diff --git a/manifests/site.pp b/manifests/site.pp
index 1aa2411b99..e1610bf076 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -468,7 +468,7 @@ node /^elasticsearch0[1-7]\.openstack\.org$/ {
 # Node-OS: xenial
 node /^firehose\d+\.openstack\.org$/ {
   class { 'openstack_project::server':
-    iptables_public_tcp_ports => [22, 80, 1883],
+    iptables_public_tcp_ports => [22, 80, 1883, 8080, 8883],
     sysadmins                 => hiera('sysadmins', []),
   }
   class { 'openstack_project::firehose':
@@ -476,6 +476,9 @@ node /^firehose\d+\.openstack\.org$/ {
     gerrit_public_key   => hiera('germqtt_gerrit_ssh_public_key'),
     gerrit_private_key  => hiera('germqtt_gerrit_ssh_private_key'),
     mqtt_password       => hiera('mqtt_service_user_password'),
+    ca_file             => hiera('mosquitto_tls_ca_file'),
+    cert_file           => hiera('mosquitto_tls_server_cert_file'),
+    key_file            => hiera('mosquitto_tls_server_key_file'),
   }
 }
 
diff --git a/modules/openstack_project/manifests/firehose.pp b/modules/openstack_project/manifests/firehose.pp
index d663b272b8..49418cff34 100644
--- a/modules/openstack_project/manifests/firehose.pp
+++ b/modules/openstack_project/manifests/firehose.pp
@@ -22,11 +22,18 @@ class openstack_project::firehose (
   $mqtt_hostname = 'firehose01.openstack.org',
   $mqtt_password,
   $mqtt_username = 'infra',
+  $ca_file,
+  $cert_file,
+  $key_file,
 ) {
   include mosquitto
   class {'mosquitto::server':
     infra_service_username => $mqtt_username,
     infra_service_password => $mqtt_password,
+    enable_tls             => true,
+    ca_file                => $ca_file,
+    cert_file              => $cert_file,
+    key_file               => $key_file,
   }
 
   include germqtt