build: auto-generate pf rules based on the build type

.gitignore

@@ -81,6 +81,7 @@ client/.DS_Store
 ._.DS_Store
 ._*
 *.dmg
+deploy/data/macos/pf/amn.400.allowPIA.conf
 
 # tmp files
 *.*~

CMakeLists.txt

@@ -42,6 +42,27 @@ if(APPLE)
     endif()
 endif()
 
+if(APPLE AND NOT IOS)
+    if(CMAKE_BUILD_TYPE STREQUAL "Debug")
+        set(AMN_PF_RULE_IDENTITY "user { root }")
+    else()
+        set(AMN_PF_RULE_IDENTITY "group { amnvpn }")
+    endif()
+
+    configure_file(
+        "${CMAKE_SOURCE_DIR}/deploy/data/pf-templates/amn.400.allowPIA.conf.in"
+        "${CMAKE_CURRENT_BINARY_DIR}/amn.400.allowPIA.conf"
+        @ONLY
+    )
+
+    file(COPY_FILE
+        "${CMAKE_CURRENT_BINARY_DIR}/amn.400.allowPIA.conf"
+        "${CMAKE_SOURCE_DIR}/deploy/data/macos/pf/amn.400.allowPIA.conf"
+        ONLY_IF_DIFFERENT
+    )
+endif()
+
+
 add_subdirectory(client)
 
 if(NOT IOS AND NOT ANDROID AND NOT MACOS_NE)

deploy/data/macos/pf/amn.400.allowPIA.conf

@@ -1,2 +0,0 @@
-# Allow traffic by privileged group (used by daemon)
-pass out proto { tcp, udp } group  { amnvpn } flags any no state

deploy/data/pf-templates/amn.400.allowPIA.conf.in

@@ -0,0 +1,2 @@
+# Allow traffic by configured identity (set by CMake)
+pass out proto { tcp, udp } @AMN_PF_RULE_IDENTITY@ flags any no state