## Context

The geoblock role currently runs on all servers (relay + landing) via `site.yml`. It installs ipset/iptables, downloads China CIDR lists from ipdeny.com, populates an ipset named `cn-block`, adds an iptables OUTPUT chain DROP rule, and sets up a daily cron refresh + systemd boot restore. CN destination routing is already handled at the Surge client level via policy/group rules, making the server-side block redundant.

## Goals / Non-Goals

**Goals:**
- Remove all server-side CN destination blocking infrastructure
- Clean up all geoblock-related files, references, and specs
- Leave Surge client routing untouched

**Non-Goals:**
- No changes to Surge client config or routing rules
- No changes to other roles (base, shadowsocks, trojan)

## Decisions

Remove the entire `roles/geoblock/` directory rather than disabling it, since there is no reason to keep the code around. Remove the role reference from the `site.yml` "Base server setup" play. Remove the `geoblock-cn` spec from `openspec/specs/`. Update README.md references.

## Risks / Trade-offs

- [Servers may still have active ipset/iptables rules after this change] → The Ansible removal won't actively clean up runtime iptables rules. A manual `iptables -D OUTPUT -m set --match-set cn-block dst -j DROP && ipset destroy cn-block` may be needed on existing servers, or a reboot will clear them.
- [No server-side safety net for accidental CN traffic] → CN routing is handled by Surge client policies. If a client bypasses the proxy and connects directly to the server, the server could theoretically reach CN destinations. This is acceptable per user decision.
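The manual cleanup named in the first risk above, written out as an added example that is not part of this proposal or the repository: a POSIX shell script that reports whether the `cn-block` DROP rule and ipset are still live on a server and removes them idempotently. Only the set name and rule shape come from the proposal; the `iptables -S` / `ipset list -n` output formats it parses, the duplicate-rule handling and the `check`/`cleanup` subcommands are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the proposal or the repository: find and remove
# runtime residue of the geoblock role after the role itself has been deleted.
# Assumes only what the proposal states: an ipset named cn-block and an
# OUTPUT chain DROP rule that matches it as destination.

SET_NAME='cn-block'
# Shape of the rule as `iptables -S OUTPUT` renders it (assumed format);
# the regex tolerates extra options between the match and the target.
RULE_RE="^-A OUTPUT .*-m set --match-set ${SET_NAME} dst .*-j DROP$"

# has_cn_rule: read `iptables -S OUTPUT` output on stdin; exit 0 if the
# geoblock rule is present. A pure filter, so it can be checked against
# captured output without root.
has_cn_rule() {
    grep -Eq -- "$RULE_RE"
}

# count_cn_rules: number of matching rules. A refresh job that re-added the
# rule without checking first can leave duplicates, so one -D is not enough.
count_cn_rules() {
    grep -Ec -- "$RULE_RE" || true
}

# has_cn_set: read `ipset list -n` output (one set name per line) on stdin;
# exit 0 if the set still exists.
has_cn_set() {
    grep -qx -- "$SET_NAME"
}

# geoblock_residue_report: run as root on a server after the play has been
# re-applied without the role. Prints what is still live; exit 0 when clean.
geoblock_residue_report() {
    status=0
    if iptables -S OUTPUT 2>/dev/null | has_cn_rule; then
        n=$(iptables -S OUTPUT 2>/dev/null | count_cn_rules)
        echo "LEFTOVER: ${n} OUTPUT DROP rule(s) for ipset ${SET_NAME} still active"
        status=1
    fi
    if ipset list -n 2>/dev/null | has_cn_set; then
        echo "LEFTOVER: ipset ${SET_NAME} still exists"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "clean: no geoblock runtime state found"
    return "$status"
}

# geoblock_cleanup: the proposal's manual command made idempotent. The rule
# is deleted as many times as it is present, and only then is the set
# destroyed, because ipset refuses to destroy a set a rule still references.
geoblock_cleanup() {
    while iptables -C OUTPUT -m set --match-set "$SET_NAME" dst -j DROP 2>/dev/null; do
        iptables -D OUTPUT -m set --match-set "$SET_NAME" dst -j DROP
    done
    if ipset list -n 2>/dev/null | has_cn_set; then
        ipset destroy "$SET_NAME"
    fi
}

case "${1:-}" in
    check)   geoblock_residue_report ;;
    cleanup) geoblock_cleanup && geoblock_residue_report ;;
    *)       echo "usage: $0 check|cleanup  (run as root on the server)" >&2 ;;
esac
```

Run `check` on each existing relay and landing server once the role is gone from `site.yml`, and `cleanup` to remove what it reports. The script deliberately does not touch the daily cron entry or the systemd boot-restore unit the role installed (their names are not in this proposal); those must go with the role's files, otherwise the next refresh or reboot recreates exactly what this script just removed.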