2025 — 2026 IoT Embedded Security Cloud

BLE-to-Cloud IoT Pipeline

A fully containerized, end-to-end IoT system: ESP32 sensor node → BLE GATT → Raspberry Pi gateway → Mosquitto MQTT with mTLS → Node-RED → InfluxDB → Grafana. Every layer is secured, auto-provisioned, and production-grade.

Six services. One compose file. Zero plaintext.

This project implements a complete IoT data pipeline that bridges embedded hardware and cloud-style infrastructure. The goal was to build a system that a real-world deployment could use — not just a demo — with mutual TLS authentication on every service boundary, containerized infrastructure that spins up from a single command, and auto-provisioned Grafana dashboards that appear on first boot.

The data flows from a DHT22 temperature/humidity sensor wired to an ESP32, transmitted over Bluetooth Low Energy using standard GATT Environmental Sensing profiles, received and forwarded by a Python container running on a Raspberry Pi 5, brokered through Mosquitto with TLS 1.3 and mutual certificate authentication, processed and reformatted by Node-RED, stored in InfluxDB, and finally visualised in Grafana — all without a single plaintext connection in the chain.

Data pipeline

ESP32: DHT22 sensor, FreeRTOS tasks
BLE GATT: UUID 0x2A6E / 0x2A6F notifications
BLE Container: Python / BlueZ pydbus
Mosquitto: TLS 1.3 + mTLS broker
Node-RED: Subscribe, reformat, write
InfluxDB: Time-series storage
Grafana: Live dashboard

FREERTOS CONCURRENCY

Sensor reading, BLE communication, and logging run as independent FreeRTOS tasks communicating via queues.

MUTUAL TLS

Every service presents a unique CA-signed certificate. Identity is mapped from the certificate Common Name — no passwords.

AUTO-PROVISIONING

Datasources, dashboards, and service credentials are initialized on first startup from declarative YAML files.

WATCHDOG RECONNECTION

The BLE container automatically re-establishes connections on drop without requiring a container restart.

Technologies used

HARDWARE: ESP32, Raspberry Pi 5, DHT22
FIRMWARE: C, FreeRTOS, Arduino / PlatformIO
WIRELESS: BLE GATT, MQTT
SECURITY: TLS 1.3, mTLS, OpenSSL CA
INFRASTRUCTURE: Podman, podman-compose, Mosquitto
BACKEND: Node-RED, InfluxDB v2, Grafana, Python

Zero-trust MQTT layer

A key focus of this project was demonstrating production-grade IoT security on commodity hardware. Rather than relying on username/password authentication, every service boundary uses certificate-based mutual TLS authentication against a self-signed root CA.

LAYER | SECURITY MEASURE
Transport | TLS 1.3 mandatory — plaintext connections rejected at broker
Authentication | Certificate-based mTLS; identity from certificate CN
InfluxDB access | Read-only token for Grafana; write token restricted to Node-RED
Credentials | Grafana admin password via Podman secrets — never plaintext on disk
Network exposure | Backend services bound to localhost; accessible only via SSH tunneling
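
How the Transport and Authentication rows can be expressed in a Mosquitto broker configuration, shown as an added example that is not the project's own config. The file paths, the client certificate CNs (`ble-gateway`, `node-red`) and the `sensors/` topic names are assumptions made for illustration.

```conf
# ---- mosquitto.conf (illustrative; paths are assumed) ----
# Only a TLS listener is defined. With no listener on 1883,
# plaintext clients have nothing to connect to.
listener 8883

# Root CA that signed every service certificate, plus the
# broker's own certificate and private key.
cafile /mosquitto/certs/ca.crt
certfile /mosquitto/certs/broker.crt
keyfile /mosquitto/certs/broker.key

# Refuse any handshake below TLS 1.3.
tls_version tlsv1.3

# Mutual TLS: a client without a certificate signed by cafile
# is rejected during the handshake.
require_certificate true

# Use the client certificate's Common Name as the MQTT username,
# so no password file is needed.
use_identity_as_username true
allow_anonymous false

# Per-identity topic permissions, keyed on the certificate CN.
acl_file /mosquitto/config/acl

# ---- /mosquitto/config/acl (separate file; CNs and topics are assumed) ----
# The BLE container may only publish sensor readings.
user ble-gateway
topic write sensors/#

# Node-RED may only subscribe to them.
user node-red
topic read sensors/#
```

Mosquitto only recognises `#` comments at the start of a line, so the comments here sit on their own lines rather than after a directive.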