diff --git a/docs/deploy-from-script-or-cloud-init-to-localhost.md b/docs/deploy-from-script-or-cloud-init-to-localhost.md
index 4f92c46..8cd79cc 100644
--- a/docs/deploy-from-script-or-cloud-init-to-localhost.md
+++ b/docs/deploy-from-script-or-cloud-init-to-localhost.md
@@ -1,10 +1,14 @@
 # Deploy from script or cloud-init
 
-You can use `install.sh` to prepare the environment and deploy AlgoVPN on the local Ubuntu server in one shot using cloud-init, or run the script directly on the server after it's been created. The script doesn't configure any parameters in your cloud, so it's on your own to configure related [firewall rules](/docs/firewalls.md), a floating ip address and other resources you may need. The output of the install script (including the p12 and CA passwords) and user config files will be installed into the `/opt/algo` directory.
+You can use `install.sh` to prepare the environment and deploy AlgoVPN on the local Ubuntu server in one shot using cloud-init, or run the script directly on the server after it's been created. 
+
+The script doesn't configure any parameters in your cloud, so it's on your own to configure related [firewall rules](/docs/firewalls.md), a floating ip address and other resources you may need. The output of the install script (including the p12 and CA passwords) and user config files will be installed into the `/opt/algo` directory.
 
