From ffd27536afbbaaaa8a8b39ebd887a9a5b0ea818c Mon Sep 17 00:00:00 2001
From: Padreug
Date: Tue, 26 May 2026 00:53:29 +0200
Subject: [PATCH] dev compose: add nsecbunker service, build from aiolabs fork checkout
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Wires the nsec bunker daemon (Pablo's nsecBunker, forked to aiolabs/nsecbunkerd) into the dev compose for phase 2 of aiolabs/lnbits#9. Build context defaults to \${NSECBUNKER_SRC:-/home/padreug/dev/nsecbunkerd/master} so the canonical fork checkout is the source of truth — keeps all the upstream-rot patches (Dockerfile npm→pnpm, ndk 2.8.1 pin, pingOrDie disable, startKey nip19.decode — issues #1, #2, #3, #4, #8 on aiolabs/nsecbunkerd) in one tracked tree instead of a local shallow clone. Admin npub via NSECBUNKER_ADMIN_NPUBS env (in .env). SQLite + JSON config persisted under ./data/nsecbunker. Mirrors upstream's upstream docker-compose memory caps. .gitignore picks up the legacy ./nsecbunker/ local clone that the LNBITS_SRC-style override now bypasses; left there to avoid accidental staging if someone re-clones it for ad-hoc work.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .gitignore | 1 +
 docker-compose.dev.yml | 39 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 40 insertions(+)
diff --git a/.gitignore b/.gitignore
index f5ccb13..2c88817 100644
--- a/.gitignore
+++ b/.gitignore
@@ -14,3 +14,4 @@ data/boltz-client/*
 !data/electrs
 data/electrs/*
 !data/electrs/config.toml
+nsecbunker/
diff --git a/docker-compose.dev.yml b/docker-compose.dev.yml
index 5da5f07..f0e2ae7 100644
--- a/docker-compose.dev.yml
+++ b/docker-compose.dev.yml
@@ -92,6 +92,45 @@ services:
 volumes:
 - ./data/pict-rs:/mnt
+ # nsecbunkerd — Nostr remote-signing daemon (Pablo's nsecBunker).
+ # Phase 2 of aiolabs/lnbits#9: the bunker that will hold every target
+ # nsec for lnbits user accounts, with lnbits acting as a NIP-46 client
+ # over kind-24133 (signing) + kind-24134 (admin) events.
+ #
+ # First-pass dev config:
+ # - Connects to public relays (damus.io, relay.nsecbunker.com) so
+ # it boots without depending on the lnbits nostrrelay extension.
+ # The internal-relay channel migration is a follow-up — see
+ # ~/dev/lnbits/nsec-bunker-spike-findings.md for the iteration log.
+ # - Admin npub from NSECBUNKER_ADMIN_NPUBS env (in .env).
+ # - SQLite + JSON config persisted under ./data/nsecbunker; survives
+ # `down -v` only if the directory itself isn't wiped.
+ # - Memory cap mirrors upstream's docker-compose.yml.
+ #
+ # Setup the first time only:
+ # 1. Set NSECBUNKER_ADMIN_NPUBS in .env (your admin npub, comma-sep
+ # for multiple).
+ # 2. `mkdir -p ./data/nsecbunker`
+ # 3. `docker compose -f docker-compose.dev.yml up -d nsecbunker`
+ # 4. `docker compose -f docker-compose.dev.yml logs -f nsecbunker`
+ # should show "✅ adminNpubs: npub1..."
+ nsecbunker:
+ # Builds from the aiolabs/nsecbunkerd fork checkout at
+ # ${NSECBUNKER_SRC:-~/dev/nsecbunkerd/master} — carries all our
+ # upstream-rot patches (#1-#5, #8) so the build works from a clean
+ # clone. See aiolabs/nsecbunkerd for the catalog of patches.
+ build: ${NSECBUNKER_SRC:-/home/padreug/dev/nsecbunkerd/master}
+ hostname: nsecbunker
+ restart: on-failure
+ pids_limit: 100
+ mem_limit: 256mb
+ memswap_limit: 256mb
+ environment:
+ DATABASE_URL: "file:/app/config/nsecbunker.db"
+ ADMIN_NPUBS: ${NSECBUNKER_ADMIN_NPUBS}
+ volumes:
+ - ./data/nsecbunker:/app/config
+
 # Reverse proxy in front of pict-rs.
Production runs pict-rs behind
 # an nginx vhost (deploy/server-deploy/modules/services/pict-rs.nix)
 # that adds the CORS headers and OPTIONS preflight handling browsers
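Review bot: `ADMIN_NPUBS: ${NSECBUNKER_ADMIN_NPUBS}` in the new `nsecbunker` service expands to an empty string when the variable is missing from `.env` (compose only prints a warning), so the daemon that is meant to hold users' signing keys can come up with no admin pinned, or with whatever the fork does on an empty value; make it fail fast with `ADMIN_NPUBS: "${NSECBUNKER_ADMIN_NPUBS:?set NSECBUNKER_ADMIN_NPUBS in .env}"`. The comment above the service says the build context defaults to `~/dev/nsecbunkerd/master`, but the `build:` value is `/home/padreug/dev/nsecbunkerd/master`; compose does not expand `~`, and an absolute path under one developer's home means every other clone fails the build unless `NSECBUNKER_SRC` is set, so either the comment or the default (a repo-relative path would be the portable choice) should change. `./data/nsecbunker` will hold the SQLite database with the nsecs, so it is worth checking that `data/*` is already ignored (the `.gitignore` hunk's per-directory rules suggest it is) and adding `data/nsecbunker/*` if not. The enclosing `services:` mapping starts before the hunk.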