JARVIS

# OTF Mattermost

- **Status:** active
- **Workspace:** [OTF] Optimified
- **Created:** Tue Mar 24
- **Updated:** Wed Mar 25

## Overview

Self-hosted Mattermost instance for Optimified team communication.

## Infrastructure

- **Platform:** Railway
- **Railway Account:** mike@optimified.com
- **Railway Project:** otf-mattermost (`b0a7afdf-d8b3-4bb9-a7cf-8e75a9cb6d76`)
- **Services:** Docker (Mattermost), Postgres
- **Database:** Dedicated Postgres (own instance within project)
- **Railway Domain:** docker-production-1879.up.railway.app
- **Custom Domain:** comms.optimified.com (Cloudflare proxied)
- **Port:** 8065
- **File Storage:** Cloudflare R2 (`otf-mattermost` bucket)
- **SMTP:** Google Workspace (smtp.gmail.com:587, STARTTLS, mike@optimified.com app password)
- **Cloudflare:** See [[cloudflare-optimified]] for proxy, R2, and security config
- **Admin Account:** mike@optimified.com

## Environment Variables

| Variable | Purpose |
|----------|---------|
| `MM_BLEVESETTINGS_INDEXDIR` | Bleve search index directory |
| `MM_FILESETTINGS_AMAZONS3ACCESSKEYID` | R2 access key |
| `MM_FILESETTINGS_AMAZONS3BUCKET` | R2 bucket (`otf-mattermost`) |
| `MM_FILESETTINGS_AMAZONS3ENDPOINT` | R2 endpoint |
| `MM_FILESETTINGS_AMAZONS3REGION` | R2 region (`auto`) |
| `MM_FILESETTINGS_AMAZONS3SECRETACCESSKEY` | R2 secret key |
| `MM_FILESETTINGS_AMAZONS3SIGNV2` | S3 Signature V2 (`false`) |
| `MM_FILESETTINGS_AMAZONS3SSL` | SSL enabled (`true`) |
| `MM_FILESETTINGS_DRIVERNAME` | File storage driver (`amazons3`) |
| `MM_FILESETTINGS_MAXFILESIZE` | Max upload file size (100MB) |
| `MM_SERVICESETTINGS_LISTENADDRESS` | Internal listen address (`:8065`) |
| `MM_SERVICESETTINGS_SITEURL` | Public site URL |
| `MM_SQLSETTINGS_DATASOURCE` | Postgres connection string |
| `MM_SQLSETTINGS_DRIVERNAME` | Database driver (`postgres`) |
| `MM_EMAILSETTINGS_SMTPSERVER` | SMTP server (`smtp.gmail.com`) |
| `MM_EMAILSETTINGS_SMTPPORT` | SMTP port (`587`) |
| `MM_EMAILSETTINGS_CONNECTIONSECURITY` | SMTP security (`STARTTLS`) |
| `MM_EMAILSETTINGS_ENABLESMTPAUTH` | SMTP auth enabled (`true`) |
| `MM_EMAILSETTINGS_SMTPUSERNAME` | SMTP username (mike@optimified.com) |
| `MM_EMAILSETTINGS_SMTPPASSWORD` | SMTP app password |
| `MM_EMAILSETTINGS_SENDEMAILNOTIFICATIONS` | Email notifications enabled (`true`) |
| `MM_EMAILSETTINGS_REQUIREEMAILVERIFICATION` | Email verification required (`true`) |
| `MM_EMAILSETTINGS_FEEDBACKEMAIL` | Sender address (mike@optimified.com) |
| `MM_EMAILSETTINGS_FEEDBACKNAME` | Sender name (`Optimified Comms`) |
| `MM_EMAILSETTINGS_REPLYTOADDRESS` | Reply-to address (mike@optimified.com) |
| `MM_SERVICESETTINGS_ENABLEMULTIFACTORAUTHENTICATION` | MFA enabled (`true`) |
| `MM_SERVICESETTINGS_ENFORCEMULTIFACTORAUTHENTICATION` | MFA enforced (`true`) |
| `MM_TEAMSETTINGS_ENABLEOPENSERVER` | Allow open team registration (`false`) |
| `PORT` | Railway port binding (`8065`) |
| `TZ` | Timezone (`Asia/Manila`) |

## System Console Settings (via UI)

Settings changed from defaults in the Mattermost System Console:

| Setting | Value | Reason |
|---------|-------|--------|
| Enable Account Creation | True | Must be True for email invites to work (open server is off, so no self-registration) |
| Enable Email Invitations | True | Admin can send invite emails |
| Show Full Name | False | Privacy for team members |
| Enable users to open DM channels with | Any member of the team | Team communication |
| Require Email Verification | True | Verify invitee email addresses |
| Multi-factor Authentication | Enabled + Enforced | All users must set up TOTP |
| Push Notification Server | `https://push.mattermost.com` | Production HPNS (set via env var) |
| Playbooks plugin | Disabled | Requires paid license |
| AI/Agents plugin | Disabled | No AI service configured yet |
| Calls plugin | Enabled | Voice calls + screen sharing only — no video calls in free/OSS edition |
| Matterpoll plugin | Enabled | `/poll "Question" "A" "B"` for team decisions |
| GitHub plugin | Installed | OAuth app connected; webhook returning 401 — webhook secret mismatch, needs fix |
| Plugin uploads | Enabled | `MM_PLUGINSETTINGS_ENABLEUPLOADS=true` |

## Permissions (Default Scheme)

**All Members** — minimal permissions:

- Create Posts
- Edit Own Posts
- Delete Own Posts
- Post Reactions
- Channel Mentions

Everything else (channel creation, rename, delete, manage members, edit/delete others' posts) is restricted to **Team and System Admins** only.

**Admin Settings:**

- Allow anyone to create a team: **False**
- DM channels: **Any member of the team**

## Migration History

### 2026-03-25: Migrated to dedicated Railway project

Previously part of the shared `otf-n8n-mattermost-umami` project (old `optimified` project, now deleted) under mike@automeyt.com Railway account. Shared Postgres caused DB contention issues (see Known Issues below). Fresh deploy from Railway Mattermost template into dedicated `otf-mattermost` project under mike@optimified.com Railway account. Clean start — no data migration. File storage switched from S3 to Cloudflare R2.

## Known Issues (Historical)

### 2026-03-14: DB store errors (old shared project) — RESOLVED

Massive storm of recurring errors every 1-2 minutes for ~8 hours due to shared Postgres contention. No longer applicable — now on dedicated Postgres.

### 2026-03-24: "Couldn't connect to this server" from client — RESOLVED

Domain moved to new Cloudflare account. Old account's auto-imported A/AAAA records caused conflicts. Fix: deleted stale A/AAAA records, set CNAME to DNS-only for Railway verification, changed port from 8443 to 8065, then re-enabled Cloudflare proxy. SSL mode: Full (Strict).

### 2026-03-25: SiteURL typo causing DNS failures — RESOLVED

`MM_SERVICESETTINGS_SITEURL` was set to `comms.optimifed.com` (missing 'i'). The mattermost-ai plugin was making requests to the misspelled domain, causing `ERR_NAME_NOT_RESOLVED`. Fix: corrected env var to `https://comms.optimified.com`.

### 2026-03-25: WebSocket 403 through Cloudflare proxy — RESOLVED

WebSocket upgrades to `wss://comms.optimified.com/api/v4/websocket` returned 403. Caused by Cloudflare's Browser Integrity Check rejecting the WebSocket handshake. Fix: created Cloudflare Configuration Rule to disable Browser Integrity Check for `comms.optimified.com`.
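
The SiteURL typo recorded under Known Issues, and the MFA, registration and transport values listed under Environment Variables, can be checked mechanically before a deploy. The following Python check is an added example, not part of the original runbook or of Mattermost itself; `audit_env`, `REQUIRED`, `GOOD_ENV` and `TYPO_ENV` are hypothetical names, the sample dictionaries are constructed, and the expected values are copied from the tables on this page.

```python
from urllib.parse import urlsplit

# Expected values copied from the tables on this page (assumption: these
# are the intended steady-state settings for this instance).
EXPECTED_HOST = "comms.optimified.com"
REQUIRED = {
    "MM_SERVICESETTINGS_ENABLEMULTIFACTORAUTHENTICATION": "true",
    "MM_SERVICESETTINGS_ENFORCEMULTIFACTORAUTHENTICATION": "true",
    "MM_TEAMSETTINGS_ENABLEOPENSERVER": "false",
    "MM_EMAILSETTINGS_REQUIREEMAILVERIFICATION": "true",
    "MM_EMAILSETTINGS_CONNECTIONSECURITY": "STARTTLS",
    "MM_FILESETTINGS_AMAZONS3SSL": "true",
    "MM_FILESETTINGS_AMAZONS3SIGNV2": "false",
}


def audit_env(env, expected_host=EXPECTED_HOST):
    """Return a list of findings; an empty list means no drift."""
    findings = []
    site_url = env.get("MM_SERVICESETTINGS_SITEURL", "")
    parts = urlsplit(site_url)
    if parts.scheme != "https":
        findings.append(f"SITEURL: scheme must be https, got {site_url!r}")
    # Compare the parsed host exactly, so a one-letter typo is caught
    # before plugins start resolving the wrong domain.
    if (parts.hostname or "") != expected_host:
        findings.append(f"SITEURL: host {parts.hostname!r} != {expected_host!r}")
    for name, want in REQUIRED.items():
        got = env.get(name)
        if got is None:
            findings.append(f"{name}: not set (want {want})")
        elif got.strip().lower() != want.lower():
            findings.append(f"{name}: {got!r} (want {want})")
    return findings


# Constructed sample inputs: the documented configuration, and the same
# configuration with the misspelled SiteURL from the 2026-03-25 incident.
GOOD_ENV = dict(REQUIRED, MM_SERVICESETTINGS_SITEURL="https://comms.optimified.com")
TYPO_ENV = dict(GOOD_ENV, MM_SERVICESETTINGS_SITEURL="comms.optimifed.com")

if __name__ == "__main__":
    import os
    for finding in audit_env(dict(os.environ)):
        print(finding)
```

Run inside the service container it audits the live environment; it reads only non-secret variables, so its output is safe to keep in deploy logs.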