authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-10 19:05:44 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-10 19:05:44 +0000
commitb045529c40c83601909dca7b76a53498e9a70f33 (patch)
tree88371572105933fd950676c07b3a12163a0c9de0 /distro/pkg/el-7
parentInitial commit. (diff)
Adding upstream version 3.3.4.upstream/3.3.4
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'distro/pkg/el-7')
-rw-r--r--distro/pkg/el-7/01-revert-AC_PROG_CC.patch18
-rw-r--r--distro/pkg/el-7/02-fix-compilation-by-using-SHA-1.patch67
-rw-r--r--distro/pkg/el-7/03-doc-don-t-try-to-import-sphinx_panels.patch25
-rw-r--r--distro/pkg/el-7/04-revert-don-t-share-PKCS-11-private-keys.patch166
-rw-r--r--distro/pkg/el-7/knot.service25
-rw-r--r--distro/pkg/el-7/knot.spec333
-rw-r--r--distro/pkg/el-7/knot.tmpfiles3
7 files changed, 637 insertions, 0 deletions
diff --git a/distro/pkg/el-7/01-revert-AC_PROG_CC.patch b/distro/pkg/el-7/01-revert-AC_PROG_CC.patch
new file mode 100644
index 0000000..fb49c00
--- /dev/null
+++ b/distro/pkg/el-7/01-revert-AC_PROG_CC.patch
@@ -0,0 +1,18 @@
+From: Daniel Salzman <daniel.salzman@nic.cz>
+Date: Sun, 20 Feb 2022 20:38:35 +0100
+Subject: [PATCH] Revert "configure: upgrade from AC_PROG_CC_C99 to AC_PROG_CC"
+
+diff --git a/configure.ac b/configure.ac
+index 6506197ed..c7df7f815 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -38,7 +38,8 @@ release_date=$($SED -n 's/^Knot DNS .* (\(.*\))/\1/p;q;' ${srcdir}/NEWS)
+ AC_SUBST([RELEASE_DATE], $release_date)
+
+ # Set compiler compatibility flags
+-AC_PROG_CC
++AC_PROG_CC_C99 # AC_PROG_CC not supported by CentOS 7
++AM_PROG_CC_C_O # Needed by CentOS 7
+ AC_PROG_CPP_WERROR
+
+ # Set default CFLAGS
diff --git a/distro/pkg/el-7/02-fix-compilation-by-using-SHA-1.patch b/distro/pkg/el-7/02-fix-compilation-by-using-SHA-1.patch
new file mode 100644
index 0000000..cbc5aa2
--- /dev/null
+++ b/distro/pkg/el-7/02-fix-compilation-by-using-SHA-1.patch
@@ -0,0 +1,67 @@
+From: Daniel Salzman <daniel.salzman@nic.cz>
+Date: Mon, 20 Mar 2023 14:57:54 +0100
+Subject: [PATCH] distro/el-7: fix compilation by using SHA-1 for PIN computation
+
+diff --git a/src/libknot/quic/quic.c b/src/libknot/quic/quic.c
+index 5610865f6..555c495d9 100644
+--- a/src/libknot/quic/quic.c
++++ b/src/libknot/quic/quic.c
+@@ -460,7 +460,7 @@ void knot_quic_conn_pin(knot_quic_conn_t *conn, uint8_t *pin, size_t *pin_size,
+ goto error;
+ }
+
+- ret = gnutls_x509_crt_get_key_id(cert, GNUTLS_KEYID_USE_SHA256, pin, pin_size);
++ ret = gnutls_x509_crt_get_key_id(cert, 0, pin, pin_size);
+ if (ret != GNUTLS_E_SUCCESS) {
+ gnutls_x509_crt_deinit(cert);
+ goto error;
+diff --git a/src/utils/common/tls.c b/src/utils/common/tls.c
+index 245dd3f96..6a2e7a986 100644
+--- a/src/utils/common/tls.c
++++ b/src/utils/common/tls.c
+@@ -328,7 +328,7 @@ static int check_certificates(gnutls_session_t session, const list_t *pins)
+
+ uint8_t cert_pin[CERT_PIN_LEN] = { 0 };
+ size_t cert_pin_size = sizeof(cert_pin);
+- ret = gnutls_x509_crt_get_key_id(cert, GNUTLS_KEYID_USE_SHA256,
++ ret = gnutls_x509_crt_get_key_id(cert, 0,
+ cert_pin, &cert_pin_size);
+ if (ret != 0) {
+ gnutls_x509_crt_deinit(cert);
+@@ -336,18 +336,18 @@ static int check_certificates(gnutls_session_t session, const list_t *pins)
+ }
+
+ // Check if correspond to a specified PIN.
+- bool match = check_pin(cert_pin, sizeof(cert_pin), pins);
++ bool match = check_pin(cert_pin, cert_pin_size, pins);
+ if (match) {
+ matches++;
+ }
+
+ uint8_t *txt_pin;
+- ret = knot_base64_encode_alloc(cert_pin, sizeof(cert_pin), &txt_pin);
++ ret = knot_base64_encode_alloc(cert_pin, cert_pin_size, &txt_pin);
+ if (ret < 0) {
+ gnutls_x509_crt_deinit(cert);
+ return ret;
+ }
+- DBG(" SHA-256 PIN: %.*s%s", ret, txt_pin, match ? ", MATCH" : "");
++ DBG(" SHA-1 PIN: %.*s%s", ret, txt_pin, match ? ", MATCH" : "");
+ free(txt_pin);
+
+ gnutls_x509_crt_deinit(cert);
+diff --git a/src/utils/kdig/kdig_params.c b/src/utils/kdig/kdig_params.c
+index 359b8b596..8fd33b011 100644
+--- a/src/utils/kdig/kdig_params.c
++++ b/src/utils/kdig/kdig_params.c
+@@ -707,8 +707,8 @@ static int opt_tls_pin(const char *arg, void *query)
+ if (ret < 0) {
+ ERR("invalid +tls-pin=%s", arg);
+ return ret;
+- } else if (ret != CERT_PIN_LEN) { // Check for 256-bit value.
+- ERR("invalid sha256 hash length +tls-pin=%s", arg);
++ } else if (ret != 20) { // Check for 256-bit value.
++ ERR("invalid sha1 hash length +tls-pin=%s", arg);
+ return KNOT_EINVAL;
+ }
+
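Review bot: In the `kdig_params.c` hunk the length check becomes the bare literal `20` but keeps the comment `// Check for 256-bit value.`, so the code and its comment now disagree; at minimum it should read `} else if (ret != 20) { // Check for 160-bit (SHA-1) value.`, and a named constant next to `CERT_PIN_LEN` would be better than the literal. The subject line says the pin is now SHA-1, so pins on this build are 20 bytes, and SHA-256 pins produced for other builds will be rejected by `+tls-pin` and presumably will not match what `knot_quic_conn_pin()` returns. The patch description should state this incompatibility, and that SHA-1 is a compatibility fallback (apparently for the GnuTLS available on EL 7) rather than a preferred digest for key pinning. All three functions continue outside their hunks.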
diff --git a/distro/pkg/el-7/03-doc-don-t-try-to-import-sphinx_panels.patch b/distro/pkg/el-7/03-doc-don-t-try-to-import-sphinx_panels.patch
new file mode 100644
index 0000000..8ef7e7e
--- /dev/null
+++ b/distro/pkg/el-7/03-doc-don-t-try-to-import-sphinx_panels.patch
@@ -0,0 +1,25 @@
+From c05abb0401d3343b96ced4a6cdd724ee04adfe1b Mon Sep 17 00:00:00 2001
+From: Daniel Salzman <daniel.salzman@nic.cz>
+Date: Mon, 21 Aug 2023 16:54:46 +0200
+Subject: [PATCH] doc: don't try to import sphinx_panels on CentOS 7
+
+
+ 1 file changed, 3 deletions(-)
+
+diff --git a/doc/conf.py b/doc/conf.py
+index fc2e94d96..515241051 100644
+--- a/doc/conf.py
++++ b/doc/conf.py
+@@ -27,9 +27,6 @@ sys.path.insert(0, os.path.abspath('ext'))
+
+ # Add any Sphinx extension module names here, as strings. They can be extensions
+ # coming with Sphinx (named 'sphinx.ext.*') or your custom ones.
+-import importlib.util
+-if importlib.util.find_spec("sphinx_panels"):
+- extensions = [ 'sphinx_panels' ]
+
+ # Add any paths that contain templates here, relative to this directory.
+ templates_path = ['_templates']
+--
+2.25.1
+
diff --git a/distro/pkg/el-7/04-revert-don-t-share-PKCS-11-private-keys.patch b/distro/pkg/el-7/04-revert-don-t-share-PKCS-11-private-keys.patch
new file mode 100644
index 0000000..a13be90
--- /dev/null
+++ b/distro/pkg/el-7/04-revert-don-t-share-PKCS-11-private-keys.patch
@@ -0,0 +1,166 @@
+From 1bad8f831a9fd506516549ac7461f97c689a0c46 Mon Sep 17 00:00:00 2001
+From: Daniel Salzman <daniel.salzman@nic.cz>
+Date: Mon, 11 Dec 2023 17:08:23 +0100
+Subject: [PATCH] Revert "zone-sign: don't share PKCS 11 private keys by
+ multiple signing threads"
+
+This reverts commit 7d63e8e0825e03b8e0608e87b86968c452755c93.
+---
+ src/knot/dnssec/zone-keys.c | 38 +++----------------------------------
+ src/libdnssec/key.h | 4 ++--
+ src/libdnssec/key/key.c | 24 +----------------------
+ tests/libdnssec/test_key.c | 4 ++--
+ 4 files changed, 8 insertions(+), 62 deletions(-)
+
+diff --git a/src/knot/dnssec/zone-keys.c b/src/knot/dnssec/zone-keys.c
+index cd6bf0bb3..d5cccc759 100644
+--- a/src/knot/dnssec/zone-keys.c
++++ b/src/knot/dnssec/zone-keys.c
+@@ -1,4 +1,4 @@
+-/* Copyright (C) 2023 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
++/* Copyright (C) 2022 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+@@ -642,21 +642,6 @@ int zone_key_calculate_ds(zone_key_t *for_key, dnssec_key_digest_t digesttype,
+ return ret;
+ }
+
+-static int dup_zone_key(const zone_key_t *src, zone_key_t *dst)
+-{
+- assert(src);
+- assert(dst);
+-
+- *dst = *src;
+-
+- dst->key = dnssec_key_dup(src->key);
+- if (dst->key == NULL) {
+- return KNOT_ENOMEM;
+- }
+-
+- return KNOT_EOK;
+-}
+-
+ zone_sign_ctx_t *zone_sign_ctx(const zone_keyset_t *keyset, const kdnssec_ctx_t *dnssec_ctx)
+ {
+ zone_sign_ctx_t *ctx = calloc(1, sizeof(*ctx) + keyset->count * sizeof(*ctx->sign_ctxs));
+@@ -665,24 +650,11 @@ zone_sign_ctx_t *zone_sign_ctx(const zone_keyset_t *keyset, const kdnssec_ctx_t
+ }
+
+ ctx->sign_ctxs = (dnssec_sign_ctx_t **)(ctx + 1);
+-
+- ctx->keys = calloc(keyset->count, sizeof(*ctx->keys));
+- if (ctx->keys == NULL) {
+- zone_sign_ctx_free(ctx);
+- return NULL;
+- }
+ ctx->count = keyset->count;
+-
++ ctx->keys = keyset->keys;
+ ctx->dnssec_ctx = dnssec_ctx;
+ for (size_t i = 0; i < ctx->count; i++) {
+- // Clone the key to avoid thread contention on the key mutex.
+- int ret = dup_zone_key(&keyset->keys[i], &ctx->keys[i]);
+- if (ret != KNOT_EOK) {
+- zone_sign_ctx_free(ctx);
+- return NULL;
+- }
+-
+- ret = dnssec_sign_new(&ctx->sign_ctxs[i], ctx->keys[i].key);
++ int ret = dnssec_sign_new(&ctx->sign_ctxs[i], ctx->keys[i].key);
+ if (ret != DNSSEC_EOK) {
+ zone_sign_ctx_free(ctx);
+ return NULL;
+@@ -719,12 +691,8 @@ void zone_sign_ctx_free(zone_sign_ctx_t *ctx)
+ {
+ if (ctx != NULL) {
+ for (size_t i = 0; i < ctx->count; i++) {
+- if (ctx->keys != NULL) {
+- dnssec_key_free(ctx->keys[i].key);
+- }
+ dnssec_sign_free(ctx->sign_ctxs[i]);
+ }
+- free(ctx->keys);
+ free(ctx);
+ }
+ }
+diff --git a/src/libdnssec/key.h b/src/libdnssec/key.h
+index aa8002b4a..2a69d377f 100644
+--- a/src/libdnssec/key.h
++++ b/src/libdnssec/key.h
+@@ -1,4 +1,4 @@
+-/* Copyright (C) 2023 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
++/* Copyright (C) 2022 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+@@ -134,7 +134,7 @@ void dnssec_key_free(dnssec_key_t *key);
+ /*!
+ * Create a copy of a DNSSEC key.
+ *
+- * Public key isn't duplicated.
++ * Only a public part of the key is copied.
+ */
+ dnssec_key_t *dnssec_key_dup(const dnssec_key_t *key);
+
+diff --git a/src/libdnssec/key/key.c b/src/libdnssec/key/key.c
+index 4574bbefb..f36316712 100644
+--- a/src/libdnssec/key/key.c
++++ b/src/libdnssec/key/key.c
+@@ -1,4 +1,4 @@
+-/* Copyright (C) 2023 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
++/* Copyright (C) 2019 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+@@ -141,28 +141,6 @@ dnssec_key_t *dnssec_key_dup(const dnssec_key_t *key)
+ return NULL;
+ }
+
+- if (key->private_key != NULL) {
+- gnutls_privkey_init(&dup->private_key);
+-
+- gnutls_privkey_type_t type = gnutls_privkey_get_type(key->private_key);
+- if (type == GNUTLS_PRIVKEY_PKCS11) {
+-#ifdef ENABLE_PKCS11
+- gnutls_pkcs11_privkey_t tmp;
+- gnutls_privkey_export_pkcs11(key->private_key, &tmp);
+- gnutls_privkey_import_pkcs11(dup->private_key, tmp,
+- GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE);
+-#else
+- assert(0);
+-#endif // ENABLE_PKCS11
+- } else {
+- assert(type == GNUTLS_PRIVKEY_X509);
+- gnutls_x509_privkey_t tmp;
+- gnutls_privkey_export_x509(key->private_key, &tmp);
+- gnutls_privkey_import_x509(dup->private_key, tmp,
+- GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE);
+- }
+- }
+-
+ return dup;
+ }
+
+diff --git a/tests/libdnssec/test_key.c b/tests/libdnssec/test_key.c
+index c3643f08c..cd0aaee0e 100644
+--- a/tests/libdnssec/test_key.c
++++ b/tests/libdnssec/test_key.c
+@@ -1,4 +1,4 @@
+-/* Copyright (C) 2023 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
++/* Copyright (C) 2021 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+@@ -148,7 +148,7 @@ static void test_private_key(const key_parameters_t *params)
+
+ check_key_tag(copy, params);
+ check_key_size(copy, params);
+- check_usage(copy, true, true);
++ check_usage(copy, true, false);
+
+ dnssec_key_free(copy);
+ dnssec_key_free(key);
+--
+2.34.1
+
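Review bot: After this revert `zone_sign_ctx()` stores `ctx->keys = keyset->keys;`, so the context borrows the caller's key array instead of owning clones, and nothing in the new code documents that. A comment on that line such as `// Borrowed from keyset, which must outlive ctx; the keys are shared, not cloned.` would make the ownership explicit, since `zone_sign_ctx_free()` no longer frees them. The removed comment said the clone existed to avoid thread contention on the key mutex, so the patch description should say why EL 7 has to give that up (presumably the GnuTLS private-key export/import calls used by `dnssec_key_dup()` are unavailable there) rather than only naming the reverted commit. Both functions extend beyond their hunks.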
diff --git a/distro/pkg/el-7/knot.service b/distro/pkg/el-7/knot.service
new file mode 100644
index 0000000..a872929
--- /dev/null
+++ b/distro/pkg/el-7/knot.service
@@ -0,0 +1,25 @@
+[Unit]
+Description=Knot DNS server
+Wants=network-online.target
+After=network-online.target
+Documentation=man:knotd(8) man:knot.conf(5) man:knotc(8)
+
+[Service]
+Type=notify
+User=knot
+Group=knot
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETPCAP
+AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_SETPCAP
+ExecStartPre=/usr/sbin/knotc conf-check
+ExecStart=/usr/sbin/knotd -m "$KNOT_CONF_MAX_SIZE"
+ExecReload=/bin/kill -HUP $MAINPID
+Restart=on-abort
+LimitNOFILE=1048576
+TimeoutStopSec=300
+# Extend the systemd startup timeout by this value (seconds) for each zone
+Environment="KNOT_ZONE_LOAD_TIMEOUT_SEC=180"
+# Maximum size (MiB) of a configuration database
+Environment="KNOT_CONF_MAX_SIZE=512"
+
+[Install]
+WantedBy=multi-user.target
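Review bot: The `[Service]` section sets the user and the capability sets but adds no sandboxing for a daemon that parses packets from the network. Directives such as `NoNewPrivileges=yes`, `PrivateTmp=yes` and `ProtectHome=yes` would narrow what a compromised `knotd` can reach without touching `/etc/knot`, `/var/lib/knot` or `/run/knot`. Each one needs to be checked against the systemd release shipped with EL 7 before it is added. `AmbientCapabilities=` should be verified the same way, because a systemd that ignores it would leave `User=knot` without `CAP_NET_BIND_SERVICE` and presumably unable to bind privileged ports.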
diff --git a/distro/pkg/el-7/knot.spec b/distro/pkg/el-7/knot.spec
new file mode 100644
index 0000000..93d05bb
--- /dev/null
+++ b/distro/pkg/el-7/knot.spec
@@ -0,0 +1,333 @@
+%global _hardened_build 1
+%{!?_pkgdocdir: %global _pkgdocdir %{_docdir}/%{name}}
+
+%define GPG_CHECK 0
+%define BASE_VERSION %(echo "%{version}" | sed 's/^\\([^.]\\+\\.[^.]\\+\\).*/\\1/')
+%define repodir %{_builddir}/%{name}-%{version}
+
+Summary: High-performance authoritative DNS server
+Name: knot
+Version: {{ version }}
+Release: cznic.{{ release }}%{?dist}
+License: GPL-3.0-or-later
+URL: https://www.knot-dns.cz
+Source0: %{name}-%{version}.tar.xz
+
+%if 0%{?GPG_CHECK}
+Source1: https://secure.nic.cz/files/knot-dns/%{name}-%{version}.tar.xz.asc
+# PGP keys used to sign upstream releases
+# Export with --armor using command from https://fedoraproject.org/wiki/PackagingDrafts:GPGSignatures
+# Don't forget to update %%prep section when adding/removing keys
+Source100: gpgkey-742FA4E95829B6C5EAC6B85710BB7AF6FEBBD6AB.gpg.asc
+BuildRequires: gnupg2
+%endif
+
+Patch1: 01-revert-AC_PROG_CC.patch
+Patch2: 02-fix-compilation-by-using-SHA-1.patch
+Patch3: 03-doc-don-t-try-to-import-sphinx_panels.patch
+Patch4: 04-revert-don-t-share-PKCS-11-private-keys.patch
+
+# Required dependencies
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: libtool
+BuildRequires: devtoolset-11-make
+BuildRequires: devtoolset-11-gcc
+BuildRequires: pkgconfig(liburcu)
+BuildRequires: pkgconfig(gnutls) >= 3.3
+BuildRequires: pkgconfig(libedit)
+
+# Optional dependencies
+BuildRequires: pkgconfig(libcap-ng)
+BuildRequires: pkgconfig(libidn2)
+BuildRequires: pkgconfig(libmnl)
+BuildRequires: pkgconfig(libnghttp2)
+BuildRequires: pkgconfig(libsystemd)
+BuildRequires: pkgconfig(systemd)
+# dnstap dependencies
+BuildRequires: pkgconfig(libfstrm)
+BuildRequires: pkgconfig(libprotobuf-c)
+# geoip dependencies
+BuildRequires: pkgconfig(libmaxminddb)
+
+# Distro-dependent dependencies
+%if 0%{?suse_version}
+BuildRequires: python3-Sphinx
+BuildRequires: lmdb-devel
+BuildRequires: protobuf-c
+Requires(pre): pwdutils
+%endif
+%if 0%{?rhel} && 0%{?rhel} <= 7
+BuildRequires: python-sphinx
+BuildRequires: lmdb-devel
+%endif
+%if 0%{?fedora} || 0%{?rhel} > 7
+BuildRequires: python3-sphinx
+BuildRequires: pkgconfig(lmdb)
+%endif
+
+# disable XDP on old EL
+%define configure_xdp --enable-xdp=no
+
+Requires(post): systemd %{_sbindir}/runuser
+Requires(preun): systemd
+Requires(postun): systemd
+
+Conflicts: knot-resolver < 5.7.0
+
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
+
+%description
+Knot DNS is a high-performance authoritative DNS server implementation.
+
+%package libs
+Summary: Libraries used by the Knot DNS server and client applications
+
+%description libs
+The package contains shared libraries used by the Knot DNS server and
+utilities.
+
+%package devel
+Summary: Development header files for the Knot DNS libraries
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
+
+%description devel
+The package contains development header files for the Knot DNS libraries
+included in knot-libs package.
+
+%package utils
+Summary: DNS client utilities shipped with the Knot DNS server
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
+# Debian package compat
+Provides: %{name}-dnsutils = %{version}-%{release}
+
+%description utils
+The package contains DNS client utilities shipped with the Knot DNS server.
+
+%package dnssecutils
+Summary: DNSSEC tools shipped with the Knot DNS server
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
+
+%description dnssecutils
+The package contains DNSSEC tools shipped with the Knot DNS server.
+
+%package module-dnstap
+Summary: dnstap module for Knot DNS
+Requires: %{name} = %{version}-%{release}
+
+%description module-dnstap
+The package contains dnstap Knot DNS module for logging DNS traffic.
+
+%package module-geoip
+Summary: geoip module for Knot DNS
+Requires: %{name} = %{version}-%{release}
+
+%description module-geoip
+The package contains geoip Knot DNS module for geography-based responses.
+
+%package doc
+Summary: Documentation for the Knot DNS server
+BuildArch: noarch
+Provides: bundled(jquery)
+
+%description doc
+The package contains documentation for the Knot DNS server.
+On-line version is available on https://www.knot-dns.cz/documentation/
+
+%prep
+%if 0%{?GPG_CHECK}
+export GNUPGHOME=./gpg-keyring
+[ -d ${GNUPGHOME} ] && rm -r ${GNUPGHOME}
+mkdir --mode=700 ${GNUPGHOME}
+gpg2 --import %{SOURCE100}
+gpg2 --verify %{SOURCE1} %{SOURCE0}
+%endif
+%autosetup -p1
+
+%build
+# disable debug code (causes unused warnings)
+CFLAGS="%{optflags} -DNDEBUG -Wno-unused"
+
+%ifarch armv7hl i686
+# 32-bit architectures sometimes do not have sufficient amount of
+# contiguous address space to handle default values
+%define configure_db_sizes --with-conf-mapsize=64
+%endif
+
+autoreconf -if
+
+export CC="/opt/rh/devtoolset-11/root/usr/bin/gcc"
+%configure \
+ --sysconfdir=/etc \
+ --localstatedir=/var/lib \
+ --libexecdir=/usr/lib/knot \
+ --with-rundir=/run/knot \
+ --with-moduledir=%{_libdir}/knot/modules-%{BASE_VERSION} \
+ --with-storage=/var/lib/knot \
+ %{?configure_db_sizes} \
+ %{?configure_xdp} \
+ --disable-static \
+ --enable-dnstap=yes \
+ --with-module-dnstap=shared \
+ --with-module-geoip=shared
+make %{?_smp_mflags}
+make html
+
+%install
+make install DESTDIR=%{buildroot}
+
+# install documentation
+install -d -m 0755 %{buildroot}%{_pkgdocdir}/samples
+install -p -m 0644 -t %{buildroot}%{_pkgdocdir}/samples samples/*.zone*
+install -p -m 0644 NEWS README.md %{buildroot}%{_pkgdocdir}
+cp -av doc/_build/html %{buildroot}%{_pkgdocdir}
+[ -r %{buildroot}%{_pkgdocdir}/html/index.html ] || exit 1
+rm -f %{buildroot}%{_pkgdocdir}/html/.buildinfo
+
+# install daemon and dbus configuration files
+rm %{buildroot}%{_sysconfdir}/%{name}/*
+install -p -m 0644 -D %{repodir}/samples/%{name}.sample.conf %{buildroot}%{_sysconfdir}/%{name}/%{name}.conf
+%if 0%{?fedora} || 0%{?rhel} > 7
+install -p -m 0644 -D %{repodir}/distro/common/cz.nic.knotd.conf %{buildroot}%{_sysconfdir}/dbus-1/system.d/cz.nic.knotd.conf
+%endif
+
+# install systemd files
+install -p -m 0644 -D %{repodir}/distro/pkg/el-7/%{name}.service %{buildroot}%{_unitdir}/%{name}.service
+install -p -m 0644 -D %{repodir}/distro/pkg/el-7/%{name}.tmpfiles %{buildroot}%{_tmpfilesdir}/%{name}.conf
+%if 0%{?suse_version}
+ln -s service %{buildroot}/%{_sbindir}/rcknot
+%endif
+
+# create storage dir
+install -d %{buildroot}%{_sharedstatedir}
+install -d -m 0770 -D %{buildroot}%{_sharedstatedir}/knot
+
+# remove libarchive files
+find %{buildroot} -type f -name "*.la" -delete -print
+
+%check
+V=1 make check
+
+%pre
+getent group knot >/dev/null || groupadd -r knot
+getent passwd knot >/dev/null || \
+ useradd -r -g knot -d %{_sharedstatedir}/knot -s /sbin/nologin \
+ -c "Knot DNS server" knot
+%if 0%{?suse_version}
+%service_add_pre knot.service
+%endif
+
+%post
+systemd-tmpfiles --create %{_tmpfilesdir}/knot.conf &>/dev/null || :
+%if 0%{?suse_version}
+%service_add_post knot.service
+%else
+%systemd_post knot.service
+%endif
+
+%preun
+%if 0%{?suse_version}
+%service_del_preun knot.service
+%else
+%systemd_preun knot.service
+%endif
+
+%postun
+%if 0%{?suse_version}
+%service_del_postun knot.service
+%else
+%systemd_postun_with_restart knot.service
+%endif
+
+%if 0%{?fedora} || 0%{?rhel} > 7
+# https://fedoraproject.org/wiki/Changes/Removing_ldconfig_scriptlets
+%else
+%post libs -p /sbin/ldconfig
+%postun libs -p /sbin/ldconfig
+%endif
+
+%files
+%license COPYING
+%doc %{_pkgdocdir}
+%exclude %{_pkgdocdir}/html
+%attr(770,root,knot) %dir %{_sysconfdir}/knot
+%config(noreplace) %attr(640,root,knot) %{_sysconfdir}/knot/knot.conf
+%if 0%{?fedora} || 0%{?rhel} > 7
+%config(noreplace) %attr(644,root,root) %{_sysconfdir}/dbus-1/system.d/cz.nic.knotd.conf
+%endif
+%attr(770,root,knot) %dir %{_sharedstatedir}/knot
+%dir %{_libdir}/knot
+%dir %{_libdir}/knot/modules-*
+%{_unitdir}/knot.service
+%{_tmpfilesdir}/knot.conf
+%{_sbindir}/kcatalogprint
+%{_sbindir}/kjournalprint
+%{_sbindir}/keymgr
+%{_sbindir}/knotc
+%{_sbindir}/knotd
+%if 0%{?suse_version}
+%{_sbindir}/rcknot
+%endif
+%{_mandir}/man5/knot.conf.*
+%{_mandir}/man8/kcatalogprint.*
+%{_mandir}/man8/kjournalprint.*
+%{_mandir}/man8/keymgr.*
+%{_mandir}/man8/knotc.*
+%{_mandir}/man8/knotd.*
+%ghost %attr(770,root,knot) %dir %{_rundir}/knot
+
+%files utils
+%{_bindir}/kdig
+%{_bindir}/khost
+%{_bindir}/knsupdate
+%if 0%{?use_xdp}
+%{_sbindir}/kxdpgun
+%{_mandir}/man8/kxdpgun.*
+%endif
+%{_mandir}/man1/kdig.*
+%{_mandir}/man1/khost.*
+%{_mandir}/man1/knsupdate.*
+
+%files dnssecutils
+%{_bindir}/knsec3hash
+%{_bindir}/kzonecheck
+%{_bindir}/kzonesign
+%{_mandir}/man1/knsec3hash.*
+%{_mandir}/man1/kzonecheck.*
+%{_mandir}/man1/kzonesign.*
+
+%files module-dnstap
+%{_libdir}/knot/modules-*/dnstap.so
+
+%files module-geoip
+%{_libdir}/knot/modules-*/geoip.so
+
+%files libs
+%license COPYING
+%doc NEWS
+%doc README.md
+%{_libdir}/libdnssec.so.*
+%{_libdir}/libknot.so.*
+%{_libdir}/libzscanner.so.*
+
+%files devel
+%{_includedir}/libdnssec
+%{_includedir}/knot
+%{_includedir}/libknot
+%{_includedir}/libzscanner
+%{_libdir}/libdnssec.so
+%{_libdir}/libknot.so
+%{_libdir}/libzscanner.so
+%{_libdir}/pkgconfig/knotd.pc
+%{_libdir}/pkgconfig/libdnssec.pc
+%{_libdir}/pkgconfig/libknot.pc
+%{_libdir}/pkgconfig/libzscanner.pc
+
+%files doc
+%dir %{_pkgdocdir}
+%doc %{_pkgdocdir}/html
+
+%changelog
+* {{ now }} Jakub Ružička <jakub.ruzicka@nic.cz> - {{ version }}-{{ release }}
+- upstream package
+- see https://www.knot-dns.cz
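Review bot: `%define GPG_CHECK 0` near the top makes the `%if 0%{?GPG_CHECK}` block in `%prep` dead code, so the source tarball is unpacked and built without its upstream signature being verified. If verification is meant to be switched on only for certain builds, a comment on the define should say who sets it to 1 and where integrity is checked otherwise; if not, it should be `%define GPG_CHECK 1` with `Source1` and `Source100` shipped. Separately, `%ghost %attr(770,root,knot) %dir %{_rundir}/knot` disagrees with the `0755 knot knot` entry in `knot.tmpfiles`, so the runtime directory ends up with a different owner and mode than the package declares; one of the two should be changed to match the other.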
diff --git a/distro/pkg/el-7/knot.tmpfiles b/distro/pkg/el-7/knot.tmpfiles
new file mode 100644
index 0000000..edec729
--- /dev/null
+++ b/distro/pkg/el-7/knot.tmpfiles
@@ -0,0 +1,3 @@
+# tmpfiles.d(5) runtime directory for knot
+#Type Path Mode UID GID Age Argument
+ d /run/knot 0755 knot knot - -