Harden restore, storage, and post-install error handling, and more

cmd/proxsave/base_dir_test.go

@@ -0,0 +1,28 @@
+package main
+
+import (
+	"path/filepath"
+	"sync"
+	"testing"
+)
+
+func forceDetectedBaseDirForTest(t *testing.T, baseDir string) {
+	t.Helper()
+	origInfo := execInfo
+	origOnce := execInfoOnce
+
+	execPath := filepath.Join(baseDir, "build", "proxsave")
+	execInfo = ExecInfo{
+		ExecPath: execPath,
+		ExecDir:  filepath.Dir(execPath),
+		BaseDir:  baseDir,
+		HasBase:  true,
+	}
+	execInfoOnce = sync.Once{}
+	execInfoOnce.Do(func() {})
+
+	t.Cleanup(func() {
+		execInfo = origInfo
+		execInfoOnce = origOnce
+	})
+}

cmd/proxsave/config_helpers.go

@@ -24,10 +24,7 @@ func resolveInstallConfigPath(configPath string) (string, error) {
 		return configPath, nil
 	}
 
-	baseDir, ok := detectBaseDir()
-	if !ok {
-		return "", fmt.Errorf("unable to determine base directory for configuration")
-	}
+	baseDir, _ := detectedBaseDirOrFallback()
 	return filepath.Join(baseDir, configPath), nil
 }
 
@@ -52,6 +49,37 @@ func setEnvValue(template, key, value string) string {
 	return utils.SetEnvValue(template, key, value)
 }
 
+func unsetEnvValue(template, key string) string {
+	key = strings.TrimSpace(key)
+	if key == "" {
+		return template
+	}
+
+	lines := strings.Split(template, "\n")
+	out := make([]string, 0, len(lines))
+	for _, line := range lines {
+		trimmed := strings.TrimSpace(line)
+		if utils.IsComment(trimmed) {
+			out = append(out, line)
+			continue
+		}
+		parts := strings.SplitN(trimmed, "=", 2)
+		if len(parts) != 2 {
+			out = append(out, line)
+			continue
+		}
+		parsedKey := strings.TrimSpace(parts[0])
+		if fields := strings.Fields(parsedKey); len(fields) >= 2 && fields[0] == "export" {
+			parsedKey = fields[1]
+		}
+		if strings.EqualFold(parsedKey, key) {
+			continue
+		}
+		out = append(out, line)
+	}
+	return strings.Join(out, "\n")
+}
+
 func sanitizeEnvValue(value string) string {
 	value = strings.Map(func(r rune) rune {
 		if r == '\n' || r == '\r' || r == '\x00' {

cmd/proxsave/decrypt_cmd.go

@@ -31,22 +31,12 @@ func runDecryptWorkflowOnly(ctx context.Context, configPath string, bootstrap *l
 		return err
 	}
 
-	cfg, err := config.LoadConfig(configPath)
+	autoBaseDir, _ := detectedBaseDirOrFallback()
+	cfg, err := config.LoadConfigWithBaseDir(configPath, autoBaseDir)
 	if err != nil {
 		return fmt.Errorf("failed to load configuration: %w", err)
 	}
 
-	autoBaseDir, _ := detectBaseDir()
-	if cfg.BaseDir == "" {
-		if autoBaseDir == "" {
-			if _, err := os.Stat("/opt/proxsave"); err == nil {
-				autoBaseDir = "/opt/proxsave"
-			} else {
-				autoBaseDir = "/opt/proxmox-backup"
-			}
-		}
-		cfg.BaseDir = autoBaseDir
-	}
 	_ = os.Setenv("BASE_DIR", cfg.BaseDir)
 
 	logLevel := cfg.DebugLevel

cmd/proxsave/encryption_setup.go

@@ -20,7 +20,8 @@ type encryptionSetupResult struct {
 }
 
 func runInitialEncryptionSetupWithUI(ctx context.Context, configPath string, ui orchestrator.AgeSetupUI) (*encryptionSetupResult, error) {
-	cfg, err := config.LoadConfig(configPath)
+	baseDir, _ := detectedBaseDirOrFallback()
+	cfg, err := config.LoadConfigWithBaseDir(configPath, baseDir)
 	if err != nil {
 		return nil, fmt.Errorf("failed to reload configuration after install: %w", err)
 	}

