Mattermost Team Edition on Ubuntu 24.04 on Azure User Guide
Overview
Mattermost Team Edition is an MIT-licensed, self-hosted team collaboration and messaging platform - the open-source alternative to Slack. It gives your organisation channels, threads, direct messages and file sharing while keeping every conversation on infrastructure you control. The cloudimg image installs Mattermost Team Edition 10.5.5 (the free open-source build - no Enterprise license prompt) to /opt/mattermost and runs it as the dedicated non-root mattermost system user, backs it with a local PostgreSQL 16 database, fronts it with nginx as a reverse proxy on port 80 (with the WebSocket upgrade headers Mattermost's realtime channel needs), keeps all state on a dedicated Azure data disk, and generates a unique System Admin password on first boot. Backed by 24/7 cloudimg support.
What is included:
- Mattermost Team Edition 10.5.5 (MIT-licensed open-source build) served by
mattermost.serviceas the non-rootmattermostuser - A local PostgreSQL 16 database on loopback
127.0.0.1:5432, with a per-VM database password generated on first boot - nginx reverse proxy on port
80, proxying to Mattermost on127.0.0.1:8065with WebSocket upgrade headers for/api/v4/websocket - All state on a dedicated 40 GiB Azure data disk at
/var/lib/mattermost: the file store, plugins, logs and the PostgreSQL data directory - A unique per-VM System Admin account (
admin@cloudimg.local) created non-interactively on first boot, with the password written to a root-only credentials file - Open sign-up disabled by default so only the seeded System Admin exists until you invite users
- An unauthenticated
GET /healthendpoint on nginx for load-balancer and uptime checks - 24/7 cloudimg support
Mattermost binds loopback 127.0.0.1:8065 only; customers reach it through the nginx reverse proxy on port 80. PostgreSQL is never exposed - it listens on 127.0.0.1:5432 only.
Prerequisites
An active Azure subscription, an SSH key pair, and a VNet + subnet in the target region. Standard_B4ms (4 vCPU / 16 GiB RAM) is a good starting point. NSG inbound: allow 22/tcp from your management network and 80/tcp from the clients that will use Mattermost. For production, front the VM with TLS (see the final step) and allow 443/tcp instead of plain 80.
Step 1 - Deploy from the Azure Marketplace
Sign in to the Azure Portal, choose Create a resource, search the Marketplace for Mattermost Team Edition by cloudimg, and select Create. On Basics pick your subscription, resource group, region and size (Standard_B4ms); under Administrator account choose SSH public key and paste your key; under Inbound port rules allow SSH (22) and HTTP (80). Then Review + create -> Create.
Step 2 - Deploy from the Azure CLI
az vm create \
--resource-group <your-rg> \
--name mattermost \
--image <marketplace-image-urn> \
--size Standard_B4ms \
--admin-username azureuser \
--ssh-key-values ~/.ssh/id_ed25519.pub \
--vnet-name <your-vnet> --subnet <your-subnet> \
--public-ip-sku Standard
az vm open-port --resource-group <your-rg> --name mattermost --port 80 --priority 900
Step 3 - Connect to your VM
ssh azureuser@<vm-public-ip>
Step 4 - Confirm Mattermost, PostgreSQL and nginx are running
systemctl is-active postgresql mattermost nginx
You should see three active lines:
active
active
active
Mattermost binds loopback only and nginx fronts it on port 80 - confirm the listeners:
ss -tln | grep -E ':8065|:5432|:80'
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:8065 0.0.0.0:*
LISTEN 0 200 127.0.0.1:5432 0.0.0.0:*
The Mattermost API answers an unauthenticated health ping, and nginx exposes a static /health endpoint for load balancers:
curl -s http://127.0.0.1:8065/api/v4/system/ping
{"status":"OK"}
curl -s -o /dev/null -w '%{http_code}\n' http://localhost/health
200
Step 5 - Retrieve your per-VM System Admin password
Each VM generates its own unique System Admin password on first boot and writes it to a root-only credentials file:
sudo cat /root/mattermost-credentials.txt
The file contains MATTERMOST_ADMIN_PASSWORD, the username (admin), the email (admin@cloudimg.local), the web URL and the System Console URL. Store the password in your secrets manager. In the commands below, <MATTERMOST_ADMIN_PASSWORD> stands for the value of MATTERMOST_ADMIN_PASSWORD.
Step 6 - Sign in to the Mattermost web UI
Open http://<vm-public-ip>/ in a browser. Sign in with the email admin@cloudimg.local and the per-VM password from Step 5.

Once signed in you land in your team's channels - Town Square, Off-Topic and any channels you create. Post messages, start threads, and share files with your team.

Mattermost keeps every conversation self-hosted on your own Azure VM - create channels, threads and direct messages just like any modern team messenger.

Step 7 - Administer the server from the System Console
As the System Admin you can manage users, teams, channels, authentication and server settings from the System Console at http://<vm-public-ip>/admin_console. The Edition and License page confirms you are running the MIT-licensed Team Edition.

Step 8 - Verify authentication from the API
The credentials file drives a real login round-trip. This reads the per-VM password from the file and posts it to the login API, which returns 200 for the correct password (and rejects a wrong one with 401):
PW=$(sudo grep '^MATTERMOST_ADMIN_PASSWORD=' /root/mattermost-credentials.txt | cut -d= -f2-)
curl -s -o /dev/null -w 'login=%{http_code}\n' -X POST -H 'Content-Type: application/json' \
-d "{\"login_id\":\"admin@cloudimg.local\",\"password\":\"$PW\"}" \
http://127.0.0.1:8065/api/v4/users/login
login=200
Step 9 - Where your data lives
All Mattermost state is on the dedicated Azure data disk mounted at /var/lib/mattermost, so it survives image updates and can be snapshotted independently:
df -h /var/lib/mattermost | tail -1
/dev/sda 40G 285M 37G 1% /var/lib/mattermost
The file store (data/), plugins, logs and the PostgreSQL data directory (pgdata/) all live on this disk.
Step 10 - Put TLS in front for production
The image serves plain HTTP on port 80 so you can validate it immediately. Before exposing Mattermost to real users, terminate TLS with your own domain and a certificate. A common approach is to point a DNS record at the VM, add an 443 inbound rule to the NSG, and use Certbot with the nginx plugin to obtain and install a certificate. Set ServiceSettings.SiteURL in the System Console (or config.json) to your https:// URL so links and the realtime WebSocket use the correct host.
Support
This image is maintained and supported by cloudimg with 24/7 support. Mattermost Team Edition is distributed under the MIT license. For product help, contact cloudimg support listed on the Azure Marketplace listing.