diff --git a/.gitignore b/.gitignore
index f5ccb13..2c88817 100644
--- a/.gitignore
+++ b/.gitignore
@@ -14,3 +14,4 @@ data/boltz-client/*
 !data/electrs
 data/electrs/*
 !data/electrs/config.toml
+nsecbunker/
diff --git a/docker-compose.dev.yml b/docker-compose.dev.yml
index 5da5f07..f0e2ae7 100644
--- a/docker-compose.dev.yml
+++ b/docker-compose.dev.yml
@@ -92,6 +92,45 @@ services:
 volumes:
 - ./data/pict-rs:/mnt

+ # nsecbunkerd — Nostr remote-signing daemon (Pablo's nsecBunker).
+ # Phase 2 of aiolabs/lnbits#9: the bunker that will hold every target
+ # nsec for lnbits user accounts, with lnbits acting as a NIP-46 client
+ # over kind-24133 (signing) + kind-24134 (admin) events.
+ #
+ # First-pass dev config:
+ # - Connects to public relays (damus.io, relay.nsecbunker.com) so
+ # it boots without depending on the lnbits nostrrelay extension.
+ # The internal-relay channel migration is a follow-up — see
+ # ~/dev/lnbits/nsec-bunker-spike-findings.md for the iteration log.
+ # - Admin npub from NSECBUNKER_ADMIN_NPUBS env (in .env).
+ # - SQLite + JSON config persisted under ./data/nsecbunker; survives
+ # `down -v` only if the directory itself isn't wiped.
+ # - Memory cap mirrors upstream's docker-compose.yml.
+ #
+ # Setup the first time only:
+ # 1. Set NSECBUNKER_ADMIN_NPUBS in .env (your admin npub, comma-sep
+ # for multiple).
+ # 2. `mkdir -p ./data/nsecbunker`
+ # 3. `docker compose -f docker-compose.dev.yml up -d nsecbunker`
+ # 4. `docker compose -f docker-compose.dev.yml logs -f nsecbunker`
+ # should show "✅ adminNpubs: npub1..."
+ nsecbunker:
+ # Builds from the aiolabs/nsecbunkerd fork checkout at
+ # ${NSECBUNKER_SRC:-~/dev/nsecbunkerd/master} — carries all our
+ # upstream-rot patches (#1-#5, #8) so the build works from a clean
+ # clone. See aiolabs/nsecbunkerd for the catalog of patches.
+ build: ${NSECBUNKER_SRC:-/home/padreug/dev/nsecbunkerd/master}
+ hostname: nsecbunker
+ restart: on-failure
+ pids_limit: 100
+ mem_limit: 256mb
+ memswap_limit: 256mb
+ environment:
+ DATABASE_URL: "file:/app/config/nsecbunker.db"
+ ADMIN_NPUBS: ${NSECBUNKER_ADMIN_NPUBS}
+ volumes:
+ - ./data/nsecbunker:/app/config
+
 # Reverse proxy in front of pict-rs. Production runs pict-rs behind
 # an nginx vhost (deploy/server-deploy/modules/services/pict-rs.nix)
 # that adds the CORS headers and OPTIONS preflight handling browsers
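Review bot: `ADMIN_NPUBS: ${NSECBUNKER_ADMIN_NPUBS}` in the `nsecbunker` service's `environment` expands to an empty string when the variable is missing from .env, so the service described as holding every user nsec can start with no admin key configured and only a Compose warning to show for it; make the variable required with `ADMIN_NPUBS: "${NSECBUNKER_ADMIN_NPUBS:?set NSECBUNKER_ADMIN_NPUBS in .env}"`. The `build:` default is the absolute path `/home/padreug/dev/nsecbunkerd/master`, which disagrees with the `~/dev/nsecbunkerd/master` named in the comment directly above it and builds whatever is checked out there at the time, so a required `${NSECBUNKER_SRC:?...}` or a checkout pinned to a reviewed commit would make the signing daemon's image reproducible. Because `./data/nsecbunker` will contain the SQLite database and JSON config, setup step 2 should leave that directory readable by its owner only (for example `chmod 700 ./data/nsecbunker`, adjusted to whichever uid the container runs as, which this hunk does not show). The service would also benefit from `security_opt: ["no-new-privileges:true"]` and `cap_drop: ["ALL"]`, provided the daemon needs no extra capabilities.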