Have access to internet on dom0 only for checking email script

I’m using Qubes OS with i3 and polybar.
I have a module/script that check emails and notify if there are unread emails or not.
The problem is that from dom0 I can’t run it as there is no access to internet …
Is it there a way to allow ONLY access to my email in order to be able to receive if any unread emails?

It is possible to enable networking and internet access to dom0 but it is not intended to be used like that.
Is there a limitation to you running the module / script in an AppVM as intended?

1 Like

dom0 should never connect directly to the internet, you can use qvm-run from dom0 to retrieve your email in another VM and then copy that to dom0.

1 Like

Dom0 should only be used for managing VMs, otherwise you are risking to compromise the whole system. Why can’t you do that in a VM? VMs can show notifications just fine.

Not sure how to do that in a vm as I need polybar to start right after I logged in so the config should be in dom0.
Regarding having this task on another vm, how can I exucute the code from dom0 (or should i create a cron om that vm)?

You can autostart any VM when your system boots (there is a tick in the VM’s preferences) and autostart any script inside that VM (see instructions for the corresponding OS).

You should not touch dom0 at all if this is possible.

1 Like

You can use qvm-run from dom0 to run apps in a VM. qvm-start will start a VM.

Probably stupid question: polybar, i3, conky, rofi should still be installed on dom0, right?
But all scripts that require internet should be on another vm. Am I right?

In general, you should avoid installing anything in dom0 as much as possible: https://www.qubes-os.org/doc/how-to-install-software-in-dom0/.

However, you listed things connected to displaying, so yes, they have to be installed in dom0 to work. In the future version Qubes 4.1 there will be a separate VM for displaying things, sys-gui.


Nice. First time I’m using Qubes and like it. Sounds like the future of it it will be even better/safer.

1 Like

You can achieve your goal by exploiting the Qrexec communication mechanism provided by Qubes and the qvm-run command line utility.

Some assumptions, feel free to replace:

  • my-qube is the name of the qube monitoring the email account
  • my.Service is the name of the qrexec service doing the monitoring
  • inside my-qube you have set up a monitoring script/executable in the path /my/monitoring/script
  • the monitoring script runs forever and outputs a polybar-formatted line in tail mode

Start with creating the file /rw/usrlocal/etc/qubes-rpc/my.Service with a content resembling the following (you can also symlink your monitoring script, just be sure it’s an executable):

exec /my/monitoring/script

Then configure your custom/script with the following command in tail mode:
qvm-run --pass-io my-qube --service my.Service </dev/null

For more informations:
Qrexec: secure communication across domains | Qubes OS (qubes-os.org)
Qubes OS Forum (qubes-os.org)