dev-stack: pin nostr-transport keypair + allow LAN HTTP for dev

Two small fixes that surfaced during the v2-bitspire end-to-end test
on 2026-05-15 against a real Sintra ATM:

1. `NOSTR_TRANSPORT_PRIVATE_KEY` / `NOSTR_TRANSPORT_PUBLIC_KEY` are
   now forwarded from the local `.env` into the lnbits container's
   environment. Without a pinned key LNbits auto-generates a fresh
   server keypair on every container restart, which breaks any ATM
   previously provisioned against the old pubkey (encryption target
   no longer exists from LNbits' point of view → RPCs land on the
   relay but the dispatcher never picks them up → cash-out hangs at
   "generating invoice"). The `.env` file is gitignored so the actual
   keypair stays out of the repo; rotate by regenerating + re-
   provisioning all ATMs.

2. `AUTH_HTTPS_ONLY: "false"` — LNbits' auth cookies default to
   requiring HTTPS, which blocks LAN access from a non-localhost
   browser (e.g. another machine on 192.168.0.x reaching the dev
   instance). Safe to disable for the dev stack; production-shaped
   deployments must keep it true.

.gitignore

@@ -1,3 +1,6 @@
+# Local-only compose overrides (LNBITS_SRC, etc.). Auto-loaded by docker compose.
+.env
+
 data
 
 !data/boltz

docker-compose.dev.yml

@@ -21,6 +21,9 @@ services:
       LNBITS_PORT: 5001
       DEBUG: true
       LNBITS_ADMIN_UI: true
+      # Allow LAN/HTTP access for dev (auth cookies don't require HTTPS).
+      # Keep TRUE for any production-shaped deployment.
+      AUTH_HTTPS_ONLY: "false"
       LNBITS_BACKEND_WALLET_CLASS: "FakeWallet"
       LNBITS_DATA_FOLDER: "./data"
       LNBITS_EXTENSIONS_PATH: "/shared"
@@ -29,13 +32,18 @@ services:
       LNBITS_ADMIN_EXTENSIONS: "nostrclient,nostrrelay,satmachineadmin"
       LNBITS_USER_DEFAULT_EXTENSIONS: "lnurlp,nostrmarket,events,libra,satmachineclient"
       # Nostr transport layer (HTTP-free RPC over kind-21000 events).
-      # On first boot a keypair is auto-generated and logged; copy the
+      # The keypair below is pinned via the local `.env` so it survives
-      # printed pubkey into your driver script. The relay points at the
+      # container restarts. Without a pinned key LNbits auto-generates a
-      # nostrrelay extension running inside the same container — a relay
+      # fresh one on every boot, which breaks any ATM provisioned against
-      # named "test" must be created via the UI before the transport
+      # the prior pubkey (encryption target no longer exists). The relay
-      # will successfully connect (the reconnect loop retries every 5s).
+      # points at the nostrrelay extension running inside the same
+      # container — a relay named "test" must be created via the UI
+      # before the transport will successfully connect (the reconnect
+      # loop retries every 5s).
       NOSTR_TRANSPORT_ENABLED: "true"
       NOSTR_TRANSPORT_RELAYS: '["ws://localhost:5001/nostrrelay/test"]'
+      NOSTR_TRANSPORT_PRIVATE_KEY: ${NOSTR_TRANSPORT_PRIVATE_KEY}
+      NOSTR_TRANSPORT_PUBLIC_KEY: ${NOSTR_TRANSPORT_PUBLIC_KEY}
       # Lowered from the 40_000 default just to make sharding easy to
       # exercise in local tests without seeding hundreds of payments.
       # Production runs should leave this unset (defaults to 40_000).