should be a list of strings, for example:

```nix
krb5.realms = {
  "CORP" = {
    admin_server = "dc01.corp.lan";
    kdc = [
      "dc01.corp.lan"
      "dc02.corp.lan"
    ];
  };
}
```

which should produce the following config:

```
[realms]
CORP = {
  admin_server = dc01.corp.lan
  kdc = dc01.corp.lan
  kdc = dc02.corp.lan
}
```

Notify maintainers

@eqyiel @Mic92 @pvgoran @volth

Metadata
Please run nix-shell -p nix-info --run "nix-info -m" and paste the result.

 - system: `"x86_64-linux"`
 - host os: `Linux 5.4.42, NixOS, 20.03.2015.e7752db2fb6 (Markhor)`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.3.5`
 - channels(root): `"nixos-20.03.2015.e7752db2fb6"`
 - channels(user): `""`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`

Maintainer information:

```yaml
# a list of nixpkgs attributes affected by the problem
attribute:
# a list of nixos modules affected by the problem
module:
  - krb5
```

heinic commented Jun 7, 2020

I ran into this recently as well. #30014 claims that it's possible. But as far as I can tell, that's only when you pass the configuration as a list of strings.

The module actually contains some code to accept lists. It looks like it should produce values separated by whitespace, but there are only a couple of options in krb.conf that would accept this format (not including kdc). However, because it is passing attrs as the last parameter to concatMapStringsSep instead of a list, it will always fail to evaluate.

```nix
else if (isList value) then
  concatMapStringsSep " " mkVal { inherit value depth; }
```

heinic added a commit to heinic/nixpkgs that referenced this issue Jun 7, 2020
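
As an added illustration (not part of the thread and not the nixpkgs module's own code), the following Nix expression renders the realm from the issue so that a list value yields one `kdc =` line per host instead of a whitespace-joined value. The helper names `indent`, `mkScalar`, `mkRelation` and `mkSection` are hypothetical, and only `builtins` functions are used.

```nix
# Added example: render an attrset as a krb5.conf section, emitting one
# "key = value" line per list element. Not the nixpkgs krb5 module code.
let
  inherit (builtins) attrNames concatMap concatStringsSep genList isAttrs isBool isList;

  # Two spaces of indentation per nesting level.
  indent = depth: concatStringsSep "" (genList (_: "  ") depth);

  # Scalars are written as bare words; booleans become true/false.
  mkScalar = v: if isBool v then (if v then "true" else "false") else toString v;

  # Returns the list of output lines for one relation at the given depth.
  mkRelation = depth: name: value:
    if isList value then
      # Multi-valued relation: repeat the key once per element, in list order.
      concatMap (mkRelation depth name) value
    else if isAttrs value then
      [ "${indent depth}${name} = {" ]
      ++ concatMap (k: mkRelation (depth + 1) k value.${k}) (attrNames value)
      ++ [ "${indent depth}}" ]
    else
      [ "${indent depth}${name} = ${mkScalar value}" ];

  # A section is a "[name]" header followed by its relations.
  mkSection = name: attrs:
    concatStringsSep "\n" ([ "[${name}]" ]
      ++ concatMap (k: mkRelation 0 k attrs.${k}) (attrNames attrs));

  # Constructed input, copied from the expected-behaviour example in the issue.
  realms = {
    CORP = {
      admin_server = "dc01.corp.lan";
      kdc = [ "dc01.corp.lan" "dc02.corp.lan" ];
    };
  };
in
  # Evaluates to the [realms] text shown in the issue, with two kdc lines.
  mkSection "realms" realms
```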

mrschyte commented Sep 3, 2020

Thanks for the help! Awesome work :) 👍