cmd/proxsave/encryption_setup_test.go

@@ -21,6 +21,7 @@ func TestRunInitialEncryptionSetupWithUIReloadsConfig(t *testing.T) {
 	}
 
 	baseDir := t.TempDir()
+	forceDetectedBaseDirForTest(t, baseDir)
 	configPath := filepath.Join(baseDir, "env", "backup.env")
 	if err := os.MkdirAll(filepath.Dir(configPath), 0o700); err != nil {
 		t.Fatalf("MkdirAll: %v", err)
@@ -59,6 +60,7 @@ func TestRunInitialEncryptionSetupWithUIUsesProvidedUI(t *testing.T) {
 	}
 
 	baseDir := t.TempDir()
+	forceDetectedBaseDirForTest(t, baseDir)
 	configPath := filepath.Join(baseDir, "env", "backup.env")
 	if err := os.MkdirAll(filepath.Dir(configPath), 0o700); err != nil {
 		t.Fatalf("MkdirAll: %v", err)
@@ -107,6 +109,7 @@ func TestRunInitialEncryptionSetupWithUIReusesExistingFileWithoutReportingWrite(
 	}
 
 	baseDir := t.TempDir()
+	forceDetectedBaseDirForTest(t, baseDir)
 	recipientPath := filepath.Join(baseDir, "identity", "age", "recipient.txt")
 	if err := os.MkdirAll(filepath.Dir(recipientPath), 0o700); err != nil {
 		t.Fatalf("MkdirAll: %v", err)

cmd/proxsave/helpers_test.go

@@ -741,10 +741,11 @@ func TestFeaturesNeedNetwork(t *testing.T) {
 
 func TestDisableNetworkFeaturesForRun(t *testing.T) {
 	cfg := &config.Config{
-		TelegramEnabled:     true,
-		EmailEnabled:        true,
-		EmailDeliveryMethod: "relay",
-		CloudEnabled:        true,
+		TelegramEnabled:       true,
+		EmailEnabled:          true,
+		EmailDeliveryMethod:   "relay",
+		EmailFallbackSendmail: true,
+		CloudEnabled:          true,
 	}
 
 	// Mock bootstrap logger (nil is ok for this test)
@@ -757,9 +758,9 @@ func TestDisableNetworkFeaturesForRun(t *testing.T) {
 		t.Error("CloudEnabled should be disabled")
 	}
 
-	// Email with relay should be disabled
-	if cfg.EmailEnabled && cfg.EmailDeliveryMethod == "relay" {
-		t.Error("Email relay should be disabled")
+	// Email relay should switch to local sendmail fallback when enabled.
+	if !cfg.EmailEnabled || cfg.EmailDeliveryMethod != "sendmail" {
+		t.Errorf("Email relay should switch to sendmail fallback, enabled=%v method=%q", cfg.EmailEnabled, cfg.EmailDeliveryMethod)
 	}
 }
 

cmd/proxsave/install.go

@@ -43,7 +43,7 @@ func runInstall(ctx context.Context, configPath string, bootstrap *logging.Boots
 	}
 	configPath = resolvedPath
 
-	baseDir := deriveBaseDirFromConfig(configPath)
+	baseDir, _ := detectedBaseDirOrFallback()
 	_ = os.Setenv("BASE_DIR", baseDir)
 
 	done := logging.DebugStartBootstrap(bootstrap, "install workflow (cli)", "config=%s base=%s", configPath, baseDir)
@@ -393,14 +393,6 @@ func printInstallFooter(installErr error, configPath, baseDir, telegramCode, per
 	fmt.Println()
 }
 
