diff --git a/.env.example b/.env.example
index 20b29f76..39390600 100644
--- a/.env.example
+++ b/.env.example
@@ -131,3 +131,12 @@ OAUTH_ALLOW_AUTO_LINKING=false         # Auto-link OAuth to accounts without pas
 # 4. Rotate secrets regularly in production
 # 5. Keep file permissions restricted (chmod 600 .env)
 # 6. Never share credentials via insecure channels
+
+# =============================================================================
+# GEOIP UPDATE (OPTIONAL)
+# =============================================================================
+
+# GeoIP Update (Optional - for geoblocking support)
+# Get credentials at: https://www.maxmind.com/en/geolite2/signup
+GEOIPUPDATE_ACCOUNT_ID=
+GEOIPUPDATE_LICENSE_KEY=
diff --git a/docker-compose.yml b/docker-compose.yml
index 2693cd4e..f80b9371 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -93,6 +93,7 @@ services:
       - caddy-data:/data
       - caddy-config:/config
       - caddy-logs:/logs
+      - geoip-data:/usr/share/GeoIP:ro,z
     networks:
       - caddy-network
     healthcheck:
@@ -102,6 +103,20 @@ services:
       retries: 3
       start_period: 10s
 
+  geoipupdate:
+    container_name: geoipupdate-${HOSTNAME}
+    image: ghcr.io/maxmind/geoipupdate
+    restart: always
+    environment:
+      - GEOIPUPDATE_ACCOUNT_ID=${GEOIPUPDATE_ACCOUNT_ID:-}
+      - GEOIPUPDATE_LICENSE_KEY=${GEOIPUPDATE_LICENSE_KEY:-}
+      - 'GEOIPUPDATE_EDITION_IDS=GeoLite2-ASN GeoLite2-City GeoLite2-Country'
+      - GEOIPUPDATE_FREQUENCY=72
+    volumes:
+      - geoip-data:/usr/share/GeoIP:z
+    networks:
+      - caddy-network
+
 networks:
   caddy-network:
     driver: bridge
@@ -111,3 +126,4 @@ volumes:
   caddy-data:
   caddy-config:
   caddy-logs:
+  geoip-data: