dev compose: add nsecbunker service, build from aiolabs fork checkout

Wires the nsec bunker daemon (Pablo's nsecBunker, forked to
aiolabs/nsecbunkerd) into the dev compose for phase 2 of
aiolabs/lnbits#9. Build context defaults to
\${NSECBUNKER_SRC:-/home/padreug/dev/nsecbunkerd/master} so the
canonical fork checkout is the source of truth — keeps all the
upstream-rot patches (Dockerfile npm→pnpm, ndk 2.8.1 pin,
pingOrDie disable, startKey nip19.decode — issues #1, #2, #3, #4,
#8 on aiolabs/nsecbunkerd) in one tracked tree instead of a local
shallow clone.

Admin npub via NSECBUNKER_ADMIN_NPUBS env (in .env). SQLite + JSON
config persisted under ./data/nsecbunker. Mirrors upstream's
upstream docker-compose memory caps.

.gitignore picks up the legacy ./nsecbunker/ local clone that the
LNBITS_SRC-style override now bypasses; left there to avoid
accidental staging if someone re-clones it for ad-hoc work.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

.gitignore

@@ -14,3 +14,4 @@ data/boltz-client/*
 !data/electrs
 data/electrs/*
 !data/electrs/config.toml
+nsecbunker/

docker-compose.dev.yml

@@ -92,6 +92,45 @@ services:
     volumes:
       - ./data/pict-rs:/mnt
 
+  # nsecbunkerd — Nostr remote-signing daemon (Pablo's nsecBunker).
+  # Phase 2 of aiolabs/lnbits#9: the bunker that will hold every target
+  # nsec for lnbits user accounts, with lnbits acting as a NIP-46 client
+  # over kind-24133 (signing) + kind-24134 (admin) events.
+  #
+  # First-pass dev config:
+  #   - Connects to public relays (damus.io, relay.nsecbunker.com) so
+  #     it boots without depending on the lnbits nostrrelay extension.
+  #     The internal-relay channel migration is a follow-up — see
+  #     ~/dev/lnbits/nsec-bunker-spike-findings.md for the iteration log.
+  #   - Admin npub from NSECBUNKER_ADMIN_NPUBS env (in .env).
+  #   - SQLite + JSON config persisted under ./data/nsecbunker; survives
+  #     `down -v` only if the directory itself isn't wiped.
+  #   - Memory cap mirrors upstream's docker-compose.yml.
+  #
+  # Setup the first time only:
+  #   1. Set NSECBUNKER_ADMIN_NPUBS in .env (your admin npub, comma-sep
+  #      for multiple).
+  #   2. `mkdir -p ./data/nsecbunker`
+  #   3. `docker compose -f docker-compose.dev.yml up -d nsecbunker`
+  #   4. `docker compose -f docker-compose.dev.yml logs -f nsecbunker`
+  #      should show "✅ adminNpubs: npub1..."
+  nsecbunker:
+    # Builds from the aiolabs/nsecbunkerd fork checkout at
+    # ${NSECBUNKER_SRC:-~/dev/nsecbunkerd/master} — carries all our
+    # upstream-rot patches (#1-#5, #8) so the build works from a clean
+    # clone. See aiolabs/nsecbunkerd for the catalog of patches.
+    build: ${NSECBUNKER_SRC:-/home/padreug/dev/nsecbunkerd/master}
+    hostname: nsecbunker
+    restart: on-failure
+    pids_limit: 100
+    mem_limit: 256mb
+    memswap_limit: 256mb
+    environment:
+      DATABASE_URL: "file:/app/config/nsecbunker.db"
+      ADMIN_NPUBS: ${NSECBUNKER_ADMIN_NPUBS}
+    volumes:
+      - ./data/nsecbunker:/app/config
+
   # Reverse proxy in front of pict-rs. Production runs pict-rs behind
   # an nginx vhost (deploy/server-deploy/modules/services/pict-rs.nix)
   # that adds the CORS headers and OPTIONS preflight handling browsers