From d15b7c57e628924ff824c6d6afb2d1d5dba8a0f0 Mon Sep 17 00:00:00 2001
From: Jack Ivanov <e601809@gmail.com>
Date: Tue, 21 Jan 2020 11:49:36 +0100
Subject: [PATCH] Generate mobileconfigs for WireGuard

---
 roles/wireguard/tasks/main.yml            | 10 ++-
 roles/wireguard/tasks/mobileconfig.yml    | 10 +++
 roles/wireguard/templates/mobileconfig.j2 | 25 ++++++
 roles/wireguard/templates/vpn-dict.j2     | 94 +++++++++++++++++++++++
 4 files changed, 138 insertions(+), 1 deletion(-)
 create mode 100644 roles/wireguard/tasks/mobileconfig.yml
 create mode 100644 roles/wireguard/templates/mobileconfig.j2
 create mode 100644 roles/wireguard/templates/vpn-dict.j2

diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml
index 4e38762..7e1fbc1 100644
--- a/roles/wireguard/tasks/main.yml
+++ b/roles/wireguard/tasks/main.yml
@@ -8,7 +8,8 @@
     - "{{ wireguard_pki_path }}/preshared"
     - "{{ wireguard_pki_path }}/private"
     - "{{ wireguard_pki_path }}/public"
-    - "{{ wireguard_config_path }}"
+    - "{{ wireguard_config_path }}/apple/ios"
+    - "{{ wireguard_config_path }}/apple/macos"
   delegate_to: localhost
   become: false
 
@@ -51,6 +52,13 @@
       vars:
         index: "{{ item.0 }}"
 
+    - include_tasks: mobileconfig.yml
+      loop:
+        - ios
+        - macos
+      loop_control:
+        loop_var: system
+
     - name: Generate QR codes
       shell: >
         umask 077;
diff --git a/roles/wireguard/tasks/mobileconfig.yml b/roles/wireguard/tasks/mobileconfig.yml
new file mode 100644
index 0000000..0e192b4
--- /dev/null
+++ b/roles/wireguard/tasks/mobileconfig.yml
@@ -0,0 +1,10 @@
+---
+- name: WireGuard apple mobileconfig generated
+  template:
+    src: mobileconfig.j2
+    dest: "{{ wireguard_config_path }}/apple/{{ system }}/{{ item.1 }}.mobileconfig"
+    mode: "0600"
+  with_indexed_items:  "{{ wireguard_users }}"
+  when: item.1 in users
+  vars:
+    index: "{{ item.0 }}"
diff --git a/roles/wireguard/templates/mobileconfig.j2 b/roles/wireguard/templates/mobileconfig.j2
new file mode 100644
index 0000000..6c3f33e
--- /dev/null
+++ b/roles/wireguard/templates/mobileconfig.j2
@@ -0,0 +1,25 @@
+#jinja2:lstrip_blocks: True
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>PayloadContent</key>
+	<array>
+    {% include 'vpn-dict.j2' %}
+  </array>
+  <key>PayloadDisplayName</key>
+  <string>AlgoVPN {{ algo_server_name }} WireGuard</string>
+  <key>PayloadIdentifier</key>
+  <string>donut.local.{{ 500000 | random | to_uuid | upper }}</string>
+  <key>PayloadOrganization</key>
+  <string>AlgoVPN</string>
+  <key>PayloadRemovalDisallowed</key>
+  <false/>
+  <key>PayloadType</key>
+  <string>Configuration</string>
+  <key>PayloadUUID</key>
+  <string>{{ 400000 | random | to_uuid | upper }}</string>
+  <key>PayloadVersion</key>
+  <integer>1</integer>
+</dict>
+</plist>
diff --git a/roles/wireguard/templates/vpn-dict.j2 b/roles/wireguard/templates/vpn-dict.j2
new file mode 100644
index 0000000..6444df9
--- /dev/null
+++ b/roles/wireguard/templates/vpn-dict.j2
@@ -0,0 +1,94 @@
+<dict>
+	<key>IPv4</key>
+  <dict>
+      <key>OverridePrimary</key>
+      <integer>1</integer>
+  </dict>
+	<key>PayloadDescription</key>
+	<string>Configures VPN settings</string>
+	<key>PayloadDisplayName</key>
+	<string>{{ algo_server_name }}</string>
+	<key>PayloadIdentifier</key>
+	<string>com.apple.vpn.managed.{{ algo_server_name + system | to_uuid | upper }}</string>
+	<key>PayloadType</key>
+	<string>com.apple.vpn.managed</string>
+	<key>PayloadUUID</key>
+	<string>{{ algo_server_name + system | to_uuid | upper }}</string>
+	<key>PayloadVersion</key>
+	<integer>1</integer>
+	<key>Proxies</key>
+	<dict>
+		<key>HTTPEnable</key>
+		<integer>0</integer>
+		<key>HTTPSEnable</key>
+		<integer>0</integer>
+	</dict>
+	<key>UserDefinedName</key>
+	<string>AlgoVPN {{ algo_server_name }}</string>
+	<key>VPN</key>
+	<dict>
+    <key>OnDemandEnabled</key>
+    <integer>{{ 1 if algo_ondemand_wifi or algo_ondemand_cellular else 0 }}</integer>
+    <key>OnDemandRules</key>
+    <array>
+      {% if algo_ondemand_wifi or algo_ondemand_cellular %}
+      {% if algo_ondemand_wifi_exclude|b64decode != '_null' %}
+      {% set WIFI_EXCLUDE_LIST = (algo_ondemand_wifi_exclude|b64decode|string).split(',') %}
+      <dict>
+        <key>Action</key>
+        <string>Disconnect</string>
+        <key>InterfaceTypeMatch</key>
+        <string>WiFi</string>
+        <key>SSIDMatch</key>
+        <array>
+          {% for network_name in WIFI_EXCLUDE_LIST %}
+          <string>{{ network_name|e }}</string>
+          {% endfor %}
+        </array>
+      </dict>
+      {% endif %}
+      <dict>
+        <key>Action</key>
+        {% if algo_ondemand_wifi %}
+        <string>Connect</string>
+        {% else %}
+        <string>Disconnect</string>
+        {% endif %}
+        <key>InterfaceTypeMatch</key>
+        <string>WiFi</string>
+        <key>URLStringProbe</key>
+        <string>http://captive.apple.com/hotspot-detect.html</string>
+      </dict>
+      <dict>
+        <key>Action</key>
+        {% if algo_ondemand_cellular %}
+        <string>Connect</string>
+        {% else %}
+        <string>Disconnect</string>
+        {% endif %}
+        <key>InterfaceTypeMatch</key>
+        <string>Cellular</string>
+        <key>URLStringProbe</key>
+        <string>http://captive.apple.com/hotspot-detect.html</string>
+      </dict>
+      {% endif %}
+      <dict>
+        <key>Action</key>
+        <string>{{ 'Disconnect' if algo_ondemand_wifi or algo_ondemand_cellular else 'Connect' }}</string>
+      </dict>
+    </array>
+		<key>AuthenticationMethod</key>
+		<string>Password</string>
+		<key>RemoteAddress</key>
+		<string>{{ IP_subject_alt_name }}:{{ wireguard_port }}</string>
+	</dict>
+	<key>VPNSubType</key>
+	<string>com.wireguard.{{ system }}</string>
+	<key>VPNType</key>
+	<string>VPN</string>
+	<key>VendorConfig</key>
+	<dict>
+		<key>WgQuickConfig</key>
+		<string>{{- lookup('template', 'client.conf.j2') | indent(8) }}</string>
+	</dict>
+</dict>