From 7d04e40a48ee4764fb3668e2d5686bf97375e58a Mon Sep 17 00:00:00 2001 From: Padreug Date: Sat, 16 May 2026 08:50:34 +0200 Subject: [PATCH] dev-stack: pin nostr-transport keypair + allow LAN HTTP for dev MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Two small fixes that surfaced during the v2-bitspire end-to-end test on 2026-05-15 against a real Sintra ATM: 1. `NOSTR_TRANSPORT_PRIVATE_KEY` / `NOSTR_TRANSPORT_PUBLIC_KEY` are now forwarded from the local `.env` into the lnbits container's environment. Without a pinned key LNbits auto-generates a fresh server keypair on every container restart, which breaks any ATM previously provisioned against the old pubkey (encryption target no longer exists from LNbits' point of view → RPCs land on the relay but the dispatcher never picks them up → cash-out hangs at "generating invoice"). The `.env` file is gitignored so the actual keypair stays out of the repo; rotate by regenerating + re- provisioning all ATMs. 2. `AUTH_HTTPS_ONLY: "false"` — LNbits' auth cookies default to requiring HTTPS, which blocks LAN access from a non-localhost browser (e.g. another machine on 192.168.0.x reaching the dev instance). Safe to disable for the dev stack; production-shaped deployments must keep it true. --- .gitignore | 3 +++ docker-compose.dev.yml | 18 +++++++++++++----- 2 files changed, 16 insertions(+), 5 deletions(-) diff --git a/.gitignore b/.gitignore index e60bd79..f5ccb13 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,6 @@ +# Local-only compose overrides (LNBITS_SRC, etc.). Auto-loaded by docker compose. +.env + data !data/boltz diff --git a/docker-compose.dev.yml b/docker-compose.dev.yml index ecd32aa..aa58dbe 100644 --- a/docker-compose.dev.yml +++ b/docker-compose.dev.yml 
@@ -21,6 +21,9 @@ services:
 LNBITS_PORT: 5001
 DEBUG: true
 LNBITS_ADMIN_UI: true
+ # Allow LAN/HTTP access for dev (auth cookies don't require HTTPS).
+ # Keep TRUE for any production-shaped deployment.
+ AUTH_HTTPS_ONLY: "false"
 LNBITS_BACKEND_WALLET_CLASS: "FakeWallet"
 LNBITS_DATA_FOLDER: "./data"
 LNBITS_EXTENSIONS_PATH: "/shared"
@@ -29,13 +32,18 @@ services:
 LNBITS_ADMIN_EXTENSIONS: "nostrclient,nostrrelay,satmachineadmin"
 LNBITS_USER_DEFAULT_EXTENSIONS: "lnurlp,nostrmarket,events,libra,satmachineclient"
 # Nostr transport layer (HTTP-free RPC over kind-21000 events).
- # On first boot a keypair is auto-generated and logged; copy the
- # printed pubkey into your driver script. The relay points at the
- # nostrrelay extension running inside the same container — a relay
- # named "test" must be created via the UI before the transport
- # will successfully connect (the reconnect loop retries every 5s).
+ # The keypair below is pinned via the local `.env` so it survives
+ # container restarts. Without a pinned key LNbits auto-generates a
+ # fresh one on every boot, which breaks any ATM provisioned against
+ # the prior pubkey (encryption target no longer exists). The relay
+ # points at the nostrrelay extension running inside the same
+ # container — a relay named "test" must be created via the UI
+ # before the transport will successfully connect (the reconnect
+ # loop retries every 5s).
 NOSTR_TRANSPORT_ENABLED: "true"
 NOSTR_TRANSPORT_RELAYS: '["ws://localhost:5001/nostrrelay/test"]'
+ NOSTR_TRANSPORT_PRIVATE_KEY: ${NOSTR_TRANSPORT_PRIVATE_KEY}
+ NOSTR_TRANSPORT_PUBLIC_KEY: ${NOSTR_TRANSPORT_PUBLIC_KEY}
 # Lowered from the 40_000 default just to make sharding easy to
 # exercise in local tests without seeding hundreds of payments.
 # Production runs should leave this unset (defaults to 40_000).
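Review bot: In the `@@ -21,6 +21,9 @@` hunk, `AUTH_HTTPS_ONLY: "false"` is hard-coded next to `DEBUG: true` and `LNBITS_ADMIN_UI: true`, so every checkout of this compose file lets the auth cookies travel over plain HTTP, not only the one machine that needs LAN access. Since this commit already relies on a gitignored `.env`, the setting could default to secure and be relaxed locally: `AUTH_HTTPS_ONLY: "${AUTH_HTTPS_ONLY:-true}"`, with `AUTH_HTTPS_ONLY=false` placed in the developer's `.env`. The comment above it would then read `# Defaults to true; set AUTH_HTTPS_ONLY=false in .env only for LAN/HTTP dev access.` The `environment:` mapping starts and ends outside the hunk, so how the port is published to the LAN is not visible here.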
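Review bot: In the `@@ -29,13 +32,18 @@` hunk, `${NOSTR_TRANSPORT_PRIVATE_KEY}` and `${NOSTR_TRANSPORT_PUBLIC_KEY}` carry no required-variable guard, so a checkout without those `.env` entries interpolates both to empty strings and Compose only prints a warning. Presumably LNbits then falls back to an auto-generated keypair, which is the silent breakage this commit sets out to prevent. Failing fast makes the missing key visible: `NOSTR_TRANSPORT_PRIVATE_KEY: "${NOSTR_TRANSPORT_PRIVATE_KEY:?set NOSTR_TRANSPORT_PRIVATE_KEY in .env}"`, with the same form for the public key; the quotes also keep the value a string whatever the key looks like. The block comment should also say that the private key is readable from the container environment (for example through `docker inspect`), so this dev keypair must not be reused on a production-shaped instance.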