linked device, device tasks and certs in database

nginx/dev.conf

@@ -98,25 +98,25 @@ server {
   }
 
   # ---- mTLS-protected paths ----
-  location ^~ /records {
+  location ^~ /api/records {
     if ($ssl_client_verify != SUCCESS) { 
       return 495; 
     }
-    proxy_pass http://snoop-api:8080;
+    proxy_pass http://snoop-api:8080/;
   }
 
-  location ^~ /tasks {
+  location ^~ /api/tasks {
     if ($ssl_client_verify != SUCCESS) { 
       return 495; 
     }
-    proxy_pass http://snoop-api:8080;
+    proxy_pass http://snoop-api:8080/;
   }
 
-  location ^~ /renew {
+  location ^~ /api/renew {
     if ($ssl_client_verify != SUCCESS) { 
       return 495; 
     }
-    proxy_pass http://snoop-api:8080;
+    proxy_pass http://snoop-api:8080/;
   }
 
   # MediaMTX HLS
@@ -158,4 +158,19 @@ server {
     proxy_set_header Connection $connection_upgrade;
   }
 
+  location ^~ /api/ {
+    proxy_pass http://snoop-api:8080/;   # trailing slash strips /api
+    proxy_http_version 1.1;
+    proxy_set_header Host              $host;
+    proxy_set_header X-Real-IP         $remote_addr;
+    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+
+    # (Optional) WS/SSE friendly defaults
+    proxy_set_header Upgrade    $http_upgrade;
+    proxy_set_header Connection $connection_upgrade;
+    proxy_read_timeout 3600s;
+    proxy_send_timeout 3600s;
+  }
+
 }

server/internal/handlers/mediamtx.go

@@ -227,7 +227,7 @@ func (h *MediaMTXHandler) StartStreamPayload(guid string) (string, error) {
 		return "", err
 	}
 	whip := fmt.Sprintf("%s/whip/%s?token=%s",
-		strings.TrimRight(h.cfg.WebRTCBaseURL, "/"),
+		strings.TrimRight(h.cfg.PublicBaseURL, "/"),
 		path,
 		url.QueryEscape(tok),
 	)

server/internal/models/cert.go

@@ -13,6 +13,7 @@ type DeviceCertificate struct {
 	NotAfter   time.Time
 	PemCert    string `gorm:"type:text"` // PEM of leaf cert
 	CreatedAt  time.Time
+	Device     Device `gorm:"constraint:OnDelete:CASCADE;foreignKey:DeviceGUID;references:GUID"`
 }
 
 // “Instant kill” list checked by the mTLS guard before allowing access.

server/internal/models/device.go

@@ -3,10 +3,12 @@ package models
 import "time"
 
 type Device struct {
-	GUID      string   `gorm:"primaryKey"`
+	GUID      string              `gorm:"primaryKey"`
-	Name      string   `gorm:"size:255;not null"`
+	Name      string              `gorm:"size:255;not null"`
-	Users     []User   `gorm:"many2many:user_devices;constraint:OnDelete:CASCADE;"`
+	Users     []User              `gorm:"many2many:user_devices;constraint:OnDelete:CASCADE;"`
-	Records   []Record `gorm:"foreignKey:DeviceGUID;references:GUID;constraint:OnDelete:CASCADE"`
+	Records   []Record            `gorm:"foreignKey:DeviceGUID;references:GUID;constraint:OnDelete:CASCADE"`
+	Tasks     []DEviceTask        `gorm:"foreignKey:DeviceGUID;references:GUID;constraint:OnDelete:CASCADE"`
+	Certs     []DeviceCertificate `gorm:"foreignKey:DeviceGUID;references:GUID;constraint:OnDelete:CASCADE"`
 	CreatedAt time.Time
 	UpdatedAt time.Time
 }

server/internal/models/task.go

@@ -48,4 +48,5 @@ type DEviceTask struct {
 
 	// Optional: small attempt/lease system if you ever need retries/timeouts
 	// Attempts int `gorm:"not null;default:0"`
+	Device Device `gorm:"constraint:OnDelete:CASCADE;foreignKey:DeviceGUID;references:GUID"`
 }