Alcali is a front-end for Salt to store jobs run result.

It also offers conformity checks: run periodically the highstate to determine if the server is still in deployed state. This is the killer feature we're interested in.

Security challenges for this deployment:

• Risk to store credentials if:
  • file.managed using them doesn't use show_output: False
  • stored as docker containers environment variables (it doesn't currently offer show_output: False)
• Need to be deployed on Complector or a dedicated Docker engine for infra not publicly reachable -> document SSH tunnel or VPN use

Useful links:

• https://github.com/latenighttales/alcali
• https://alcali.dev/
• https://alcali.dev/views/conformity/