From a290f10abf35d429aa36b1e69527bde7b440b732 Mon Sep 17 00:00:00 2001 From: Pavel Raiskup Date: Thu, 16 Oct 2025 11:44:28 +0200 Subject: [PATCH] copr-be: avoid rsync_opts (not idempotent) --- roles/copr/backend/tasks/resalloc.yml | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/roles/copr/backend/tasks/resalloc.yml b/roles/copr/backend/tasks/resalloc.yml index 732d59a580..9d4f7e42a9 100644 --- a/roles/copr/backend/tasks/resalloc.yml +++ b/roles/copr/backend/tasks/resalloc.yml @@ -117,13 +117,24 @@ synchronize: src: "resalloc_provision/" dest: "/var/lib/resallocserver/resalloc_provision/" - rsync_opts: - - "--chown=resalloc:resalloc" - - "--chmod=D700,F600" - - "--chmod=a+X" tags: - provision_config +- name: Resalloc, perms for provisioning files, D700, F600, Preserve Executable + ansible.builtin.file: + path: "/var/lib/resallocserver/resalloc_provision/" + owner: resalloc + group: resalloc + # The mode 'u=rwX,g=,o=' achieves the required complex permissions: + # - u=rw: Base 600 permissions for owner. + # - X: Adds executable bit only if path is a directory (700) or was already executable (700). + # - g=,o=: Explicitly removes permissions from group and others (resulting in D700/F600). + mode: 'u=rwX,g=,o=' + state: directory + recurse: yes + tags: + - provision_config + - name: Resalloc, scripts ansible.builtin.template: src="resalloc/{{ item }}.j2" dest="/var/lib/resallocserver/resalloc_provision/{{ item }}" mode=755
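Review bot: Moving ownership and mode out of the rsync call leaves a gap between the `synchronize` task and the new `ansible.builtin.file` task: files land under `/var/lib/resallocserver/resalloc_provision/` with whatever owner and mode rsync carries over from the source tree, and are tightened to D700/F600 only when the second task runs, so a play that aborts in between leaves them that way. Whether the parent directory already blocks group/other access is not visible here, and the `synchronize` task's `- name:` line and any other options sit above the hunk. If that task keeps the module's default archive behaviour, each run will presumably re-apply source-side permissions and ownership before the file task resets them, so both tasks may keep reporting `changed`, which is the non-idempotence this commit sets out to remove. Consider adding `perms: false`, `owner: false` and `group: false` to the `synchronize` task so rsync leaves those attributes to the file task, and write `recurse: true` rather than `recurse: yes`.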