feat: Add TLS encryption to MQTT bridge for secure connection to base station #537

Open
char1ss4 wants to merge 1 commit into Northeastern-Electric-Racing:develop from char1ss4:Charissa/feature/mqtt-encryption

@char1ss4

Changes

Configured the base station's MQTT bridge to connect to the car over TLS on port 8883, while keeping the local listener on port 1883 so existing services can remain unencrypted prior to integration. This is the first step towards fully encrypting MQTT communications on the NER network, but for now encryption has been configured on both the car and the base station.

siren-base/mosquitto/mosquitto.conf

  • Updated bridge address from 192.168.100.12 to 192.168.100.12:8883
  • Uncommented and configured bridge TLS settings: bridge_cafile, bridge_certfile, bridge_keyfile, bridge_tls_version tlsv1.2, bridge_insecure false
  • Local listener remains on port 1883 (no change for other services)

siren-base/mosquitto/.gitignore

  • Added .gitignore to exclude certificate private keys (.key) and certificate files (.crt) from version control

secure_mqtt.patch

  • Included patch file containing the full port migration (1883→8883) for all services, to be applied in a future PR when ready to migrate everything to encrypted connections

Notes

  • The local listener intentionally stays on 1883. Other services (scylla-server, calypso, etc.) remain on unencrypted connections until this setup is fully tested
  • Certificates and keys are distributed separately outside of git for security
  • The secure_mqtt.patch contains changes to all compose files, scylla-server/src/main.rs, and siren-base/compose.siren.yml for the eventual full migration to 8883
  • Related Odysseus PR: Charissa/feature/mqtt-encryption (TLS config on car side)

Test Cases

  • Verified car broker starts successfully on port 8883 with TLS
  • Verified messages sent and received using mosquitto_pub and mosquitto_sub

To Do

  • Adding a dual listener for local apps (port 1883 for local apps, 8883 for encrypted bridge)
  • Test all car-side applications after adding the local listener

@char1ss4 char1ss4 self-assigned this Feb 25, 2026
Copilot AI review requested due to automatic review settings February 25, 2026 21:20
@char1ss4 char1ss4 changed the title from "feat: Add TLS encryption to MQTT bridge for secure connection to car" to "feat: Add TLS encryption to MQTT bridge for secure connection to base station" Feb 25, 2026
Copilot AI left a comment

Pull request overview

Adds TLS configuration for the base station’s Mosquitto MQTT bridge so it can connect securely to the car broker on port 8883, while keeping a local unencrypted listener on 1883 for existing services.

Changes:

  • Added a full Mosquitto configuration including a TLS-enabled bridge to 192.168.100.12:8883.
  • Added a .gitignore under siren-base/mosquitto/ to keep cert/key material out of version control.
  • Added secure_mqtt.patch as a future, repo-wide 1883→8883 migration patch.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| siren-base/mosquitto/mosquitto.conf | Introduces Mosquitto config with bridge-to-car TLS settings and keeps local listener on 1883. |
| siren-base/mosquitto/.gitignore | Ignores .key and .crt files in the mosquitto config directory. |
| secure_mqtt.patch | Adds a “future migration” patch for changing services to use 8883. |

Comment on lines +1 to +4
diff --git a/compose/compose.brick.yml b/compose/compose.brick.yml
index 007ef16..f7c2537 100644
--- a/compose/compose.brick.yml
+++ b/compose/compose.brick.yml

Copilot AI Feb 25, 2026

This patch file references paths that don't exist in the current repo (e.g., compose/compose.*.yml and siren-base/compose.siren.yml), so it won’t apply cleanly and is likely to become stale. Consider removing it from version control (or moving it to external documentation/issue notes) unless it’s kept in sync with the current file layout and validated with git apply.

Copilot uses AI. Check for mistakes.

#include_dir

max_qos 2 # *** moved to bottom see bug https://github.com/eclipse/mosquitto/issues/2991

Copilot AI Feb 25, 2026

max_qos 2 has an inline comment. Mosquitto only treats # as a comment when it starts the line, so this will be parsed as part of the value and can prevent the broker from starting. Move the comment onto its own line above (or make the whole line a comment) so the directive is just max_qos 2.

Suggested change
max_qos 2 # *** moved to bottom see bug https://github.com/eclipse/mosquitto/issues/2991
# *** moved to bottom see bug https://github.com/eclipse/mosquitto/issues/2991
max_qos 2

Comment on lines +150 to +156
allow_anonymous true

# -----------------------------------------------------------------
# Default authentication and topic access control
# -----------------------------------------------------------------

#password_file
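Review bot: allow_anonymous true on the first line of this hunk, with #password_file still commented out at the end, means the TLS added to the bridge protects only the link to the car and does not restrict who can publish on the local broker, since any client that reaches the 1883 listener is accepted without credentials. If 1883 has to stay open during the migration, bind that listener to the loopback or container-network address and add an acl_file limiting which topics unauthenticated clients can write, then set allow_anonymous false once password_file is populated.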

Copilot AI Feb 25, 2026

The MQTT broker is configured with allow_anonymous true, which means any client that can reach this listener can connect, subscribe, and publish without authentication. If port 1883 is exposed on the host or network (as suggested by the accompanying compose configuration), an attacker on the network could inject or read MQTT messages destined for the car, potentially controlling or monitoring vehicle functions. Consider disabling anonymous access and requiring authentication and/or mutual TLS for this listener, or strictly binding it to a trusted interface/network segment so that only trusted services can connect.

Suggested change
allow_anonymous true
# -----------------------------------------------------------------
# Default authentication and topic access control
# -----------------------------------------------------------------
#password_file
allow_anonymous false
# -----------------------------------------------------------------
# Default authentication and topic access control
# -----------------------------------------------------------------
password_file /mosquitto/config/passwordfile

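The checks raised in the review comments above, written as an added example (not code from this PR or from the Mosquitto project): a small linter that flags inline `#` text on directive lines, `allow_anonymous true`, and a bridge that has no CA configured or sets `bridge_insecure true`. The sample config is constructed, the connection name and CA path are placeholders, and a single `connection` block is assumed.

```python
import re

# Constructed sample config for illustration (not the PR's actual file).
# The connection name and CA path are placeholders; one bridge is assumed.
SAMPLE_CONF = """\
# base station broker
listener 1883
allow_anonymous true
#password_file
connection car-bridge
address 192.168.100.12:8883
bridge_cafile /mosquitto/config/certs/ca.crt
bridge_tls_version tlsv1.2
bridge_insecure false
max_qos 2 # *** moved to bottom
"""

def lint_mosquitto_conf(text):
    """Return (line_number, finding) tuples for the issues raised in the review."""
    findings, seen = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # only a '#' at the start of a line begins a comment
        key, _, value = line.partition(" ")
        value = value.strip()
        seen[key] = n
        if re.search(r"\s#", line):
            findings.append((n, f"inline '#' is read as part of the {key} value"))
        if key == "allow_anonymous" and value == "true":
            findings.append((n, "clients may connect without credentials"))
        if key == "bridge_insecure" and value == "true":
            findings.append((n, "bridge skips server hostname verification"))
    # A bridge without bridge_cafile/bridge_capath has no certificate-based TLS.
    if "connection" in seen and not {"bridge_cafile", "bridge_capath"} & seen.keys():
        findings.append((seen["connection"], "bridge has no CA configured for TLS"))
    return findings

if __name__ == "__main__":
    for n, msg in lint_mosquitto_conf(SAMPLE_CONF):
        print(f"line {n}: {msg}")
```
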