-func deriveBaseDirFromConfig(configPath string) string {
-	baseDir := filepath.Dir(filepath.Dir(configPath))
-	if baseDir == "" || baseDir == "." || baseDir == string(filepath.Separator) {
-		baseDir = "/opt/proxsave"
-	}
-	return baseDir
-}
-
 func cleanupTempConfig(tmpConfigPath string) {
 	if tmpConfigPath == "" {
 		return
@@ -461,6 +453,7 @@ func runConfigWizardCLI(ctx context.Context, reader *bufio.Reader, configPath, t
 	if skipConfigWizard {
 		return installConfigResult{SkipConfigWizard: true}, nil
 	}
+	template = config.RemoveRuntimeDerivedEnvKeys(template)
 
 	logging.DebugStepBootstrap(bootstrap, "install config wizard (cli)", "configuring secondary storage")
 	if template, err = configureSecondaryStorage(ctx, reader, template); err != nil {
@@ -497,6 +490,7 @@ func runConfigWizardCLI(ctx context.Context, reader *bufio.Reader, configPath, t
 	}
 
 	logging.DebugStepBootstrap(bootstrap, "install config wizard (cli)", "writing configuration")
+	template = config.RemoveRuntimeDerivedEnvKeys(template)
 	if err := writeConfigFile(configPath, tmpConfigPath, template); err != nil {
 		return installConfigResult{}, err
 	}
@@ -750,20 +744,55 @@ func configureNotifications(ctx context.Context, reader *bufio.Reader, template
 	}
 
 	fmt.Println("\n--- Email ---")
-	enableEmail, err := promptYesNo(ctx, reader, "Enable email notifications (central relay)? [y/N]: ", false)
+	fmt.Println("Default email delivery uses the TIS24 cloud relay, with local sendmail as failover.")
+	fmt.Println("ProxSave does not collect raw SMTP settings; choose pmf only when Proxmox Notifications is configured.")
+	enableEmail, err := promptYesNo(ctx, reader, "Enable email notifications? [y/N]: ", false)
 	if err != nil {
 		return "", err
 	}
 	if enableEmail {
+		method, err := promptEmailDeliveryMethod(ctx, reader, "relay")
+		if err != nil {
+			return "", err
+		}
 		template = setEnvValue(template, "EMAIL_ENABLED", "true")
-		template = setEnvValue(template, "EMAIL_DELIVERY_METHOD", "relay")
+		template = setEnvValue(template, "EMAIL_DELIVERY_METHOD", method)
+		template = unsetEnvValue(template, "EMAIL_FALLBACK_PMF")
 		template = setEnvValue(template, "EMAIL_FALLBACK_SENDMAIL", "true")
 	} else {
 		template = setEnvValue(template, "EMAIL_ENABLED", "false")
 	}
 	return template, nil
 }
 
+func promptEmailDeliveryMethod(ctx context.Context, reader *bufio.Reader, defaultMethod string) (string, error) {
+	defaultMethod = config.NormalizeEmailDeliveryMethod(defaultMethod)
+	if defaultMethod != "relay" && defaultMethod != "sendmail" && defaultMethod != "pmf" {
+		defaultMethod = "relay"
+	}
+
+	fmt.Println("Email delivery methods:")
+	fmt.Println("  relay    TIS24 cloud relay over outbound HTTPS (default)")
+	fmt.Println("  sendmail Local /usr/sbin/sendmail (fallback/default failover; requires a local MTA)")
+	fmt.Println("  pmf      Proxmox Notifications via proxmox-mail-forward (SMTP lives in Proxmox)")
+	for {
+		resp, err := promptOptional(ctx, reader, fmt.Sprintf("Email delivery method [%s]: ", defaultMethod))
+		if err != nil {
+			return "", err
+		}
+		method := defaultMethod
+		if strings.TrimSpace(resp) != "" {
+			method = config.NormalizeEmailDeliveryMethod(resp)
+		}
+		switch method {
+		case "pmf", "relay", "sendmail":
+			return method, nil
+		default:
+			fmt.Println("Please enter 'pmf', 'relay', or 'sendmail'. Aliases like 'proxmox-notifications' are accepted for pmf.")
+		}
+	}
+}
+
 func configureEncryption(ctx context.Context, reader *bufio.Reader, template *string) (bool, error) {
 	fmt.Println("\n--- Encryption ---")
 	enableEncryption, err := promptYesNo(ctx, reader, "Enable backup encryption? [y/N]: ", false)

cmd/proxsave/install_helpers_test.go

@@ -6,24 +6,64 @@
 	"testing"
 )
 
