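---
# Backups root hardening: the directory tree under BACKUPS_FOLDER_PATH is
# owned by the 'backup' user/group, readable by nobody else, and new entries
# created inside it inherit the same restriction via default (inherited) ACLs.
#
# Task order matters: the base mode is applied first, then the ACL entries,
# then a bounded (depth 0..2, same filesystem) sweep of ownership/mode.

# Ensure the backups root exists and is owned by backup with no group/other access
- name: Ensure backups root exists and owned by backup
  ansible.builtin.file:
    path: "{{ BACKUPS_FOLDER_PATH }}"
    state: directory
    owner: backup
    group: backup
    mode: "0700"

# Explicit access ACL so 'backup' has rwx regardless of the base mode bits.
# 'backup' already owns the directory (u:: rwx from mode 0700), so this named
# entry is belt-and-braces rather than load-bearing.
# NOTE(review): a named-user entry makes the kernel maintain an ACL mask, and
# that mask is what chmod 0700 (the file task above and the chmod sweep below)
# writes through the group bits. The owner's access is unaffected, but the
# file/acl tasks may report 'changed' on every run — confirm on a second run.
- name: Grant ACL rwx on backups root to backup user
  ansible.posix.acl:
    path: "{{ BACKUPS_FOLDER_PATH }}"
    entity: backup
    etype: user
    permissions: rwx
    state: present

# Default (inherited) ACL so entries created under the root — including ones
# written by another uid — carry u:backup:rwx in their access ACL.
# (A second, identical copy of this task was removed: it was a no-op duplicate.)
- name: Set default ACL (inherit) for backup user under backups root
  ansible.posix.acl:
    path: "{{ BACKUPS_FOLDER_PATH }}"
    entity: backup
    etype: user
    permissions: rwx
    default: true
    state: present

# Explicitly pin the default owning-group and other entries to no permissions
# (state: present with '---', rather than absent) so inheritance cannot widen
# access even if the base default entries are later recreated from a looser mode.
- name: Default ACL for group -> none
  ansible.posix.acl:
    path: "{{ BACKUPS_FOLDER_PATH }}"
    etype: group
    permissions: '---'
    default: true
    state: present

- name: Default ACL for other -> none
  ansible.posix.acl:
    path: "{{ BACKUPS_FOLDER_PATH }}"
    etype: other
    permissions: '---'
    default: true
    state: present

# Ownership sweep over the root and two levels below it.
# Uses command/argv instead of shell so the path variable is passed as a
# single argument and never interpreted by a shell ($, backticks, spaces).
# find does not follow symlinks (no -L) and -xdev keeps it on one filesystem,
# so a planted link or bind mount cannot redirect the chown elsewhere.
# Only directories not already backup:backup are printed and fixed, so
# 'changed' reflects real drift instead of being forced to false.
- name: Fix ownership level 0..2 directories to backup:backup
  ansible.builtin.command:
    argv:
      - find
      - "{{ BACKUPS_FOLDER_PATH }}"
      - -maxdepth
      - "2"
      - -xdev
      - -type
      - d
      - "!"
      - "("
      - -user
      - backup
      - -group
      - backup
      - ")"
      - -print
      - -exec
      - chown
      - "backup:backup"
      - "{}"
      - "+"
  register: backups_chown_sweep
  changed_when: backups_chown_sweep.stdout | length > 0

# Mode sweep over the same depth range; same argv/-xdev reasoning as above.
# Only directories whose mode is not exactly 0700 are touched and reported.
# NOTE(review): on a directory that carries a named-user ACL entry the group
# bits reflect the ACL mask, so it will not match -perm 0700 and chmod 700
# will reset that mask on every run — same effect as the unconditional chmod
# this replaces, but now visible as 'changed'.
- name: Fix perms level 0..2 directories to 0700
  ansible.builtin.command:
    argv:
      - find
      - "{{ BACKUPS_FOLDER_PATH }}"
      - -maxdepth
      - "2"
      - -xdev
      - -type
      - d
      - "!"
      - -perm
      - "0700"
      - -print
      - -exec
      - chmod
      - "700"
      - "{}"
      - "+"
  register: backups_chmod_sweep
  changed_when: backups_chmod_sweep.stdout | length > 0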