diff --git a/.gitea/workflows/dev-deploy.yaml b/.gitea/workflows/dev-deploy.yaml
index 8337022..0ebf15f 100644
--- a/.gitea/workflows/dev-deploy.yaml
+++ b/.gitea/workflows/dev-deploy.yaml
@@ -24,12 +24,6 @@ on:
 - '.gitea/workflows/dev-deploy.yaml'
 - '!**/*.md'
 
-env:
- # See go-unit.yaml for the rationale; this disables TLS verify for
- # actions/checkout against the LAN Gitea host signed by host-Caddy's
- # internal CA.
- GIT_SSL_NO_VERIFY: "true"
-
 jobs:
 deploy:
 runs-on: ubuntu-latest
diff --git a/.gitea/workflows/go-unit.yaml b/.gitea/workflows/go-unit.yaml
index 7c2c10a..b961d6a 100644
--- a/.gitea/workflows/go-unit.yaml
+++ b/.gitea/workflows/go-unit.yaml
@@ -30,15 +30,6 @@ on:
 - '.gitea/workflows/go-unit.yaml'
 - '!**/*.md'
 
-env:
- # The Gitea host serves https://gitea.iliadenisov.ru with a cert
- # signed by host-Caddy's internal CA. The runner-image's CA bundle
- # does not include that root, so actions/checkout fails on `git
- # fetch`. Disabling SSL verify is acceptable for this LAN-only
- # infrastructure; the long-term fix is to mount the Caddy root CA
- # into the runner image.
- GIT_SSL_NO_VERIFY: "true"
-
 jobs:
 test:
 runs-on: ubuntu-latest
diff --git a/.gitea/workflows/integration.yaml b/.gitea/workflows/integration.yaml
index dcdceec..85d61cd 100644
--- a/.gitea/workflows/integration.yaml
+++ b/.gitea/workflows/integration.yaml
@@ -37,12 +37,6 @@ on:
 - '.gitea/workflows/integration.yaml'
 - '!**/*.md'
 
-env:
- # See go-unit.yaml for the rationale; this disables TLS verify for
- # actions/checkout against the LAN Gitea host signed by host-Caddy's
- # internal CA.
- GIT_SSL_NO_VERIFY: "true"
-
 jobs:
 integration:
 runs-on: ubuntu-latest
diff --git a/.gitea/workflows/prod-build.yaml b/.gitea/workflows/prod-build.yaml
index fd4aa71..4e54788 100644
--- a/.gitea/workflows/prod-build.yaml
+++ b/.gitea/workflows/prod-build.yaml
@@ -21,12 +21,6 @@ on:
 - '.gitea/workflows/prod-build.yaml'
 - '!**/*.md'
 
-env:
- # See go-unit.yaml for the rationale; this disables TLS verify for
- # actions/checkout against the LAN Gitea host signed by host-Caddy's
- # internal CA.
- GIT_SSL_NO_VERIFY: "true"
-
 jobs:
 build:
 runs-on: ubuntu-latest
diff --git a/.gitea/workflows/ui-test.yaml b/.gitea/workflows/ui-test.yaml
index 93ee672..5924d3c 100644
--- a/.gitea/workflows/ui-test.yaml
+++ b/.gitea/workflows/ui-test.yaml
@@ -16,12 +16,6 @@ on:
 - '.gitea/workflows/ui-test.yaml'
 - '!**/*.md'
 
-env:
- # See go-unit.yaml for the rationale; this disables TLS verify for
- # actions/checkout against the LAN Gitea host signed by host-Caddy's
- # internal CA.
- GIT_SSL_NO_VERIFY: "true"
-
 jobs:
 test:
 runs-on: ubuntu-latest
@@ -51,8 +45,15 @@ jobs:
 run: pnpm install --frozen-lockfile
 
 - name: Install Playwright browsers
+ # `--with-deps` would shell out to `sudo apt-get install` for
+ # the system .so libraries, which the host-mode runner cannot
+ # run non-interactively. The host has the deps installed once,
+ # globally; we only need to fetch the browser binaries here.
+ # If a future run fails with missing libraries, install them
+ # on the host via `pnpm exec playwright install-deps` (one
+ # shot, requires sudo).
 working-directory: ui/frontend
- run: pnpm exec playwright install --with-deps
+ run: pnpm exec playwright install
 
 - name: Run Vitest
 working-directory: ui/frontend
diff --git a/tools/dev-deploy/docker-compose.yml b/tools/dev-deploy/docker-compose.yml
index a6e4e67..5a449df 100644
--- a/tools/dev-deploy/docker-compose.yml
+++ b/tools/dev-deploy/docker-compose.yml
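Review bot: The comment added on the `Install Playwright browsers` step in ui-test.yaml makes the host's system libraries an undeclared dependency that nothing ties to the Playwright version pinned by `pnpm install --frozen-lockfile`, so a Playwright upgrade can break this job until someone repeats the manual step. The recovery it recommends also appears to run code from a workspace's `node_modules` with sudo on a host-mode runner, and the comment does not say which checkout that is safe to do from. I would extend the comment with `# Run install-deps only from a reviewed checkout of the default branch, never from a PR workspace, and repeat it after every Playwright version bump.` The step list of `jobs.test` continues outside the hunk.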
@@ -125,11 +125,7 @@ services: target: ${GALAXY_DEV_GAME_STATE_DIR} bind: create_host_path: true - # The GeoIP database is baked into the backend image (see - # tools/local-dev/backend.Dockerfile); a bind-mount is not used - # here because the source path resolves inside the runner - # workspace volume and the host Docker daemon cannot see it, - # which produced an "is a directory" error in CI. + - ../../pkg/geoip/test-data/test-data/GeoIP2-Country-Test.mmdb:/var/lib/galaxy/geoip.mmdb:ro networks: - galaxy-internal healthcheck: diff --git a/tools/local-dev/backend.Dockerfile b/tools/local-dev/backend.Dockerfile index 01e5898..1cd01c3 100644 --- a/tools/local-dev/backend.Dockerfile +++ b/tools/local-dev/backend.Dockerfile @@ -24,16 +24,6 @@ COPY pkg/transcoder/ ./pkg/transcoder/ COPY pkg/util/ ./pkg/util/ COPY backend/ ./backend/ -# Bake the GeoIP test database into the build context so downstream -# stages can copy it into the runtime image. The path is the -# `MaxMind-DB` git submodule under `pkg/geoip/test-data/`; the file is -# the smallest country DB MaxMind publishes and is what every other -# dev-stack uses. Baking it lets dev-deploy skip the bind-mount that -# fails on runner-workspace volumes the host Docker daemon cannot see. -RUN mkdir -p /out/var/lib/galaxy -COPY pkg/geoip/test-data/test-data/GeoIP2-Country-Test.mmdb \ - /out/var/lib/galaxy/geoip.mmdb - RUN <<'EOF' cat > go.work go 1.26.2 @@ -77,6 +67,5 @@ EXPOSE 8080 EXPOSE 8081 COPY --from=builder /out/backend /usr/local/bin/backend -COPY --from=builder /out/var/lib/galaxy/geoip.mmdb /var/lib/galaxy/geoip.mmdb ENTRYPOINT ["/usr/local/bin/backend"]
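Review bot: The short-syntax bind mount added to the service's `volumes` in tools/dev-deploy/docker-compose.yml brings back the failure the removed comment described. When the source file is not visible to the Docker daemon (a runner workspace volume, or presumably a test-data submodule that was not checked out), short syntax creates the source path as a directory, so the container finds a directory at `/var/lib/galaxy/geoip.mmdb`. The backend.Dockerfile hunks in this commit also drop the baked copy, so the image has no fallback. I would use the long syntax the neighbouring mount already uses, with `create_host_path: false` and `read_only: true`, so a missing file fails when the stack is brought up rather than at the first GeoIP lookup. The service definition starts and ends outside the hunk.

```yaml
# … unchanged: game-state bind mount above …
- type: bind
  source: ../../pkg/geoip/test-data/test-data/GeoIP2-Country-Test.mmdb
  target: /var/lib/galaxy/geoip.mmdb
  read_only: true
  bind:
    create_host_path: false
```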