diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index 422f84a..e19dfd1 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -26,13 +26,15 @@ http {
     keepalive_timeout  65;
 
     # ── GeoIP2 database ───────────────────────────────────────────────────────
-    # The GeoLite2-City database gives us country + subdivision (state/province)
+    # on_unavailable lets nginx start even if the .mmdb file doesn't exist yet
+    # (e.g. first boot before geoipupdate has run). All GeoIP variables default
+    # to their `default=` values in that case — no requests will be blocked
+    # (fail-open). auto_reload picks up a refreshed DB from geoipupdate without
+    # requiring an nginx restart.
     geoip2 /usr/share/GeoIP/GeoLite2-City.mmdb {
-        # ISO 3166-1 alpha-2 country code  (e.g. "US")
-        $geoip2_country country iso_code;
-        # ISO 3166-2 subdivision code — country prefix stripped below
-        # Full value looks like "US-CA"; we expose just the subdivision part
-        $geoip2_subdivision subdivisions 0 iso_code;
+        auto_reload 1h;
+        $geoip2_country     default=XX country iso_code;
+        $geoip2_subdivision default=""  subdivisions 0 iso_code;
     }
 
     # Compound key used in per-repo map blocks: "CC-SUBDIV" e.g. "US-CA"