From 76d9bf468d1594727d7f735f468fcec104769d72 Mon Sep 17 00:00:00 2001
From: cd-amn
Date: Tue, 21 Apr 2026 14:54:59 +0400
Subject: [PATCH] build: auto-generate pf rules based on the build type
---
 .gitignore | 1 +
 CMakeLists.txt | 21 +++++++++++++++++++
 deploy/data/macos/pf/amn.400.allowPIA.conf | 2 --
 .../pf-templates/amn.400.allowPIA.conf.in | 2 ++
 4 files changed, 24 insertions(+), 2 deletions(-)
 delete mode 100644 deploy/data/macos/pf/amn.400.allowPIA.conf
 create mode 100644 deploy/data/pf-templates/amn.400.allowPIA.conf.in
diff --git a/.gitignore b/.gitignore
index a48886bfc..90430b7ee 100644
--- a/.gitignore
+++ b/.gitignore
@@ -81,6 +81,7 @@ client/.DS_Store
 ._.DS_Store
 ._*
 *.dmg
+deploy/data/macos/pf/amn.400.allowPIA.conf
 # tmp files
 *.*~
diff --git a/CMakeLists.txt b/CMakeLists.txt
index ca4ab5f83..5c0ad58ff 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -42,6 +42,27 @@ if(APPLE)
 endif()
 endif()
+if(APPLE AND NOT IOS)
+ if(CMAKE_BUILD_TYPE STREQUAL "Debug")
+ set(AMN_PF_RULE_IDENTITY "user { root }")
+ else()
+ set(AMN_PF_RULE_IDENTITY "group { amnvpn }")
+ endif()
+
+ configure_file(
+ "${CMAKE_SOURCE_DIR}/deploy/data/pf-templates/amn.400.allowPIA.conf.in"
+ "${CMAKE_CURRENT_BINARY_DIR}/amn.400.allowPIA.conf"
+ @ONLY
+ )
+
+ file(COPY_FILE
+ "${CMAKE_CURRENT_BINARY_DIR}/amn.400.allowPIA.conf"
+ "${CMAKE_SOURCE_DIR}/deploy/data/macos/pf/amn.400.allowPIA.conf"
+ ONLY_IF_DIFFERENT
+ )
+endif()
+
+
 add_subdirectory(client)
 if(NOT IOS AND NOT ANDROID AND NOT MACOS_NE)
diff --git a/deploy/data/macos/pf/amn.400.allowPIA.conf b/deploy/data/macos/pf/amn.400.allowPIA.conf
deleted file mode 100644
index 7c8a36808..000000000
--- a/deploy/data/macos/pf/amn.400.allowPIA.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-# Allow traffic by privileged group (used by daemon)
-pass out proto { tcp, udp } group { amnvpn } flags any no state
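Review bot: The Debug branch emits `user { root }`, which in pf matches every socket owned by root rather than only the daemon's group, and the `file(COPY_FILE ...)` step then writes that variant into `deploy/data/macos/pf/` in the source tree, where the same commit git-ignores it. A tree last configured as Debug therefore leaves the broad rule on disk with nothing in version control to show it, and any packaging step that reads that path (not visible in this hunk) would pick it up. Consider keeping the generated file only in `${CMAKE_CURRENT_BINARY_DIR}` and pointing packaging at it, and adding `message(WARNING "pf rule uses user { root }; not for distribution")` to the Debug branch. Note also that `CMAKE_BUILD_TYPE` is empty under multi-config generators such as Xcode, so the choice is made once at configure time and falls through to the group rule whatever configuration is actually built.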
diff --git a/deploy/data/pf-templates/amn.400.allowPIA.conf.in b/deploy/data/pf-templates/amn.400.allowPIA.conf.in
new file mode 100644
index 000000000..20f7ec9f0
--- /dev/null
+++ b/deploy/data/pf-templates/amn.400.allowPIA.conf.in
@@ -0,0 +1,2 @@
+# Allow traffic by configured identity (set by CMake)
+pass out proto { tcp, udp } @AMN_PF_RULE_IDENTITY@ flags any no state
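Review bot: The template comment no longer says who the rule is for, and the generated file gives no hint of which identity was substituted. A comment such as `# Release builds: group { amnvpn } (daemon only). Debug builds: user { root } (all root-owned sockets).` would make a Debug-generated file recognisable when it is inspected on a host. The substituted value comes from `AMN_PF_RULE_IDENTITY` in CMakeLists.txt, so the comment and that branch need to stay in step.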