 ## Cloud init deployment
 
-You can copy-paste the snippet below to the user data (cloud-init or startup script) field when creating a new server. For now this has only been successfully tested on [DigitalOcean](https://www.digitalocean.com/docs/droplets/resources/metadata/), Amazon [EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html) and [Lightsail](https://lightsail.aws.amazon.com/ls/docs/en/articles/lightsail-how-to-configure-server-additional-data-shell-script), [Google Cloud](https://cloud.google.com/compute/docs/startupscript), [Azure](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/using-cloud-init) and [Vultr](https://my.vultr.com/startup/), although Vultr doesn't [officially support cloud-init](https://www.vultr.com/docs/getting-started-with-cloud-init).
+You can copy-paste the snippet below to the user data (cloud-init or startup script) field when creating a new server. 
+
+For now this has only been successfully tested on [DigitalOcean](https://www.digitalocean.com/docs/droplets/resources/metadata/), Amazon [EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html) and [Lightsail](https://lightsail.aws.amazon.com/ls/docs/en/articles/lightsail-how-to-configure-server-additional-data-shell-script), [Google Cloud](https://cloud.google.com/compute/docs/startupscript), [Azure](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/using-cloud-init) and [Vultr](https://my.vultr.com/startup/), although Vultr doesn't [officially support cloud-init](https://www.vultr.com/docs/getting-started-with-cloud-init).
 
 ```
 #!/bin/bash
@@ -14,31 +18,31 @@ The command will prepare the environment and install AlgoVPN with the default pa
 
 ## Variables
 
-`METHOD` -  which method of the deployment to use. Possible values are local and cloud. Default: cloud. The cloud method is intended to use in cloud-init deployments only. If you are not using cloud-init to deploy the server you have to use the local method.
+- `METHOD`: which method of the deployment to use. Possible values are local and cloud. Default: cloud. The cloud method is intended to use in cloud-init deployments only. If you are not using cloud-init to deploy the server you have to use the local method.
 
-`ONDEMAND_CELLULAR` - "Connect On Demand" when connected to cellular networks. Boolean. Default: false.
+- `ONDEMAND_CELLULAR`: "Connect On Demand" when connected to cellular networks. Boolean. Default: false.
 
-`ONDEMAND_WIFI` - "Connect On Demand" when connected to Wi-Fi. Default: false.
+- `ONDEMAND_WIFI`: "Connect On Demand" when connected to Wi-Fi. Default: false.
 
-`ONDEMAND_WIFI_EXCLUDE` - List the names of any trusted Wi-Fi networks where macOS/iOS IPsec clients should not use "Connect On Demand". Comma-separated list.
+- `ONDEMAND_WIFI_EXCLUDE`: List the names of any trusted Wi-Fi networks where macOS/iOS IPsec clients should not use "Connect On Demand". Comma-separated list.
 
-`STORE_PKI` - To retain the PKI. (required to add users in the future, but less secure). Default: false.
+- `STORE_PKI: To retain the PKI. (required to add users in the future, but less secure). Default: false.
 
-`DNS_ADBLOCKING` - To install an ad blocking DNS resolver. Default: false.
+- `DNS_ADBLOCKING`: To install an ad blocking DNS resolver. Default: false.
 
-`SSH_TUNNELING` -  Enable SSH tunneling for each user. Default: false.
+- `SSH_TUNNELING`: Enable SSH tunneling for each user. Default: false.
 
-`ENDPOINT` - The public IP address or domain name of your server: (IMPORTANT! This is used to verify the certificate). It will be gathered automatically for DigitalOcean, AWS, GCE, Azure or Vultr if the `METHOD` is cloud. Otherwise you need to define this variable according to your public IP address.
+- `ENDPOINT`: The public IP address or domain name of your server: (IMPORTANT! This is used to verify the certificate). It will be gathered automatically for DigitalOcean, AWS, GCE, Azure or Vultr if the `METHOD` is cloud. Otherwise you need to define this variable according to your public IP address.
 
-`USERS` - list of VPN users. Comma-separated list. Default: user1.
+- `USERS`: list of VPN users. Comma-separated list. Default: user1.
 
-`REPO_SLUG` - Owner and repository that used to get the installation scripts from. Default: trailofbits/algo.
+- `REPO_SLUG`: Owner and repository that used to get the installation scripts from. Default: trailofbits/algo.
 
-`REPO_BRANCH` - Branch for `REPO_SLUG`. Default: master.
+- `REPO_BRANCH`: Branch for `REPO_SLUG`. Default: master.
 
-`EXTRA_VARS` - Additional extra variables.
+- `EXTRA_VARS`: Additional extra variables.
 
-`ANSIBLE_EXTRA_ARGS` - Any available ansible parameters. ie: `--skip-tags apparmor`.
+- `ANSIBLE_EXTRA_ARGS`: Any available ansible parameters. ie: `--skip-tags apparmor`.
 
 ## Examples
 
diff --git a/roles/common/tasks/facts.yml b/roles/common/tasks/facts.yml
index 6741932..02e88ed 100644
--- a/roles/common/tasks/facts.yml
+++ b/roles/common/tasks/facts.yml
@@ -1,29 +1,12 @@
 ---
-- block:
-  - name: Generate password for the CA key
-    command: openssl rand -hex 16
-    register: CA_password
-
-  - name: Generate p12 export password
-    shell: >
-      openssl rand 8 |
-      python3 -c 'import sys,string; chars=string.ascii_letters + string.digits + "_@"; print("".join([chars[ord(c) % 64] for c in list(sys.stdin.read())]))'
-    register: p12_password_generated
-    when: p12_password is not defined
-    tags: update-users
-    environment:
-      LANG: C
-  become: false
-  delegate_to: localhost
-
 - name: Define facts
   set_fact:
-    p12_export_password: "{{ p12_password|default(p12_password_generated.stdout) }}"
+    p12_export_password: "{{ p12_password|default(lookup('password', '/dev/null length=9 chars=ascii_letters,digits,_,@')) }}"
   tags: update-users
 
 - name: Set facts
   set_fact:
-    CA_password: "{{ CA_password.stdout }}"
+    CA_password: "{{ lookup('password', '/dev/null length=16 chars=ascii_letters,digits,_,@') }}"
     IP_subject_alt_name: "{{ IP_subject_alt_name }}"
 
 - name: Set IPv6 support as a fact
diff --git a/roles/strongswan/templates/mobileconfig.j2 b/roles/strongswan/templates/mobileconfig.j2
index a8123d5..807683f 100644
--- a/roles/strongswan/templates/mobileconfig.j2
+++ b/roles/strongswan/templates/mobileconfig.j2
@@ -8,11 +8,11 @@
         <dict>
             <key>IKEv2</key>
             <dict>
-{% if algo_ondemand_wifi or algo_ondemand_cellular %}
               <key>OnDemandEnabled</key>
-                <integer>1</integer>
+              <integer>{{ 1 if algo_ondemand_wifi or algo_ondemand_cellular else 0 }}</integer>
               <key>OnDemandRules</key>
               <array>
+{% if algo_ondemand_wifi or algo_ondemand_cellular %}
   {% if algo_ondemand_wifi_exclude|b64decode != '_null' %}
     {% set WIFI_EXCLUDE_LIST = (algo_ondemand_wifi_exclude|b64decode|string).split(',') %}
                   <dict>
@@ -52,12 +52,12 @@
                     <key>URLStringProbe</key>
                       <string>http://captive.apple.com/hotspot-detect.html</string>
                   </dict>
+{% endif %}
                   <dict>
                     <key>Action</key>
-                      <string>Disconnect</string>
+                      <string>{{ 'Disconnect' if algo_ondemand_wifi or algo_ondemand_cellular else 'Connect' }}</string>
                   </dict>
                 </array>
-{% endif %}
                 <key>AuthenticationMethod</key>
                 <string>Certificate</string>
                 <key>ChildSecurityAssociationParameters</key>