-func TestDeriveBaseDirFromConfig(t *testing.T) {
-	tests := []struct {
-		name       string
-		configPath string
-		want       string
-	}{
-		{"typical", "/opt/proxsave/env/backup.env", "/opt/proxsave"},
-		{"root file fallback", "/backup.env", "/opt/proxsave"},
-		{"relative fallback", "backup.env", "/opt/proxsave"},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			if got := deriveBaseDirFromConfig(tt.configPath); got != tt.want {
-				t.Fatalf("deriveBaseDirFromConfig(%q) = %q, want %q", tt.configPath, got, tt.want)
-			}
-		})
-	}
+func TestResolveBaseDirFromExecutablePath(t *testing.T) {
+	t.Run("standard proxsave build layout", func(t *testing.T) {
+		got, found := resolveBaseDirFromExecutablePath("/opt/proxsave/build/proxsave")
+		if !found || got != "/opt/proxsave" {
+			t.Fatalf("base dir = %q, found=%v; want /opt/proxsave true", got, found)
+		}
+	})
+
+	t.Run("standard legacy build layout", func(t *testing.T) {
+		got, found := resolveBaseDirFromExecutablePath("/opt/proxmox-backup/build/proxsave")
+		if !found || got != "/opt/proxmox-backup" {
+			t.Fatalf("base dir = %q, found=%v; want /opt/proxmox-backup true", got, found)
+		}
+	})
+
+	t.Run("symlink to installed binary", func(t *testing.T) {
+		root := t.TempDir()
+		base := filepath.Join(root, "proxsave")
+		build := filepath.Join(base, "build")
+		if err := os.MkdirAll(build, 0o755); err != nil {
+			t.Fatalf("MkdirAll: %v", err)
+		}
+		target := filepath.Join(build, "proxsave")
+		if err := os.WriteFile(target, []byte("#!/bin/sh\n"), 0o755); err != nil {
+			t.Fatalf("WriteFile: %v", err)
+		}
+		linkDir := filepath.Join(root, "bin")
+		if err := os.MkdirAll(linkDir, 0o755); err != nil {
+			t.Fatalf("MkdirAll link dir: %v", err)
+		}
+		link := filepath.Join(linkDir, "proxsave")
+		if err := os.Symlink(target, link); err != nil {
+			t.Fatalf("Symlink: %v", err)
+		}
+
+		got, found := resolveBaseDirFromExecutablePath(link)
+		if !found || got != base {
+			t.Fatalf("base dir = %q, found=%v; want %q true", got, found, base)
+		}
+	})
+
+	t.Run("install marker", func(t *testing.T) {
+		base := t.TempDir()
+		if err := os.MkdirAll(filepath.Join(base, "configs"), 0o755); err != nil {
+			t.Fatalf("MkdirAll marker: %v", err)
+		}
+		got, found := resolveBaseDirFromExecutablePath(filepath.Join(base, "bin", "proxsave"))
+		if !found || got != base {
+			t.Fatalf("base dir = %q, found=%v; want %q true", got, found, base)
+		}
+	})
+
+	t.Run("fallback", func(t *testing.T) {
+		got, found := resolveBaseDirFromExecutablePath(filepath.Join(t.TempDir(), "proxsave"))
+		if found || got != "/opt/proxsave" {
+			t.Fatalf("base dir = %q, found=%v; want /opt/proxsave false", got, found)
+		}
+	})
 }
 
 func TestCleanupTempConfig(t *testing.T) {