for apache you need to do the following (in the mattermost vhost):
- set x-frame-options and edit csp to include the domain of your nextcloud:
Header set X-Frame-Options "ALLOW-FROM https://your-nextcloud.server.com"
Header edit Content-Security-Policy ^(.*)$ "$1;frame-ancestors 'self' https://your-nextcloud.server.com"
- unset csp and f-frame in the location block for the api and the mattermost ui by adding
Header unset X-Frame-Options
Header unset Content-Security-Policy
though the way this ultimately works is that 2 enables you to embed mattermost on any site, so you could even skip 1. (with Nginx this is indeed more secure, since you can unset the header only for the proxied request).
Depends on the use case but likely no. What you linked is the toolkit to integrate with Mattermost. So you could technically login to Mattermost. But this does not mean that usernames and passwords will be the same between Mattermost and Nextcloud.
As long as Mattermost does not support OpenID Connect I have already given you two of the existing choices.