Fix missing country: neg cache, geoip2 fallback, re-resolve endpoint

- Add 5-min negative cache (_neg_cache) so failing IPs are throttled
  rather than hammering the API on every request
- Add MaxMind GeoLite2 fallback (init_geoip / _geoip_lookup) that fires
  when ip-api fails; controlled by BANGUI_GEOIP_DB_PATH env var
- Fix lookup_batch bug: failed API results were stored in positive cache
- Add _persist_neg_entry: INSERT OR IGNORE into geo_cache with NULL
  country_code so re-resolve can find historically failed IPs
- Add POST /api/geo/re-resolve: clears neg cache, batch-retries all
  geo_cache rows with country_code IS NULL, returns resolved/total count
- BanTable + MapPage: wrap the country — placeholder in a Fluent UI
  Tooltip explaining the retry behaviour
- Add geoip2>=4.8.0 dependency; geoip_db_path config setting
- Tests: add TestNegativeCache (4), TestGeoipFallback (4), TestReResolve (4)

backend/app/routers/geo.py

@@ -1,8 +1,9 @@
 """Geo / IP lookup router.
 
-Provides the IP enrichment endpoint:
+Provides the IP enrichment endpoints:
 
 * ``GET /api/geo/lookup/{ip}`` — ban status, ban history, and geo info for an IP
+* ``POST /api/geo/re-resolve`` — retry all previously failed geo lookups
 """
 
 from __future__ import annotations
@@ -12,9 +13,10 @@ from typing import TYPE_CHECKING, Annotated
 if TYPE_CHECKING:
     import aiohttp
 
-from fastapi import APIRouter, HTTPException, Path, Request, status
+import aiosqlite
+from fastapi import APIRouter, Depends, HTTPException, Path, Request, status
 
-from app.dependencies import AuthDep
+from app.dependencies import AuthDep, get_db
 from app.models.geo import GeoDetail, IpLookupResponse
 from app.services import geo_service, jail_service
 from app.utils.fail2ban_client import Fail2BanConnectionError
@@ -90,3 +92,55 @@ async def lookup_ip(
         currently_banned_in=result["currently_banned_in"],
         geo=geo_detail,
     )
+
+
+# ---------------------------------------------------------------------------
+# POST /api/geo/re-resolve
+# ---------------------------------------------------------------------------
+
+
+@router.post(
+    "/re-resolve",
+    summary="Re-resolve all IPs whose country could not be determined",
+)
+async def re_resolve_geo(
+    request: Request,
+    _auth: AuthDep,
+    db: Annotated[aiosqlite.Connection, Depends(get_db)],
+) -> dict[str, int]:
+    """Retry geo resolution for every IP in ``geo_cache`` with a null country.
+
+    Clears the in-memory negative cache first so that previously failing IPs
+    are immediately eligible for a new API attempt.
+
+    Args:
+        request: Incoming request (used to access ``app.state.http_session``).
+        _auth: Validated session — enforces authentication.
+        db: BanGUI application database (for reading/writing ``geo_cache``).
+
+    Returns:
+        JSON object ``{"resolved": N, "total": M}`` where *N* is the number
+        of IPs that gained a country code and *M* is the total number of IPs
+        that were retried.
+    """
+    # Collect all IPs in geo_cache that still lack a country code.
+    unresolved: list[str] = []
+    async with db.execute(
+        "SELECT ip FROM geo_cache WHERE country_code IS NULL"
+    ) as cur:
+        async for row in cur:
+            unresolved.append(str(row[0]))
+
+    if not unresolved:
+        return {"resolved": 0, "total": 0}
+
+    # Clear negative cache so these IPs bypass the TTL check.
+    geo_service.clear_neg_cache()
+
+    http_session: aiohttp.ClientSession = request.app.state.http_session
+    geo_map = await geo_service.lookup_batch(unresolved, http_session, db=db)
+
+    resolved_count = sum(
+        1 for info in geo_map.values() if info.country_code is not None
+    )
+    return {"resolved": resolved_count, "total": len(unresolved)}