dev-stack: pin nostr-transport keypair + allow LAN HTTP for dev

Two small fixes that surfaced during the v2-bitspire end-to-end test
on 2026-05-15 against a real Sintra ATM:

1. `NOSTR_TRANSPORT_PRIVATE_KEY` / `NOSTR_TRANSPORT_PUBLIC_KEY` are
   now forwarded from the local `.env` into the lnbits container's
   environment. Without a pinned key LNbits auto-generates a fresh
   server keypair on every container restart, which breaks any ATM
   previously provisioned against the old pubkey (encryption target
   no longer exists from LNbits' point of view → RPCs land on the
   relay but the dispatcher never picks them up → cash-out hangs at
   "generating invoice"). The `.env` file is gitignored so the actual
   keypair stays out of the repo; rotate by regenerating + re-
   provisioning all ATMs.

2. `AUTH_HTTPS_ONLY: "false"` — LNbits' auth cookies default to
   requiring HTTPS, which blocks LAN access from a non-localhost
   browser (e.g. another machine on 192.168.0.x reaching the dev
   instance). Safe to disable for the dev stack; production-shaped
   deployments must keep it true.

.gitignore

@@ -1,3 +1,6 @@
+# Local-only compose overrides (LNBITS_SRC, etc.). Auto-loaded by docker compose.
+.env
+
 data
 
 !data/boltz