## Why

The server-side geoblock role that blocks outbound traffic to China destinations via ipset/iptables is no longer needed. CN destination routing is already handled at the Surge client level via policy rules, making the server-side block redundant.

## What Changes

- Remove `geoblock` role from `site.yml`
- Delete `roles/geoblock/` directory entirely (tasks, templates, handlers, defaults)
- Remove the `geoblock-cn` spec from `openspec/specs/`

Surge client-side routing rules (in `surge-client.conf.j2`) remain unchanged.

## Capabilities

### New Capabilities
<!-- none -->

### Modified Capabilities
- `geoblock-cn`: **REMOVED** — server-side CN destination blocking via ipset/iptables is being removed entirely

## Impact

- `site.yml`: geoblock role removed from the "Base server setup" play
- `roles/geoblock/`: entire directory deleted
- `openspec/specs/geoblock-cn/`: spec removed
- `README.md`: any references to geoblock should be updated
- Surge client config and routing: **no change**