The problem here is that XFCE runs in dom0 (or in sys-gui/sys-gui-gpu if you enable this feature), i.e. in a domain that does not have network access. And for good reason, you probably don’t want to run an email program (even if it’s just a checker) in a priviledged domain.
So you will need a networked qube to run your mail checker anyway, and it’s likely the one where you run thunderbird would be a good choice.
Now the problem could be restated as “how can you have an xfce widget reflect information from a qube ?”. I don’t think that’s supported out of the box today. This could surely be implemented with a small qrexec service, though: you’d need a custom widget showing you a flag that can be (re)set from a qrexec call, and configure your mail checker to issue qrexec calls so you can see the result.
But this introduces untrusted information in a region of the screen managed by dom0. Great care should be taken here: don’t introduce a qrexec call to set a custom bitmap for example, just stick with “on/off” behaviour or similar, and I’d recommend to decorate the custom widget with the VM’s color.
And from your dom0 widget, you can add an action that uses qvm-run to launch thunderbird.
In no way I am trying to have this running in dom0 but either in a sys-vpn or sys-whonix most likely.
xfce can run as well in templates as much as gnome does (that is why you have fedora-34-xfce template for instance)
I do have an applet called Network Manager (nm-applet) running in my sys-net (and in sys-vpn or sys-whonix for its kind) so why I cannot have a similar applet running ?
So I guess there is a certain level of integration within QubesOS that can permit to show applet from appVM within the dom0 xfce menu.
So I guess there is a certain level of integration within QubesOS that can permit to show applet from appVM within the dom0 xfce menu.
Absolutely.
I have a mail proxy called Davmail (Java program that interfaces with Outlook Web Access and then exposes SMTP/IMAP/CALDAV/LDAP etc) running in a qube and its tray icon shows up just fine.
There is a HP LaserJet driver running in my offline qubes and it shows it’s tray icon just fine.
When I run VLC in respective qubes, it’s tray icon shows just fine.
Conclusion: If the program runs in your qube and it has a tray icon, it should show. Maybe look for error messages when running the program, it might be missing dependencies?
@Guillaume, I suppose the issue is that the mail watcher you are looking at is a plugin, which means it would require the actual XFCE4 tray to run inside the qube (which it doesn’t). So I don’t think you can make that one work.
However there are alternatives. I just quickly tried ‘birdtray’ and it works as expected.
I did quickly try on a dispVM with birdtray and it seems to work indeed…
Do you know by any chance if they is a command to start a qubes within one ?
I have try my luck with qvm-run-vm email thunderbird but I got Request refused
I have try my luck with qvm-run-vm email thunderbird but I got Request refused
If you run qvm-run-vm --help it will tell you:
Executes a command in another VM using the qubes.VMShell RPC service.
That tells you that you need to edit the respective policy file to allow this. Think about it: you wouldn’t want any program to be able to run (and pass parameters) to any other program in another qube. That’s pretty much the opposite of compartmentalization. However in some cases – like yours – it might make sense to allow a specific interaction.
Hence edit /etc/qubes-rpc/policy/qubes.VMShell in dom0.
Find the line above $anyvm $dispvm allow and add the following above it:
$anyvm mail ask,default_target=mail
Where mail is the name of the qube that runs Thunderbird. This will allow any qube to try to execute a command in the mail qube but you will see a dom0 prompt first. I highly recommend doing this, so you have to manually allow the action. The idea is that you know that you clicked your mail tray icon and expect this dialog. If you ever see it unexpected, then you should cancel it to protect yourself.
If you don’t want the additional dialog then replace ask, default_target=mail with allow. Also, if you want to only allow this from a specific qube you can replace the $anyvm with the name of the qube that runs your birdtray instance.
The above is for R4.0. In R4.1 I hear all the policies moved into a single file, but I am sure once you locate and open it there will be instructions inside.
Shout out for gnubiff - gnubiff --systemtray gives icon in system
tray under Xfce, with notifications, previews, and configurable to run
action. If you didnt want to run it in the thunderbird qube (which would
be my suggestion) you could have a simple qrexec service in the
“watching” qube to launch thunderbird in the thunderbird qube.
I have choosen to install it in my sys-vpn template, being with a fedora 34 minimal template.
In my template I activated the repo for gnubiff like that dnf copr enable scx/gnubiff
