Don't allow to hide last server for a role
DNSSec key master and CA renewal master can't be hidden. There must be
at least one enabled server available for each role, too.
Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>