Table of Contents

14 — Mattermost Configuration

1. Purpose
2. Network Architecture
3. Port Exposure
4. Database Configuration
5. File Storage (MinIO)
6. TURN Integration (WebRTC)
7. Persistent Storage
8. Initial Setup
9. Security Recommendations
10. Backup Strategy
11. Verification

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

14 — Mattermost Configuration

This page documents the Mattermost configuration used in production.

Snapshot date: 2026-02
Stack: apps
Image: mattermost/mattermost-enterprise-edition:release-11.4
Mode: Docker Swarm

1. Purpose

Mattermost provides:

Internal team communication
Channels and direct messaging
File sharing (via MinIO)
WebRTC calls (via TURN)

Mattermost is exposed publicly only through Nginx (HTTPS).

2. Network Architecture

Mattermost is attached to:

internal (PostgreSQL + MinIO access)
web

Internal dependencies:

PostgreSQL → data_postgres
MinIO → data_minio
TURN → system coturn service

3. Port Exposure

Mattermost container internal port:

Port	Purpose
8065	Internal web server

This port is NOT exposed publicly.

Nginx forwards traffic:

https://mattermost.your-domain.com
→ http://apps_mattermost:8065

Verify:

sudo docker service inspect apps_mattermost

Ensure no published ports except through Nginx.

4. Database Configuration

Mattermost connects to PostgreSQL:

Host: data_postgres
Port: 5432
Database: mattermost
User: mattermost
Password: injected via Docker secret

Secret mounted at:

/run/secrets/mm_db_password

Recommended configuration pattern:

MM_SQLSETTINGS_DATASOURCE=postgres://mattermost:<password>@data_postgres:5432/mattermost?sslmode=disable

Password should not be hardcoded; use secret injection.

5. File Storage (MinIO)

Mattermost uses MinIO for file storage.

Configuration parameters:

S3 endpoint: http://data_minio:9000
Bucket: mattermost
Access key: secret
Secret key: secret
Force path style: true

Secrets used:

mm_minio_access_key
mm_minio_secret_key

All injected via Docker secrets.

6. TURN Integration (WebRTC)

Mattermost Calls requires TURN.

TURN URL example:

turn:turn.your-domain.com:3478?transport=udp

Authentication:

Shared secret (same as coturn static-auth-secret)

Ensure firewall allows:

3478/udp
49160–49200/udp

7. Persistent Storage

Mattermost data directory:

/mattermost/data

This must be backed by a persistent Docker volume.

Verify:

sudo docker volume ls

Inspect:

sudo docker volume inspect <mattermost_volume>

Loss of this volume results in file loss.

8. Initial Setup

On first deployment:

Access:
```
https://mattermost.your-domain.com
```
Create admin account
Configure:
- Database
- File storage
- SMTP (if required)
- TURN settings

After setup, disable open registration.

9. Security Recommendations

Disable open registration
Restrict system console access
Enforce HTTPS only
Monitor disk usage
Rotate secrets if compromised

10. Backup Strategy

Minimum backup requirements:

PostgreSQL dump
MinIO bucket backup
Mattermost data volume

Database backup example:

sudo docker exec -t data_postgres pg_dump -U postgres mattermost > mattermost.sql

Volume backup example:

sudo tar -czf mattermost-files.tar.gz /var/lib/docker/volumes/<mattermost_volume>/_data

Store backups externally and encrypted.

11. Verification

Check service:

sudo docker service ls | grep mattermost

Check logs:

sudo docker service logs apps_mattermost

Test connectivity:

Web UI loads
File upload works
Call works (TURN functional)